Bug 1660899

Summary: self signed certificate from yubikey: does not match matching rules and is ignored (p11_child_response) in sssd_pam.log
Product: [Fedora] Fedora
Reporter: Christoph Sievers <christoph.sievers>
Component: sssd
Assignee: Jakub Hrozek <jhrozek>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 29
CC: abokovoy, jhrozek, lslebodn, mzidek, pbrezina, rharwood, sbose, ssorce
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Last Closed: 2019-07-05 14:47:26 UTC
Type: Bug
Regression: ---

Description Christoph Sievers 2018-12-19 15:01:24 UTC
Description of problem:

sssd seems to be picky about the fields it expects to match a certificate. I get a "does not match matching rules and is ignored." from parse_p11_child_response in the sssd_pam log when using a yubikey.

Users of yubico-piv-tool who create a key/certificate on the yubikey will get a self-signed certificate that probably lacks the Key Usage field needed for p11_child?

Version-Release number of selected component (if applicable):

2.0.0-4 but also the latest version

How reproducible:

Configure the system to use the certificate of a yubico-piv-tool generated certificate.


Actual results:

sudo -i
[sudo] Password for fubar

Expected results:

sudo -i
PIN for fubar ************

Additional info:

I've been told sbose already knows about how to get this fixed.
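
A self-contained check for the condition the report describes, added here as an example and not part of this bug, of sssd, or of yubico-piv-tool: it walks the DER of a certificate's Extensions field and reports whether Key Usage digitalSignature and Extended Key Usage clientAuth are present. The rule tested here (KU digitalSignature plus EKU clientAuth) is an assumption standing in for whatever matching rule sssd applies on a given system; the exact rule is documented in sss-certmap(5) and sssd.conf(5). Both sample extension blobs are constructed by hand rather than taken from a real YubiKey certificate.

```python
"""Report whether a certificate's X.509 extensions satisfy an assumed
sssd-style matching rule: Key Usage digitalSignature + EKU clientAuth."""

OID_KEY_USAGE = "2.5.29.15"
OID_EXT_KEY_USAGE = "2.5.29.37"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"

# KeyUsage bit positions as defined in RFC 5280
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
           "encipherOnly", "decipherOnly"]


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(data):
    """Decode DER OBJECT IDENTIFIER contents into dotted notation."""
    parts, value = [data[0] // 40, data[0] % 40], 0
    for b in data[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(value)
            value = 0
    return ".".join(str(p) for p in parts)


def parse_extensions(der):
    """Map extension OID -> DER of its value (the OCTET STRING contents)."""
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    exts, pos = {}, 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, oid_bytes, p = read_tlv(ext, 0)
        t, val, p = read_tlv(ext, p)
        if t == 0x01:                       # optional 'critical' BOOLEAN
            _, val, p = read_tlv(ext, p)
        exts[decode_oid(oid_bytes)] = val
    return exts


def extensions_from_certificate(cert_der):
    """Locate the [3] Extensions field of a DER Certificate's TBSCertificate."""
    _, cert, _ = read_tlv(cert_der, 0)      # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)           # TBSCertificate SEQUENCE
    pos = 0
    while pos < len(tbs):
        tag, content, pos = read_tlv(tbs, pos)
        if tag == 0xA3:                     # [3] EXPLICIT Extensions
            return parse_extensions(content)
    return {}


def key_usage(exts):
    """Set of KeyUsage names, or None when the extension is absent."""
    raw = exts.get(OID_KEY_USAGE)
    if raw is None:
        return None
    _, bits, _ = read_tlv(raw, 0)           # BIT STRING: first byte = unused bits
    unused, data = bits[0], bits[1:]
    nbits = len(data) * 8 - unused
    return {KU_BITS[i] for i in range(min(nbits, len(KU_BITS)))
            if (data[i // 8] >> (7 - i % 8)) & 1}


def extended_key_usage(exts):
    """List of EKU OIDs, or None when the extension is absent."""
    raw = exts.get(OID_EXT_KEY_USAGE)
    if raw is None:
        return None
    _, seq, _ = read_tlv(raw, 0)
    oids, pos = [], 0
    while pos < len(seq):
        _, ob, pos = read_tlv(seq, pos)
        oids.append(decode_oid(ob))
    return oids


def matches_rule(exts):
    """Assumed rule: KU digitalSignature AND EKU clientAuth must both be present."""
    ku = key_usage(exts) or set()
    eku = extended_key_usage(exts) or []
    return "digitalSignature" in ku and OID_CLIENT_AUTH in eku


# --- constructed sample data (hand-built DER, not from a real key) ---
def tlv(tag, content):
    """Short-form DER TLV; enough for these small samples."""
    if len(content) >= 128:
        raise ValueError("long-form lengths not needed here")
    return bytes([tag, len(content)]) + content


def extension(oid_hex, value, critical=False):
    inner = tlv(0x06, bytes.fromhex(oid_hex))
    if critical:
        inner += tlv(0x01, b"\xff")
    return tlv(0x30, inner + tlv(0x04, value))


# Stand-in for the reporter's self-signed cert: only an empty basicConstraints.
NO_KU_EXTS = tlv(0x30, extension("551d13", tlv(0x30, b"")))

# KU digitalSignature|keyEncipherment (bits 0 and 2 -> 0xA0, 5 unused bits)
# plus EKU clientAuth.
GOOD_EXTS = tlv(0x30,
                extension("551d0f", tlv(0x03, b"\x05\xa0"), critical=True)
                + extension("551d25", tlv(0x30, tlv(0x06, bytes.fromhex("2b06010505070302")))))

if __name__ == "__main__":
    for name, blob in (("no-KU sample", NO_KU_EXTS), ("KU+EKU sample", GOOD_EXTS)):
        exts = parse_extensions(blob)
        print(name, "KU:", key_usage(exts), "EKU:", extended_key_usage(exts),
              "matches rule:", matches_rule(exts))
```

To inspect a real certificate, convert it first (`openssl x509 -in cert.pem -outform DER -out cert.der`) and pass the file contents to `extensions_from_certificate`; a result of `key_usage(...) is None` corresponds to the situation the report suspects, a certificate with no Key Usage extension at all.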

Comment 1 Christoph Sievers 2019-01-09 14:53:53 UTC
Can I help with anything else?

Comment 2 Sumit Bose 2019-01-09 15:38:19 UTC
(In reply to Christoph Sievers from comment #1)
> Can I help with anything else?

No, the delay was just caused by the holidays.

Comment 3 Christoph Sievers 2019-05-12 19:15:41 UTC
I'm not using the feature anymore.

Comment 4 Christoph Sievers 2019-05-13 11:06:58 UTC
Insufficient data? Actually sbose had all the needed data. Not sure if he decided not to implement it.

Comment 5 Sumit Bose 2019-05-13 15:42:18 UTC
I'm sorry, that's my fault, I completely forgot to send the related pull request to fix the issue. I just opened https://github.com/SSSD/sssd/pull/814 for this. Currently the CI still finds issues, but this way it won't get lost again.

bye,
Sumit

Comment 6 Lukas Slebodnik 2019-05-13 16:25:17 UTC
(In reply to Sumit Bose from comment #5)
> I'm sorry, that's my fault, I completely forgot to send the related
> pull-request to fix the issue. I just opened
> https://github.com/SSSD/sssd/pull/814 for this. Currently the CI still finds
> issues, but this way it won't get lost again.
> 

Do you also plan to reopen this BZ?

Comment 7 Jakub Hrozek 2019-05-28 21:27:06 UTC
By the way, the patches were merged into master:
f91d54e2d56f5babca6f6b3ca6e1a158fa889b45
b0525a69c1dd979dcfabf5b24fe6b023a7d919fb
e122f495b98123db2f065b2c557d7b8d2f776a10
1c40208aa1e0f9a17cc4f336c99bcaa6977592d3
e1734ba828470d00370c44c95da56822fdcc104d
aef8e49b7ee2e7743d6981070d61bc89b7c8fcfb

Comment 8 Jakub Hrozek 2019-05-28 21:27:42 UTC
I guess it would be nice to have the bug closed properly in an update.

Comment 9 Jakub Hrozek 2019-07-05 14:47:26 UTC
Well, we forgot to include the bug in an update and because the reporter is no longer interested, let's just close the bugzilla.