Bug 2075452
Summary: | [RFE] add certificate support to ipa-client instead of one time password | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Alexandre Maumené <amaumene> | |
Component: | ipa | Assignee: | Florence Blanc-Renaud <frenaud> | |
Status: | CLOSED ERRATA | QA Contact: | ipa-qe <ipa-qe> | |
Severity: | medium | Docs Contact: | Alexandra Nikandrova <anikandr> | |
Priority: | unspecified | |||
Version: | 8.4 | CC: | abokovoy, afarley, anikandr, cheimes, pasik, rcritten, rjeffman, sumenon, tscherf | |
Target Milestone: | rc | Keywords: | FutureFeature, Triaged | |
Target Release: | --- | |||
Hardware: | Unspecified | |||
OS: | Unspecified | |||
Whiteboard: | ||||
Fixed In Version: | ipa-4.9.10-8.module+el8.8.0+17352+b0592984 | Doc Type: | Enhancement | |
Doc Text: |
.`ipa-client-install` now supports authentication with PKINIT
Previously, `ipa-client-install` supported only password-based authentication. This update adds support for authenticating `ipa-client-install` with PKINIT.
For example:
----
ipa-client-install --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem --pkinit-anchor=FILE:/path/to/cacerts.pem
----
To use the PKINIT authentication, you must establish trust between IdM and the CA chain of the PKINIT certificate. For more information see the `ipa-cacert-manage(1)` man page. Also, the certificate identity mapping rules must map the PKINIT certificate of the host to a principal that has permission to add or modify a host record. For more information see the `ipa certmaprule-add` man page.
|
Story Points: | --- | |
Clone Of: | ||||
: | 2143224 (view as bug list) | Environment: | ||
Last Closed: | 2023-05-16 08:28:45 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 2143224 | |||
Deadline: | 2022-12-26 |
Description
Alexandre Maumené
2022-04-14 09:19:17 UTC
Some notes. I think one can achieve that already, almost. Since you are using certificates, you might be able to set up Kerberos PKINIT using certificates and certificate mapping rules.

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/managing_certificates_in_idm/index

A host object is essentially a Kerberos principal host/f.q.d.n@REALM. When PKINIT is in use, a password key does not need to be present. If a certificate issued for this host has distinct properties, a matching and mapping rule can be set up to allow KDC to associate a PKINIT request with this principal. For example:

# ipa certmaprule-mod host-rule --matchrule='<SAN:dNSName>.*\.ipa\.test' --maprule='(fqdn={subject_dns_name})'
------------------------------------------------------
Modified Certificate Identity Mapping Rule "host-rule"
------------------------------------------------------
  Rule name: host-rule
  Description: Map cert to host
  Mapping rule: (fqdn={subject_dns_name})
  Matching rule: <SAN:dNSName>.*\.ipa\.test
  Enabled: TRUE

The certificate mapping rule above says that we match an LDAP entry which has fqdn attribute equal to SAN dNSName value from the certificate and that matching rule for SAN dNSName is forcing it to be in .ipa.test domain.

On the client side the following will allow us to acquire Kerberos TGT for host/client.ipa.test principal with the certificate that corresponds to these features:

kinit -X X509_user_identity=FILE:./client.crt,./client.key -X X509_anchors=FILE:./kdc-ca-bundle.pem host/client.ipa.test

The resulting Kerberos TGT is

[root@client ~]# klist
Ticket cache: KCM:0
Default principal: host/client.ipa.test

Valid starting       Expires              Service principal
04/14/22 10:09:24    04/15/22 10:02:44    krbtgt/IPA.TEST
        renew until 04/21/22 10:09:22

What we lack, currently, is an option in ipa-client-install that would allow us to perform 'kinit' with the supplied certificate bundle.
ipa-client-install will fail in non-interactive (-U) mode because we haven't supplied a password. However, if we would add that, ipa-join would work seamlessly with the ticket acquired for the host itself. Below I am demonstrating that:

[root@client ~]# cp ipa-ca.crt /etc/ipa/ca.crt
[root@client ~]# ipa-join -s master.ipa.test -k ./host.keytab -d
JSON-RPC request: {"method": "join", "params": [["client.ipa.test"], {"nsosversion": "5.16.15-201.fc35.x86_64", "nshardwareplatform": "x86_64"}]}
*   Trying 10.0.192.191:443...
* Connected to master.ipa.test (10.0.192.191) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ipa/ca.crt
*  CApath: none
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server accepted to use http/1.1
* Server certificate:
*  subject: O=IPA.TEST; CN=master.ipa.test
*  start date: Mar 19 15:08:09 2022 GMT
*  expire date: Mar 19 15:08:09 2024 GMT
*  subjectAltName: host "master.ipa.test" matched cert's "master.ipa.test"
*  issuer: O=IPA.TEST; CN=Certificate Authority
*  SSL certificate verify ok.
* Server auth using Negotiate with user ''
> POST /ipa/json HTTP/1.1
Host: master.ipa.test
Authorization: Negotiate [elided]
referer: https://master.ipa.test/ipa
User-Agent: ipa-join/4.10.0.dev202203170906+gite6e0eac08
Accept: application/json
Content-Type: application/json
Content-Length: 127

* old SSL session ID is stale, removing
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 Success
< Date: Thu, 14 Apr 2022 10:20:47 GMT
< Server: Apache/2.4.52 (Fedora Linux) OpenSSL/1.1.1l mod_wsgi/4.9.0 Python/3.10 mod_auth_gssapi/1.6.3
< WWW-Authenticate: Negotiate oYG3MIG0oAMKAQChCwYJKoZIhvcSAQICooGfBIGcYIGZBgkqhkiG9xIBAgICAG+BiTCBhqADAgEFoQMCAQ+iejB4oAMCARKicQRvddDY5UDWDRprq5LI4lw7L0sHrZG6Er15icIXCrMOsYrQX6IDd6jh+yC5HG0+KoHiB1v2i36E1Skgt6pLwwLPv4zByO8wH5ytl4CYKpX4t+XgVXt45q654nqtrkQUzNUUfeHuMw5lZrOqpE5lI6um
< Set-Cookie: ipa_session=MagBearerToken=dxoLo5xrWUkyucLMtYpukEFdfkTxcDqSmA1BQGkKhkM8J0XqVY96WjrJVqH%2fuj%2bBfRMq%2bVX13cwHO0s7mxKCEKIO4UQeiYfh2W39Q6zxrhVhtZecvkIOPfwrX6xL%2fOKXl3xW7ybLrscDuWpQP%2btU98%2bPh12vX6Io3UTK9HmS8ivXdXsLhNI9rg%2bKACQJs%2b3MAw9WUlGAsaUJfD5ezXaz7BXfSa%2bQtwmo2okJdWrf%2bUIKEQIrwxKx1aumuD%2fKz37Y;path=/ipa;httponly;secure;
< X-Frame-Options: DENY
< Content-Security-Policy: frame-ancestors 'none'
< Cache-Control: no-cache, private
< Vary: Accept-Encoding
< Transfer-Encoding: chunked
< Content-Type: application/json; charset=utf-8
<
* Connection #0 to host master.ipa.test left intact
JSON-RPC response: {"result": ["fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test", {"objectclass": ["ipaobject", "nshost", "ipahost", "pkiuser", "ipaservice", "krbprincipalaux", "krbprincipal", "ieee802device", "ipasshhost", "top", "ipaSshGroupOfPubKeys"], "cn": ["client.ipa.test"], "serverhostname": ["client"], "ipauniqueid": ["08e04aba-bbd6-11ec-b677-fa163e094202"], "krbprincipalname": ["host/client.ipa.test"], "usercertificate": [{"__base64__": "[elided]"}], "fqdn": ["client.ipa.test"], "krbcanonicalname": ["host/client.ipa.test"], "has_password": false, "has_keytab": false, "subject": "CN=client.ipa.test,O=IPA.TEST", "serial_number": "15", "serial_number_hex": "0xF", "issuer": "CN=Certificate Authority,O=IPA.TEST", "valid_not_before": "Thu Apr 14 09:39:03 2022 UTC", "valid_not_after": "Sun Apr 14 09:39:03 2024 UTC", "sha1_fingerprint": "2d:16:5e:2d:91:ed:b3:23:3b:d0:68:b6:10:bb:31:22:32:6d:22:c3", "sha256_fingerprint": "d5:08:5b:fa:d7:60:6f:9c:0d:05:da:87:5f:51:a9:4b:ea:39:f9:6e:f1:7d:95:0f:7f:ce:b4:a3:d6:48:f4:bb", "ipakrbrequirespreauth": true, "ipakrbokasdelegate": false, "ipakrboktoauthasdelegate": false, "managedby_host": ["client.ipa.test"], "managing_host": ["client.ipa.test"], "dn": "fqdn=client.ipa.test,cn=computers,cn=accounts,dc=ipa,dc=test", "ipacertificatesubjectbase": ["O=IPA.TEST"]}], "error": null, "id": null, "principal": "host/client.ipa.test", "version": "4.10.0.dev202203211148+git9312dc6f4"}
Keytab successfully retrieved and stored in: ./host.keytab

As you can see, once we registered the host, it was successfully added by the 'host/client.ipa.test' principal. This is all possible because host itself can manage own properties.

So, for the purpose of structuring a possible implementation:

- add options to ipa-client-install to allow to specify a PKINIT certificate and KDC CA chain
- add kinit variant that uses PKINIT certificate and KDC CA chain to obtain a TGT in ipalib/install/kinit.py
- add logic in ipaclient/install/client.py:_install() to use this new kinit variant in case these options were specified
- documentation needs to be updated, both for ipa-client-install, and maybe a separate design page should be created

It probably makes no sense to autodiscover the principal corresponding to the certificate. Instead, require that if PKINIT certificate is used, -p must be explicitly set to the full principal (including realm).
This all sounds relatively limited effort, though creating tests would probably take a bit of time.

Upstream ticket: https://pagure.io/freeipa/issue/9271

Upstream PR: https://github.com/freeipa/freeipa/pull/6543
Test provided as a part of the upstream PR: ipatests/test_integration/test_pkinit_install.py

Fixed upstream master: https://pagure.io/freeipa/c/dbebed2e3a8d3d27e7344bec0d829364891bb00b

=== Tickets fixed ===
https://pagure.io/freeipa/issue/9269
https://pagure.io/freeipa/issue/9271

Feature design is documented at https://github.com/freeipa/freeipa/blob/master/doc/designs/client-install-pkinit.md .

ipa-client-install \
    --pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
    --pkinit-anchor=FILE:/path/to/kdc-ca-bundle.pem

Fixed upstream ipa-4-10: https://pagure.io/freeipa/c/9d902d340793d01aa6b65d01a1facaf480819526
Fixed upstream ipa-4-9: https://pagure.io/freeipa/c/80da53eaada1b5ad61b8cff2f9ed1217fea600c9

Upstream ticket: https://pagure.io/freeipa/issue/9269
Upstream ticket: https://pagure.io/freeipa/issue/9271

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (idm:client and idm:DL1 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2023:2794
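The certificate identity mapping rule discussed in the comments above (match rule `<SAN:dNSName>.*\.ipa\.test`, map rule `(fqdn={subject_dns_name})`), worked through as an added example that is not FreeIPA's or SSSD's own code: it models the three steps that tie a PKINIT certificate to the host/client.ipa.test principal (regex match on SAN dNSName, templating the SAN value into the LDAP filter with RFC 4515 escaping, and the host lookup) and shows why an unanchored suffix pattern accepts more names than intended. The host entries, the single-equality-filter evaluator and the unanchored-search behaviour are assumptions of this model, not a description of the real certmap implementation.

```python
import re
from typing import List, Optional

# Constructed sample host entries standing in for the IdM LDAP tree (not real data).
HOSTS = [
    {"fqdn": "client.ipa.test", "krbprincipalname": "host/client.ipa.test@IPA.TEST"},
    {"fqdn": "other.ipa.test", "krbprincipalname": "host/other.ipa.test@IPA.TEST"},
]


def ldap_escape(value: str) -> str:
    """RFC 4515 escaping, so a SAN value taken from a certificate cannot change
    the structure of the filter it is substituted into."""
    return "".join(f"\\{ord(c):02x}" if c in "*()\\\x00" else c for c in value)


def ldap_unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def apply_match_rule(matchrule: str, san_dns_names: List[str]) -> Optional[str]:
    """Apply a '<SAN:dNSName>REGEX' rule and return the first SAN value it hits.
    This model searches unanchored (as POSIX regexec() does), so '.*\\.ipa\\.test'
    also hits 'x.ipa.testing.example'; anchor with '$' when a suffix is meant and
    check how your certmap implementation anchors before relying on a bare pattern."""
    m = re.fullmatch(r"<SAN:dNSName>(.+)", matchrule)
    if not m:
        raise ValueError("only <SAN:dNSName> rules are modelled here (assumption)")
    pattern = re.compile(m.group(1))
    return next((name for name in san_dns_names if pattern.search(name)), None)


def apply_map_rule(maprule: str, subject_dns_name: str) -> str:
    """Fill '{subject_dns_name}' into the LDAP filter template, escaped."""
    return maprule.replace("{subject_dns_name}", ldap_escape(subject_dns_name))


def resolve_principal(matchrule: str, maprule: str, san_dns_names: List[str],
                      hosts=HOSTS) -> Optional[str]:
    """Model of the KDC side of a PKINIT request: match, map, then find the host."""
    san = apply_match_rule(matchrule, san_dns_names)
    if san is None:
        return None                       # certificate does not match the rule
    ldap_filter = apply_map_rule(maprule, san)
    f = re.fullmatch(r"\((\w+)=(.*)\)", ldap_filter)   # single equality filter only
    if not f:
        raise ValueError(f"unsupported filter {ldap_filter!r}")
    attr, wanted = f.group(1), ldap_unescape(f.group(2))
    for entry in hosts:
        if entry.get(attr) == wanted:
            return entry["krbprincipalname"]
    return None                           # matched, but no such host object
```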