Bug 854396

Summary: [RFE] Support for smart cards
Product: Red Hat Enterprise Linux 7
Reporter: Dmitri Pal <dpal>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: CLOSED ERRATA
QA Contact: Kaushik Banerjee <kbanerje>
Severity: medium
Docs Contact: Aneta Šteflová Petrová <apetrova>
Priority: medium
Version: 7.0
CC: ddas, jfenal, jgalipea, jhrozek, mkosek, mnavrati, nmavrogi, nsoman, rpattath, sbose
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: sssd-1.13.0-11.el7
Doc Type: Release Note
Doc Text:
SSSD smart card support

SSSD now supports smart cards for local authentication. With this feature, the user can use a smart card to log on to the system using a text-based or graphical console, as well as local services such as the sudo service. The user places the smart card into the reader and provides the user name and the smart card PIN at the login prompt. If the certificate on the smart card is verified, the user is successfully authenticated. Note that SSSD does not currently enable the user to acquire a Kerberos ticket using a smart card. To obtain a Kerberos ticket, the user is still required to authenticate using the kinit utility.
Story Points: ---
Clone Of:
: 1249084 1270027
Environment:
Last Closed: 2015-11-19 11:35:37 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 796928, 865120, 1181710, 1270027

Description Dmitri Pal 2012-09-04 21:33:44 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/546

I'd like for sssd to support using a smart card for authentication.  There are two general cases that I'd like to see working:
 * smart card by itself
 * smart card used to obtain Kerberos TGTs

In configurations where sssd is using a directory server without Kerberos, it can use information in the directory to verify, once the user-supplied PIN has allowed it to access a token which it could not previously access, that the certificate was issued to the user who is attempting to log in.

If sssd is configured to use Kerberos, it lets the KDC decide that question by attempting to use the newly-available token to obtain a TGT for the user via PKINIT.

Comment 5 Martin Kosek 2015-06-04 09:53:49 UTC
The current development status of this feature was discussed and its scope will be limited for the first release. Authentication is planned to happen only over LDAP and the certificates stored in the user entries (upstream ticket: https://fedorahosted.org/freeipa/ticket/4238).

Kerberos authentication or automatic retrieval of user TGT after authentication (pkinit) will be therefore postponed, given the functionality currently requires special certificate extension (id-pkinit-san) in order to properly map certificates and (user) principals. This is not guaranteed with the primary supported cards (CAC), so we would first need to work on extending our Kerberos backend to provide the mapping ourselves.
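
To make the mapping problem Martin describes concrete, here is an added example that is not part of the bug report, of SSSD or of MIT Kerberos: a Go program (standard library only) that walks a certificate's SubjectAltName for the id-pkinit-san otherName (OID 1.3.6.1.5.2.2, RFC 4556) and extracts the Kerberos principal it carries. The realm, principal components and e-mail address in the fixture are constructed, and the SAN is hand-assembled because the Kerberos structures use GeneralString and explicit context tags that asn1.Marshal's struct tags cannot express. A SAN that carries only an rfc822Name (sampleSAN with an empty realm) yields no principal at all, which is the case where the Kerberos backend would have to supply the certificate-to-principal mapping itself.

```go
package main

import (
	"bytes"
	"encoding/asn1"
	"fmt"
	"strings"
)

var oidPKINITSAN = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 2, 2} // id-pkinit-san (RFC 4556 3.2.2)

// KRB5PrincipalName (RFC 4556) and PrincipalName (RFC 4120). Kerberos modules use EXPLICIT
// tagging and GeneralString, which encoding/asn1 decodes into plain string fields.
type principalName struct {
	NameType   int      `asn1:"explicit,tag:0"`
	NameString []string `asn1:"explicit,tag:1"`
}

type krb5PrincipalName struct {
	Realm     string        `asn1:"explicit,tag:0"`
	Principal principalName `asn1:"explicit,tag:1"`
}

// krbPrincipal decodes the body of one otherName (type-id OID, then [0] EXPLICIT value) into
// "comp1/comp2@REALM"; ok is false when the type-id is something other than id-pkinit-san.
func krbPrincipal(otherName []byte) (string, bool, error) {
	var typeID asn1.ObjectIdentifier
	rest, err := asn1.Unmarshal(otherName, &typeID)
	if err != nil || !typeID.Equal(oidPKINITSAN) {
		return "", false, err
	}
	var kpn krb5PrincipalName
	if _, err := asn1.UnmarshalWithParams(rest, &kpn, "explicit,tag:0"); err != nil {
		return "", false, err
	}
	return strings.Join(kpn.Principal.NameString, "/") + "@" + kpn.Realm, true, nil
}

// pkinitPrincipals walks a SubjectAltName value (the GeneralNames SEQUENCE; on a parsed
// *x509.Certificate that is the Value of the cert.Extensions entry whose Id is 2.5.29.17).
func pkinitPrincipals(sanDER []byte) ([]string, error) {
	var seq asn1.RawValue
	_, err := asn1.Unmarshal(sanDER, &seq)
	if err != nil || seq.Tag != asn1.TagSequence || !seq.IsCompound {
		return nil, fmt.Errorf("not a GeneralNames SEQUENCE: %v", err)
	}
	var out []string
	for body := seq.Bytes; len(body) > 0; {
		var name asn1.RawValue
		if body, err = asn1.Unmarshal(body, &name); err != nil {
			return nil, err
		}
		if name.Class != asn1.ClassContextSpecific || name.Tag != 0 {
			continue // dNSName, rfc822Name and friends are not Kerberos identities
		}
		// otherName is [0] IMPLICIT OtherName: the context tag replaces the SEQUENCE tag, so
		// name.Bytes starts directly with the type-id OID.
		if princ, ok, err := krbPrincipal(name.Bytes); err != nil {
			return nil, err
		} else if ok {
			out = append(out, princ)
		}
	}
	return out, nil
}

// tlv hand-assembles one DER element; the fixture below is built bottom-up from these.
func tlv(class, tag int, compound bool, body ...[]byte) []byte {
	out, err := asn1.Marshal(asn1.RawValue{Class: class, Tag: tag, IsCompound: compound, Bytes: bytes.Join(body, nil)})
	if err != nil {
		panic(err)
	}
	return out
}

// sampleSAN builds a constructed SAN with an rfc822Name and, when realm is non-empty, an
// id-pkinit-san for components@realm. realm == "" models a card without the extension.
func sampleSAN(email, realm string, components ...string) []byte {
	ctx := func(tag int, body ...[]byte) []byte { return tlv(asn1.ClassContextSpecific, tag, true, body...) }
	seq := func(body ...[]byte) []byte { return tlv(asn1.ClassUniversal, asn1.TagSequence, true, body...) }
	gs := func(s string) []byte { return tlv(asn1.ClassUniversal, asn1.TagGeneralString, false, []byte(s)) }
	rfc822 := tlv(asn1.ClassContextSpecific, 1, false, []byte(email))
	if realm == "" {
		return seq(rfc822)
	}
	var comps []byte
	for _, c := range components {
		comps = append(comps, gs(c)...)
	}
	nameType, _ := asn1.Marshal(1) // NT-PRINCIPAL
	oid, _ := asn1.Marshal(oidPKINITSAN)
	krbName := seq(ctx(0, gs(realm)), ctx(1, seq(ctx(0, nameType), ctx(1, seq(comps)))))
	return seq(rfc822, ctx(0, oid, ctx(0, krbName))) // otherName{id-pkinit-san, [0] KRB5PrincipalName}
}

func main() {
	fmt.Println(pkinitPrincipals(sampleSAN("alice@example.com", "EXAMPLE.COM", "alice")))
	fmt.Println(pkinitPrincipals(sampleSAN("alice@example.com", "")))
}
```

Go's x509 parser only surfaces dNSName, rfc822Name, iPAddress and URI entries, so the otherName has to be read from the raw extension as above. The two main() calls return one principal and none respectively; a certificate with only the second shape is what makes PKINIT depend on out-of-band mapping.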

Comment 6 Sumit Bose 2015-06-04 10:47:00 UTC
I would like to clarify the sentence "Authentication is planned to happen only over LDAP and the certificates stored in the user entries". The matching user entry will be looked up in LDAP with the help of the certificate. The authentication will happen on the client by validating the CA trust-path of the certificate and by checking if the user knows the PIN by encrypting some random data with the private key on the card and validating the results with the help of the public key ("smart card by itself" from the original description).
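
The procedure Sumit lays out, as an added example that is neither SSSD code nor part of the bug report: a Go program (standard library only) with a simulated PIN-protected card in place of a PKCS#11 token, a constructed lab CA, and a constructed directory mapping user names to userCertificate values. authenticate runs the three steps in the order given above: find the user entry via the certificate and check it is the user who is logging in, validate the certificate's trust path to the configured CA, then have the card sign a fresh random challenge and verify that signature with the public key from the certificate. The CA and user names, the PIN 123456 and the 2048-bit keys are assumptions of the fixture.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// simCard stands in for a PKCS#11 token: the private key never leaves it, and it only
// signs once the right PIN is presented (real cards additionally lock after a few wrong PINs).
type simCard struct {
	pin     string
	key     *rsa.PrivateKey
	certDER []byte
}

func (c *simCard) sign(pin string, digest []byte) ([]byte, error) {
	if pin != c.pin {
		return nil, fmt.Errorf("wrong PIN")
	}
	return rsa.SignPKCS1v15(rand.Reader, c.key, crypto.SHA256, digest)
}

// userForCert is the LDAP step: dir maps user names to their userCertificate value (DER),
// and the card's certificate has to match one of them byte for byte.
func userForCert(dir map[string][]byte, der []byte) (string, bool) {
	for user, c := range dir {
		if string(c) == string(der) {
			return user, true
		}
	}
	return "", false
}

// authenticate runs the three checks in the order the comment gives them: map the
// certificate to the user who is logging in, validate its trust path to the configured CA,
// then prove PIN knowledge by having the card sign a fresh random challenge.
func authenticate(card *simCard, claimedUser, pin string, roots *x509.CertPool, dir map[string][]byte) error {
	if user, ok := userForCert(dir, card.certDER); !ok || user != claimedUser {
		return fmt.Errorf("certificate is not mapped to user %q", claimedUser)
	}
	cert, err := x509.ParseCertificate(card.certDER)
	if err != nil {
		return err
	}
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("trust path: %w", err)
	}
	challenge := make([]byte, 32) // fresh per attempt, so a recorded signature cannot be replayed
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	digest := sha256.Sum256(challenge)
	sig, err := card.sign(pin, digest[:])
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return fmt.Errorf("certificate key is not RSA")
	}
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// must panics on error; acceptable for building a test fixture, not for production paths.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newFixture builds a lab CA (constructed names), issues alice a client-auth certificate,
// loads it on a simulated card with PIN 123456 and publishes it in the directory.
func newFixture() (*simCard, *x509.CertPool, map[string][]byte) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	userKey := must(rsa.GenerateKey(rand.Reader, 2048))
	now := time.Now()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "alice"},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	userDER := must(x509.CreateCertificate(rand.Reader, userTmpl, caCert, &userKey.PublicKey, caKey))
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return &simCard{pin: "123456", key: userKey, certDER: userDER}, roots, map[string][]byte{"alice": userDER}
}

func main() {
	card, roots, dir := newFixture()
	fmt.Println(authenticate(card, "alice", "123456", roots, dir), authenticate(card, "alice", "000000", roots, dir))
}
```

The ordering is deliberate: the directory lookup and the chain validation run before anything is sent to the card, so an unmapped or untrusted certificate never consumes a PIN attempt, and because the challenge is random per login a signature captured from an earlier session proves nothing later. Note that the password-less step the comment rules out, obtaining a TGT, never appears here; the user is only authenticated locally.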

Comment 7 Martin Kosek 2015-06-04 11:49:01 UTC
Yes, this is exactly what I meant. Thanks Sumit for clarification.

Comment 8 Jakub Hrozek 2015-06-24 19:00:18 UTC
Assigning to a real owner, just for book-keeping.

Comment 9 Jakub Hrozek 2015-07-31 08:13:05 UTC
master:
    4de84af23db74e13e867985c9093f394c9fa8d51
    5242964d275d0b2e96c9b0d1f8a9958c85d566fc
    a8d887323f83984679a7d9b827a70146656bb7b2
    10703cd558016685ee778e333f1d4490238d46e7
    35f3a213e0f0f2c60e9b5f095a05388e21092ae2
    45726939a48e605b0166521f94300ae04981a3a7
    0d5bb38364a6976e9c85d6349aa13a04d181a090

Comment 16 Roshni 2015-10-08 20:45:01 UTC
[root@dhcp129-12 ~]# rpm -qi ipa-client
Name        : ipa-client
Version     : 4.2.0
Release     : 12.el7
Architecture: x86_64
Install Date: Wed 30 Sep 2015 03:40:57 PM EDT
Group       : System Environment/Base
Size        : 460096
License     : GPLv3+
Signature   : RSA/SHA256, Thu 24 Sep 2015 01:52:59 AM EDT, Key ID 938a80caf21541eb
Source RPM  : ipa-4.2.0-12.el7.src.rpm
Build Date  : Wed 23 Sep 2015 11:19:36 AM EDT
Build Host  : x86-035.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : IPA authentication for use on clients


[root@dhcp129-12 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.13.0
Release     : 36.el7
Architecture: x86_64
Install Date: Thu 01 Oct 2015 09:49:33 AM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : RSA/SHA256, Wed 30 Sep 2015 11:27:03 AM EDT, Key ID 938a80caf21541eb
Source RPM  : sssd-1.13.0-36.el7.src.rpm
Build Date  : Wed 30 Sep 2015 05:53:03 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon


Smart card login using certs issued by IPA and an external CA was tested based on https://tcms.engineering.redhat.com/case/500937/?from_plan=18963 and https://tcms.engineering.redhat.com/case/505003/?from_plan=18963. There are 2 outstanding bugs, https://bugzilla.redhat.com/show_bug.cgi?id=1266108 and https://bugzilla.redhat.com/show_bug.cgi?id=1267656. Obtaining Kerberos credentials during smart card login is yet to be supported. Apart from these, all other login tests (gdm login, su and ssh) were executed successfully.

Comment 17 errata-xmlrpc 2015-11-19 11:35:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html