Bug 1200767 - [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
Docs Contact: Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On: 1428484
Blocks: 1396494 1399979 1340711 1411852 1411858 1427497
 
Reported: 2015-03-11 11:10 UTC by Martin Kosek
Modified: 2017-09-14 11:06 UTC (History)
CC: 11 users

Fixed In Version: ipa-4.5.0-9.el7
Doc Type: Enhancement
Doc Text:
SSSD supports obtaining a Kerberos ticket when users authenticate with a smart card

The System Security Services Daemon (SSSD) now supports the Kerberos PKINIT preauthentication mechanism. When authenticating with a smart card to a desktop client system enrolled in an Identity Management (IdM) domain, users receive a valid Kerberos ticket-granting ticket (TGT) if the authentication was successful. Users can then use the TGT for further single sign-on (SSO) authentication from the client system. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sc-pkinit-auth.html.
Clone Of:
Clones: 1427497
Environment:
Last Closed: 2017-08-01 09:37:23 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Martin Kosek 2015-03-11 11:10:13 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/freeipa/ticket/4905

This requirement has several parts:

* Support of Smart Cards in SSSD (upstream ticket: https://fedorahosted.org/sssd/ticket/546)
* API/CLI for configuring the trusted CA certificate in KDC (related - #616)
* Optionally, also #521 (Add dogtag support to generate KDC certificates for Pkinit)

Comment 1 Martin Kosek 2015-06-04 11:54:43 UTC
The current development status of this feature was discussed and its scope will be limited for the first release. SC authentication will be LDAP-based (details in https://bugzilla.redhat.com/show_bug.cgi?id=854396#c6).

Kerberos authentication or automatic retrieval of user TGT after authentication (pkinit) will be postponed, given the functionality currently requires special certificate extension (id-pkinit-san) in order to properly map certificates and (user) principals. This is not guaranteed with the primary supported cards (CAC), so we would first need to work on extending our Kerberos backend to provide the mapping ourselves.

Comment 5 Petr Vobornik 2017-03-28 12:27:22 UTC
Note that the RFE is implemented, it works with new installs but there are still bugs in upgrades, which have to be fixed. But let's put these patches into the current build to allow early testing of at least this.

Comment 8 Jan Cholasta 2017-04-26 13:41:24 UTC
We need to bump Requires on krb5 to 1.15.1-4 which resolves bug 1428484, moving back to ASSIGNED.

Comment 12 Scott Poore 2017-05-08 18:07:10 UTC
Verified.

Version ::
ipa-client-4.5.0-8.el7.x86_64
sssd-1.15.2-17.el7.x86_64

Results ::

### First the options for enabling/disabling anonymous pkinit support
### Also shows anonymous pkinit working

[root@dhcp129-184 ~]# ipa pkinit-anonymous enable

[root@dhcp129-184 ~]# kdestroy -A

[root@dhcp129-184 ~]# kinit -n

[root@dhcp129-184 ~]# ARMOR_CCACHE=$(klist|grep cache:|cut -d' ' -f3-)

[root@dhcp129-184 ~]# kinit -T $ARMOR_CCACHE admin@TESTRELM.TEST
Password for admin@TESTRELM.TEST: 

[root@dhcp129-184 ~]# ipa pkinit-anonymous disable

[root@dhcp129-184 ~]# kdestroy -A

### Also, to be thorough, a test with kinit using the smart card:

[root@dhcp129-184 ~]# kinit -X X509_user_identity=PKCS11:module_name=/usr/lib64/opensc-pkcs11.so demosc1
demosc1 (OpenSC Card)            PIN: 

[root@dhcp129-184 ~]# klist
Ticket cache: KEYRING:persistent:0:krb_ccache_7XZIAfK
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
05/08/2017 12:06:24  05/09/2017 12:06:19  krbtgt/TESTRELM.TEST@TESTRELM.TEST


[root@dhcp129-184 ~]# kinit -n
kinit: Client's credentials have been revoked while getting initial credentials

[root@dhcp129-184 ~]# kinit admin
Password for admin@TESTRELM.TEST: 


### Now showing that we get a kerberos ticket when logging in using a smart card
### This example uses su, but we saw the same behavior work with GDM logins

### First I set up users with and without certs.  The certs were generated by IPA.  The Smart Card had the user's key and cert added manually with pkcs15-* commands.
### scuser107 does not have cert or certmapdata added
### demosc1 has both cert and certmapdata
### demosc2 has certmapdata only

[root@dhcp129-184 ~]# ipa user-show demosc1 |sed 's/MII.*$/MII.../'
  User login: demosc1
  First name: demosc
  Last name: demosc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1@TESTRELM.TEST
  Principal alias: demosc1@TESTRELM.TEST
  Email address: demosc1@testrelm.test
  UID: 576400131
  GID: 576400131
  Certificate: MII...
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show demosc2 |sed 's/MII.*$/MII.../'
  User login: demosc2
  First name: demosc2
  Last name: demosc2
  Home directory: /home/demosc2
  Login shell: /bin/sh
  Principal name: demosc2@TESTRELM.TEST
  Principal alias: demosc2@TESTRELM.TEST
  Email address: demosc2@testrelm.test
  UID: 576400132
  GID: 576400132
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show scuser107 |sed 's/MII.*$/MII.../'
  User login: scuser107
  First name: f
  Last name: l
  Home directory: /home/scuser107
  Login shell: /bin/sh
  Principal name: scuser107@TESTRELM.TEST
  Principal alias: scuser107@TESTRELM.TEST
  Email address: scuser107@testrelm.test
  UID: 576400135
  GID: 576400135
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa certmaprule-find combined
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

####################################################################
### Now the test showing su ask for pin and getting kerberos ticket
####################################################################

[root@dhcp129-184 ~]# su - demosc1 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc1 -c klist
klist: Credentials cache keyring 'persistent:576400131:krb_ccache_Yova6yX' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:56:17 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc1 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc1@testrelm.test
Ticket cache: KEYRING:persistent:576400131:krb_ccache_ndRgXGh
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
05/08/2017 11:57:34  05/09/2017 11:57:32  krbtgt/TESTRELM.TEST@TESTRELM.TEST

### Then as second user with certmapdata:

[root@dhcp129-184 ~]# su - demosc2 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc2 -c 'klist'
klist: Credentials cache keyring 'persistent:576400132:krb_ccache_ZAnYcCH' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:57:11 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc2 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc2@testrelm.test
Ticket cache: KEYRING:persistent:576400132:krb_ccache_9Or3NnY
Default principal: demosc2@TESTRELM.TEST

Valid starting       Expires              Service principal
05/08/2017 11:59:07  05/09/2017 11:59:05  krbtgt/TESTRELM.TEST@TESTRELM.TEST
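
The verification above hinges on the "combined" certificate identity mapping rule and on the two DN orderings it involves: the matching rule names the issuer as "CN=Certificate Authority,O=TESTRELM.TEST" (LDAP order), while the stored mapping data reads "O=TESTRELM.TEST,CN=Certificate Authority" (X.500 order). It also shows why comment 1's concern about cards without an id-pkinit-san extension is answered by mapping data rather than by the certificate itself: demosc2 holds no certificate, only mapping data naming demosc1's subject, and the same card logs in both accounts. The following evaluator is an added example, not FreeIPA or SSSD code. Its assumptions are mine: that `{issuer_dn!nss_x500}` and `{subject_dn!nss_x500}` render the DN in X.500 order, that `{cert!bin}` is the RFC 4515-escaped DER, and that `<ISSUER>`/`<SUBJECT>` are case-insensitive regular expressions applied to the DN in LDAP order, as I read sss-certmap(5). Certificates are modelled as constructed (issuer, subject, der) records with placeholder DER bytes; no X.509 parsing is done, and the `RULE`, `Cert`, `DIRECTORY` and function names are this example's own.

```python
"""Evaluator for the 'combined' certificate identity mapping rule above.

Added example, not FreeIPA or SSSD code.  Template and matching semantics
are assumed from sss-certmap(5) (check the man page of your version):
  {issuer_dn!nss_x500}, {subject_dn!nss_x500}: DN in X.500 order, most
    specific RDN last, the order 'Certificate mapping data' is stored in;
  {cert!bin}: DER bytes with RFC 4515 filter escaping;
  <ISSUER>/<SUBJECT>: regexes applied to the DN in LDAP order (RFC 4514).
No X.509 parsing is done; DN values with escaped commas are not handled.
"""
import re

def parse_dn(text):
    """'CN=demosc1,O=TESTRELM.TEST' -> [('CN', 'demosc1'), ('O', 'TESTRELM.TEST')]."""
    return [tuple(rdn.split("=", 1)) for rdn in text.split(",")]

def fmt_ldap(dn):
    """LDAP order, most specific RDN first."""
    return ",".join(f"{attr}={value}" for attr, value in dn)

def fmt_x500(dn):
    """X.500 order, most specific RDN last (what nss_x500 produces)."""
    return ",".join(f"{attr}={value}" for attr, value in reversed(dn))

def ldap_escape_bin(der):
    """RFC 4515 escaping of binary data inside an LDAP filter."""
    return "".join(f"\\{byte:02x}" for byte in der)

class Cert:
    """Stand-in for a card certificate; DNs are given in LDAP order."""
    def __init__(self, issuer, subject, der):
        self.issuer = parse_dn(issuer)
        self.subject = parse_dn(subject)
        self.der = der

def certmapdata(cert):
    """The X509:<I>...<S>... string 'ipa user-add-certmapdata' stores."""
    return f"X509:<I>{fmt_x500(cert.issuer)}<S>{fmt_x500(cert.subject)}"

def matches(matching_rule, cert):
    """Every <ISSUER>/<SUBJECT> regex in the matching rule must match."""
    for kind, pattern in re.findall(r"<(ISSUER|SUBJECT)>([^<]*)", matching_rule):
        dn = fmt_ldap(cert.issuer if kind == "ISSUER" else cert.subject)
        if not re.search(pattern, dn, re.IGNORECASE):
            return False
    return True

def render(mapping_rule, cert):
    """Substitute the three templates the 'combined' rule uses."""
    substitutions = {
        "{cert!bin}": ldap_escape_bin(cert.der),
        "{issuer_dn!nss_x500}": fmt_x500(cert.issuer),
        "{subject_dn!nss_x500}": fmt_x500(cert.subject),
    }
    for template, value in substitutions.items():
        mapping_rule = mapping_rule.replace(template, value)
    return mapping_rule

def mapping_filter(rule, cert):
    """LDAP filter the rule yields for this cert, or None if it does not apply."""
    if not matches(rule["matching"], cert):
        return None
    return render(rule["mapping"], cert)

def lookup(directory, rule, cert):
    """Uids the rule resolves this cert to.  Evaluates the
    (|(userCertificate;binary=...)(ipacertmapdata=...)) disjunction directly
    against in-memory entries instead of parsing the rendered filter, so it
    is specific to that rule shape."""
    if not matches(rule["matching"], cert):
        return []
    data = certmapdata(cert)
    return sorted(uid for uid, entry in directory.items()
                  if cert.der in entry.get("userCertificate", [])
                  or data in entry.get("ipacertmapdata", []))

# The rule as 'ipa certmaprule-find combined' printed it above.
RULE = {
    "mapping": "(|(userCertificate;binary={cert!bin})"
               "(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))",
    "matching": "<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST",
}

# Constructed stand-ins; the DER bytes are placeholders, not real certificates.
DEMOSC1_CERT = Cert("CN=Certificate Authority,O=TESTRELM.TEST",
                    "CN=demosc1,O=TESTRELM.TEST", b"\x30\x82\x01\x01")
FOREIGN_CERT = Cert("CN=Other CA,O=EXAMPLE.COM",
                    "CN=demosc1,O=EXAMPLE.COM", b"\x30\x82\x02\x02")
DEMOSC1_MAPDATA = ("X509:<I>O=TESTRELM.TEST,CN=Certificate Authority"
                   "<S>O=TESTRELM.TEST,CN=demosc1")

# Mirrors the three users in the verification: demosc1 has cert and mapping
# data, demosc2 mapping data only (naming demosc1's subject), scuser107 neither.
DIRECTORY = {
    "demosc1": {"userCertificate": [DEMOSC1_CERT.der],
                "ipacertmapdata": [DEMOSC1_MAPDATA]},
    "demosc2": {"ipacertmapdata": [DEMOSC1_MAPDATA]},
    "scuser107": {},
}

if __name__ == "__main__":
    print(mapping_filter(RULE, DEMOSC1_CERT))
    print(lookup(DIRECTORY, RULE, DEMOSC1_CERT))  # ['demosc1', 'demosc2']
    print(lookup(DIRECTORY, RULE, FOREIGN_CERT))  # []
```

Run as a script, it prints the rendered filter for demosc1's card and resolves that card to both demosc1 and demosc2, which is exactly the situation the su tests above exercise; a certificate from another issuer fails the matching rule and resolves to nobody. The practical consequence for an IdM deployment is that ipacertmapdata, not the certificate on the account, decides which card may log in as a user, so write access to that attribute deserves the same scrutiny as the ability to set a password, and a card that resolves to more than one account should be treated as a configuration error unless it is intended.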

Comment 15 Martin Kosek 2017-05-26 09:39:35 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Comment 16 errata-xmlrpc 2017-08-01 09:37:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304

