Bug 1366572 - [RFE] Web UI: allow Smart Card authentication
Summary: [RFE] Web UI: allow Smart Card authentication
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.4
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: Scott Poore
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On: 1317379 1343422 1402820 1403194
Blocks: 1396494 1399979 1430655
TreeView+ depends on / blocked
 
Reported: 2016-08-12 11:17 UTC by Martin Kosek
Modified: 2017-08-01 09:39 UTC (History)
12 users (show)

Fixed In Version: ipa-4.5.0-3.el7
Doc Type: Enhancement
Doc Text:
IdM web UI enables smart card login The Identity Management web UI enables users to log in using smart cards. For details, see https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/sc-web-ui-auth.html.
Clone Of: 1317379
: 1430655 (view as bug list)
Environment:
Last Closed: 2017-08-01 09:39:54 UTC

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2304 normal SHIPPED_LIVE ipa bug fix and enhancement update 2017-08-01 12:41:35 UTC

Description Martin Kosek 2016-08-12 11:17:02 UTC 
Bug 1317379 implemented experimental support of Smart Card authentication to IdM Web UI. This bug is tracking implementation of a version without the security concerns in the original solution.

+++ Original description of Bug 1317379 +++

Description of problem:
IdM Web UI in RHEL-7.2 or older only allows Kerberos or Password authentication. The Web UI capabilities should be extended to also allow Smart Card authentication for environments leveraging Smart Card authentication instead of Kerberos.

This change means changing current Web UI authentication architecture, which does a kinit internally, when a password is passed. This cannot be done with the Smart Cards as Web UI does not have access to it.


User Story:
As an Administrator in Government Sector (required to use Smart Cards), I want to authenticate to the IdM Web UI with my Smart Card, so that I am not forced to enable password authentication which is forbidden in my environment.

--- Additional comment from Martin Kosek on 2016-08-12 07:02:35 EDT ---

This feature was investigated and implemented as a POC for IdM in RHEL-7.3. Given current IdM Server architecture around it's Web (Apache) service, the solution cannot unfortunately be claimed as ready for production use due to security concerns and lack of privilege separation.

Therefore, the feature will be only presented as Experimental feature for users, where they can qualify it, test in their environment and report back if it works and satisfies the expectations/requirements. The feature won't be enabled by default and will require configuration (including API/CLI and Web UI plugins). 

Upstream feature page is here:
http://www.freeipa.org/page/V4/External_Authentication

Current configuration procedure is being developed here:
http://www.freeipa.org/page/V4/External_Authentication/Setup

Given above, I am changing the feature to "Experimental". A new Bugzilla will be created to track "proper" implementation that is secure and better suited for production use.
Comment 1 Petr Vobornik 2016-08-17 16:36:28 UTC 
Upstream ticket:
https://fedorahosted.org/freeipa/ticket/6225
Comment 4 Martin Bašti 2017-03-14 17:56:55 UTC 
Fixed upstream
master:
https://pagure.io/freeipa/c/f4cd61f3011877fc9cc2a809438059b07362b0aa
Comment 7 Petr Vobornik 2017-03-27 15:03:41 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6819
Comment 8 Petr Vobornik 2017-03-27 15:05:12 UTC 
There is an issue which breaks the cert login: comment 7 - #6819.
Comment 11 Pavel Vomacka 2017-03-28 11:35:19 UTC 
Upstream ticket:
https://pagure.io/freeipa/issue/6823
Comment 17 Scott Poore 2017-05-02 18:33:36 UTC 
Verified.

Version ::

ipa-server-4.5.0-9.el7.x86_64

Results ::

Both with and without certmaprules, I can login to the WebUI with a smart card:

notes:


[root@auto-hv-02-guest08 ~]# ipa user-show scuser107
  User login: scuser107
  First name: f
  Last name: l
  Home directory: /home/scuser107
  Login shell: /bin/sh
  Principal name: scuser107@TESTRELM.TEST
  Principal alias: scuser107@TESTRELM.TEST
  Email address: scuser107@testrelm.test
  UID: 576400135
  GID: 576400135
  Certificate: MIIDrzCCApegAwIBAgIBZDANBgkqhkiG9w0BAQsFADA4MRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMR4wHAYDVQQDDBVDZXJ0aWZpY2F0ZSBBdXRob3JpdHkwHhcNMTcwNTAxMTYwNTQ4WhcNMTkwNTAyMTYwNTQ4WjAsMRYwFAYDVQQKDA1URVNUUkVMTS5URVNUMRIwEAYDVQQDDAlzY3VzZXIxMDcwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAP7lUSsuSatW94nvERpill68DrkcfGs2Irlvzt81MCheAURuXHnTNiqtyWOeGRH3DcJC+b4QKxKBOf/pNpJ24L+DVuYHu+Fh3xzSm1utWVwbnzagG8Af4m0TdGD01rDdz63Z7nR1R8521GIPIM0oW3czayql1dta9XUEMGg6dRFFAgMBAAGjggFSMIIBTjAfBgNVHSMEGDAWgBTLFsJ1lbOOttE9mqzYy5hK4iJsQDA/BggrBgEFBQcBAQQzMDEwLwYIKwYBBQUHMAGGI2h0dHA6Ly9pcGEtY2EudGVzdHJlbG0udGVzdC9jYS9vY3NwMA4GA1UdDwEB/wQEAwIE8DAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIweAYDVR0fBHEwbzBtoDWgM4YxaHR0cDovL2lwYS1jYS50ZXN0cmVsbS50ZXN0L2lwYS9jcmwvTWFzdGVyQ1JMLmJpbqI0pDIwMDEOMAwGA1UECgwFaXBhY2ExHjAcBgNVBAMMFUNlcnRpZmljYXRlIEF1dGhvcml0eTAdBgNVHQ4EFgQUdtRhuXtmo2ad1zWb2Wrmd92McmgwIgYDVR0RBBswGYEXc2N1c2VyMTA3QHRlc3RyZWxtLnRlc3QwDQYJKoZIhvcNAQELBQADggEBAFiOdOK6WyTWECIyeXxwQlyRLyWbuMpVmp/e08WKy244X56ufwtzhnbgc9n6XR0eMQpkIHw2qLJ7npywJ+d8jq7/QrSG58nXv0fhahDPMBD7ckhpW8qw3/p4W6z8OSrtoO9B8n2Zal7RvsqiGHXVEik/xqj9DDYZHqbHOcvVk73SPO77WZ+uvlHD+XtidIIIcqfJ3Z4Pco/vzhXWVxzSetpqQ7VAqY3VS0ADK+3I6qD2Kf+K7xoNXEoLA/xnoMXKQY4/P/vbvvn94PZV3e+sZwSpDqWNk08Crq1ZFIYww6iCJfcXIlhn4VsyjCV+KdRvuECj5HXiAWwoRUQGgPPES0c=
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@auto-hv-02-guest08 ~]# ipa certmaprule-find
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------


It should be noted that there were problems with logging in as different users.  I will post that under bug #1430675 though.  For the basic purpose of this bug covering WebUI authentication with Smart Cards, it appears to work for this version.
Comment 18 Martin Kosek 2017-05-26 09:39:40 UTC 
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!
Comment 19 errata-xmlrpc 2017-08-01 09:39:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2304
Note You need to log in before you can comment on or make changes to this bug.