Red Hat Bugzilla – Bug 1405075
[RFE] Add PKINIT support to SSSD Kerberos provider
Last modified: 2017-09-14 07:07:19 EDT
This is the client-side ticket for the FreeIPA/IdM ticket https://bugzilla.redhat.com/show_bug.cgi?id=1200767. SSSD should be able to determine if pkinit is available for the user and prompt for a Smartcard PIN if pkinit is available and a Smartcard is inserted, or if only pkinit is available for authentication.
Upstream ticket: https://fedorahosted.org/sssd/ticket/3270
Does this block https://bugzilla.redhat.com/show_bug.cgi?id=998545 ?
(In reply to Hristo Venev from comment #2)
> Does this block https://bugzilla.redhat.com/show_bug.cgi?id=998545 ?

No, not in general. PKINIT is only needed if you have a Kerberos infrastructure which can handle PKINIT. Smartcard authentication to the local system without getting a Kerberos ticket is currently already available in Fedora/RHEL for users managed by LDAP, AD or FreeIPA. Unfortunately SSSD currently cannot handle Smartcard authentication for local users from /etc/passwd, but this is planned for the next release.
master: 2d527aa 52f4583 ead25e3 82c5971 dd17a3a f70d946 d475744 254f389 327a166 f561c2b
Can we get a qa_ack, please?
Hi Aneta, it was mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1448236 that the changes to krb5.conf described in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html should be mentioned for this SSSD feature as well. The important options for the SSSD feature are pkinit_anchors and in some cases pkinit_kdc_hostname (this is typically needed when using AD). pkinit_cert_match should not be used because this will be set by SSSD. I'm setting needinfo so that you can set the doc-related options accordingly.
Verified. Using same as bug #1200767

Version ::
ipa-client-4.5.0-8.el7.x86_64
sssd-1.15.2-17.el7.x86_64

Results ::

### First I set up users with and without certs. The certs were generated by IPA.
### The Smart Card had the user's key and cert added manually with pkcs15-* commands.
### scuser107 does not have cert or certmapdata added
### demosc1 has both cert and certmapdata
### demosc2 has certmapdata only

[root@dhcp129-184 ~]# ipa user-show demosc1 |sed 's/MII.*$/MII.../'
  User login: demosc1
  First name: demosc
  Last name: demosc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1@TESTRELM.TEST
  Principal alias: demosc1@TESTRELM.TEST
  Email address: demosc1@testrelm.test
  UID: 576400131
  GID: 576400131
  Certificate: MII...
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show demosc2 |sed 's/MII.*$/MII.../'
  User login: demosc2
  First name: demosc2
  Last name: demosc2
  Home directory: /home/demosc2
  Login shell: /bin/sh
  Principal name: demosc2@TESTRELM.TEST
  Principal alias: demosc2@TESTRELM.TEST
  Email address: demosc2@testrelm.test
  UID: 576400132
  GID: 576400132
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show scuser107 |sed 's/MII.*$/MII.../'
  User login: scuser107
  First name: f
  Last name: l
  Home directory: /home/scuser107
  Login shell: /bin/sh
  Principal name: scuser107@TESTRELM.TEST
  Principal alias: scuser107@TESTRELM.TEST
  Email address: scuser107@testrelm.test
  UID: 576400135
  GID: 576400135
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa certmaprule-find combined
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

####################################################################
### Now the test showing su ask for pin and getting kerberos ticket
####################################################################

[root@dhcp129-184 ~]# su - demosc1 -c 'kdestroy -A'
[root@dhcp129-184 ~]# su - demosc1 -c klist
klist: Credentials cache keyring 'persistent:576400131:krb_ccache_Yova6yX' not found
[root@dhcp129-184 ~]# su - scuser107
Last login: Mon May 8 11:56:17 MDT 2017 on pts/0
-sh-4.2$ whoami
scuser107
-sh-4.2$ su - demosc1 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc1@testrelm.test
Ticket cache: KEYRING:persistent:576400131:krb_ccache_ndRgXGh
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
05/08/2017 11:57:34  05/09/2017 11:57:32  krbtgt/TESTRELM.TEST@TESTRELM.TEST

### Then as second user with certmapdata:

[root@dhcp129-184 ~]# su - demosc2 -c 'kdestroy -A'
[root@dhcp129-184 ~]# su - demosc2 -c 'klist'
klist: Credentials cache keyring 'persistent:576400132:krb_ccache_ZAnYcCH' not found
[root@dhcp129-184 ~]# su - scuser107
Last login: Mon May 8 11:57:11 MDT 2017 on pts/0
-sh-4.2$ whoami
scuser107
-sh-4.2$ su - demosc2 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc2@testrelm.test
Ticket cache: KEYRING:persistent:576400132:krb_ccache_9Or3NnY
Default principal: demosc2@TESTRELM.TEST

Valid starting       Expires              Service principal
05/08/2017 11:59:07  05/09/2017 11:59:05  krbtgt/TESTRELM.TEST@TESTRELM.TEST
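The "combined" rule in the verification output maps a certificate to a user either by the stored userCertificate or by an ipacertmapdata value built from the issuer and subject DNs in NSS (X.500) order, which is why the user entries show the CA as O=TESTRELM.TEST,CN=Certificate Authority. The following Python is an added example (not code from SSSD, FreeIPA or this bug) that models that template expansion and the <ISSUER> matching rule with the DNs from the page; it assumes that the !nss_x500 conversion is a plain reversal of RDN order and that the <ISSUER> rule body is a regular expression searched in the issuer DN.

```python
import re

# Values constructed from the ipa user-show / certmaprule-find output above
# (RFC 4514 order, most specific RDN first).
ISSUER_DN = "CN=Certificate Authority,O=TESTRELM.TEST"
SUBJECT_DN = "CN=demosc1,O=TESTRELM.TEST"
MATCHING_RULE = "<ISSUER>CN=Certificate Authority,O=TESTRELM.TEST"

# Split on commas that are not escaped with a backslash (RDN separators).
_RDN_SEP = re.compile(r"(?<!\\),")


def split_rdns(dn):
    """Split an RFC 4514 DN string into its RDNs; values are left escaped."""
    return [rdn.strip() for rdn in _RDN_SEP.split(dn)]


def nss_x500(dn):
    """Reverse the RDN order, the X.500/NSS form that the {..!nss_x500} template
    conversion produces (assumed from the page's output, where the issuer
    appears as O=TESTRELM.TEST,CN=Certificate Authority)."""
    return ",".join(reversed(split_rdns(dn)))


def ipacertmapdata(issuer_dn, subject_dn):
    """Expand the mapping-rule template
    X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500} for one certificate."""
    return "X509:<I>%s<S>%s" % (nss_x500(issuer_dn), nss_x500(subject_dn))


def issuer_matches(matching_rule, issuer_dn):
    """Evaluate a '<ISSUER>regexp' matching rule against the issuer DN.
    Assumption: the rule body is a regular expression searched in the DN."""
    m = re.fullmatch(r"<ISSUER>(.+)", matching_rule)
    if m is None:
        raise ValueError("only <ISSUER> rules are modelled here")
    return re.search(m.group(1), issuer_dn) is not None


def users_for_cert(users, matching_rule, issuer_dn, subject_dn):
    """Return the logins whose stored ipacertmapdata equals the value derived
    from the certificate, provided the matching rule admits the certificate."""
    if not issuer_matches(matching_rule, issuer_dn):
        return []
    wanted = ipacertmapdata(issuer_dn, subject_dn)
    return [login for login, data in users.items() if data == wanted]


# Constructed directory snapshot mirroring the three users shown above.
USERS = {
    "demosc1": "X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1",
    "demosc2": "X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1",
    "scuser107": None,
}
```

With the page's data, where demosc2 also carries mapping data naming CN=demosc1, the derived value resolves to two logins; mapping data only identifies a single user when the subject DN is unique per user.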
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here: https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter: https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2017:2294