Bug 1405075 - [RFE] Add PKINIT support to SSSD Kerberos provider
Summary: [RFE] Add PKINIT support to SSSD Kerberos provider
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Scott Poore
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-12-15 14:19 UTC by Sumit Bose
Modified: 2017-09-14 11:07 UTC (History)
12 users

Fixed In Version: sssd-1.15.1-1.el7
Doc Type: Enhancement
Doc Text:
See doc text in https://bugzilla.redhat.com/show_bug.cgi?id=1200767
Clone Of:
Environment:
Last Closed: 2017-08-01 09:02:33 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2017:2294 normal SHIPPED_LIVE sssd bug fix and enhancement update 2017-08-01 12:39:55 UTC

Description Sumit Bose 2016-12-15 14:19:25 UTC
This is the client side ticket for the FreeIPA/IdM ticket https://bugzilla.redhat.com/show_bug.cgi?id=1200767.

SSSD should be able to determine if pkinit is available for the user and prompt for a Smartcard PIN if pkinit is available and a Smartcard is inserted, or if only pkinit is available for authentication.

Comment 1 Jakub Hrozek 2016-12-15 15:25:14 UTC
Upstream ticket:
https://fedorahosted.org/sssd/ticket/3270

Comment 2 Hristo Venev 2017-01-03 23:14:18 UTC
Does this block https://bugzilla.redhat.com/show_bug.cgi?id=998545 ?

Comment 3 Sumit Bose 2017-01-04 09:06:05 UTC
(In reply to Hristo Venev from comment #2)
> Does this block https://bugzilla.redhat.com/show_bug.cgi?id=998545 ?

No, not in general. PKINIT is only needed if you have a Kerberos infrastructure which can handle PKINIT.

Smartcard authentication to the local system without getting a Kerberos ticket is currently already available in Fedora/RHEL for users managed by LDAP, AD or FreeIPA. Unfortunately SSSD currently cannot handle Smartcard authentication for local users from /etc/passwd, but this is planned for the next release.

Comment 5 Jakub Hrozek 2017-02-23 10:03:24 UTC
master:
    2d527aa
    52f4583
    ead25e3
    82c5971
    dd17a3a
    f70d946
    d475744
    254f389
    327a166
    f561c2b

Comment 6 Jakub Hrozek 2017-02-23 10:03:52 UTC
Can we get a qa_ack, please?

Comment 8 Sumit Bose 2017-05-05 18:49:36 UTC
Hi Aneta,

it was mentioned in https://bugzilla.redhat.com/show_bug.cgi?id=1448236 that the changes to krb5.conf described in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/System-Level_Authentication_Guide/smartcards.html should be mentioned for this SSSD feature as well. The important options for the SSSD feature are pkinit_anchors and in some cases pkinit_kdc_hostname (this is typically needed when using AD). pkinit_cert_match should not be used because this will be set by SSSD.

I'm setting needinfo so that you can set the doc related options accordingly.
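
As an added check (not part of SSSD or of this bug), the following Python script parses the [realms] section of a krb5.conf and flags the two issues from the comment above: a realm without pkinit_anchors, and a realm where pkinit_cert_match was set by hand although SSSD sets it itself. The sample configuration, realm names and hostnames are constructed, and a pkinit_anchors set globally in [libdefaults] is not considered.

```python
import re

# Constructed sample krb5.conf: TESTRELM.TEST follows the advice above,
# AD.EXAMPLE has two problems (no anchors, pkinit_cert_match set by hand).
SAMPLE_KRB5_CONF = """\
[realms]
  TESTRELM.TEST = {
    kdc = ipa.testrelm.test:88
    pkinit_anchors = FILE:/etc/ipa/ca.crt
  }
  AD.EXAMPLE = {
    pkinit_kdc_hostname = dc1.ad.example
    pkinit_cert_match = <SUBJECT>CN=.*
  }
"""

def parse_realms(text):
    """Return {realm: {option: value}} from the [realms] section ('REALM = { ... }' layout only)."""
    realms, current, in_realms = {}, None, False
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()   # '#' starts a krb5.conf comment
        if not line:
            continue
        if line.startswith('['):
            in_realms = (line == '[realms]')
            continue
        if not in_realms:
            continue
        m = re.match(r'^(\S+)\s*=\s*\{$', line)
        if m:
            current = m.group(1)
            realms[current] = {}
        elif line == '}':
            current = None
        elif current is not None and '=' in line:
            key, value = (s.strip() for s in line.split('=', 1))
            realms[current][key] = value
    return realms

def check_realm(opts):
    """Findings for one realm, following the krb5.conf advice for the SSSD PKINIT feature."""
    findings = []
    if 'pkinit_anchors' not in opts:
        findings.append('pkinit_anchors missing: KDC certificate cannot be validated')
    if 'pkinit_cert_match' in opts:
        findings.append('pkinit_cert_match set: SSSD sets this itself, remove it')
    return findings

def check_config(text):
    return {realm: check_realm(opts) for realm, opts in parse_realms(text).items()}
```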

Comment 9 Scott Poore 2017-05-08 18:07:28 UTC
Verified.  Using same as bug #1200767

Version ::
ipa-client-4.5.0-8.el7.x86_64
sssd-1.15.2-17.el7.x86_64

Results ::

### First I set up users with and without certs.  The certs were generated by IPA.  The Smart Card had the users' key and cert added manually with pkcs15-* commands.
### scuser107 does not have cert or certmapdata added
### demosc1 has both cert and certmapdata
### demosc2 has certmapdata only

[root@dhcp129-184 ~]# ipa user-show demosc1 |sed 's/MII.*$/MII.../'
  User login: demosc1
  First name: demosc
  Last name: demosc1
  Home directory: /home/demosc1
  Login shell: /bin/sh
  Principal name: demosc1@TESTRELM.TEST
  Principal alias: demosc1@TESTRELM.TEST
  Email address: demosc1@testrelm.test
  UID: 576400131
  GID: 576400131
  Certificate: MII...
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show demosc2 |sed 's/MII.*$/MII.../'
  User login: demosc2
  First name: demosc2
  Last name: demosc2
  Home directory: /home/demosc2
  Login shell: /bin/sh
  Principal name: demosc2@TESTRELM.TEST
  Principal alias: demosc2@TESTRELM.TEST
  Email address: demosc2@testrelm.test
  UID: 576400132
  GID: 576400132
  Certificate mapping data: X509:<I>O=TESTRELM.TEST,CN=Certificate Authority<S>O=TESTRELM.TEST,CN=demosc1
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa user-show scuser107 |sed 's/MII.*$/MII.../'
  User login: scuser107
  First name: f
  Last name: l
  Home directory: /home/scuser107
  Login shell: /bin/sh
  Principal name: scuser107@TESTRELM.TEST
  Principal alias: scuser107@TESTRELM.TEST
  Email address: scuser107@testrelm.test
  UID: 576400135
  GID: 576400135
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

[root@dhcp129-184 ~]# ipa certmaprule-find combined
-------------------------------------------
1 Certificate Identity Mapping Rule matched
-------------------------------------------
  Rule name: combined
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))
  Matching rule: <ISSUER>CN=Certificate Authority,O=TESTRELM.TEST
  Enabled: TRUE
----------------------------
Number of entries returned 1
----------------------------

####################################################################
### Now the test showing su ask for pin and getting kerberos ticket
####################################################################

[root@dhcp129-184 ~]# su - demosc1 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc1 -c klist
klist: Credentials cache keyring 'persistent:576400131:krb_ccache_Yova6yX' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:56:17 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc1 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc1@testrelm.test
Ticket cache: KEYRING:persistent:576400131:krb_ccache_ndRgXGh
Default principal: demosc1@TESTRELM.TEST

Valid starting       Expires              Service principal
05/08/2017 11:57:34  05/09/2017 11:57:32  krbtgt/TESTRELM.TEST@TESTRELM.TEST

### Then as second user with certmapdata:

[root@dhcp129-184 ~]# su - demosc2 -c 'kdestroy -A'

[root@dhcp129-184 ~]# su - demosc2 -c 'klist'
klist: Credentials cache keyring 'persistent:576400132:krb_ccache_ZAnYcCH' not found

[root@dhcp129-184 ~]# su - scuser107 
Last login: Mon May  8 11:57:11 MDT 2017 on pts/0

-sh-4.2$ whoami
scuser107

-sh-4.2$ su - demosc2 -c 'klist'
PIN for demosc1 (OpenSC Card) for user demosc2@testrelm.test
Ticket cache: KEYRING:persistent:576400132:krb_ccache_9Or3NnY
Default principal: demosc2@TESTRELM.TEST

Valid starting       Expires              Service principal
05/08/2017 11:59:07  05/09/2017 11:59:05  krbtgt/TESTRELM.TEST@TESTRELM.TEST

Comment 13 Martin Kosek 2017-05-26 09:40:13 UTC
Please note that Red Hat officially released public RHEL-7.4 Beta this week, as announced here:
https://www.redhat.com/en/about/blog/red-hat-enterprise-linux-74-beta-now-available

The new RHEL-7.4 release includes a lot of new IdM functionality, including this RFE. Highlights can be found in RHEL-7.4 Release Notes, especially in the Authentication & Interoperability chapter:
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/7.4_Release_Notes/new_features_authentication_and_interoperability.html

IdM Engineering team would like to encourage everyone interested in this new functionality (and especially customers or community members requesting it) to try Beta and provide us with your feedback!

Comment 14 errata-xmlrpc 2017-08-01 09:02:33 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2017:2294

