Cloned from upstream: https://pagure.io/freeipa/issue/6982

Currently the task of setting up Smart Card authentication against FreeIPA KDC and WebUI requires a number of non-trivial manual tasks (e.g. enabling OCSP, configuring PKINIT etc.). As an Administrator I want to be able to set up the feature by running one or more CLI scripts which will:

a) check whether the environment is ready to support the feature
b) if yes, configure the individual components without any human intervention
c) if the required components were already configured, do nothing but report success anyway

The last point is important for re-use of these tools in configuration managers like Chef, Ansible etc.
Upstream ticket: https://pagure.io/freeipa/issue/6982
Upstream ticket: https://pagure.io/freeipa/issue/7000
Prerequisite command has been pushed upstream.

Fixed upstream ipa-4-5:
https://pagure.io/freeipa/c/1b62e5aac9d9668604e82879c020bff310fa549f
https://pagure.io/freeipa/c/c072135340bc8e75f621e2b9163b1347b9eb528f
https://pagure.io/freeipa/c/cb9353d6e0fbc0912dd20bf29e3835a7740d1af6
master:
https://pagure.io/freeipa/c/e131905f3e0fe9179c5f4a09da4e7a204012603a
https://pagure.io/freeipa/c/92276c1e8809f3ff6b59bd6124869f816627bac7
https://pagure.io/freeipa/c/0772ef20b39b11950fddc913a350534988294c89
Fixed upstream master:
https://pagure.io/freeipa/c/0569c02f17f853d97280f52f4a7fefecc72cf45d
https://pagure.io/freeipa/c/e418e9a4ca747886c53d05ae80597834f1d3d021
ipa-4-5:
https://pagure.io/freeipa/c/7ea7ee4326679c098d3e4e4d6a2bc743707708ca
https://pagure.io/freeipa/c/84ca9761bd47f28b72581d1fe6bd8cfa824b6df3
What is the expected level of configuration at the end of executing the advise scripts? At the moment, I think the advise script for client config is either incomplete or confusing. It requires a cert that signed the cert on the card. This implies that it will use this cert to completely set up the client configuration to use the card with no further interventions. This is not the case however when I ran the script.

Post advise script steps needed to complete setup for my environment:

0. I have to make sure the signing CA cert(s) are all located on both the IPA Client and Server (in my case, we're using /etc/ipa to store them).

1. In my case, the signing cert is not the root CA so I have to also add that to /etc/pki/nssdb.

    [root@vm2 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-root-ca-2.pem -n "Root CA for Smart Card CA" -t CT,C,C

2. Then I have to add pkinit_anchors on the client for the two CA certs needed to verify the cert on the card:

    [root@vm2 ~]# vim /etc/krb5.conf
    ...
    [realms]
    EXAMPLE.TEST = {
        ...
        pkinit_anchors = FILE:/etc/ipa/jitc-ca.pem
        pkinit_anchors = FILE:/etc/ipa/jitc-root-ca-2.pem
    }

3. Then I have to add the CA certs to /etc/pki/nssdb on the IPA Server:

    [root@vm1 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-root-ca-2.pem -n "Root CA for Smart Card CA" -t CT,C,C
    [root@vm1 ~]# certutil -d /etc/pki/nssdb -A -i /root/jitc-ca.pem -n "Smart Card CA" -t CT,C,C

4. And add the pkinit_anchors as well on the IPA server.

    [root@vm1 ~]# vim /etc/krb5.conf
    ...
    [realms]
    EXAMPLE.TEST = {
        ...
        pkinit_anchors = FILE:/etc/ipa/jitc-ca.pem
        pkinit_anchors = FILE:/etc/ipa/jitc-root-ca-2.pem
    }

The following is OPTIONAL and depends on environment (if USB redirecting to a VM for testing like I'm doing):

5. Add some timeouts to sssd.conf to support long lookup times.

    [root@vm2 ~]# vim /etc/sssd/sssd.conf
    ...
    [domain/example.test]
    ...
    krb5_auth_timeout = 60

It is confusing that the advise script prompts for a CA cert but only configures it in one place.
    [root@vm2 ~]# ipa-advise config-client-for-smart-card-auth > advise.sh
    trying https://vm1.example.test/ipa/session/json
    [root@vm2 ~]# chmod 755 advise.sh
    [root@vm2 ~]# ./advise.sh
    You need to provide the path to the PEM file containing CA signing the Smart Cards
    [root@vm2 ~]# ./advise.sh jitc-ca.pem
    Loaded plugins: langpacks, product-id, search-disabled-repos, subscription-manager
    This system is not registered with an entitlement server. You can use subscription-manager to register.
    Package dconf-0.26.0-2.el7.x86_64 already installed and latest version
    Resolving Dependencies
    --> Running transaction check
    ---> Package opensc.x86_64 0:0.16.0-5.20170227git777e2a3.el7 will be installed
    ...truncating yum output...
    Complete!
    WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation.
    Type 'q <enter>' to abort, or <enter> to continue:
    Module "OpenSC" added to database.

A couple things I would have expected:

1. The generated script should take a "list" of files to include. Maybe just as a simple quoted string to be split during processing like "file1 file2 file3".
2. I expect the script to add the pkinit_anchors to the client's /etc/krb5.conf.
3. I expect output stating to copy the files to the server and run the same there. OR, the server script should do similar to above. I think that would be preferable.
Scott, the client side advise plugin should configure all aspects of smart card auth, if you need so much additional work to set it up, then I need to fix the plugin to perform them. As for the server-side config, I would say that only the part which imports the card signing certs/CAs and configures pkinit anchor should be added to server-side advise. Do you agree or is it necessary to run full client config?
Martin,

Yes, I think I agree. Just need the pkinit_anchors in krb5.conf and nssdb imports on the server side. I didn't seem to need anything else.

Thanks,
Scott
Martin,

Also, be aware that I just ran the server script on an IPA server with FIPS mode enabled and I was prompted for the NSSDB password:

    + certutil -M -n Server-Cert -d /etc/httpd/alias -t Pu,u,u
    Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":

I had to look it up from /etc/httpd/alias/pwdfile.txt. Should the certutil command use -f /etc/httpd/alias/pwdfile.txt if that file exists? If it doesn't exist, run without -f and expect people to know the password?

Thanks,
Scott
Hi Scott, good catch, I will push this fix on top of all other improvements I made for the smart card advises.
Question based on the use of ipa-certupdate you also pointed out earlier. Instead of the pkinit_anchors, will you have the server script run something like the following?

    ipa-cacert-manage install
    ipa-certupdate

and the client script run

    ipa-certupdate

Still need the certutil on the client side I think, but that would handle the pkinit_anchors, right?

Thanks,
Scott
Upstream ticket: https://pagure.io/freeipa/issue/7036
Martin,

Also note, we may want the client script to check that krb5-pkinit is installed. A client I was testing on was missing that as well.

Thanks,
Scott
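As an added example (not the FreeIPA advise plugin's code and not a script from this thread), the manual steps Scott lists in comment 7, the pwdfile prompt from comment 11 and the krb5-pkinit check above, written as idempotent shell helpers that change only what is missing, so a rerun reports success without touching anything. The realm, PEM paths and NSS nicknames are assumed values for the example.

```shell
#!/bin/bash
# Added example, not code from the FreeIPA advise plugin: idempotent helpers for
# the manual client/server steps in this thread. Realm, paths and nicknames
# (e.g. /etc/ipa/jitc-ca.pem, "Smart Card CA") are constructed for the example.
set -u

# Fail early if the PKINIT preauth plugin package is missing on this host.
require_krb5_pkinit() {
    rpm -q krb5-pkinit >/dev/null 2>&1 || { echo "krb5-pkinit not installed" >&2; return 1; }
}

# Print "-f <db>/pwdfile.txt" when the NSS DB ships a password file (a FIPS
# DB prompts for it otherwise); print nothing when it does not exist.
nss_pwdfile_opt() {
    local db="$1"
    [ -f "$db/pwdfile.txt" ] && printf -- '-f %s' "$db/pwdfile.txt"
    return 0
}

# Import a CA PEM into an NSS DB under a nickname, unless that nickname exists.
nss_import_ca() {
    local db="$1" pem="$2" nick="$3"
    if certutil -d "$db" -L -n "$nick" >/dev/null 2>&1; then
        echo "already present: $nick"; return 0
    fi
    # $(...) is unquoted on purpose so the optional "-f path" splits into two words
    certutil -d "$db" -A -i "$pem" -n "$nick" -t CT,C,C $(nss_pwdfile_opt "$db")
}

# Add one "pkinit_anchors = FILE:<pem>" per CA directly below "REALM = {" in a
# krb5.conf, skipping anchors already present. Returns 1 if the realm block is absent.
add_pkinit_anchors() {
    local conf="$1" realm="$2"; shift 2
    local pem line
    grep -Eq "^[[:space:]]*${realm}[[:space:]]*=[[:space:]]*[{]" "$conf" || return 1
    for pem in "$@"; do
        line="pkinit_anchors = FILE:$pem"
        grep -qF "$line" "$conf" && continue    # already configured: change nothing
        awk -v realm="$realm" -v add="    $line" '
            { print }
            $0 ~ "^[ \t]*" realm "[ \t]*=[ \t]*[{]" { print add }
        ' "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    done
}

# Number of pkinit_anchors lines in a krb5.conf (lets a rerun prove it changed nothing).
count_anchors() { grep -c '^[[:space:]]*pkinit_anchors' "$1"; }
```

Run the same helpers on the client and the server (vm2 and vm1 in the thread); a second run prints "already present" for the NSS imports and leaves krb5.conf byte-for-byte unchanged.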
Fixed upstream master:
https://pagure.io/freeipa/c/69ba5f942284d17f32650638965c21dcf907a579
https://pagure.io/freeipa/c/584abe5b68b74d6a4721525328d5dfadd0e092c0
https://pagure.io/freeipa/c/e0c2e0f26cc264dccc51295cdd595109b4e46392
https://pagure.io/freeipa/c/36e0d2d65cf19033b1022737cd24a1120bc0f85f
https://pagure.io/freeipa/c/0181334c4c8e4b73b9b1c634d9837857e5e388b8
https://pagure.io/freeipa/c/dea4b4ca1bebf128a9a2e26dbbe9ffd3d6f360e1
https://pagure.io/freeipa/c/9808395c17388d69b51e562bc7f2b1d7d172a7fb
https://pagure.io/freeipa/c/85a79b5ccd29a532f7e3f0f17b9ba08153bf9717
https://pagure.io/freeipa/c/a9fec090f7a50e6f53394cab1cc5929c18934ac0
https://pagure.io/freeipa/c/4d57aef7a50eeae04bbd117531808ac616c675eb
https://pagure.io/freeipa/c/e0cf7090f3869bc3d4673242f64d63011dc8d1a5
https://pagure.io/freeipa/c/53c5c0ad7bde137b1123504f6a52c2b22e2a3868
ipa-4-5:
https://pagure.io/freeipa/c/23917c71f72ba899054bc5dc72c36d5308ead94c
https://pagure.io/freeipa/c/ef2ab942d2dee4a7a902f70a7eaf1c35cf88bee6
https://pagure.io/freeipa/c/3ebab27ded06a72d807c10b1ba521c6406df1ab4
https://pagure.io/freeipa/c/e5f31e35d3d17b5871cb39ebe55b413ba0dca489
https://pagure.io/freeipa/c/9561e3f8a2be66c1c236ac7fe296a8c8cbbac5c1
https://pagure.io/freeipa/c/666c2da3afcc461870d423409db4298e7ead6493
https://pagure.io/freeipa/c/2be45a1d95b7033ee25a643fdd74f5f30c41fea5
https://pagure.io/freeipa/c/61f6cb7e6fa632db08628534c512a22e35682dc1
https://pagure.io/freeipa/c/08f56c3c8ccde61146baec16085b325726582752
https://pagure.io/freeipa/c/e5e4c0a484412e11cc414ca80dc230b0000c00d7
https://pagure.io/freeipa/c/e14194e171be82d43ad16b4a585502a9c28aace3
https://pagure.io/freeipa/c/1114e113d5cc558f13398af8bc5a179b33f9354b
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2017:2304