Bug 1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: SSSD Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On: 1413900 1512213
Blocks:
Reported: 2017-10-30 17:45 UTC by Sumit Bose
Modified: 2020-05-02 18:50 UTC (History)

Fixed In Version: sssd-1.16.0-5.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1413900
Environment:
Last Closed: 2018-04-10 17:18:11 UTC
Target Upstream Version:
Embargoed:
Links
System                   ID              Private  Priority  Status  Summary  Last Updated
Github SSSD sssd issues  4585            0        None      None    None     2020-05-02 18:50:06 UTC
Red Hat Product Errata   RHEA-2018:0929  0        None      None    None     2018-04-10 17:19:41 UTC

Description Sumit Bose 2017-10-30 17:45:28 UTC
+++ This bug was initially created as a clone of Bug #1413900 +++

Description of problem:

Currently GDM Smartcard integration works great if the Smartcard contains only one certificate valid for authentication which is mapped to a single user.

But there are valid use cases where either multiple certificates valid for authentication are on the Smartcard or where a single certificate is mapped to multiple users. Please see https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities for details.

While it would be possible for SSSD to handle the needed prompting it would imo improve the user experience if GDM can handle some of the prompting in a more appealing way.

Comment 1 Sumit Bose 2017-10-30 17:52:48 UTC
This is the ticket for the SSSD part of this feature which can drive the new GDM conversation type.

The new location of the original design page is https://docs.pagure.org/SSSD.sssd/design_pages/smartcards_and_multiple_identities.html. Since this page describes some features which are already fixed by https://pagure.io/SSSD/sssd/issue/3050 I will add a new page which is focused on Smartcards with multiple certificates.

Comment 2 Sumit Bose 2017-10-31 17:30:54 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3560

Comment 3 Lukas Slebodnik 2017-11-13 15:44:03 UTC
master:
* 57cefea8305a57c1c0491afb739813b7f17d5a25
* 177ab84f0e336b75289a3ac0b2df25bd5ab5198b
* 08d1f8c0d6eece6a48201d7f8824b282eac3458d
* fd6f4047b58686bd4057c9859c3c804a77b136d8
* 06c2300353faf3983e38fecb1d6afe1f6cc8fe32
* 0a8024af282b271ad2185f68703d9f4e766d2bdc
* 122830e67472390b41edc73f0cfcd5c5705b726b
* 0bdd8800c16f39b8fe308d20694ad905c669dff3
* 39fd336e4390ece3a8465714735ef4203f329e54

Comment 5 Scott Poore 2017-11-15 03:38:50 UTC
Verified.

Version ::

sssd-1.16.0-5.el7.x86_64

Results ::

IPA Server and Client setup with RHEL7.5 images. 

ipa-advise scripts used to setup client and server:

ipa-advise config-server-for-smart-card-auth > setup_server.sh

ipa-advise config-client-for-smart-card-auth > setup_client.sh

# On Server:

sh /root/setup_server.sh root_ca.crt issuing_ca.crt

scp /root/setup_client.sh root@client:/root

# On Client:

sh /root/setup_client.sh root_ca.crt issuing_ca.crt

vim /etc/sssd/sssd.conf
# In [domain/<domainname>] section add:
krb5_auth_timeout = 60

# In [sssd] section add:
certificate_verification = no_ocsp
# We can also specify the ocsp config if needed. Or leave this out if the cert
# includes the correct address for the OCSP.

# In [pam] section add:
p11_child_timeout = 60

systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; sleep 1; systemctl start sssd

yum groupinstall "Server with GUI"

reboot

# On Server

setup certmap rules:

[root@ipaserver ~]# ipa certmaprule-find
--------------------------------------------
2 Certificate Identity Mapping Rules matched
--------------------------------------------
  Rule name: jitc_email_ca_41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC EMAIL CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: ipa.test, ad.test
  Enabled: TRUE

  Rule name: jitc_id_ca_41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: ipa.test, ad.test
  Enabled: TRUE
----------------------------
Number of entries returned 2
----------------------------


and add to user data:

[root@ipaserver ~]# ipa user-show ipauser1
  User login: ipauser1
  First name: user
  Last name: one
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Principal name: ipauser1
  Principal alias: ipauser1
  Email address: ipauser1
  UID: 1315200001
  GID: 1315200001
  Certificate mapping data: X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC EMAIL
                            CA-41<S>C=US,O=U.S.
                            Government,OU=DoD,OU=PKI,OU=NOAA,CN=blahblah...
                            X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC ID
                            CA-41<S>C=US,O=U.S.
                            Government,OU=DoD,OU=PKI,OU=NOAA,CN=blahblah....
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


# Reset sssd and reboot client again to make sure gdm has all updates
# share usb card reader to client
# insert card
# on the CAC card I'm using it has 3 certs that should be visible.
# All three are visible with similar output on gdm login screen:

[1]:
Certificate for Key Management
CN=blahblah...

[2]:
Certificate for Digital Signature
CN=blahblah...

[3]:
Certificate for PIV Authentication
CN=blahblah...

Comment 6 Scott Poore 2017-11-15 14:12:49 UTC
Also, more info on verification of this one:

[root@ipaclient ~]# su - ipauser1 -c "su - ipauser1 -c klist"
Please select a certificate by typing the corresponding number

[1]:
Certificate for Key Management
CN=blahblah...

[2]:
Certificate for Digital Signature
CN=blahblah...

[3]:
Certificate for PIV Authentication
CN=blahblah...
3  <<< This is what I entered <<<
Certificate ‘01’ selected
PIN for blahblah
Ticket cache: KEYRING:persistent:1315200001:krb_ccache_O1YMAQX
Default principal: ipauser1

Valid starting       Expires              Service principal
11/15/2017 08:09:43  11/16/2017 08:09:36  krbtgt/IPA.TEST
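
The two situations this ticket covers, several usable certificates on one card (comment 5) and one certificate mapped to more than one user, can be modelled with the data shown in the comments: the certmap rules from `ipa certmaprule-find`, the `X509:<I>issuer<S>subject` mapping data from `ipa user-show`, and the numbered selection prompt from comment 6. The following is an added example, not SSSD or FreeIPA code. All certificates, rules and user entries in it are constructed to mirror those outputs, and the DN handling is simplified: the real certmap library treats the `<ISSUER>` matching rule as a regular expression and offers several DN conversions (`nss_x500`, `ad_x500`), whereas here the issuer is compared literally and only the reversed (AD-style) order is rendered.

```python
"""Certificate-to-identity mapping with several candidates on one Smartcard.

Added example for this bug report; not SSSD or FreeIPA code.  Rules, certs
and user entries are constructed after the `ipa certmaprule-find` and
`ipa user-show` output in the comments.  Simplification: the <ISSUER>
matching rule is compared literally (certmap uses a regex), and only the
reversed DN order seen in ipacertmapdata is rendered.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    label: str    # certificate purpose shown in the selection prompt
    issuer: str   # issuer DN in LDAP order (CN first), as in the matching rule
    subject: str  # subject DN in LDAP order


@dataclass(frozen=True)
class CertMapRule:
    name: str
    issuer_match: str  # the <ISSUER> part of the matching rule


def reverse_dn(dn: str) -> str:
    """CN=..,OU=..,C=US -> C=US,OU=..,CN=.. (the order seen in ipacertmapdata).
    Assumes RDN values contain no escaped commas."""
    return ",".join(reversed(dn.split(",")))


def mapping_data(cert: Cert) -> str:
    """Render the X509:<I>issuer<S>subject value stored on a user entry."""
    return f"X509:<I>{reverse_dn(cert.issuer)}<S>{reverse_dn(cert.subject)}"


def map_card_to_users(certs, rules, users):
    """Return {cert: sorted logins} for each certificate that some rule covers
    and whose mapping data appears on at least one user entry.
    `users` maps login -> set of ipacertmapdata strings."""
    mapped = {}
    for cert in certs:
        if not any(cert.issuer == r.issuer_match for r in rules):
            continue  # no certmap rule for this issuer: not usable for login
        key = mapping_data(cert)
        logins = sorted(login for login, data in users.items() if key in data)
        if logins:
            mapped[cert] = logins
    return mapped


def needs_certificate_prompt(mapped) -> bool:
    """More than one usable certificate: the user must pick one (comment 6)."""
    return len(mapped) > 1


def needs_user_prompt(mapped, cert: Cert) -> bool:
    """One certificate mapped to several users: the user must pick a login."""
    return len(mapped.get(cert, [])) > 1


def selection_prompt(mapped):
    """Numbered entries in the shape SSSD prints them: index, purpose, CN."""
    return [f"[{i}]:\n{c.label}\n{c.subject.split(',')[0]}"
            for i, c in enumerate(mapped, start=1)]


def select_certificate(mapped, typed: str) -> Cert:
    """Validate the number typed at the prompt and return the chosen cert."""
    certs = list(mapped)
    try:
        idx = int(typed.strip())
    except ValueError:
        raise ValueError(f"not a number: {typed!r}") from None
    if not 1 <= idx <= len(certs):
        raise ValueError(f"choice {idx} outside 1..{len(certs)}")
    return certs[idx - 1]


# --- constructed sample data (issuers as in the certmap rules above) --------
ISSUER_EMAIL = "CN=DOD JITC EMAIL CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US"
ISSUER_ID = "CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US"
ISSUER_OTHER = "CN=Example Test CA,O=Example,C=US"  # no rule covers this one
SUBJECT = "CN=USER ONE,OU=NOAA,OU=PKI,OU=DoD,O=U.S. Government,C=US"

RULES = [CertMapRule("jitc_email_ca_41", ISSUER_EMAIL),
         CertMapRule("jitc_id_ca_41", ISSUER_ID)]

CARD = [  # the three CAC certificates from comment 5, plus one stray cert
    Cert("Certificate for Key Management", ISSUER_EMAIL, SUBJECT),
    Cert("Certificate for Digital Signature", ISSUER_EMAIL, SUBJECT),
    Cert("Certificate for PIV Authentication", ISSUER_ID, SUBJECT),
    Cert("Certificate for Testing", ISSUER_OTHER, SUBJECT),
]

USERS = {  # ipauser1 as in comment 5; ipauser2 (constructed) shares the PIV data
    "ipauser1": {mapping_data(CARD[0]), mapping_data(CARD[2])},
    "ipauser2": {mapping_data(CARD[2])},
}

if __name__ == "__main__":
    mapped = map_card_to_users(CARD, RULES, USERS)
    if needs_certificate_prompt(mapped):
        print("Please select a certificate by typing the corresponding number\n")
        print("\n\n".join(selection_prompt(mapped)))
    chosen = select_certificate(mapped, "3")
    print("\nselected:", chosen.label, "->", mapped[chosen])
```

Run stand-alone it prints the three-entry prompt from comment 6 and resolves choice 3 to the PIV certificate, which in this sample is mapped to two users, so a second prompt (the user selection) would follow. The stray fourth certificate is dropped before any prompt because no certmap rule covers its issuer, which is the check that keeps an unrelated certificate on the card from ever reaching the login conversation.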

Comment 9 errata-xmlrpc 2018-04-10 17:18:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929

