Bug 1507614 - Improve Smartcard integration if multiple certificates or multiple mapped identities are available
Summary: Improve Smartcard integration if multiple certificates or multiple mapped ide...
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.3
Hardware: Unspecified
OS: Unspecified
urgent
high
Target Milestone: rc
: ---
Assignee: SSSD Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Keywords:
Depends On: 1413900 1512213
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-10-30 17:45 UTC by Sumit Bose
Modified: 2018-05-29 08:39 UTC (History)
19 users (show)

(edit)
Clone Of: 1413900
(edit)
Last Closed: 2018-04-10 17:18:11 UTC


Attachments (Terms of Use)


External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0929 None None None 2018-04-10 17:19 UTC

Description Sumit Bose 2017-10-30 17:45:28 UTC
+++ This bug was initially created as a clone of Bug #1413900 +++

Description of problem:

Currently GDM Smartcard integration works great if the Smartcard contains only one certificate valid for authentication which is mapped to a single user.

But there are valid use cases where either multiple certificates valid for authentication are on the Smartcard or where a single certificate is mapped to multiple users. Please see https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardsAndMultipleIdentities for details.

While it would be possible for SSSD to handle the needed prompting it would imo improve the user experience if GDM can handle some of the prompting in a more appealing way.

Comment 1 Sumit Bose 2017-10-30 17:52:48 UTC
This is the ticket for the SSSD part of this feature which can drive the new GDM conversation type.

The new location of the original design page is https://docs.pagure.org/SSSD.sssd/design_pages/smartcards_and_multiple_identities.html. Since this pages describes some feature which are already fixed by https://pagure.io/SSSD/sssd/issue/3050 I will add a new page which is focused on Smartcards with multiple certificates.

Comment 2 Sumit Bose 2017-10-31 17:30:54 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/3560

Comment 3 Lukas Slebodnik 2017-11-13 15:44:03 UTC
master:
* 57cefea8305a57c1c0491afb739813b7f17d5a25
* 177ab84f0e336b75289a3ac0b2df25bd5ab5198b
* 08d1f8c0d6eece6a48201d7f8824b282eac3458d
* fd6f4047b58686bd4057c9859c3c804a77b136d8
* 06c2300353faf3983e38fecb1d6afe1f6cc8fe32
* 0a8024af282b271ad2185f68703d9f4e766d2bdc
* 122830e67472390b41edc73f0cfcd5c5705b726b
* 0bdd8800c16f39b8fe308d20694ad905c669dff3
* 39fd336e4390ece3a8465714735ef4203f329e54

Comment 5 Scott Poore 2017-11-15 03:38:50 UTC
Verified.

Version ::

sssd-1.16.0-5.el7.x86_64

Results ::

IPA Server and Client setup with RHEL7.5 images. 

ipa-advise scripts used to setup client and server:

ipa-advise config-server-for-smart-card-auth > setup_server.sh

ipa-advise config-client-for-smart-card-auth > setup_client.sh

# On Server:

sh /root/setup_server.sh root_ca.crt issuing_ca.crt

scp /root/setup_client.sh root@client:/root

# On Client:

sh /root/setup_client.sh root_ca.crt issuing_ca.crt

vim /etc/sssd/sssd.conf
# In [domain/<domainname>] section add:
krb5_auth_timeout = 60

# In [sssd] section add:
certificate_verification = no_ocsp
# We can also specify the ocsp config if needed. Or leave this out if the cert
# includes the correct address for the OCSP.

# In [pam] section add:
p11_child_timeout = 60

systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; sleep 1; systemctl start sssd

yum groupinstall "Server with GUI"

reboot

# On Server

setup certmap rules:

[root@ipaserver ~]# ipa certmaprule-find
--------------------------------------------
2 Certificate Identity Mapping Rules matched
--------------------------------------------
  Rule name: jitc_email_ca_41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC EMAIL CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: ipa.test, ad.test
  Enabled: TRUE

  Rule name: jitc_id_ca_41
  Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))
  Matching rule: <ISSUER>CN=DOD JITC ID CA-41,OU=PKI,OU=DoD,O=U.S. Government,C=US
  Domain name: ipa.test, ad.test
  Enabled: TRUE
----------------------------
Number of entries returned 2
----------------------------


and add to user data:

[root@ipaserver ~]# ipa user-show ipauser1
  User login: ipauser1
  First name: user
  Last name: one
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Principal name: ipauser1@IPA.TEST
  Principal alias: ipauser1@IPA.TEST
  Email address: ipauser1@ipa.test
  UID: 1315200001
  GID: 1315200001
  Certificate mapping data: X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC EMAIL
                            CA-41<S>C=US,O=U.S.
                            Government,OU=DoD,OU=PKI,OU=NOAA,CN=blahblah...
                            X509:<I>C=US,O=U.S. Government,OU=DoD,OU=PKI,CN=DOD JITC ID
                            CA-41<S>C=US,O=U.S.
                            Government,OU=DoD,OU=PKI,OU=NOAA,CN=blahblah....
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True


# Reset sssd and reboot client again to make sure gdm has all updates
# share usb card reader to client
# insert card
# on the cac card I'm using it has 3 certs that should be visible.  
# All three are visisble with similar output on gdm login screen:

[1]:
Certificate for Key Management
CN=blahblah...

[2]:
Certificate for Digital Signature
CN=blahblah...

[3]:
Certificate for PIC Authentication
CN=blahblah...

Comment 6 Scott Poore 2017-11-15 14:12:49 UTC
Also, more info on verification of this one:

[root@ipaclient ~]# su - ipauser1 -c "su - ipauser1 -c klist"
Please select a certificate by typing the corresponding number

[1]:
Certificate for Key Management
CN=blahblah...

[2]:
Certificate for Digital Signature
CN=blahblah...

[3]:
Certificate for PIV Authentication
CN=blahblah...
3  <<< This is what I entered <<<
Certificate ‘01’ selected
PIN for blahblah
Ticket cache: KEYRING:persistent:1315200001:krb_ccache_O1YMAQX
Default principal: ipauser1@IPA.TEST

Valid starting       Expires              Service principal
11/15/2017 08:09:43  11/16/2017 08:09:36  krbtgt/IPA.TEST@IPA.TEST

Comment 9 errata-xmlrpc 2018-04-10 17:18:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0929


Note You need to log in before you can comment on or make changes to this bug.