Bug 1631410
| Summary: | Can't login with smartcard with multiple certs having same ID value | ||||||
|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | adam winberg <adam.winberg> | ||||
| Component: | sssd | Assignee: | Sumit Bose <sbose> | ||||
| Status: | CLOSED ERRATA | QA Contact: | Scott Poore <spoore> | ||||
| Severity: | unspecified | Docs Contact: | |||||
| Priority: | unspecified | ||||||
| Version: | 8.2 | CC: | atikhono, grajaiya, jhrozek, lslebodn, mkosek, mzidek, pbrezina, sbose, sgoveas, spoore, thalman, tscherf | ||||
| Target Milestone: | rc | Keywords: | Triaged | ||||
| Target Release: | --- | Flags: | pm-rhel:
mirror+
|
||||
| Hardware: | Unspecified | ||||||
| OS: | Unspecified | ||||||
| Whiteboard: | sync-to-jira review | ||||||
| Fixed In Version: | sssd-2.4.0-5.el8 | Doc Type: | If docs needed, set a value | ||||
| Doc Text: | Story Points: | --- | |||||
| Clone Of: | |||||||
| : | 1635595 (view as bug list) | Environment: | |||||
| Last Closed: | 2021-05-18 15:03:54 UTC | Type: | Bug | ||||
| Regression: | --- | Mount Type: | --- | ||||
| Documentation: | --- | CRM: | |||||
| Verified Versions: | Category: | --- | |||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||
| Embargoed: | |||||||
| Bug Depends On: | |||||||
| Bug Blocks: | 1635595 | ||||||
| Attachments: |
|
||||||
|
Description
adam winberg
2018-09-20 14:04:53 UTC
Hi, can you set debug_level=9 in the [pam] section, restart SSSD, run a console login test and a GDM login attempt and attach the sssd_pam.log and p11_child.log files to this ticket? (Feel free to send them to me directly if you think the logs might contains data not suitable for a public ticket). bye, Sumit Have sent email with requested SSSD logs attached Hi,
thank you for the logs. They show that both certificates have the same ID value. Typically the ID is used to connect the certificate with the private key stored on the Smartcard. So I wonder if both certificates on your Smartcard are expected to use the same private key?
The reason why the GDM login fails is that internally key-value pairs are used to handle the prompts and SSSD just uses the certificate ID as key.
To better understand the layout of your Smartcard it would be nice if you can send me the output of
p11tool --provider /usr/lib64/pkcs11/opensc-pkcs11.so --list-all --login
(you might have to replace /usr/lib64/pkcs11/opensc-pkcs11.so with the PKCS#11 module you use, p11tool is part of the gnutls-utils package)
bye,
Sumit
sent output from p11tool via email. As you say it seems that we use the same private key for both certs. Is that an uncommon solution? Thank you for the p11tool output. There are 2 private keys on the card, but according to the IDs only one is used to both certificates. What I've seen so far is that if a certificate expires and the public-private key pair is still considered strong enough a new certificate is requested with the old private key. This way you can have multiple certificates with the same private keys on a Smartcard, but here only one is valid because the others are already expired. Nevertheless I'll make sure that SSSD will not use only the ID as key for the GDM based authentication in a upcoming SSSD release. I can chime in here as OP, and we have migrated to RHEL8 so for our sake this change is not needed in RHEL7. Upstream ticket: https://github.com/SSSD/sssd/issues/5400 Hi Scott, please have a look at https://github.com/sumit-bose/sssd/blob/multiple_certs_same_id/src/tests/test_CA/Makefile.am#L143 for the commands I use to create a SoftHSM2 token with 2 certificates using the same key and sharing the same ID for a unit test. The unit test already covers the 'More than one certificate found for authentication, aborting!' part of the issue. For testing only GDM login tests are needed to cover the "In GDM, I also get prompted to choose which cert to use (using the 'allow_missing_name' option to pam_sss), but in this list there is only one cert to choose from." issue. Just checking if GDM show both certificates to select from would be sufficient but I guess it would good to make sure the whole authentication works in this case as well. bye, Sumit Sumit, Thanks for the pointer. One question about that though. Where does SSSD_test_cert_0006.config come from? I only see 1-5 in the test_CA directory. I'm assuming the only difference from say the 0001.config file is the CN? (In reply to Scott Poore from comment #20) > Sumit, > > Thanks for the pointer. > > One question about that though. Where does SSSD_test_cert_0006.config come > from? I only see 1-5 in the test_CA directory. I'm assuming the only > difference from say the 0001.config file is the CN? ah, thanks for the hint, I forgot to include it in the commit. I pushed a new version, please check again. bye, Sumit I see it now. Thanks Upstream master:
f633f37 - add tests multiple certs same id
b8800d3 - pam_sss: add certificate label to reply to pam_sss
8b6be52 - authtok: add label to Smartcard token
1b9b7f5 - pam_sss: use unique id for gdm choice list
Verified.
Version ::
sssd-2.4.0-5.el8.x86_64
Results ::
[root@rhel8-6 ~]# pushd $TEST_CA
/opt/test_ca ~
[root@rhel8-6 test_ca]# NAME=localuser1
[root@rhel8-6 test_ca]# cat > req_${NAME}.cnf <<EOF
> [ req ]
> distinguished_name = req_distinguished_name
> prompt = no
>
> [ req_distinguished_name ]
> O = Example
> OU = Example Test
> CN = ${NAME}
>
> [ req_exts ]
> basicConstraints = CA:FALSE
> nsCertType = client, email
> nsComment = "${NAME}"
> subjectKeyIdentifier = hash
> keyUsage = critical, nonRepudiation, digitalSignature
> extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin
> subjectAltName = otherName:msUPN;UTF8:${NAME}@EXAMPLE.COM, email:${NAME}@example.com
> EOF
[root@rhel8-6 test_ca]# NAME=localuser1_2
[root@rhel8-6 test_ca]# cat > req_${NAME}.cnf <<EOF
> [ req ]
> distinguished_name = req_distinguished_name
> prompt = no
>
> [ req_distinguished_name ]
> O = Example
> OU = Example Test
> CN = ${NAME}
>
> [ req_exts ]
> basicConstraints = CA:FALSE
> nsCertType = client, email
> nsComment = "${NAME}"
> subjectKeyIdentifier = hash
> keyUsage = critical, nonRepudiation, digitalSignature
> extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin
> subjectAltName = otherName:msUPN;UTF8:${NAME}@EXAMPLE.COM, email:${NAME}@example.com
> EOF
[root@rhel8-6 test_ca]# NAME=localuser1
[root@rhel8-6 test_ca]# openssl genrsa -out ${NAME}.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
....+++++
e is 65537 (0x010001)
[root@rhel8-6 test_ca]# openssl req -new -nodes -key ${NAME}.key \
> -reqexts req_exts -config req_${NAME}.cnf -out ${NAME}.csr
[root@rhel8-6 test_ca]# openssl ca -config ca.cnf -batch -notext \
> -keyfile rootCA.key -in ${NAME}.csr -days 365 \
> -extensions usr_cert -out ${NAME}.crt
Using configuration from ca.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 136485 (0x21525)
Validity
Not Before: Jan 11 16:22:16 2021 GMT
Not After : Jan 11 16:22:16 2022 GMT
Subject:
organizationName = Example
organizationalUnitName = Example Test
commonName = localuser1
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:45:0B:2B:A4:5F:E8:43:53:F1:C3:DF:2E:12:B2:CD:00:5E:90:23:89
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
localuser1
X509v3 Subject Key Identifier:
AA:65:A7:AC:44:CB:56:55:56:C1:A4:3D:94:1B:41:95:49:99:49:CC
X509v3 Key Usage: critical
Digital Signature, Non Repudiation
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection, Microsoft Smartcard Login
X509v3 Subject Alternative Name:
othername:<unsupported>, email:localuser1
Certificate is to be certified until Jan 11 16:22:16 2022 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@rhel8-6 test_ca]# openssl req -new -nodes -key localuser1.key \
> -reqexts req_exts -config req_localuser1_2.cnf -out localuser1_2.csr
[root@rhel8-6 test_ca]# openssl ca -config ca.cnf -batch -notext -keyfile rootCA.key -in localuser1_2.csr -days 365 -extensions usr_cert -out localuser1_2.crt
Using configuration from ca.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
Serial Number: 136487 (0x21527)
Validity
Not Before: Jan 11 16:23:53 2021 GMT
Not After : Jan 11 16:23:53 2022 GMT
Subject:
organizationName = Example
organizationalUnitName = Example Test
commonName = localuser1_2
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:45:0B:2B:A4:5F:E8:43:53:F1:C3:DF:2E:12:B2:CD:00:5E:90:23:89
X509v3 Basic Constraints:
CA:FALSE
Netscape Cert Type:
SSL Client, S/MIME
Netscape Comment:
localuser1_2
X509v3 Subject Key Identifier:
AA:65:A7:AC:44:CB:56:55:56:C1:A4:3D:94:1B:41:95:49:99:49:CC
X509v3 Key Usage: critical
Digital Signature, Non Repudiation
X509v3 Extended Key Usage:
TLS Web Client Authentication, E-mail Protection, Microsoft Smartcard Login
X509v3 Subject Alternative Name:
othername:<unsupported>, email:localuser1_2
Certificate is to be certified until Jan 11 16:23:53 2022 GMT (365 days)
Write out database with 1 new entries
Data Base Updated
[root@rhel8-6 pam.d]# rm -rf /var/lib/sss/tokens
[root@rhel8-6 pam.d]# mkdir /var/lib/sss/tokens
[root@rhel8-6 pam.d]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf
[root@rhel8-6 pam.d]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized and is reassigned to slot 2053371761
[root@rhel8-6 pam.d]# pushd $TEST_CA/
/opt/test_ca /etc/pam.d ~
[root@rhel8-6 test_ca]# pkcs11-tool --module libsofthsm2.so --write-object localuser1.key --type privkey --label localuser1 --pin redhat --id 01
Using slot 0 with a present token (0x7a63f771)
Created private key:
Private Key Object; RSA
label: localuser1
ID: 01
Usage: decrypt, sign, unwrap
Access: sensitive
[root@rhel8-6 test_ca]# pkcs11-tool --module libsofthsm2.so --write-object localuser1.crt --type cert --label localuser1 --pin redhat --id 01
Using slot 0 with a present token (0x7a63f771)
Created certificate:
Certificate Object; type = X.509 cert
label: localuser1
subject: DN: O=Example, OU=Example Test, CN=localuser1
ID: 01
[root@rhel8-6 test_ca]# pkcs11-tool --module libsofthsm2.so --write-object localuser1_2.crt --type cert --label localuser1_2 --pin redhat --id 01
Using slot 0 with a present token (0x7a63f771)
Created certificate:
Certificate Object; type = X.509 cert
label: localuser1_2
subject: DN: O=Example, OU=Example Test, CN=localuser1_2
ID: 01
[root@rhel8-6 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd
[root@rhel8-6 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
Please select a certificate by typing the corresponding number
[1]:
localuser1_2
CN=localuser1_2,OU=Example Test,O=Example
[2]:
localuser1
CN=localuser1,OU=Example Test,O=Example
1
Certificate ‘01’ selected
PIN for My token 1:
localuser1
[root@rhel8-6 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
Please select a certificate by typing the corresponding number
[1]:
localuser1_2
CN=localuser1_2,OU=Example Test,O=Example
[2]:
localuser1
CN=localuser1,OU=Example Test,O=Example
2
Certificate ‘01’ selected
PIN for My token 1:
localuser1
GDM also shows "Please select a certificate" with the 2 options listed. Will attach image for that as well.
Created attachment 1746380 [details]
gdm cert select for verification
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:1666 |