RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1631410 - Can't login with smartcard with multiple certs having same ID value
Summary: Can't login with smartcard with multiple certs having same ID value
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.2
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Sumit Bose
QA Contact: Scott Poore
URL:
Whiteboard: sync-to-jira review
Depends On:
Blocks: 1635595
TreeView+ depends on / blocked
 
Reported: 2018-09-20 14:04 UTC by adam winberg
Modified: 2021-05-18 15:04 UTC (History)
12 users (show)

Fixed In Version: sssd-2.4.0-5.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
: 1635595 (view as bug list)
Environment:
Last Closed: 2021-05-18 15:03:54 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+

Attachments (Terms of Use)
gdm cert select for verification (293.39 KB, image/png)
2021-01-11 17:38 UTC, Scott Poore 		no flags Details
View All


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 5400 0 None closed Can't login with smartcard with multiple certs having same ID value 2021-01-11 15:07:37 UTC

Description adam winberg 2018-09-20 14:04:53 UTC 
Description of problem:

While testing smartcard login with SSSD on RHEL 7.6, i was not able to get login via GDM to work. I have two certificates on my card, for two different users. Logging in on console works great, I get prompted to choose which cert I want to use and then PIN input. 

In GDM, I also get prompted to choose which cert to use (using the 'allow_missing_name' option to pam_sss), but in this list there is only one cert to choose from. It is the one I want to use, but it seems odd. When i choose this cert I get a PIN prompt but then login fails. 

Looking in p11_child.log (with sss_debug set to 8) I see:

(Thu Sep 20 15:40:00 2018) [[sssd[p11_child[5424]]]] [main] (0x0400): p11_child started.
(Thu Sep 20 15:40:00 2018) [[sssd[p11_child[5424]]]] [main] (0x2000): Running in [auth] mode.
(Thu Sep 20 15:40:00 2018) [[sssd[p11_child[5424]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Sep 20 15:40:00 2018) [[sssd[p11_child[5424]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Sep 20 15:40:01 2018) [[sssd[p11_child[5424]]]] [do_card] (0x0010): More than one certificate found for authentication, aborting!
(Thu Sep 20 15:40:01 2018) [[sssd[p11_child[5424]]]] [main] (0x0040): do_work failed.
(Thu Sep 20 15:40:01 2018) [[sssd[p11_child[5424]]]] [main] (0x0020): p11_child failed!


So even though I choose a cert in GDM the user information does not seem to pass on to SSSD. Since this process works as expected in a console I surmise that there is something in GDM that gets confused.



Version-Release number of selected component (if applicable):
gdm-3.28.2-7.el7.x86_64
sssd-1.16.2-7.el7.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup smartcard auth with sssd
2. Log in with smartcard with multiple certs in GDM 
3.

Actual results:
Login failed

Expected results:
Login success

Additional info:
I normally use pam_pkcs11 for smartcard auth so I can't say if this works or not in RHEL7.5
Comment 2 Sumit Bose 2018-09-20 18:58:05 UTC 
Hi,

can you set debug_level=9 in the [pam] section, restart SSSD, run a console login test and a GDM login attempt and attach the sssd_pam.log and p11_child.log files to this ticket? (Feel free to send them to me directly if you think the logs might contains data not suitable for a public ticket).

bye,
Sumit
Comment 3 adam winberg 2018-09-21 08:11:25 UTC 
Have sent email with requested SSSD logs attached
Comment 4 Sumit Bose 2018-09-24 09:00:30 UTC 
Hi,

thank you for the logs. They show that both certificates have the same ID value. Typically the ID is used to connect the certificate with the private key stored on the Smartcard. So I wonder if both certificates on your Smartcard are expected to use the same private key?

The reason why the GDM login fails is that internally key-value pairs are used to handle the prompts and SSSD just uses the certificate ID as key.

To better understand the layout of your Smartcard it would be nice if you can send me the output of

    p11tool --provider /usr/lib64/pkcs11/opensc-pkcs11.so --list-all  --login

(you might have to replace /usr/lib64/pkcs11/opensc-pkcs11.so with the PKCS#11 module you use, p11tool is part of the gnutls-utils package)

bye,
Sumit
Comment 5 adam winberg 2018-09-24 09:41:02 UTC 
sent output from p11tool via email.

As you say it seems that we use the same private key for both certs. Is that an uncommon solution?
Comment 6 Sumit Bose 2018-09-24 10:09:55 UTC 
Thank you for the p11tool output. There are 2 private keys on the card, but according to the IDs only one is used to both certificates.

What I've seen so far is that if a certificate expires and the public-private key pair is still considered strong enough a new certificate is requested with the old  private key. This way you can have multiple certificates with the same private keys on a Smartcard, but here only one is valid because the others are already expired.

Nevertheless I'll make sure that SSSD will not use only the ID as key for the GDM based authentication in a upcoming SSSD release.
Comment 9 adam winberg 2020-04-14 09:00:29 UTC 
I can chime in here as OP, and we have migrated to RHEL8 so for our sake this change is not needed in RHEL7.
Comment 18 Sumit Bose 2020-11-16 16:21:11 UTC 
Upstream ticket:
https://github.com/SSSD/sssd/issues/5400
Comment 19 Sumit Bose 2020-11-16 16:50:49 UTC 
Hi Scott,

please have a look at https://github.com/sumit-bose/sssd/blob/multiple_certs_same_id/src/tests/test_CA/Makefile.am#L143 for the commands I use to create a SoftHSM2 token with 2 certificates using the same key and sharing the same ID for a unit test.

The unit test already covers the 'More than one certificate found for authentication, aborting!' part of the issue. For testing only GDM login tests are needed to cover the "In GDM, I also get prompted to choose which cert to use (using the 'allow_missing_name' option to pam_sss), but in this list there is only one cert to choose from." issue. Just checking if GDM show both certificates to select from would be sufficient but I guess it would good to make sure the whole authentication works in this case as well.

bye,
Sumit
Comment 20 Scott Poore 2020-11-16 17:14:50 UTC 
Sumit, 

Thanks for the pointer.  

One question about that though.  Where does SSSD_test_cert_0006.config come from?  I only see 1-5 in the test_CA directory.  I'm assuming the only difference from say the 0001.config file is the CN?
Comment 21 Sumit Bose 2020-11-16 17:27:25 UTC 
(In reply to Scott Poore from comment #20)
> Sumit, 
> 
> Thanks for the pointer.  
> 
> One question about that though.  Where does SSSD_test_cert_0006.config come
> from?  I only see 1-5 in the test_CA directory.  I'm assuming the only
> difference from say the 0001.config file is the CN?

ah, thanks for the hint, I forgot to include it in the commit. I pushed a new version, please check again.

bye,
Sumit
Comment 22 Scott Poore 2020-11-16 23:27:51 UTC 
I see it now.  Thanks
Comment 25 Sumit Bose 2020-12-16 14:58:15 UTC 
Upstream master:
        f633f37 - add tests multiple certs same id
        b8800d3 - pam_sss: add certificate label to reply to pam_sss
        8b6be52 - authtok: add label to Smartcard token
        1b9b7f5 - pam_sss: use unique id for gdm choice list
Comment 35 Scott Poore 2021-01-11 17:37:58 UTC 
Verified.

Version ::

sssd-2.4.0-5.el8.x86_64

Results ::

[root@rhel8-6 ~]# pushd $TEST_CA
/opt/test_ca ~

[root@rhel8-6 test_ca]# NAME=localuser1

[root@rhel8-6 test_ca]# cat > req_${NAME}.cnf <<EOF
> [ req ]
> distinguished_name = req_distinguished_name
> prompt = no
> 
> [ req_distinguished_name ]
> O = Example
> OU = Example Test
> CN = ${NAME}
> 
> [ req_exts ]
> basicConstraints = CA:FALSE
> nsCertType = client, email
> nsComment = "${NAME}"
> subjectKeyIdentifier = hash
> keyUsage = critical, nonRepudiation, digitalSignature
> extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin
> subjectAltName = otherName:msUPN;UTF8:${NAME}@EXAMPLE.COM, email:${NAME}@example.com
> EOF

[root@rhel8-6 test_ca]# NAME=localuser1_2

[root@rhel8-6 test_ca]# cat > req_${NAME}.cnf <<EOF
> [ req ]
> distinguished_name = req_distinguished_name
> prompt = no
> 
> [ req_distinguished_name ]
> O = Example
> OU = Example Test
> CN = ${NAME}
> 
> [ req_exts ]
> basicConstraints = CA:FALSE
> nsCertType = client, email
> nsComment = "${NAME}"
> subjectKeyIdentifier = hash
> keyUsage = critical, nonRepudiation, digitalSignature
> extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin
> subjectAltName = otherName:msUPN;UTF8:${NAME}@EXAMPLE.COM, email:${NAME}@example.com
> EOF

[root@rhel8-6 test_ca]# NAME=localuser1

[root@rhel8-6 test_ca]# openssl genrsa -out ${NAME}.key 2048
Generating RSA private key, 2048 bit long modulus (2 primes)
..+++++
....+++++
e is 65537 (0x010001)

[root@rhel8-6 test_ca]# openssl req -new -nodes -key ${NAME}.key \
>     -reqexts req_exts -config req_${NAME}.cnf -out ${NAME}.csr

[root@rhel8-6 test_ca]# openssl ca -config ca.cnf -batch -notext \
>     -keyfile rootCA.key -in ${NAME}.csr -days 365 \
>     -extensions usr_cert -out ${NAME}.crt
Using configuration from ca.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 136485 (0x21525)
        Validity
            Not Before: Jan 11 16:22:16 2021 GMT
            Not After : Jan 11 16:22:16 2022 GMT
        Subject:
            organizationName          = Example
            organizationalUnitName    = Example Test
            commonName                = localuser1
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:45:0B:2B:A4:5F:E8:43:53:F1:C3:DF:2E:12:B2:CD:00:5E:90:23:89

            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, S/MIME
            Netscape Comment: 
                localuser1
            X509v3 Subject Key Identifier: 
                AA:65:A7:AC:44:CB:56:55:56:C1:A4:3D:94:1B:41:95:49:99:49:CC
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcard Login
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, email:localuser1
Certificate is to be certified until Jan 11 16:22:16 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated

[root@rhel8-6 test_ca]# openssl req -new -nodes -key localuser1.key \
>     -reqexts req_exts -config req_localuser1_2.cnf -out localuser1_2.csr

[root@rhel8-6 test_ca]# openssl ca -config ca.cnf -batch -notext     -keyfile rootCA.key -in localuser1_2.csr -days 365 -extensions usr_cert -out localuser1_2.crt
Using configuration from ca.cnf
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 136487 (0x21527)
        Validity
            Not Before: Jan 11 16:23:53 2021 GMT
            Not After : Jan 11 16:23:53 2022 GMT
        Subject:
            organizationName          = Example
            organizationalUnitName    = Example Test
            commonName                = localuser1_2
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:45:0B:2B:A4:5F:E8:43:53:F1:C3:DF:2E:12:B2:CD:00:5E:90:23:89

            X509v3 Basic Constraints: 
                CA:FALSE
            Netscape Cert Type: 
                SSL Client, S/MIME
            Netscape Comment: 
                localuser1_2
            X509v3 Subject Key Identifier: 
                AA:65:A7:AC:44:CB:56:55:56:C1:A4:3D:94:1B:41:95:49:99:49:CC
            X509v3 Key Usage: critical
                Digital Signature, Non Repudiation
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, E-mail Protection, Microsoft Smartcard Login
            X509v3 Subject Alternative Name: 
                othername:<unsupported>, email:localuser1_2
Certificate is to be certified until Jan 11 16:23:53 2022 GMT (365 days)

Write out database with 1 new entries
Data Base Updated


[root@rhel8-6 pam.d]# rm -rf /var/lib/sss/tokens

[root@rhel8-6 pam.d]# mkdir /var/lib/sss/tokens

[root@rhel8-6 pam.d]# export SOFTHSM2_CONF=/etc/sssd/conf.d/softhsm2_conf

[root@rhel8-6 pam.d]# softhsm2-util --init-token --slot 0 --label "My token 1" --pin redhat --so-pin redhat
The token has been initialized and is reassigned to slot 2053371761

[root@rhel8-6 pam.d]# pushd $TEST_CA/
/opt/test_ca /etc/pam.d ~

[root@rhel8-6 test_ca]# pkcs11-tool --module libsofthsm2.so --write-object localuser1.key --type privkey --label localuser1 --pin redhat --id 01
Using slot 0 with a present token (0x7a63f771)
Created private key:
Private Key Object; RSA 
  label:      localuser1
  ID:         01
  Usage:      decrypt, sign, unwrap
  Access:     sensitive

[root@rhel8-6 test_ca]# pkcs11-tool --module libsofthsm2.so --write-object localuser1.crt --type cert --label localuser1 --pin redhat --id 01
Using slot 0 with a present token (0x7a63f771)
Created certificate:
Certificate Object; type = X.509 cert
  label:      localuser1
  subject:    DN: O=Example, OU=Example Test, CN=localuser1
  ID:         01

[root@rhel8-6 test_ca]# pkcs11-tool --module libsofthsm2.so --write-object localuser1_2.crt --type cert --label localuser1_2 --pin redhat --id 01
Using slot 0 with a present token (0x7a63f771)
Created certificate:
Certificate Object; type = X.509 cert
  label:      localuser1_2
  subject:    DN: O=Example, OU=Example Test, CN=localuser1_2
  ID:         01

[root@rhel8-6 test_ca]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel8-6 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
Please select a certificate by typing the corresponding number

[1]:
localuser1_2
CN=localuser1_2,OU=Example Test,O=Example

[2]:
localuser1
CN=localuser1,OU=Example Test,O=Example
1
Certificate ‘01’ selected
PIN for My token 1: 
localuser1

[root@rhel8-6 test_ca]# su - localuser1 -c 'su - localuser1 -c whoami'
Please select a certificate by typing the corresponding number

[1]:
localuser1_2
CN=localuser1_2,OU=Example Test,O=Example

[2]:
localuser1
CN=localuser1,OU=Example Test,O=Example
2
Certificate ‘01’ selected
PIN for My token 1: 
localuser1

GDM also shows "Please select a certificate" with the 2 options listed.  Will attach image for that as well.
Comment 36 Scott Poore 2021-01-11 17:38:38 UTC 
Created attachment 1746380 [details]
gdm cert select for verification
Comment 38 errata-xmlrpc 2021-05-18 15:03:54 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1666
Note You need to log in before you can comment on or make changes to this bug.