Bug 1660899 - self signed certificate from yubikey: does not match matching rules and is ignored (p11_child_response) in sssd_pam.log
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: sssd
Version: 29
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Jakub Hrozek
QA Contact: Fedora Extras Quality Assurance
Reported: 2018-12-19 15:01 UTC by Christoph Sievers
Modified: 2019-07-05 14:47 UTC (History)

Last Closed: 2019-07-05 14:47:26 UTC
Type: Bug



Description Christoph Sievers 2018-12-19 15:01:24 UTC
Description of problem:

sssd seems to be picky about the fields it expects to match a certificate. I get a "does not match matching rules and is ignored." from parse_p11_child_response in the sssd_pam log when using a YubiKey.

Users of yubico-piv-tool who create a key/certificate on the YubiKey will get a self-signed certificate that probably lacks the Key Usage field needed by p11_child?

Version-Release number of selected component (if applicable):

2.0.0-4 but also the latest version

How reproducible:

Configure the system to use a certificate generated by yubico-piv-tool.


Actual results:

sudo -i
[sudo] Password for fubar

Expected results:

sudo -i
PIN for fubar ************

Additional info:

I've been told sbose already knows about how to get this fixed.

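The reporter's hypothesis above is that a yubico-piv-tool self-signed certificate lacks the Key Usage field that p11_child's matching rules look for. The script below is an added example, not code from this bug report or from the sssd or yubico-piv-tool projects: it uses the openssl CLI to build two constructed self-signed certificates, one bare and one carrying keyUsage=digitalSignature plus extendedKeyUsage=clientAuth, and reports whether each one has both. The attributes it checks are an assumption about what a rule of the form <KU>digitalSignature<EKU>clientAuth from sss-certmap(5) would require, not a statement of the rule sssd 2.0.0 applied; the filenames and function names are made up for the example.

```shell
#!/bin/sh
# Added example, not code from sssd or yubico-piv-tool. Uses the openssl CLI
# (1.1.1 or newer, for -addext) to show what a bare self-signed certificate
# carries compared with one that sets Key Usage and Extended Key Usage.
# Assumption: the attributes checked (digitalSignature, clientAuth) are the
# ones a rule such as <KU>digitalSignature<EKU>clientAuth from sss-certmap(5)
# would require; they are not a statement of the rule sssd 2.0.0 applied.
set -eu

# Print the value line that follows the KU and EKU headers in the text dump
# of a PEM certificate; prints nothing for an extension that is absent.
cert_usage() {
    openssl x509 -in "$1" -noout -text 2>/dev/null \
        | sed -n -e '/X509v3 Key Usage/{n;p;}' \
                 -e '/X509v3 Extended Key Usage/{n;p;}'
}

# Succeed (exit 0) only when the certificate has both KU digitalSignature and
# EKU clientAuth, as openssl prints them.
cert_has_client_auth_usage() {
    usage=$(cert_usage "$1")
    case "$usage" in *"Digital Signature"*) ;; *) return 1 ;; esac
    case "$usage" in *"TLS Web Client Authentication"*) return 0 ;; *) return 1 ;; esac
}

# Constructed samples (hypothetical filenames): bare.pem has no KU/EKU,
# modelling a minimal self-signed certificate; usage.pem sets both explicitly.
make_samples() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=fubar" \
        -keyout "$dir/bare.key" -out "$dir/bare.pem" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=fubar" \
        -addext "keyUsage=critical,digitalSignature" \
        -addext "extendedKeyUsage=clientAuth" \
        -keyout "$dir/usage.key" -out "$dir/usage.pem" >/dev/null 2>&1
}

# Demo: build both samples in a scratch directory and report each one.
workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
make_samples "$workdir"
for name in bare usage; do
    if cert_has_client_auth_usage "$workdir/$name.pem"; then
        echo "$name.pem: has digitalSignature and clientAuth"
    else
        echo "$name.pem: missing digitalSignature and/or clientAuth"
        echo "  KU/EKU lines present: $(cert_usage "$workdir/$name.pem" | tr -s ' ' | tr '\n' ';')"
    fi
done
```

To run the same check against the certificate actually on the card, export it first (for the PIV Authentication slot: `yubico-piv-tool -s 9a -a read-certificate > card.pem`) and pass the file to cert_usage; if it prints nothing, the certificate carries neither extension and a matching rule that names KU or EKU cannot match it.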
Comment 1 Christoph Sievers 2019-01-09 14:53:53 UTC
can I help with anything else?

Comment 2 Sumit Bose 2019-01-09 15:38:19 UTC
(In reply to Christoph Sievers from comment #1)
> can I help with anything else?

no, the delay was just caused by the holidays.

Comment 3 Christoph Sievers 2019-05-12 19:15:41 UTC
I'm not using the feature anymore.

Comment 4 Christoph Sievers 2019-05-13 11:06:58 UTC
insufficient data? Actually sbose had all needed data. Not sure if he decided not to implement it.

Comment 5 Sumit Bose 2019-05-13 15:42:18 UTC
I'm sorry, that's my fault, I completely forgot to send the related pull-request to fix the issue. I just opened https://github.com/SSSD/sssd/pull/814 for this. Currently the CI still finds issues, but this way it won't get lost again.

bye,
Sumit

Comment 6 Lukas Slebodnik 2019-05-13 16:25:17 UTC
(In reply to Sumit Bose from comment #5)
> I'm sorry, that's my fault, I completely forgot to send the related
> pull-request to fix the issue. I just opened
> https://github.com/SSSD/sssd/pull/814 for this. Currently the CI still finds
> issues, but this way it won't get lost again.
> 

Do you plan also to reopen this BZ?

Comment 7 Jakub Hrozek 2019-05-28 21:27:06 UTC
By the way, the patches were merged to master:
f91d54e2d56f5babca6f6b3ca6e1a158fa889b45
b0525a69c1dd979dcfabf5b24fe6b023a7d919fb
e122f495b98123db2f065b2c557d7b8d2f776a10
1c40208aa1e0f9a17cc4f336c99bcaa6977592d3
e1734ba828470d00370c44c95da56822fdcc104d
aef8e49b7ee2e7743d6981070d61bc89b7c8fcfb

Comment 8 Jakub Hrozek 2019-05-28 21:27:42 UTC
I guess it would be nice to have the bug closed properly in an update..

Comment 9 Jakub Hrozek 2019-07-05 14:47:26 UTC
Well, we forgot to include the bug in an update and because the reporter is no longer interested, let's just close the bugzilla..

