Description of problem:
sssd seems to be picky about the fields it expects to match a certificate. I get a "does not match matching rules and is ignored." from parse_p11_child_response in the sssd_pam log using a yubikey. Users of yubico-piv-tool who create a key/certificate on the yubikey will get a self-signed certificate that probably lacks the Key Usage field needed for p11_child?
Version-Release number of selected component (if applicable):
2.0.0-4 but also the latest version
How reproducible:
Configure the system to use the certificate of a yubico-piv-tool generated certificate.
Actual results:
sudo -i
[sudo] Password for fubar
Expected results:
sudo -i
PIN for fubar ************
Additional info:
I've been told sbose already knows about how to get this fixed.
Can I help with anything else?
(In reply to Christoph Sievers from comment #1)
> can I help with anything else?
No, the delay was just caused by the holidays.
I'm not using the feature anymore.
Insufficient data? Actually sbose had all needed data. Not sure if he decided not to implement it.
I'm sorry, that's my fault, I completely forgot to send the related pull-request to fix the issue. I just opened https://github.com/SSSD/sssd/pull/814 for this. Currently the CI still finds issues, but this way it won't get lost again.
bye,
Sumit
(In reply to Sumit Bose from comment #5)
> I'm sorry, that's my fault, I completely forgot to send the related
> pull-request to fix the issue. I just opened
> https://github.com/SSSD/sssd/pull/814 for this. Currently the CI still finds
> issues, but this way it won't get lost again.
>
Do you plan also to reopen this BZ?
By the way, the patches were merged to master: f91d54e2d56f5babca6f6b3ca6e1a158fa889b45 b0525a69c1dd979dcfabf5b24fe6b023a7d919fb e122f495b98123db2f065b2c557d7b8d2f776a10 1c40208aa1e0f9a17cc4f336c99bcaa6977592d3 e1734ba828470d00370c44c95da56822fdcc104d aef8e49b7ee2e7743d6981070d61bc89b7c8fcfb
I guess it would be nice to have the bug closed properly in an update.
Well, we forgot to include the bug in an update and because the reporter is no longer interested, let's just close the bugzilla.