Bug 854396 - [RFE] Support for smart cards
Summary: [RFE] Support for smart cards
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Sumit Bose
QA Contact: Kaushik Banerjee
Docs Contact: Aneta Šteflová Petrová
Depends On:
Blocks: 796928 865120 1181710 1270027
Reported: 2012-09-04 21:33 UTC by Dmitri Pal
Modified: 2020-05-02 16:15 UTC (History)

Fixed In Version: sssd-1.13.0-11.el7
Doc Type: Release Note
Doc Text:
SSSD smart card support
SSSD now supports smart cards for local authentication. With this feature, the user can use a smart card to log on to the system using a text-based or graphical console, as well as local services such as the sudo service. The user places the smart card into the reader and provides the user name and the smart card PIN at the login prompt. If the certificate on the smart card is verified, the user is successfully authenticated. Note that SSSD does not currently enable the user to acquire a Kerberos ticket using a smart card. To obtain a Kerberos ticket, the user is still required to authenticate using the kinit utility.
Clone Of:
Clones: 1249084 1270027
Last Closed: 2015-11-19 11:35:37 UTC
Target Upstream Version:


Links:
Github SSSD sssd issues 1588: closed, "[RFE] Support for smart cards" (last updated 2020-05-02 16:15:58 UTC)
Red Hat Bugzilla 1081088: no status or summary recorded
Red Hat Product Errata RHSA-2015:2355: normal, SHIPPED_LIVE, "Low: sssd security, bug fix, and enhancement update" (last updated 2015-11-19 10:27:42 UTC)

Description Dmitri Pal 2012-09-04 21:33:44 UTC
This bug is created as a clone of upstream ticket:

I'd like for sssd to support using a smart card for authentication.  There are two general cases that I'd like to see working:
 * smart card by itself
 * smart card used to obtain Kerberos TGTs

In configurations where sssd is using a directory server without Kerberos, it can use information in the directory to verify, once the user-supplied PIN has allowed it to access a token which it could not previously access, that the certificate was issued to the user who is attempting to log in.

If sssd is configured to use Kerberos, it lets the KDC decide that question by attempting to use the newly-available token to obtain a TGT for the user via PKINIT.

Comment 5 Martin Kosek 2015-06-04 09:53:49 UTC
The current development status of this feature was discussed and its scope will be limited for the first release. Authentication is planned to happen only over LDAP and the certificates stored in the user entries (upstream ticket: https://fedorahosted.org/freeipa/ticket/4238).

Kerberos authentication or automatic retrieval of user TGT after authentication (pkinit) will be therefore postponed, given the functionality currently requires special certificate extension (id-pkinit-san) in order to properly map certificates and (user) principals. This is not guaranteed with the primary supported cards (CAC), so we would first need to work on extending our Kerberos backend to provide the mapping ourselves.

Comment 6 Sumit Bose 2015-06-04 10:47:00 UTC
I would like to clarify the sentence "Authentication is planned to happen only over LDAP and the certificates stored in the user entries". The matching user entry will be looked up in LDAP with the help of the certificate. The authentication will happen on the client by validating the CA trust-path of the certificate and by checking if the user knows the PIN by encrypting some random data with the private key on the card and validating the results with the help of the public key ("smart card by itself" from the original description).

Comment 7 Martin Kosek 2015-06-04 11:49:01 UTC
Yes, this is exactly what I meant. Thanks Sumit for clarification.
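The client-side check Sumit describes in comment 6, as an added Python example that is not SSSD's code: it maps the certificate to a user entry (a dict standing in for the LDAP lookup), validates a single-level CA trust path, and proves possession of the card's private key by signing a fresh random challenge after a PIN unlock (what the comment calls encrypting random data with the private key). The CA, the user "alice", the SmartCard class, the PIN and the directory contents are all constructed here; the example uses the pyca/cryptography package.

```python
import os, datetime
from cryptography import x509
from cryptography.x509.oid import NameOID
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa, padding
from cryptography.exceptions import InvalidSignature

def make_cert(cn, issuer_cn, issuer_key, subject_key):
    # Constructed helper: a one-day certificate for cn, signed by issuer_key.
    now = datetime.datetime.now(datetime.timezone.utc)
    name = lambda c: x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, c)])
    return (x509.CertificateBuilder().subject_name(name(cn)).issuer_name(name(issuer_cn))
            .public_key(subject_key.public_key()).serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .sign(issuer_key, hashes.SHA256()))

class SmartCard:
    # Constructed stand-in for a PKCS#11 token: the private key signs only after the right PIN.
    def __init__(self, key, cert, pin):
        self._key, self.cert, self._pin, self._unlocked = key, cert, pin, False
    def login(self, pin):
        self._unlocked = pin == self._pin
        return self._unlocked
    def sign(self, data):
        if not self._unlocked:
            raise PermissionError("token locked")
        return self._key.sign(data, padding.PKCS1v15(), hashes.SHA256())

def chains_to(cert, ca_cert):
    # Single-level trust path: the CA key verifies the signature and the issuer matches the CA.
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes, padding.PKCS1v15(), cert.signature_hash_algorithm)
        return cert.issuer == ca_cert.subject
    except InvalidSignature:
        return False

def authenticate(card, pin, login_name, ca_cert, directory):
    # directory maps DER certificate -> user name, standing in for the LDAP lookup in the comment.
    cert, der = card.cert, card.cert.public_bytes(serialization.Encoding.DER)
    if directory.get(der) != login_name or not chains_to(cert, ca_cert) or not card.login(pin):
        return False  # certificate not issued to this user, untrusted issuer, or wrong PIN
    challenge = os.urandom(32)  # fresh per attempt, so a recorded signature cannot be replayed
    try:
        cert.public_key().verify(card.sign(challenge), challenge, padding.PKCS1v15(), hashes.SHA256())
        return True
    except (PermissionError, InvalidSignature):
        return False

def build_fixture():
    # Constructed trusted CA, user "alice", plus a look-alike card whose cert comes from an untrusted CA.
    ca_key, rogue_key, user_key = (rsa.generate_private_key(65537, 2048) for _ in range(3))
    ca_cert = make_cert("Example CA", "Example CA", ca_key, ca_key)
    good = SmartCard(user_key, make_cert("alice", "Example CA", ca_key, user_key), "1234")
    rogue = SmartCard(user_key, make_cert("alice", "Rogue CA", rogue_key, user_key), "1234")
    directory = {c.cert.public_bytes(serialization.Encoding.DER): "alice" for c in (good, rogue)}
    return ca_cert, directory, good, rogue
```

A real deployment replaces the dict with the LDAP lookup and the SmartCard class with a PKCS#11 session; the order of checks (map, trust path, PIN, challenge) stays the same.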

Comment 8 Jakub Hrozek 2015-06-24 19:00:18 UTC
Assigning to a real owner, just for book-keeping.

Comment 9 Jakub Hrozek 2015-07-31 08:13:05 UTC

Comment 16 Roshni 2015-10-08 20:45:01 UTC
[root@dhcp129-12 ~]# rpm -qi ipa-client
Name        : ipa-client
Version     : 4.2.0
Release     : 12.el7
Architecture: x86_64
Install Date: Wed 30 Sep 2015 03:40:57 PM EDT
Group       : System Environment/Base
Size        : 460096
License     : GPLv3+
Signature   : RSA/SHA256, Thu 24 Sep 2015 01:52:59 AM EDT, Key ID 938a80caf21541eb
Source RPM  : ipa-4.2.0-12.el7.src.rpm
Build Date  : Wed 23 Sep 2015 11:19:36 AM EDT
Build Host  : x86-035.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : IPA authentication for use on clients

[root@dhcp129-12 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.13.0
Release     : 36.el7
Architecture: x86_64
Install Date: Thu 01 Oct 2015 09:49:33 AM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : RSA/SHA256, Wed 30 Sep 2015 11:27:03 AM EDT, Key ID 938a80caf21541eb
Source RPM  : sssd-1.13.0-36.el7.src.rpm
Build Date  : Wed 30 Sep 2015 05:53:03 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

Smartcard login using certs issued by IPA and an external CA was tested based on https://tcms.engineering.redhat.com/case/500937/?from_plan=18963 and https://tcms.engineering.redhat.com/case/505003/?from_plan=18963. There are 2 outstanding bugs, https://bugzilla.redhat.com/show_bug.cgi?id=1266108 and https://bugzilla.redhat.com/show_bug.cgi?id=1267656. Obtaining Kerberos credentials during smartcard login is yet to be supported. Apart from these, all other login tests (gdm login, su and ssh) were executed successfully.

Comment 17 errata-xmlrpc 2015-11-19 11:35:37 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory, and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
