Bug 854396 - [RFE] Support for smart cards
Summary: [RFE] Support for smart cards
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: sssd
Version: 7.0
Hardware: Unspecified
OS: Unspecified
medium
medium
Target Milestone: rc
: ---
Assignee: Sumit Bose
QA Contact: Kaushik Banerjee
Aneta Šteflová Petrová
URL:
Whiteboard:
Depends On:
Blocks: 796928 865120 1181710 1270027
TreeView+ depends on / blocked
 
Reported: 2012-09-04 21:33 UTC by Dmitri Pal
Modified: 2019-10-10 09:04 UTC (History)
10 users (show)

Fixed In Version: sssd-1.13.0-11.el7
Doc Type: Release Note
Doc Text:
SSSD smart card support SSSD now supports smart cards for local authentication. With this feature, the user can use a smart card to log on to the system using a text-based or graphical console, as well as local services such as the sudo service. The user places the smart card into the reader and provides the user name and the smart card PIN at the login prompt. If the certificate on the smart card is verified, the user is successfully authenticated. Note that SSSD does not currently enable the user to acquire a Kerberos ticket using a smart card. To obtain a Kerberos ticket, the user is still required to authenticate using the kinit utility.
Clone Of:
: 1249084 1270027 (view as bug list)
Environment:
Last Closed: 2015-11-19 11:35:37 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2015:2355 normal SHIPPED_LIVE Low: sssd security, bug fix, and enhancement update 2015-11-19 10:27:42 UTC
Red Hat Bugzilla 1081088 None None None Never

Description Dmitri Pal 2012-09-04 21:33:44 UTC
This bug is created as a clone of upstream ticket:
https://fedorahosted.org/sssd/ticket/546

I'd like for sssd to support using a smart card for authentication.  There are two general cases that I'd like to see working:
 * smart card by itself
 * smart card used to obtain Kerberos TGTs

In configurations where sssd is using a directory server without Kerberos, it can use information in the directory to verify, once the user-supplied PIN has allowed it to access a token which it could not previously access, that the certificate was issued to the user who is attempting to log in.

If sssd is configured to use Kerberos, it let the KDC decide that question by attempting to use the newly-available token to obtain a TGT for the user via PKINIT.

Comment 5 Martin Kosek 2015-06-04 09:53:49 UTC
The current development status of this feature was discussed and it's scope will be limited for the first release. Authentication is planned to happen only over LDAP and the certificates stored in the user entries (upstream ticket: https://fedorahosted.org/freeipa/ticket/4238).

Kerberos authentication or automatic retrieval of user TGT after authentication (pkinit) will be therefore postponed, given the functionality currently requires special certificate extension (id-pkinit-san) in order to properly map certificates and (user) principals. This is not guaranteed with the primary supported cards (CAC), so we would first need to work on extending our Kerberos backend to provide the mapping ourselves.

Comment 6 Sumit Bose 2015-06-04 10:47:00 UTC
I would like to clarify the sentence "Authentication is planned to happen only over LDAP and the certificates stored in the user entries". The matching user entry will be looked up in LDAP with the help of the certificate. The authentication will happen on the client by validating the CA trust-path of the certificate and by checking if the user knows the PIN by encrypting some random data with the private key on the card and validating the results with the help of the public key ("smart card by itself" from the orginal description).

Comment 7 Martin Kosek 2015-06-04 11:49:01 UTC
Yes, this is exactly what I meant. Thanks Sumit for clarification.

Comment 8 Jakub Hrozek 2015-06-24 19:00:18 UTC
Assigning to a real owner, just for book-keeping.

Comment 9 Jakub Hrozek 2015-07-31 08:13:05 UTC
master:
    4de84af23db74e13e867985c9093f394c9fa8d51
    5242964d275d0b2e96c9b0d1f8a9958c85d566fc
    a8d887323f83984679a7d9b827a70146656bb7b2
    10703cd558016685ee778e333f1d4490238d46e7
    35f3a213e0f0f2c60e9b5f095a05388e21092ae2
    45726939a48e605b0166521f94300ae04981a3a7
    0d5bb38364a6976e9c85d6349aa13a04d181a090

Comment 16 Roshni 2015-10-08 20:45:01 UTC
[root@dhcp129-12 ~]# rpm -qi ipa-client
Name        : ipa-client
Version     : 4.2.0
Release     : 12.el7
Architecture: x86_64
Install Date: Wed 30 Sep 2015 03:40:57 PM EDT
Group       : System Environment/Base
Size        : 460096
License     : GPLv3+
Signature   : RSA/SHA256, Thu 24 Sep 2015 01:52:59 AM EDT, Key ID 938a80caf21541eb
Source RPM  : ipa-4.2.0-12.el7.src.rpm
Build Date  : Wed 23 Sep 2015 11:19:36 AM EDT
Build Host  : x86-035.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://www.freeipa.org/
Summary     : IPA authentication for use on clients


[root@dhcp129-12 ~]# rpm -qi sssd
Name        : sssd
Version     : 1.13.0
Release     : 36.el7
Architecture: x86_64
Install Date: Thu 01 Oct 2015 09:49:33 AM EDT
Group       : Applications/System
Size        : 35147
License     : GPLv3+
Signature   : RSA/SHA256, Wed 30 Sep 2015 11:27:03 AM EDT, Key ID 938a80caf21541eb
Source RPM  : sssd-1.13.0-36.el7.src.rpm
Build Date  : Wed 30 Sep 2015 05:53:03 AM EDT
Build Host  : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon


Smartcard login using certs issued by IPA and external CA were tested based on https://tcms.engineering.redhat.com/case/500937/?from_plan=18963 and https://tcms.engineering.redhat.com/case/505003/?from_plan=18963. There are 2 outstanding bugs https://bugzilla.redhat.com/show_bug.cgi?id=1266108 and https://bugzilla.redhat.com/show_bug.cgi?id=1267656. Obtaining kerberos credentials during smartcard login is yet to be supported. Apart from these all other login tests (gdm login, su and ssh) were executed successfully.

Comment 17 errata-xmlrpc 2015-11-19 11:35:37 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHSA-2015-2355.html


Note You need to log in before you can comment on or make changes to this bug.