Ticket #546 (new enhancement)

Opened 4 years ago

Last modified 5 months ago

[RFE] Support for smart cards

Reported by: nalin Owned by: nalin
Priority: critical Milestone: SSSD 1.13 beta
Component: Kerberos Provider Version:
Keywords: Cc: kashyapc
Blocked By: Blocking:
Tests Updated: no Coverity Bug:
Patch Submitted: no Red Hat Bugzilla: 854396, 865120
Design link:
Feature Milestone:
Design review: no Fedora test page:
Chosen: Not need Candidate to push out: no
Release Notes:

Description

I'd like for sssd to support using a smart card for authentication. There are two general cases that I'd like to see working:

  • smart card by itself
  • smart card used to obtain Kerberos TGTs

In configurations where sssd is using a directory server without Kerberos, it can use information in the directory to verify, once the user-supplied PIN has allowed it to access a token which it could not previously access, that the certificate was issued to the user who is attempting to log in.

If sssd is configured to use Kerberos, it lets the KDC decide that question by attempting to use the newly-available token to obtain a TGT for the user via PKINIT.

Change History

comment:1 Changed 4 years ago by sgallagh

  • Owner changed from somebody to sbose
  • Component changed from SSSD to Kerberos Provider
  • Milestone changed from NEEDS_TRIAGE to SSSD 1.4.0

comment:2 Changed 4 years ago by sgallagh

  • tests changed from 0 to 1

comment:3 Changed 4 years ago by nalin

This request applies to non-Kerberos cases as well. Verifying that the certificate matches the user who is attempting to authenticate is much simpler if we can, for example, check that

  • an rfc822Name subjectAltName in the certificate matches the mail attribute from the user's directory entry, or that
  • the certificate's subject name matches the DN of the user's entry, or that
  • the certificate is stored as the user's entry's userCertificate attribute, or
  • after using the certificate and private key to authenticate to the directory and then asking the directory who it thinks just authenticated to it, it gives us the user's name or entry

Other people will undoubtedly have other methods that they would expect to be supported.

comment:4 Changed 4 years ago by dpal

  • Owner changed from sbose to sgallagh
  • Milestone changed from SSSD 1.4.0 to SSSD 1.5.0

comment:5 Changed 3 years ago by dpal

Make sure all this works in the offline case.

comment:6 Changed 3 years ago by dpal

  • upgrade set to 0
  • Milestone changed from SSSD 1.6.0 to SSSD 1.7.0

comment:7 Changed 3 years ago by rcritten

  • Patch Submitted unset

It would be helpful to have CAC support (http://www.cac.mil/) to support HSPD-12.

comment:8 Changed 3 years ago by dpal

  • Milestone changed from SSSD 1.8.0 to SSSD 1.9.0

comment:9 Changed 3 years ago by nalin

In the Kerberos cases, once SSSD has mapped the certificate to a known user (or verified the mapping, if the user needed to supply a name -- SSSD could keep track of the last N subject key ID values or token names that it's seen to "remember" the user name), SSSD can read the client's principal name from the directory or the certificate and then immediately attempt PKINIT.

When doing PKINIT, SSSD can point libkrb5 at the same PKCS11 module and token that was just used. It can supply a NULL password and a prompter callback to krb5_get_init_creds_password(), ensure that it only supplies the card PIN when asked for KRB5_PROMPT_TYPE_PREAUTH, and return errors otherwise.

This would be much simpler and less error-prone than trying to make sure that all of the involved PAM modules "know" when the PAM_AUTHTOK item is a PIN and not a password, so that we don't attempt password-based preauth with a PIN or vice-versa.

comment:10 Changed 3 years ago by nalin

One configurable thing we should add to this list is a check for the presence of a specified OID in the EKU extension in a certificate on the card -- other OSs support limiting login access (as opposed to generally being able to use the card) based on whether or not a vendor-specific OID is present, and organizations may have designated a site-specific OID for that purpose.
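The mapping checks from comment 3 (rfc822Name SAN vs. mail, subject DN vs. entry DN, certificate stored in userCertificate) and the EKU OID gate from comment 10, written out as an added example; this is not SSSD code. It assumes the certificate fields have already been extracted by the PKCS#11/X.509 layer and uses constructed directory entries, and the DN normalization is a simplification of full LDAP DN matching.

```python
from dataclasses import dataclass, field
from typing import List

@dataclass
class CardCert:  # fields assumed already parsed by the PKCS#11 / X.509 layer
    subject_dn: str
    rfc822_names: List[str] = field(default_factory=list)  # subjectAltName rfc822Name
    eku_oids: List[str] = field(default_factory=list)      # extendedKeyUsage OIDs
    der: bytes = b""                                       # raw DER encoding

@dataclass
class UserEntry:  # the directory-entry attributes the checks need
    name: str
    dn: str
    mail: List[str] = field(default_factory=list)
    user_certificate: List[bytes] = field(default_factory=list)

def normalize_dn(dn: str) -> str:
    # Lower-case types, trim and case-fold values (a simplification of LDAP DN matching).
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().casefold()}")
    return ",".join(parts)

def mail_matches(san: str, mail: str) -> bool:
    s_local, _, s_dom = san.rpartition("@")   # local part exact, domain case-insensitive
    m_local, _, m_dom = mail.rpartition("@")
    return s_local == m_local and s_dom.casefold() == m_dom.casefold()

def cert_matches_user(cert: CardCert, user: UserEntry) -> bool:
    if cert.der and cert.der in user.user_certificate:         # stored in userCertificate
        return True
    if normalize_dn(cert.subject_dn) == normalize_dn(user.dn):  # subject == entry DN
        return True
    return any(mail_matches(s, m) for s in cert.rfc822_names for m in user.mail)

def map_certificate(cert: CardCert, users: List[UserEntry], required_eku: str = None):
    # Site policy (comment 10): refuse login unless the designated EKU OID is present.
    if required_eku and required_eku not in cert.eku_oids:
        return None
    # Exactly one entry must match; an ambiguous mapping is refused rather than guessed.
    matches = {u.name for u in users if cert_matches_user(cert, u)}
    return matches.pop() if len(matches) == 1 else None

USERS = [  # constructed sample directory for a stand-alone run
    UserEntry("alice", "uid=alice,ou=people,dc=example,dc=com", ["alice@Example.com"]),
    UserEntry("bob", "uid=bob,ou=people,dc=example,dc=com", ["bob@example.com"],
              [b"\x30\x82constructed-der"]),
]
```

A certificate that matches two different entries by different rules is rejected, which is the failure mode a mapping that stops at the first hit would silently accept.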

comment:11 Changed 3 years ago by sejeff

The developer working on this might find this (not spam) useful.

comment:12 Changed 2 years ago by kashyapc

  • Cc kashyapc added

comment:13 Changed 2 years ago by dpal

  • Milestone changed from SSSD 1.9.0 to SSSD Kerberos improvements

comment:14 Changed 2 years ago by dpal

  • Priority changed from major to blocker

comment:15 Changed 2 years ago by dpal

  • Red Hat Bugzilla set to 0

comment:16 Changed 20 months ago by dpal

  • proposed_priority set to Blocker

comment:17 Changed 20 months ago by jgalipea

  • Red Hat Bugzilla changed from 0 to todo
  • Summary changed from Support for smart cards to [RFE] Support for smart cards

comment:18 Changed 20 months ago by dpal

  • Milestone changed from SSSD Kerberos Improvements Feature to SSSD 1.10 beta

Moving all the features planned for 1.10 release into 1.10 beta.

comment:19 Changed 20 months ago by dpal

  • Red Hat Bugzilla changed from todo to [https://bugzilla.redhat.com/show_bug.cgi?id=854396 854396]

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=854396

comment:20 Changed 16 months ago by dpal

  • Chosen set to Not need
  • Design review unset

comment:21 Changed 16 months ago by dpal

  • Milestone changed from SSSD 1.10 beta to SSSD 1.11 beta

Moving tickets that are not a priority for SSSD 1.10 into the next release.

comment:22 Changed 16 months ago by arubin

  • Priority changed from blocker to critical

comment:23 Changed 16 months ago by arubin

  • Priority changed from critical to major

comment:24 Changed 10 months ago by dpal

  • Red Hat Bugzilla changed from [https://bugzilla.redhat.com/show_bug.cgi?id=854396 854396] to [https://bugzilla.redhat.com/show_bug.cgi?id=854396 854396], [https://bugzilla.redhat.com/show_bug.cgi?id=865120 865120]

Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=865120 (RHEL RFE)

comment:25 Changed 9 months ago by dpal

  • Owner changed from sgallagh to nalin
  • Candidate to push out unset
  • Milestone changed from SSSD 1.12 beta to Interim Bucket
  • Priority changed from major to critical

comment:26 Changed 9 months ago by dpal

  • Milestone changed from Interim Bucket to SSSD 1.12 beta

comment:27 Changed 5 months ago by dpal

  • Milestone changed from SSSD 1.12 beta to SSSD 1.13 beta