#3500 Make sure sssd is a replacement for pam_pkcs11 also for local account authentication
Closed: Fixed 10 months ago Opened 2 years ago by jhrozek.

pam_pkcs11 is no longer maintained upstream: https://github.com/OpenSC/pam_pkcs11/blob/master/README.md

And it doesn't even build with the latest OpenSSL. In the meantime, SSSD gained many capabilities to support smart card authentication.

This ticket is more of a task tracker to remind us that we need to test and document the use case of a local user with a smart card. Chances are no code changes are required in SSSD, but there might be changes required to the PAM stack.

Documenting this would enable other distributions to either reuse our documentation or right away tune their default PAM stack.


Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.0

2 years ago

Metadata Update from @jhrozek:
- Issue priority set to: blocker

2 years ago

As pam_pkcs11 is going away and is being replaced by pam_sssd for local smart card authentication, what are your plans for closer specification of the PKCS#11 slot/object that will be used to authenticate users?

pam_pkcs11 had the options slot_description and slot_num, which were able to restrict the selection in a cumbersome way (given that slot numbers are not guaranteed to be stable, if I am right).

So far, I see you only specify pam_cert_db_path and the rest of it is handled by NSS. Do you plan to implement a way of clarifying the token/certificate objects, such as PKCS#11 URIs (RFC 7512)?
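As an added illustration of the RFC 7512 selection asked about in this comment (example code, not SSSD, pam_pkcs11 or NSS code): a small PKCS#11 URI parser and matcher run over constructed token records, showing that a URI pinned by serial selects the same card whichever slot it is enumerated into, whereas a slot number does not.

```python
from urllib.parse import unquote_to_bytes

# Path attributes defined by RFC 7512; the slot-* ones are what pam_pkcs11 offered
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-description", "slot-manufacturer", "slot-id"}
OBJECT_ATTRS = {"object", "type", "id"}  # the rest describe the token/slot/library

def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs); raise ValueError on malformed input."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part in (path.split(";") if path else []):
        name, sep, value = part.partition("=")
        if not sep or name not in PATH_ATTRS or name in attrs:
            raise ValueError(f"bad or duplicate path attribute: {part!r}")
        raw = unquote_to_bytes(value)  # percent-decode; 'id' stays binary
        attrs[name] = raw if name == "id" else raw.decode("utf-8")
    query_attrs = {}
    for part in (query.split("&") if query else []):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"bad query attribute: {part!r}")
        query_attrs[name] = unquote_to_bytes(value).decode("utf-8")
    return attrs, query_attrs

def matches(attrs, token, obj):
    """RFC 7512 matching: every attribute present in the URI must equal the
    token's (or object's) value; attributes absent from the URI are wildcards."""
    return all((obj if n in OBJECT_ATTRS else token).get(n) == v
               for n, v in attrs.items())

def select_objects(uri, tokens):
    """Return (token label, object label) pairs that the URI selects."""
    attrs, _ = parse_pkcs11_uri(uri)
    return [(t["token"], o["object"]) for t in tokens
            for o in t["objects"] if matches(attrs, t, o)]

# Constructed token records (keys are RFC 7512 attribute names), not real readers:
# two identical card models differing only in serial; slot ids may swap on reboot.
CERT = {"object": "Certificate for PIV Authentication", "type": "cert", "id": b"\x01"}
TOKENS = [
    {"token": "PIV_II", "manufacturer": "piv_II", "model": "PKCS#15",
     "serial": "0000000000000001", "slot-id": "1", "objects": [CERT]},
    {"token": "PIV_II", "manufacturer": "piv_II", "model": "PKCS#15",
     "serial": "0000000000000002", "slot-id": "0", "objects": [CERT]},
]
```

`select_objects("pkcs11:serial=0000000000000002;type=cert", TOKENS)` picks exactly the second card, while `pkcs11:slot-id=1` picks whichever card the reader enumeration put in slot 1.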

Metadata Update from @sbose:
- Issue assigned to sbose

a year ago

Commit d724ea3 relates to this ticket

First two patches are laying the groundwork:
* d724ea3
* 72099c3

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 2.1 (was: SSSD 2.0)

11 months ago

Metadata Update from @jhrozek:
- Custom field rhbz adjusted to https://bugzilla.redhat.com/show_bug.cgi?id=1615417

11 months ago

It would be great to have this! Especially if in sss_user_mod there is a way to add the userCertificate etc. Making the enrollment process painless is super important. I look forward to seeing this!

Metadata Update from @sbose:
- Custom field patch adjusted to on

10 months ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

10 months ago
