I'd like for sssd to support using a smart card for authentication. There are two general cases that I'd like to see working:
- smart card by itself
- smart card used to obtain Kerberos TGTs
In configurations where sssd is using a directory server without Kerberos, it can use information in the directory to verify, once the user-supplied PIN has allowed it to access a token which it could not previously access, that the certificate was issued to the user who is attempting to log in.
If sssd is configured to use Kerberos, it can let the KDC decide that question by attempting to use the newly-available token to obtain a TGT for the user via PKINIT.
component: SSSD => Kerberos Provider
milestone: NEEDS_TRIAGE => SSSD 1.4.0
owner: somebody => sbose
tests: 0 => 1
This request applies to non-Kerberos cases as well. Verifying that the certificate matches the user who is attempting to authenticate is much simpler if we can, for example, check that
- an rfc822Name subjectAltName in the certificate matches the mail attribute from the user's directory entry, or that
- the certificate's subject name matches the DN of the user's entry, or that
- the certificate is stored as the user's entry's userCertificate attribute, or
- after using the certificate and private key to authenticate to the directory and then asking the directory who it thinks just authenticated to it, it gives us the user's name or entry
Other people will undoubtedly have other methods that they would expect to be supported.
milestone: SSSD 1.4.0 => SSSD 1.5.0
owner: sbose => sgallagh
Make sure all this works in the offline case.
milestone: SSSD 1.6.0 => SSSD 1.7.0
upgrade: => 0
It would be helpful to have CAC support (http://www.cac.mil/) to support HSPD-12.
patch: => 0
milestone: SSSD 1.8.0 => SSSD 1.9.0
In the Kerberos cases, once SSSD has mapped the certificate to a known user (or verified the mapping, if the user needed to supply a name -- SSSD could keep track of the last N subject key ID values or token names that it's seen to "remember" the user name), SSSD can read the client's principal name from the directory or the certificate and then immediately attempt PKINIT.
When doing PKINIT, SSSD can point libkrb5 at the same PKCS11 module and token that was just used. It can supply a NULL password and a prompter callback to the krb5_get_init_creds_password(), ensure that it only supplies the card PIN when asked for KRB5_PROMPT_TYPE_PREAUTH, and return errors otherwise.
This would be much simpler and less error-prone than trying to make sure that all of the involved PAM modules "know" when the PAM_AUTHTOK item is a PIN and not a password, so that we don't attempt password-based preauth with a PIN or vice-versa.
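The prompter callback described in the comment above, written out as an added example (not SSSD's or libkrb5's own code): it answers a prompt only when libkrb5 reports its type as KRB5_PROMPT_TYPE_PREAUTH, refuses password prompts and repeat PIN requests, and, when built without -DHAVE_KRB5, falls back to stand-in declarations that mirror the krb5.h types it uses so the logic runs and can be tested without libkrb5. The names pin_state, pin_prompter and krb5_context_stub are this example's own.

```c
/* A PKINIT prompter that answers only PREAUTH (PIN) prompts.  Added example,
 * not SSSD or libkrb5 code.  Build with -DHAVE_KRB5 -lkrb5 for real use;
 * without it the stand-in declarations below mirror the krb5.h types and
 * macros used here, so the decision logic can run and be tested alone. */
#include <string.h>
#ifdef HAVE_KRB5
#include <krb5.h>
#else
typedef long krb5_error_code; typedef int krb5_prompt_type;
typedef struct { int magic; unsigned int length; char *data; } krb5_data;
typedef struct { char *prompt; int hidden; krb5_data *reply; } krb5_prompt;
typedef struct krb5_context_stub { krb5_prompt_type *types; } *krb5_context;
#define KRB5_PROMPT_TYPE_PASSWORD 0x1
#define KRB5_PROMPT_TYPE_PREAUTH  0x4
#define KRB5_LIBOS_CANTREADPWD    (-1765328254L)   /* "can't read password" */
static krb5_prompt_type *krb5_get_prompt_types(krb5_context c) { return c->types; }
#endif

struct pin_state { const char *pin; int used; };   /* prompter's private data */

/* libkrb5 gives each prompt a buffer (reply->data, size reply->length); the
 * prompter writes the answer there and sets length to the answer's length. */
static krb5_error_code pin_prompter(krb5_context ctx, void *data, const char *name,
                                    const char *banner, int num_prompts,
                                    krb5_prompt prompts[])
{
    struct pin_state *st = data;
    krb5_prompt_type *types = krb5_get_prompt_types(ctx);
    int i;
    (void)name; (void)banner;
    if (types == NULL)                 /* cannot tell what is being asked */
        return KRB5_LIBOS_CANTREADPWD;
    for (i = 0; i < num_prompts; i++) {
        size_t len;
        /* Refuse password prompts (never password preauth with a PIN) and any
         * second PIN request, so a wrong PIN is not retried until lockout. */
        if (types[i] != KRB5_PROMPT_TYPE_PREAUTH || st->pin == NULL || st->used)
            return KRB5_LIBOS_CANTREADPWD;
        len = strlen(st->pin);
        if (len + 1 > prompts[i].reply->length)   /* never overrun the buffer */
            return KRB5_LIBOS_CANTREADPWD;
        memcpy(prompts[i].reply->data, st->pin, len + 1);
        prompts[i].reply->length = (unsigned int)len;
        st->used = 1;
    }
    return 0;
}
```

Pass pin_prompter together with a NULL password to krb5_get_init_creds_password(), after pointing libkrb5 at the token that was just unlocked with krb5_get_init_creds_opt_set_pa(ctx, opt, "X509_user_identity", "PKCS11:module_name=<path>:slotid=<n>"), so the PIN is only ever consumed by the PKINIT preauth prompt.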
One configurable thing we should add to this list is a check for the presence of a specified OID in the EKU extension in a certificate on the card -- other OSs support limiting login access (as opposed to generally being able to use the card) based on whether or not a vendor-specific OID is present, and organizations may have designated a site-specific OID for that purpose.
The developer working on this might find this (not spam) useful.
cc: => kashyapc
milestone: SSSD 1.9.0 => SSSD Kerberos improvements
priority: major => blocker
rhbz: => 0
proposed_priority: => Blocker
rhbz: 0 => todo
summary: Support for smart cards => [RFE] Support for smart cards
Moving all the features planned for 1.10 release into 1.10 beta.
milestone: SSSD Kerberos Improvements Feature => SSSD 1.10 beta
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=854396
rhbz: todo => [https://bugzilla.redhat.com/show_bug.cgi?id=854396 854396]
design_review: => 0
selected: => Not need
Moving tickets that are not a priority for SSSD 1.10 into the next release.
milestone: SSSD 1.10 beta => SSSD 1.11 beta
priority: blocker => critical
priority: critical => major
Linked to Bugzilla bug: https://bugzilla.redhat.com/show_bug.cgi?id=865120 (RHEL RFE)
rhbz: [https://bugzilla.redhat.com/show_bug.cgi?id=854396 854396] => [https://bugzilla.redhat.com/show_bug.cgi?id=854396 854396], [https://bugzilla.redhat.com/show_bug.cgi?id=865120 865120]
milestone: SSSD 1.12 beta => Interim Bucket
owner: sgallagh => nalin
priority: major => critical
review: => 0
milestone: Interim Bucket => SSSD 1.12 beta
milestone: SSSD 1.12 beta => SSSD 1.13 beta
mark: => 1
cc: kashyapc => kashyapc, rmainz @redhat.com
We agreed this RFE will be tentatively owned by Sumit and we'll see how far we can get during the 1.13 development.
owner: nalin => sbose
patch: 0 => 1
sensitive: => 0
resolution: => fixed
status: new => closed
Metadata Update from @nalin:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1