#546 [RFE] Support for smart cards

Created 6 years ago by nalin
Modified 2 months ago

I'd like for sssd to support using a smart card for authentication. There are two general cases that I'd like to see working:
- smart card by itself
- smart card used to obtain Kerberos TGTs

In configurations where sssd is using a directory server without Kerberos, it can use information in the directory to verify, once the user-supplied PIN has allowed it to access a token which it could not previously access, that the certificate was issued to the user who is attempting to log in.

If sssd is configured to use Kerberos, it lets the KDC decide that question by attempting to use the newly-available token to obtain a TGT for the user via PKINIT.

Attachments
Bob Foster.jpg - 2017-01-27 20:08:18

Fields changed

component: SSSD => Kerberos Provider
milestone: NEEDS_TRIAGE => SSSD 1.4.0
owner: somebody => sbose

Fields changed

tests: 0 => 1

This request applies to non-Kerberos cases as well. Verifying that the certificate matches the user who is attempting to authenticate is much simpler if we can, for example, check that
- an rfc822Name subjectAltName in the certificate matches the mail attribute from the user's directory entry, or that
- the certificate's subject name matches the DN of the user's entry, or that
- the certificate is stored as the user's entry's userCertificate attribute, or
- after using the certificate and private key to authenticate to the directory and then asking the directory who it thinks just authenticated to it, it gives us the user's name or entry
Other people will undoubtedly have other methods that they would expect to be supported.

Fields changed

milestone: SSSD 1.4.0 => SSSD 1.5.0
owner: sbose => sgallagh

Make sure all this works in the offline case.

Fields changed

coverity: =>
milestone: SSSD 1.6.0 => SSSD 1.7.0
upgrade: => 0

It would be helpful to have CAC support (http://www.cac.mil/) to support HSPD-12.

patch: => 0

Fields changed

milestone: SSSD 1.8.0 => SSSD 1.9.0

In the Kerberos cases, once SSSD has mapped the certificate to a known user (or verified the mapping, if the user needed to supply a name -- SSSD could keep track of the last N subject key ID values or token names that it's seen to "remember" the user name), SSSD can read the client's principal name from the directory or the certificate and then immediately attempt PKINIT.

When doing PKINIT, SSSD can point libkrb5 at the same PKCS11 module and token that was just used. It can supply a NULL password and a prompter callback to krb5_get_init_creds_password(), ensure that it only supplies the card PIN when asked for KRB5_PROMPT_TYPE_PREAUTH, and return errors otherwise.

This would be much simpler and less error-prone than trying to make sure that all of the involved PAM modules "know" when the PAM_AUTHTOK item is a PIN and not a password, so that we don't attempt password-based preauth with a PIN or vice-versa.

rhbz: =>

One configurable thing we should add to this list is a check for the presence of a specified OID in the EKU extension in a certificate on the card -- other OSs support limiting login access (as opposed to generally being able to use the card) based on whether or not a vendor-specific OID is present, and organizations may have designated a site-specific OID for that purpose.

The developer working on this might find this (not spam) useful.

Fields changed

cc: => kashyapc

Fields changed

blockedby: =>
blocking: =>
milestone: SSSD 1.9.0 => SSSD Kerberos improvements

Fields changed

priority: major => blocker

Fields changed

rhbz: => 0

Fields changed

feature_milestone: =>
proposed_priority: => Blocker

Fields changed

rhbz: 0 => todo
summary: Support for smart cards => [RFE] Support for smart cards

Moving all the features planned for 1.10 release into 1.10 beta.

milestone: SSSD Kerberos Improvements Feature => SSSD 1.10 beta

Fields changed

design: =>
design_review: => 0
fedora_test_page: =>
selected: => Not need

Moving tickets that are not a priority for SSSD 1.10 into the next release.

milestone: SSSD 1.10 beta => SSSD 1.11 beta

Fields changed

priority: blocker => critical

Fields changed

priority: critical => major

Fields changed

changelog: =>
milestone: SSSD 1.12 beta => Interim Bucket
owner: sgallagh => nalin
priority: major => critical
review: => 0

Fields changed

milestone: Interim Bucket => SSSD 1.12 beta

Fields changed

milestone: SSSD 1.12 beta => SSSD 1.13 beta

Fields changed

mark: => 1

Fields changed

cc: kashyapc => kashyapc, rmainz@redhat.com

We agreed this RFE will be tentatively owned by Sumit and we'll see how far we can get during the 1.13 development.

owner: nalin => sbose

Fields changed

patch: 0 => 1
sensitive: => 0

  • master:
    • 4de84af23db74e13e867985c9093f394c9fa8d51
    • 5242964d275d0b2e96c9b0d1f8a9958c85d566fc
    • a8d887323f83984679a7d9b827a70146656bb7b2
    • 10703cd558016685ee778e333f1d4490238d46e7
    • 35f3a213e0f0f2c60e9b5f095a05388e21092ae2
    • 45726939a48e605b0166521f94300ae04981a3a7
    • 0d5bb38364a6976e9c85d6349aa13a04d181a090

resolution: => fixed
status: new => closed

2 months ago

Metadata Update from @nalin:
- Issue assigned to sbose
- Issue set to the milestone: SSSD 1.13.1

component: Kerberos Provider
rhbz: https://bugzilla.redhat.com/show_bug.cgi?id=854396, https://bugzilla.redhat.com/show_bug.cgi?id=865120
cc: kashyapc, rmainz@redhat.com