From 7a19c0d730ae3d16a9763f4769a37bf19680622a Mon Sep 17 00:00:00 2001
From: Florence Blanc-Renaud
Date: Nov 11 2019 11:54:53 +0000
Subject: smartcard: make the ipa-advise script compatible with authselect/authconfig
"ipa-advise config-client-for-smart-card-auth" is run on a server and creates a script that needs to be copied and executed on a client. The client may be of a different version and use authconfig instead of authselect. The generated script must be able to handle both cases (client using authselect or client using authconfig). The patch checks whether authselect is available and calls the proper configuration command (authselect or authconfig) depending on its availability on the client.
Fixes: https://pagure.io/freeipa/issue/8113
Reviewed-By: Rob Crittenden
Reviewed-By: Rob Crittenden
---
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
index 1f6209a..6484f66 100644
--- a/ipaserver/advise/plugins/smart_card_auth.py
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -54,6 +54,9 @@ class common_smart_card_auth_config(Advice):
 )
 def upload_smartcard_ca_certificates_to_systemwide_db(self):
+ # Newer version of sssd use OpenSSL and read the CA certs
+ # from /etc/sssd/pki/sssd_auth_ca_db.pem
+ self.log.command('mkdir -p /etc/sssd/pki')
 with self.log.for_loop(
 self.single_ca_cert_variable_name,
 '${}'.format(self.smart_card_ca_certs_variable_name)):
@@ -63,6 +66,11 @@ class common_smart_card_auth_config(Advice):
 self.systemwide_nssdb, self.single_ca_cert_variable_name
 )
 )
+ self.log.command(
+ 'cat ${} >> /etc/sssd/pki/sssd_auth_ca_db.pem'.format(
+ self.single_ca_cert_variable_name
+ )
+ )
 def install_smart_card_signing_ca_certs(self):
 with self.log.for_loop(
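Review bot: The generated `cat ${...} >> /etc/sssd/pki/sssd_auth_ca_db.pem` command in the second hunk appends on every execution, so re-running the advice script on a client (or running it after an earlier run already populated the file) leaves duplicate CA entries in the bundle sssd trusts and never removes a CA that was dropped from the argument list. Nothing checks that each input file is PEM before it is concatenated, so a DER-encoded CA file, which the preceding `certutil` import accepts, would corrupt the bundle for every CA after it. Consider truncating the bundle once before the loop (`: > /etc/sssd/pki/sssd_auth_ca_db.pem` emitted next to the `mkdir -p`) and validating each input with something like `openssl x509 -in "${...}" -noout` before appending, with a comment in `upload_smartcard_ca_certificates_to_systemwide_db` stating that the PEM bundle is rebuilt from scratch each run. The variable expansion in the new `cat` line is unquoted in the emitted shell, matching the existing style, so a CA path containing whitespace breaks it. The `for` loop enclosing this command starts in the first hunk; the `certutil` lines between the two hunks are not shown.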
@@ -265,6 +273,7 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
 self.upload_smartcard_ca_certificates_to_systemwide_db()
 self.update_ipa_ca_certificate_store()
 self.run_authconfig_to_configure_smart_card_auth()
+ self.configure_pam_cert_auth()
 self.restart_sssd()
 def check_and_remove_pam_pkcs11(self):
@@ -317,13 +326,34 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
 )
 def run_authconfig_to_configure_smart_card_auth(self):
+ # In order to be compatible with all clients, we check first
+ # if the client supports authselect.
+ # Otherwise authconfig will be used.
+ self.log.comment('Use either authselect or authconfig to enable ' 'Smart Card authentication')
+ self.log.commands_on_predicate(
+ '[ -f "/usr/bin/authselect" ]',
+ ['AUTHCMD="authselect enable-feature with-smartcard"'],
+ ['AUTHCMD="authconfig --enablesssd --enablesssdauth ' '--enablesmartcard --smartcardmodule=sssd --smartcardaction=1 ' '--updateall"']
+ )
 self.log.exit_on_failed_command(
- 'authconfig --enablesssd --enablesssdauth --enablesmartcard ' '--smartcardmodule=sssd --smartcardaction=1 --updateall',
+ '$AUTHCMD',
 [
 'Failed to configure Smart Card authentication in SSSD'
 ]
 )
+ def configure_pam_cert_auth(self):
+ self.log.comment('Set pam_cert_auth=True in /etc/sssd/sssd.conf')
+ self.log.comment('This step is required only when authselect is used')
+ self.log.commands_on_predicate(
+ '[ -f "/usr/bin/authselect" ]',
+ ["python3 -c 'from SSSDConfig import SSSDConfig; " "c = SSSDConfig(); c.import_config(); " "c.set(\"pam\", \"pam_cert_auth\", \"True\"); " "c.write()'"])
+
 def restart_sssd(self):
 self.log.command('systemctl restart sssd.service')
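Review bot: In `configure_pam_cert_auth` the `python3 -c '... c.write()'` command is emitted through `commands_on_predicate` with no failure handling, whereas the `$AUTHCMD` step just above it goes through `exit_on_failed_command`; if the `SSSDConfig` module is missing on the client or `sssd.conf` cannot be parsed, the generated script silently continues to `restart_sssd` with `pam_cert_auth` still unset and smart-card logins fail at runtime with nothing in the script output to explain why. Give this step the same treatment as the `$AUTHCMD` one, either by nesting `exit_on_failed_command` inside the predicate if the logger supports that (its signature is not visible here) or by appending a failure branch to the command itself, e.g. `"c.write()' || { echo 'Failed to set pam_cert_auth in sssd.conf' >&2; exit 1; }"`. The predicate `'[ -f "/usr/bin/authselect" ]'` is now written out in two methods; a class-level attribute such as `authselect_predicate = '[ -f "/usr/bin/authselect" ]'` would keep them in step when the detection changes. With the authselect branch, the name `run_authconfig_to_configure_smart_card_auth` no longer describes the method, so a docstring stating that it emits either `authselect enable-feature with-smartcard` or the `authconfig` fallback would help a reader; note also that `authselect enable-feature` presumes a profile is already selected on the client, which the script does not check.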