#4905 [RFE] Allow Kerberos authentication for users with certificates on smart cards (pkinit)
Closed: fixed 8 months ago by rcritten. Opened 4 years ago by mkosek.

This requirement has several parts:

  • Support of Smart Cards in SSSD (upstream ticket)
  • API/CLI for configuring the trusted CA certificate in KDC (related - #616)
  • Optionally, also #521 (Add dogtag support to generate KDC certificates for Pkinit)
  • Enable PKINIT on clients by default and add respective RPM requirements (krb5-pkinit{,-openssl}) for freeipa-client.

The current development status of this feature was discussed and its scope will be limited for the first release. SC authentication will be LDAP-based (details in https://bugzilla.redhat.com/show_bug.cgi?id=854396#c6).

Kerberos authentication or automatic retrieval of user TGT after authentication (pkinit) will be postponed, given the functionality currently requires special certificate extension (id-pkinit-san) in order to properly map certificates and (user) principals. This is not guaranteed with the primary supported cards (CAC), so we would first need to work on extending our Kerberos backend to provide the mapping ourselves.

Metadata Update from @mkosek:
- Issue assigned to someone
- Issue set to the milestone: FreeIPA 4.5

2 years ago

Metadata Update from @pvoborni:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/575 (was: 0)
- Issue assigned to sbose (was: someone)
- Issue close_status updated to: None

2 years ago

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.1 (was: FreeIPA 4.5)

2 years ago

master:

  • da880de ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
  • c415604 IPA certauth plugin

ipa-4-5:

  • cfaaf4e ipa-kdb: add ipadb_fetch_principals_with_extra_filter()
  • 5a1ce1f IPA certauth plugin

master:

  • 2dda1ac spec file: bump krb5-devel BuildRequires for certauth

ipa-4-5:

  • 2d24600 spec file: bump krb5-devel BuildRequires for certauth

master:

  • 0f42670 spec file: bump krb5 Requires for certauth fixes

ipa-4-5:

  • ec3a2a6 spec file: bump krb5 Requires for certauth fixes

@mbabinsk can we close this ticket as fixed?

Metadata Update from @mbasti:
- Issue set to the milestone: FreeIPA 4.5.2 (was: FreeIPA 4.5.1)

2 years ago

FreeIPA 4.5.1 has been released, moving to FreeIPA 4.5.2 milestone

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.3 (was: FreeIPA 4.5.2)

2 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.4 (was: FreeIPA 4.5.3)

2 years ago

Metadata Update from @tkrizek:
- Issue set to the milestone: FreeIPA 4.5.5 (was: FreeIPA 4.5.4)

2 years ago

Metadata Update from @rcritten:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

8 months ago
