URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: RFC: server-side smart card auth advise plugin Action: opened
PR body: """ This advise plugin generates a script which configures all the components required for successful processing of smart card auth requests on IPA server.
I could split it into sub-advises and call them from the combined advise but that would require some further refactoring of advise plugin framework. Let me know if you would prefer this way instead.
https://pagure.io/freeipa/issue/6982 """
To pull the PR as Git branch: git remote add ghfreeipa https://github.com/freeipa/freeipa git fetch ghfreeipa pull/854/head:pr854 git checkout pr854
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: RFC: server-side smart card auth advise plugin
abbra commented: """ It looks good, thanks. One small comment is that we probably want to allow the script to work on non-RPM platforms as well (Debian or Ubuntu too) where `yum` does not exist. On the other hand, we also would probably want to eventually allow setting this up against `mod_ssl` too. These two changes can be added later. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-306523469
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: RFC: server-side smart card auth advise plugin
martbab commented: """ Support for non-RPM platforms would require some more additions to the base Advice code to handle this systematically, or alternatively we may just test for the presence of the required command and fail with an instruction to install the missing package using platform-specific means.
While we may want to migrate to `mod_ssl` in the future, there will be much more work to do regarding switching TLS modules so the advise can be ported as a part of this effort. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-306714152
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: RFC: server-side smart card auth advise plugin
abbra commented: """ Yes, I'm not asking you to implement these improvements as part of this PR. That's fine to be done in a separate effort. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-306721034
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: RFC: server-side smart card auth advise plugin
Label: +prioritized
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: RFC: server-side smart card auth advise plugin
flo-renaud commented: """ Hi @martbab thank you for the patch. Works great! We could also enhance the script:
- check that it is run by the root user
- to enable NSSOCSP, the regex does not match "##NSSOCSP off" but should.
- the script must be run on each IPA server, maybe we should make it clearer.
- the script could also configure /etc/sssd.conf with `[pam] pam_cert_auth = True`
This could be done in a later commit, I can open a RFE if needed """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-306801866
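The three enhancements listed in the comment above (a root check, a regex that also matches `##NSSOCSP off`, and `pam_cert_auth = True` in the `[pam]` section of sssd.conf), as an added shell example that is not the PR's advise code: config paths are passed as parameters so it can be exercised on constructed temporary copies, and GNU sed is assumed.

```shell
#!/bin/bash
# Added example, not freeipa's own advise code: the three script fixes raised in
# the review (root check, a NSSOCSP regex that also matches "##NSSOCSP off", and
# pam_cert_auth in the [pam] section of sssd.conf). Config paths are parameters,
# so it can be exercised on temporary copies; GNU sed is assumed.

# The generated script edits system configuration, so refuse to run unprivileged.
require_root() {
    [ "$(id -u)" -eq 0 ] || { echo "this script must be run as root" >&2; return 1; }
}

# mod_nss ships the directive commented out, and the number of leading '#'
# differs between versions ("#NSSOCSP off" vs "##NSSOCSP off"), so allow any
# run of '#' and whitespace before it and replace the whole line.
enable_nss_ocsp() {
    local conf="$1"
    sed -i -E 's/^[#[:space:]]*NSSOCSP[[:space:]]+(on|off)[[:space:]]*$/NSSOCSP on/' "$conf"
    grep -qx 'NSSOCSP on' "$conf"
}

# Set pam_cert_auth = True in the [pam] section only, idempotently: create the
# section if absent, replace an existing key in it, or add the key after the header.
enable_pam_cert_auth() {
    local conf="$1"
    grep -qx '\[pam\]' "$conf" || printf '\n[pam]\n' >> "$conf"
    if sed -n '/^\[pam\]/,/^\[/p' "$conf" | grep -qE '^pam_cert_auth[[:space:]]*='; then
        sed -i -E '/^\[pam\]/,/^\[/ s/^pam_cert_auth[[:space:]]*=.*/pam_cert_auth = True/' "$conf"
    else
        sed -i '/^\[pam\]/a pam_cert_auth = True' "$conf"
    fi
    sed -n '/^\[pam\]/,/^\[/p' "$conf" | grep -qx 'pam_cert_auth = True'
}

# Constructed sample configs (not copies of real files) covering the cases above;
# returns 0 only if both edits were applied. A real run would call require_root first.
demo() {
    local dir rc
    dir=$(mktemp -d)
    printf '##NSSOCSP off\nNSSEnforceValidCerts off\n' > "$dir/nss.conf"
    printf '[sssd]\nservices = nss, pam\n\n[pam]\npam_cert_auth = False\n\n[nss]\n' > "$dir/sssd.conf"
    enable_nss_ocsp "$dir/nss.conf" && enable_pam_cert_auth "$dir/sssd.conf"
    rc=$?
    rm -rf "$dir"
    return "$rc"
}
```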
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: RFC: server-side smart card auth advise plugin
martbab commented: """ @flo thanks for your input, I will rework the PR tomorrow. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-306811993
URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: RFC: server-side smart card auth advise plugin Action: synchronized
URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: server-side and client-side advises for configuring smart card auth Action: edited
Changed field: title Original value: """ RFC: server-side smart card auth advise plugin """
URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: server-side and client-side advises for configuring smart card auth Action: edited
Changed field: body Original value: """ This advise plugin generates a script which configures all the components required for successful processing of smart card auth requests on IPA server.
I could split it into sub-advises and call them from the combined advise but that would require some further refactoring of advise plugin framework. Let me know if you would prefer this way instead.
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented: """ @flo @abbra I have rebased the PR and also included a recipe for client configuration for the sake of completeness. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307326811
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
abbra commented: """ Thanks. Comments so far:
* client configuration does not make sure to ask for removal of the `pam_pkcs11` package
* client configuration does not call `authconfig` to configure the PAM stack. It seems to me that we either need a second recipe that enables an IPA client system for remote logon or need to integrate it in the same recipe
* there are a few places in the server plugin that do an explicit 'if ... ' command. This would probably be better replaced with `commands_on_predicate` like in the client case
"""
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307340749
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented: """ @abbra thanks for the review. Is `pam_pkcs11` removal necessary for the client? Also, what option does the recipe need to pass to `authconfig` to properly configure smart card auth? Isn't it enough to configure SSSD? """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307352108
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
abbra commented: """ It is all documented in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Bet... (notice 7-Beta, this is a new material for RHEL 7.4 beta), section 22.5.1.3. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307354137
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented: """ That section[1] only instructs to configure `pam_cert_auth=true` in SSSD's `pam` section, which is already done on both server and client, see the `enable_pam_auth_in_sssd` method. Am I missing something?
[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Bet... """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307358447
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
flo-renaud commented: """ Hi @martbab I think @abbra was referring to this [section](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Bet...) running `authconfig --enablesmartcard --smartcardmodule=sssd --updateall`. This command will update sssd.conf with `pam_cert_auth=True`.
"""
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307360284
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented: """ @flo ah sorry I missed that. I will incorporate it into advise then. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307360499
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented: """ @flo regarding enabling Smart Card login (add PKCS#11 module, configure SSSD and such), do we really need to set this up on the server? I do not expect somebody logging in directly to the machine hosting the FreeIPA server using a smart card reader. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307424330
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
abbra commented: """ @martbab, this actually makes full sense -- if you want to increase the security of your IPA masters, you might force using smart cards only to do ssh login. We are not there yet by default but I can see it being a mandate for organizations that enforce industry or governmental requirements. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307426705
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
abbra commented: """ Note that "directly" may actually mean using a virtualized remote smart card access which is provided via virtualized USB pass-through done by your virtualization environment. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307427085
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented: """ Also I get the following error when running authconfig:
```console
authconfig: Authentication module /lib64/security/pam_pkcs11.so is missing. Authentication process might not work correctly.
```
It is understandable, since I have removed the pam_pkcs11 package as per the documentation, but it still puzzles me.
It may be that I have an old version of authconfig, as I am developing this on F25 where I have authconfig-6.2.10-14.fc25.x86_64. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307427676
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
abbra commented: """ @martbab, definitely `authconfig` in fc25 is too old for this. On F26 I have version 7.0.1-1. It does announce support for SSSD smartcard enablement. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307440827
URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: server-side and client-side advises for configuring smart card auth Action: synchronized
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
flo-renaud commented: """ Hi @martbab Thank you for the fix. Works as expected. """
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-308363482
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
Label: +ack
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented: """ master:
* 0569c02f17f853d97280f52f4a7fefecc72cf45d Extend the advice printing code by some useful abstractions
* e418e9a4ca747886c53d05ae80597834f1d3d021 Prepare advise plugin for smart card auth configuration
ipa-4-5:
* 7ea7ee4326679c098d3e4e4d6a2bc743707708ca Extend the advice printing code by some useful abstractions
* 84ca9761bd47f28b72581d1fe6bd8cfa824b6df3 Prepare advise plugin for smart card auth configuration
"""
See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-308390829
URL: https://github.com/freeipa/freeipa/pull/854 Title: #854: server-side and client-side advises for configuring smart card auth
Label: +pushed
URL: https://github.com/freeipa/freeipa/pull/854 Author: martbab Title: #854: server-side and client-side advises for configuring smart card auth Action: closed
freeipa-devel@lists.fedorahosted.org