On Wed, Apr 26, 2017 at 03:46:07PM -0000, tallinn1960(a)yahoo.de wrote:
> I am trying to set up a PKINIT/smartcard-based logon scheme using sssd
> 1.15.1 on Ubuntu 16.04. I am using the opensc-pkcs11 lib to access the smartcard. I have a
> working pam_krb5 based PKINIT smartcard logon to the KDC. The opensc pkcs11 lib and all
> relevant ca certificates are installed in the nss database.
> However, p11_child is not happy about the yubikey:
> ➜ ~ sudo /usr/local/libexec/sssd/p11_child -d 9 --nssdb=/etc/pki/nssdb --pre
> (Wed Apr 26 17:40:56:522588 2017) [[sssd[p11_child[2677]]]] [main] (0x0400): p11_child
> started.
> (Wed Apr 26 17:40:56:522763 2017) [[sssd[p11_child[2677]]]] [main] (0x2000): Running in
> [pre-auth] mode.
> (Wed Apr 26 17:40:56:522849 2017) [[sssd[p11_child[2677]]]] [main] (0x2000): Running with
> effective IDs: [0][0].
> (Wed Apr 26 17:40:56:522931 2017) [[sssd[p11_child[2677]]]] [main] (0x2000): Running with
> real IDs [0][0].
> (Wed Apr 26 17:40:56:655832 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Default
> Module List:
> (Wed Apr 26 17:40:56:655859 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): common
> name: [NSS Internal PKCS #11 Module].
> (Wed Apr 26 17:40:56:655864 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): dll name:
> [(null)].
> (Wed Apr 26 17:40:56:655869 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): common
> name: [yubikey].
> (Wed Apr 26 17:40:56:655873 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): dll name:
> [/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so].
> (Wed Apr 26 17:40:56:655877 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Dead
> Module List:
> (Wed Apr 26 17:40:56:655883 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): DB Module
> List:
> (Wed Apr 26 17:40:56:655888 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): common
> name: [NSS Internal Module].
> (Wed Apr 26 17:40:56:655892 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): dll name:
> [(null)].
> (Wed Apr 26 17:40:56:655917 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000):
> Description [NSS Internal Cryptographic Services Mozilla
> Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> (Wed Apr 26 17:40:56:655924 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000):
> Description [NSS User Private Key and Certificate Services Mozilla
> Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
> (Wed Apr 26 17:40:56:655929 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000):
> Description [Yubico Yubikey 4 OTP+CCID 00 00 OpenSC
> (
> www.opensc-project.org) ] Manufacturer [OpenSC (
> www.opensc-project.org) ] flags [7].
> (Wed Apr 26 17:40:56:655940 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Found
> [PIV_II (PIV Card Holder pin)] in slot [Yubico Yubikey 4 OTP+CCID 00 00][1] of module
> [2][/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so].
> (Wed Apr 26 17:40:56:655946 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Token is
> NOT friendly.
> (Wed Apr 26 17:40:56:655951 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Trying to
> switch to friendly to read certificate.
> (Wed Apr 26 17:40:56:655957 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Login
> required.
> (Wed Apr 26 17:40:56:655961 2017) [[sssd[p11_child[2677]]]] [do_work] (0x0020): Login
> required but no pin available, continue.
> (Wed Apr 26 17:40:56:656102 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): found
> cert[PIV_II (PIV Card Holder pin):Certificate for PIV
> Authentication][CN=secadm,UID=4915377]
> (Wed Apr 26 17:40:56:656127 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): Filtered
> certificates:
> (Wed Apr 26 17:40:56:656132 2017) [[sssd[p11_child[2677]]]] [do_work] (0x4000): No
> certificate found.
> It looks like the certificate on the key is PIN-protected. Shouldn't p11_child ask
> for a PIN? Giving p11_child the --pin flag has absolutely no effect.
Typically the private key is PIN protected; since there is nothing secret
in the certificate, it can be read without a PIN.
SSSD expects that certificates used for authentication have at least the
key usage digitalSignature and the extended key usage clientAuth. Please
check if your certificate meets these criteria.
HTH
bye,
Sumit
>
> Any help is welcome.
>
> Thx
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
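The two criteria Sumit names (keyUsage digitalSignature, extendedKeyUsage clientAuth) are the usual reason p11_child reads a certificate off the token and then reports "No certificate found" after filtering, so they are worth checking before anything else. The quick way is `openssl x509 -inform DER -in piv-auth.der -noout -text` and reading the "X509v3 Key Usage" and "X509v3 Extended Key Usage" lines. The script below is an added example, not SSSD or OpenSC code: it does the same check with the standard library only, by walking the DER structure to the extensions and testing the two bits, and it also builds a few constructed sample certificates (structurally valid v3 certificates with a dummy signature, test data only) so it runs offline. The pkcs11-tool export command in the docstring, and the assumption that OpenSC exposes the PIV Authentication certificate as object id 1, are mine, not from the thread; confirm the id with `pkcs11-tool --list-objects`.

```python
"""Check that an X.509 certificate carries keyUsage digitalSignature and
extendedKeyUsage clientAuth, the minimum SSSD expects for smartcard auth.

Added example (not SSSD/OpenSC code); standard library only.  On a real host
feed it the DER certificate exported from the token, e.g. (assumed id):
    pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
        --read-object --type cert --id 1 -o piv-auth.der
"""
import sys

KEY_USAGE_OID = bytes.fromhex("551d0f")              # 2.5.29.15 keyUsage
EXT_KEY_USAGE_OID = bytes.fromhex("551d25")          # 2.5.29.37 extKeyUsage
CLIENT_AUTH_OID = bytes.fromhex("2b06010505070302")  # 1.3.6.1.5.5.7.3.2 clientAuth
SERVER_AUTH_OID = bytes.fromhex("2b06010505070301")  # 1.3.6.1.5.5.7.3.1 serverAuth
DIGITAL_SIGNATURE = 0x80  # KeyUsage bit 0 is the MSB of the first data byte


# --- minimal DER reader (single-byte tags are enough for X.509) -------------
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: 0x8N then N length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _children(buf):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        out.append((tag, value))
    return out


def extensions(cert_der):
    """Map extnID (raw OID bytes) -> extnValue (raw OCTET STRING contents)."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not DER; convert PEM with: openssl x509 -outform DER")
    tbs = _children(cert)[0][1]                               # tbsCertificate
    ext_block = [v for t, v in _children(tbs) if t == 0xA3]   # [3] EXPLICIT Extensions
    exts = {}
    if ext_block:
        for _, ext in _children(_children(ext_block[0])[0][1]):
            fields = _children(ext)   # OID, optional BOOLEAN critical, OCTET STRING
            exts[fields[0][1]] = fields[-1][1]
    return exts


def sssd_problems(cert_der):
    """Reasons p11_child would filter this certificate out (empty list = OK)."""
    exts, problems = extensions(cert_der), []
    ku = exts.get(KEY_USAGE_OID)
    if ku is None:
        problems.append("no keyUsage extension")
    else:
        tag, bits, _ = _read_tlv(ku, 0)   # BIT STRING: bits[0] = unused-bit count
        if tag != 0x03 or len(bits) < 2 or not bits[1] & DIGITAL_SIGNATURE:
            problems.append("keyUsage lacks digitalSignature")
    eku = exts.get(EXT_KEY_USAGE_OID)
    if eku is None:
        problems.append("no extendedKeyUsage extension")
    elif CLIENT_AUTH_OID not in [v for t, v in _children(_read_tlv(eku, 0)[1]) if t == 0x06]:
        problems.append("extendedKeyUsage lacks clientAuth")
    return problems


# --- constructed sample certificates (structurally valid, dummy signature) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _ext(oid, value, critical=False):
    flag = _der(0x01, b"\xff") if critical else b""
    return _der(0x30, _der(0x06, oid) + flag + _der(0x04, value))


def sample_cert(key_usage_byte, eku_oids):
    """Unsigned v3 certificate for CN=secadm with the given KU/EKU (test data only)."""
    sig_alg = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"secadm"))))
    validity = _der(0x30, _der(0x17, b"170101000000Z") + _der(0x17, b"270101000000Z"))
    spki = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
                + _der(0x03, b"\x00\x30\x03\x02\x01\x03"))  # placeholder key, not usable
    exts = _ext(KEY_USAGE_OID, _der(0x03, bytes([0, key_usage_byte])), critical=True)
    if eku_oids:
        exts += _ext(EXT_KEY_USAGE_OID, _der(0x30, b"".join(_der(0x06, o) for o in eku_oids)))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + sig_alg
               + name + validity + name + spki + _der(0xA3, _der(0x30, exts)))
    return _der(0x30, tbs + sig_alg + _der(0x03, b"\x00\x00"))  # dummy signature


if __name__ == "__main__":
    if len(sys.argv) == 2:                      # real use: python3 check.py piv-auth.der
        print(sssd_problems(open(sys.argv[1], "rb").read()) or "OK for SSSD")
    else:                                       # demo on the constructed certificates
        for label, cert in [("good", sample_cert(DIGITAL_SIGNATURE, [CLIENT_AUTH_OID])),
                            ("keyEncipherment only", sample_cert(0x20, [CLIENT_AUTH_OID])),
                            ("serverAuth only", sample_cert(DIGITAL_SIGNATURE, [SERVER_AUTH_OID])),
                            ("no EKU", sample_cert(DIGITAL_SIGNATURE, []))]:
            print(f"{label}: {sssd_problems(cert) or 'OK for SSSD'}")
```

If the check passes and p11_child still filters the certificate, the next things to look at are the `--ca_db` trust chain and, on the SSSD side, the `certificate_verification` setting (OCSP is attempted unless `no_ocsp` is set), since a certificate with the right usage bits can still be rejected by chain validation.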