On Fri, Oct 18, 2019, at 9:58 PM, James Ralston wrote:
> I am struggling to get smartcard authentication working on RHEL7,
> using sssd-1.16.4-21.el7 and krb5 PKINIT against Microsoft Active
> Directory KDCs.
> Has anyone actually gotten this working? If so, what behavior
> differences do you see from various login mechanisms (gdm, login,
> et al.)?
I've gotten it working.
> Because I see *no* visual differences in any login mechanism. gdm,
> login, et al. prompt for a username/password, exactly as before.
> Both after I enter the username, and after I enter the PIN (at the
> "password" prompt), there is a delay while sssd pokes at the card. I
> can also tell this from watching the light on the card reader blink.
I've seen it behave both ways, and I'm not sure what the difference was.
Sometimes, the GDM login screen automatically shows the correct user when the Smart Card
is inserted; other times, I must first enter the user name before being prompted for the
PIN.
> But then the login fails.
> I mean, these documents:
> https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_p...
> https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certifi...
> …make it sound like the gdm login screen should prompt me to insert a
> smartcard, or at least differentiate *somehow* that smartcard
> authentication is in play. Both features claim to be implemented in
> sssd-1.16.4-21.el7. But I see nothing that indicates these features
> are working.
I've not seen GDM prompt for a Smart Card, but I'm also not enforcing Smart
Card-only login at this time.
> If it's really the case that we have to train our users to type their
> username into the "username" prompt and enter their smartcard PIN into
> the "password" prompt, we can do that, but that doesn't seem to be how
> it's supposed to work based on the above documents. And that's going
> to seem completely horrible to users in contrast to how Windows works,
> where you walk up, insert your smartcard, and the login screen
> identifies you and then prompts for your PIN.
The PIN should not be entered into the "Password" prompt, only into the prompt that
says "PIN".
> I mean, I get it that /usr/bin/login running on a virtual console
> can't engage in a nifty interactive dialog like Windows does. But is
> it really the case that gdm is that dumb with smartcards as well?
> Or am I misunderstanding how gdm+sssd+smartcard+PKINIT is supposed to
> work?
> I can supply (somewhat redacted) configuration files if need be, but I
> have everything set correctly that I know to set:
> * krb5.conf is configured correctly; I can kinit using the
> smartcard+PIN.
This is correct if you can type the following and are prompted for a PIN:
$ kinit username@REALM
In particular, you shouldn't have to pass any additional parameters to kinit.
Generally, the steps to make this work are to set these in krb5.conf:
[libdefaults]
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
pkinit_identities = PKCS11:
pkinit_cert_match = <EKU>msScLogin<KU>digitalSignature
[realms]
EXAMPLE.COM = {
pkinit_kdc_hostname = EXAMPLE.COM
}
In particular, the `FILE:` part is important; you can't use just a path. (You can also
use DIR:, etc.)
pkinit_kdc_hostname is needed because the AD CA generally doesn't have the
id-pkinit-san attribute on its certificate.
> * We use pam_sss.so in all of (password-auth, system-auth,
> smartcard-auth), so no matter how a program enters the PAM stack, it
> should get pam_sss.so and PKINIT.
AFAIK, there's no way in the RHEL 7 version of sssd to enforce PKINIT at the SSSD
level, but it will perform PKINIT in the case that Smart Card auth is being performed.
> * I touched /var/lib/sss/pubconf/pam_preauth_available into existence
> and restarted sssd.
There is no need to perform this step. This is performed automatically by sssd when
configured with `pam_cert_auth = True`.
> * I set enable-smartcard-authentication to true in dconf (for
> org.gnome.login-screen).
I didn't have to change this from the default.
> * I set "pam_cert_auth = true" in the [domain/example.org] section of
> /etc/sssd/sssd.conf.
This should be in the [pam] section of sssd.conf.
> * I extracted the correct certificate from my smartcard (the one that
> krb5.conf is configured to find) and added it to my userCertificate
> attribute in Active Directory.
This is necessary if you want to use the Smart Card for SSH authentication. I'm
unsure if it's necessary for authentication when the card is physically present at the
machine. I know it's not necessary with the latest upstream version of SSSD, but not
sure if it made it into RHEL.
> * I even populated /etc/pki/nssdb with all of the same certificates
> that update-ca-trust maintains, even though I'm not sure that's
> necessary, as I think krb5 pkinit.so should handle that.
This is required for SSSD, but not for plain PKINIT.
I had to do this to add them to the nssdb store:
# certutil -A -n example_ca -t CT,C,C -a -d /etc/pki/nssdb -i example_ca.crt
> * I increased various sssd timeouts to work around this bug in sssd
> that was derailing the nss responder:
> #4103 slow smartcard interactions break sssd when PKINIT is configured
> https://pagure.io/SSSD/sssd/issue/4103
I'd been considering opening my own bug against pcscd (pcsc-lite?) because of the long
delays caused by accessing the card. (Seems like this could be cached.)
> I'm open to suggestions for anything that I missed.
The thing that solved pkinit for me when logging in on RHEL 7 was the p11_child_timeout in
sssd.conf:
[pam]
p11_child_timeout = 90
Strangely, RHEL 8 did not require that timeout value to be set. The built-in default
value is 6 seconds, IIRC.
Hope that's helpful, and I'd be interested in hearing about any gotchas you solve
along the way.
V/r,
James Cassell
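As an added example (not from either poster's message), a small Python checker that parses sssd.conf and krb5.conf just far enough to flag the misplacements discussed in this thread: pam_cert_auth outside [pam], pkinit_anchors without a FILE:/DIR: prefix, and a missing p11_child_timeout, pkinit_identities or pkinit_kdc_hostname. The parser is hypothetical and flattens krb5.conf realm braces into their enclosing section, which is enough for these checks.

```python
"""Sanity-check the smartcard/PKINIT settings from the thread (hypothetical helper)."""
import re

_SECTION = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_KEYVAL = re.compile(r"^\s*([^=\s]+)\s*=\s*(.*?)\s*$")


def parse_settings(text):
    """Return {(section, key): value}. krb5.conf 'REALM = { ... }' blocks are
    flattened into the enclosing section; the '{' and '}' lines are skipped."""
    settings, section = {}, None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = _SECTION.match(line)
        if m:
            section = m.group(1).strip()
            continue
        m = _KEYVAL.match(line)
        if m and section and m.group(2) != "{":
            settings[(section, m.group(1))] = m.group(2)
    return settings


def check_sssd_conf(text):
    """Findings for sssd.conf: pam_cert_auth must live in [pam], and a
    p11_child_timeout is worth setting because card reads can be slow."""
    s, findings = parse_settings(text), []
    if s.get(("pam", "pam_cert_auth"), "").lower() != "true":
        findings.append("pam_cert_auth = True must be set in the [pam] section")
    for (sec, key) in s:
        if key == "pam_cert_auth" and sec != "pam":
            findings.append(f"pam_cert_auth found in [{sec}]; it belongs in [pam]")
    if ("pam", "p11_child_timeout") not in s:
        findings.append("p11_child_timeout unset in [pam]; the default is short for slow cards")
    return findings


def check_krb5_conf(text):
    """Findings for krb5.conf: anchors need a FILE:/DIR:/ENV: prefix, an identity
    source is required, and AD KDCs usually need pkinit_kdc_hostname."""
    s, findings = parse_settings(text), []
    if not re.match(r"^(FILE|DIR|ENV):", s.get(("libdefaults", "pkinit_anchors"), "")):
        findings.append("pkinit_anchors needs a FILE:/DIR: prefix, not a bare path")
    if ("libdefaults", "pkinit_identities") not in s:
        findings.append("pkinit_identities missing (e.g. PKCS11:)")
    if not any(sec == "realms" and key == "pkinit_kdc_hostname" for (sec, key) in s):
        findings.append("pkinit_kdc_hostname unset; needed when the KDC cert lacks id-pkinit-san")
    return findings
```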