On 11/28/18 11:29 PM, Sumit Bose wrote:
> On Wed, Nov 28, 2018 at 04:57:17PM -0700, Orion Poplawski wrote:
> > I configured a YubiKey on Windows using the YubiKey minidriver with the
> > following certificates:
> >
> > - my "orion" certificate - went into slot 9a PIV Auth
> > - A MacOS keychain cert per their docs - went into slot 9d Key Management
> > - Another auth certificate for "orion-admin" - went into slot 82
> >
> > I'm able to authenticate on Windows as either orion or orion-admin, but on
> > Linux with sssd it does not see the orion-admin certificate. What needs to
> > happen to support this?
> Which version of SSSD are you using?
sssd-1.16.2-13.el7_5
> Can you send the output of
> p11tool --list-all --provider opensc-pkcs11.so
$ p11tool --list-all --provider /usr/lib64/opensc-pkcs11.so
Object 0:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=PIV%20AUTH%20pubkey;type=public
Type: Public key
Label: PIV AUTH pubkey
Flags: CKA_WRAP/UNWRAP;
ID: 01
Object 1:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert
Type: X.509 Certificate
Label: Certificate for PIV Authentication
ID: 01
Object 2:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=KEY%20MAN%20pubkey;type=public
Type: Public key
Label: KEY MAN pubkey
ID: 03
Object 3:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=Certificate%20for%20Key%20Management;type=cert
Type: X.509 Certificate
Label: Certificate for Key Management
ID: 03
Object 4:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Card%20Capability%20Container;type=data
Type: Data
Label: Card Capability Container
ID:
Object 5:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Card%20Holder%20Unique%20Identifier;type=data
Type: Data
Label: Card Holder Unique Identifier
ID:
Object 6:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Unsigned%20Card%20Holder%20Unique%20Identifier;type=data
Type: Data
Label: Unsigned Card Holder Unique Identifier
ID:
Object 7:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20PIV%20Authentication;type=data
Type: Data
Label: X.509 Certificate for PIV Authentication
ID:
Object 8:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Digital%20Signature;type=data
Type: Data
Label: X.509 Certificate for Digital Signature
ID:
Object 9:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Key%20Management;type=data
Type: Data
Label: X.509 Certificate for Key Management
ID:
Object 10:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Card%20Authentication;type=data
Type: Data
Label: X.509 Certificate for Card Authentication
ID:
Object 11:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Security%20Object;type=data
Type: Data
Label: Security Object
ID:
Object 12:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Discovery%20Object;type=data
Type: Data
Label: Discovery Object
ID:
> and
> /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Thu Nov 29 13:31:29:125830 2018) [[sssd[p11_child[2569]]]] [main] (0x0400):
p11_child started.
(Thu Nov 29 13:31:29:126388 2018) [[sssd[p11_child[2569]]]] [main] (0x2000):
Running in [pre-auth] mode.
(Thu Nov 29 13:31:29:126426 2018) [[sssd[p11_child[2569]]]] [main] (0x2000):
Running with effective IDs: [22603][22603].
(Thu Nov 29 13:31:29:126459 2018) [[sssd[p11_child[2569]]]] [main] (0x2000):
Running with real IDs [22603][22603].
(Thu Nov 29 13:31:29:341356 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Default Module List:
(Thu Nov 29 13:31:29:341396 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): common name: [NSS Internal PKCS #11 Module].
(Thu Nov 29 13:31:29:341415 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): dll name: [(null)].
(Thu Nov 29 13:31:29:341433 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): common name: [OpenSC].
(Thu Nov 29 13:31:29:341451 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): dll name: [/usr/lib64/opensc-pkcs11.so].
(Thu Nov 29 13:31:29:341468 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Dead Module List:
(Thu Nov 29 13:31:29:341485 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): DB Module List:
(Thu Nov 29 13:31:29:341503 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): common name: [NSS Internal Module].
(Thu Nov 29 13:31:29:341520 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): dll name: [(null)].
(Thu Nov 29 13:31:29:341537 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): common name: [Policy File].
(Thu Nov 29 13:31:29:341554 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): dll name: [(null)].
(Thu Nov 29 13:31:29:367703 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Description [NSS User Private Key and Certificate Services
Mozilla Foundation ] Manufacturer [Mozilla Foundation
] flags [1].
(Thu Nov 29 13:31:29:367790 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Description [NSS Internal Cryptographic Services
Mozilla Foundation ] Manufacturer [Mozilla
Foundation ] flags [9].
(Thu Nov 29 13:31:29:368358 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Description [Yubico Yubikey 4 OTP+U2F+CCID 00 00
Yubico ] Manufacturer [Yubico
] flags [7].
(Thu Nov 29 13:31:29:368416 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Found [Orion Poplawski] in slot [Yubico Yubikey 4 OTP+U2F+CCID 00
00][0] of module [2][/usr/lib64/opensc-pkcs11.so].
(Thu Nov 29 13:31:29:368455 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Token is NOT friendly.
(Thu Nov 29 13:31:29:368488 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Trying to switch to friendly to read certificate.
(Thu Nov 29 13:31:29:368517 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Login required.
(Thu Nov 29 13:31:29:368544 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x0020): Login required but no PIN available, continue.
(Thu Nov 29 13:31:29:369245 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): found cert[Orion Poplawski:Certificate for PIV
Authentication][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:369296 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): found cert[Orion Poplawski:Certificate for Key Management][CN=Orion
Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:369332 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Filtered certificates:
(Thu Nov 29 13:31:29:369364 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): found cert[Orion Poplawski:Certificate for PIV
Authentication][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:370948 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): (null) /usr/lib64/opensc-pkcs11.so (null) Orion Poplawski (null) (null).
(Thu Nov 29 13:31:29:371002 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): found cert[Orion Poplawski:Certificate for Key Management][CN=Orion
Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:371049 2018) [[sssd[p11_child[2569]]]] [do_verification]
(0x0040): Certificate [Orion Poplawski:Certificate for Key
Management][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com] not valid
[-8102][Certificate key usage inadequate for attempted operation.].
(Thu Nov 29 13:31:29:371109 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x0040): Certificate [Orion Poplawski:Certificate for Key
Management][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com] not valid, skipping.
(Thu Nov 29 13:31:29:430991 2018) [[sssd[p11_child[2569]]]] [do_card]
(0x4000): Found certificate has key id [01].
Orion Poplawski
/usr/lib64/opensc-pkcs11.so
01
Certificate for PIV Authentication
And just for comparison:
$ yubico-piv-tool -a status
CHUID:
3019d4e739da739ced39ce739d836858210842108421384210c3f53410072180727c4b0c30d75c91b27c25efbd350832303330303130313e00fe00
CCC:
f015a000000116ff022b6532e39b0c782d8ec7b26efca5f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:
Algorithm: RSA2048
Subject DN: DC=com, DC=nwra, DC=ad, OU=NWRA, CN=Orion Poplawski
Issuer DN: DC=com, DC=nwra, DC=ad, CN=ad-AD-SEATTLE01-CA
Fingerprint:
5a73f59cc4e93ef40012aedf0268abd0cf8fd260fbb243563f56271edf9fc99f
Not Before: Nov 21 17:52:08 2018 GMT
Not After: Nov 21 18:02:08 2020 GMT
Slot 9d:
Algorithm: RSA2048
Subject DN: DC=com, DC=nwra, DC=ad, OU=NWRA, CN=Orion Poplawski
Issuer DN: DC=com, DC=nwra, DC=ad, CN=ad-AD-SEATTLE01-CA
Fingerprint:
9c6ae38156c501a4ef033dd54e509053dbf06640f6f6b5d5fcaeced20c815290
Not Before: Nov 21 17:52:39 2018 GMT
Not After: Nov 21 18:02:39 2020 GMT
Slot 82:
Algorithm: RSA2048
Subject DN: DC=com, DC=nwra, DC=ad, OU=NWRA, OU=Admin-Accounts,
CN=Orion Poplawski
Issuer DN: DC=com, DC=nwra, DC=ad, CN=ad-AD-SEATTLE01-CA
Fingerprint:
8565497be7c56c7595ee7389d7781b8830fe5f110917ee2b16227e831c164b00
Not Before: Nov 21 18:10:10 2018 GMT
Not After: Nov 21 18:20:10 2020 GMT
> (in case you use a very recent OpenSSL build of SSSD please use
> '--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem' or the place where your CA
> certificates are stored).
> I'll try to run this on a Fedora system as well....
> bye,
> Sumit
> >
> > Thanks!
> >
> > --
> > Orion Poplawski
> > Manager of NWRA Technical Systems 720-772-5637
> > NWRA, Boulder/CoRA Office FAX: 303-415-9702
> > 3380 Mitchell Lane orion(a)nwra.com
> > Boulder, CO 80301
> > https://www.nwra.com/
> > _______________________________________________
> > sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> > To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
> > Fedora Code of Conduct:
> > https://getfedora.org/code-of-conduct.html
> > List Guidelines:
> > https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> > https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
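A small diagnostic, added here and not taken from the thread, SSSD or OpenSC, that parses a `p11tool --list-all` listing like the one above and reports which provisioned PIV slots have no certificate object exposed through the PKCS#11 module (in the listing above only ids 01 and 03 carry a certificate, so nothing for slot 82 reaches p11_child). The id-to-slot table is an assumption about OpenSC's PIV driver, and the sample listing is constructed.

```python
"""Tally the certificates a PKCS#11 token exposes, from p11tool output."""

# Constructed sample in the layout of the p11tool listing above (placeholder serial/token).
SAMPLE = """\
Object 0:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=0000;token=Example%20User;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert
Type: X.509 Certificate
Label: Certificate for PIV Authentication
ID: 01
Object 1:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=0000;token=Example%20User;id=%03;object=Certificate%20for%20Key%20Management;type=cert
Type: X.509 Certificate
Label: Certificate for Key Management
ID: 03
Object 2:
URL:
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=0000;token=Example%20User;object=Card%20Capability%20Container;type=data
Type: Data
Label: Card Capability Container
ID:
"""

# PIV slot behind each CKA_ID in OpenSC's PIV driver (assumption, consistent with the
# listing above: 01=9a, 02=9c, 03=9d, 04=9e; retired slots 82..95 continue from id 05).
PIV_SLOT_FOR_ID = {"01": "9a", "02": "9c", "03": "9d", "04": "9e"}
PIV_SLOT_FOR_ID.update({f"{5 + i:02x}": f"{0x82 + i:02x}" for i in range(20)})

def parse_objects(text):
    """Split p11tool output into one dict of fields per 'Object N:' block."""
    objects, current = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Object ") and line.endswith(":"):
            current = {}
            objects.append(current)
        elif current is not None and line.startswith("pkcs11:"):
            current["URL"] = line  # URL wrapped onto its own line by the mailer
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return objects

def certs_by_id(objects):
    """Map CKA_ID -> label for every X.509 certificate object."""
    return {o["ID"]: o["Label"] for o in objects
            if o.get("Type") == "X.509 Certificate"}

def missing_slots(objects, provisioned):
    """Provisioned PIV slots (e.g. {'9a', '9d', '82'}) that expose no certificate."""
    exposed = {PIV_SLOT_FOR_ID.get(cid, "?") for cid in certs_by_id(objects)}
    return sorted(set(provisioned) - exposed)
```

Run it against the real listing by reading `p11tool --list-all --provider /usr/lib64/opensc-pkcs11.so` output into `parse_objects`; a slot reported by `missing_slots` is one the PKCS#11 module never presents, so p11_child cannot filter or verify a certificate from it.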