On Mon, Jul 15, 2019 at 02:49:19PM -0000, James Trater wrote:
> Hello.
> Is it possible to replicate the digest mapping feature of pam_pkcs11
> in sssd? We have built our infrastructure around the notion of mapping
> users to certificates based on the certificate digest. With the removal
> of pam_pkcs11 from recent distros (including RHEL 8) we are faced with
> either changing our mapping scheme (potentially a lot of work) or making
> this work in sssd. This is a snippet of what we do today:

Sumit, who primarily develops anything related to smart cards, is on
vacation and will be for another two weeks.

In the meantime I would suggest filing a bug against SSSD either in the
upstream tracker or, since you said RHEL removal also affects you, a RH
support case (feel free to send me the case number, then).

>
> --- snip pam_pkcs11.conf ---
> # digest - elaborate certificate digest and map it into a file
> mapper digest {
> debug = false;
> module = internal;
> # module = /usr/$LIB/pam_pkcs11/digest_mapper.so;
> # algorithm used to evaluate certificate digest
> # Select one of:
> # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
> algorithm = "sha1";
> mapfile = file:///etc/pam_pkcs11/digest_mapping;
> # mapfile = "none";
> }
> --- snip ---
>
>
> # snippet of digest_mapping file (the values have been obfuscated)
>
> [root@friday-vm]# grep jim digest_mapping
>
> 11:BC:53:F1:EF:24:B4:9C:47:ED:7D:EC:2B:82:CB:93:61:F8:88:4F -> jim
>
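
Added example, not part of the original thread and not pam_pkcs11 or SSSD code: a small Python audit helper that recomputes a certificate digest in the colon-separated form shown in the quoted digest_mapping line and resolves it to a user, which is useful for inventorying an existing mapfile before moving to another mapping scheme. Assumptions: the digest is taken over the DER encoding of the certificate, `#` lines in the mapfile are comments, hex case is not significant, and all function names are hypothetical.

```python
import base64
import hashlib
import re

# Constructed sample; the entry is the obfuscated line quoted in the thread.
SAMPLE_MAPFILE = "11:BC:53:F1:EF:24:B4:9C:47:ED:7D:EC:2B:82:CB:93:61:F8:88:4F -> jim\n"
_ENTRY = re.compile(r"^\s*([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2})+)\s*->\s*(\S+)\s*$")
_PEM = re.compile(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)

def to_der(cert: bytes) -> bytes:
    """Accept PEM or DER input; the digest is computed over the DER bytes."""
    m = _PEM.search(cert.decode("latin-1"))
    return base64.b64decode(m.group(1)) if m else cert

def fingerprint(cert: bytes, algorithm: str = "sha1") -> str:
    """Return the digest as upper-case, colon-separated hex (AA:BB:...)."""
    digest = hashlib.new(algorithm, to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_mapfile(text: str) -> dict:
    """Parse 'digest -> user' lines; reject malformed or conflicting entries."""
    mapping = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # assumption: blank lines and '#' comments are ignored
        m = _ENTRY.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not a 'digest -> user' entry")
        digest, user = m.group(1).upper(), m.group(2)
        if mapping.get(digest, user) != user:
            raise ValueError(f"line {lineno}: digest mapped to two users")
        mapping[digest] = user
    return mapping

def lookup_user(cert: bytes, mapfile_text: str, algorithm: str = "sha1"):
    """Return the mapped user for a certificate, or None if it is unmapped."""
    return parse_mapfile(mapfile_text).get(fingerprint(cert, algorithm))

if __name__ == "__main__":
    der = b"constructed stand-in for DER certificate bytes"
    mapfile = SAMPLE_MAPFILE + fingerprint(der) + " -> alice\n"
    print(fingerprint(der), "->", lookup_user(der, mapfile))
```
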