On Fri, Oct 18, 2019, at 9:58 PM, James Ralston wrote:
> I am struggling to get smartcard authentication working on RHEL7, using sssd-1.16.4-21.el7 and krb5 PKINIT against Microsoft Active Directory KDCs.
> Has anyone actually gotten this working? If so, what behavior differences do you see from various login mechanisms (gdm, login, et al.)?
I've gotten it working.
> Because I see *no* visual differences in any login mechanism. gdm, login, et al. prompt for a username/password, exactly as before. Both after I enter the username, and after I enter the PIN (at the "password" prompt), there is a delay while sssd pokes at the card. I can also tell this from watching the light on the card reader blink.
I've seen it behave both ways, and I'm not sure what the difference was. Sometimes, the GDM login screen automatically shows the correct user when the Smart Card is inserted; other times, I must first enter the user name before being prompted for the PIN.
> But then the login fails.
> I mean, these documents:
> https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_pkin... https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_multiple_certificat...
> …make it sound like the gdm login screen should prompt me to insert a smartcard, or at least differentiate *somehow* that smartcard authentication is in play. Both features claim to be implemented in sssd-1.16.4-21.el7. But I see nothing that indicates these features are working.
I've not seen GDM prompt for a Smart Card, but I'm also not enforcing Smart Card-only login at this time.
> If it's really the case that we have to train our users to type their username into the "username" prompt and enter their smartcard PIN into the "password" prompt, we can do that, but that doesn't seem to be how it's supposed to work based on the above documents. And that's going to seem completely horrible to users in contrast to how Windows works, where you walk up, insert your smartcard, and the login screen identifies you and then prompts for your PIN.
The PIN should not be entered into the "Password" prompt. Only the prompt that says "PIN"
> I mean, I get it that /usr/bin/login running on a virtual console can't engage in a nifty interactive dialog like Windows does. But is it really the case that gdm is that dumb with smartcards as well?
> Or am I misunderstanding how gdm+sssd+smartcard+PKINIT is supposed to work?
> I can supply (somewhat redacted) configuration files if need be, but I have everything set correctly that I know to set:
> - krb5.conf is configured correctly; I can kinit using the smartcard+PIN.
This is correct if you can type the following and are prompted for a PIN:

$ kinit username@REALM
In particular, you shouldn't have to pass any additional parameters to kinit.
Generally, the steps to make this work are to set these in krb5.conf:

[libdefaults]
pkinit_anchors = FILE:/etc/pki/tls/certs/ca-bundle.crt
pkinit_identities = PKCS11:
pkinit_cert_match = <EKU>msScLogin<KU>digitalSignature

[realms]
EXAMPLE.COM = {
    pkinit_kdc_hostname = EXAMPLE.COM
}
In particular, the `FILE:` part is important; you can't use just a path. (You can also use DIR:, etc.)
pkinit_kdc_hostname is needed because the AD CA generally doesn't have the id-pkinit-san attribute on its certificate.
> - We use pam_sss.so in all of (password-auth, system-auth, smartcard-auth), so no matter how a program enters the PAM stack, it should get pam_sss.so and PKINIT.
AFAIK, there's no way in the RHEL 7 version of sssd to enforce PKINIT at the SSSD level, but it will perform PKINIT in the case that Smart Card auth is being performed.
> - I touched /var/lib/sss/pubconf/pam_preauth_available into existence and restarted sssd.
There is no need to perform this step. This is performed automatically by sssd when configured with `pam_cert_auth = True`
> - I set enable-smartcard-authentication to true in dconf (for org.gnome.login-screen).
I didn't have to change this from the default.
> - I set "pam_cert_auth = true" in the [domain/example.org] section of /etc/sssd/sssd.conf.
This should be in the [pam] section of the sssd.conf
> - I extracted the correct certificate from my smartcard (the one that krb5.conf is configured to find) and added it to my userCertificate attribute in Active Directory.
This is necessary if you want to use the Smart Card for SSH authentication. I'm unsure if it's necessary for authentication when the card is physically present at the machine. I know it's not necessary with the latest upstream version of SSSD, but I'm not sure if it made it into RHEL.
> - I even populated /etc/pki/nssdb with all of the same certificates that update-ca-trust maintains, even though I'm not sure that's necessary, as I think krb5 pkinit.so should handle that.
This is required for SSSD, but not for plain PKINIT.
> I had to do this to add them to the nssdb store:
>
> # certutil -A -n example_ca -t CT,C,C -a -d /etc/pki/nssdb -i example_ca.crt
>
> I increased various sssd timeouts to work around this bug in sssd that was derailing the nss responder:
> #4103 slow smartcard interactions break sssd when PKINIT is configured https://pagure.io/SSSD/sssd/issue/4103
> I'd been considering opening my own bug against pcscd (pcsc-lite?) because of the long delays caused by accessing the card. (Seems like this could be cached.)
> I'm open to suggestions for anything that I missed.
The thing that solved pkinit for me when logging in on RHEL 7 was the p11_child_timeout in sssd.conf:
[pam]
p11_child_timeout = 90
Strangely, RHEL 8 did not require that timeout value to be set. The built-in default value is 6 seconds, IIRC.
Hope that's helpful, and I'd be interested in hearing about any gotchas you solve along the way.
V/r, James Cassell
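The reply above scatters several configuration pitfalls across the thread: pam_cert_auth placed in the [domain/...] section instead of [pam], pkinit_anchors given as a bare path without the FILE: prefix, a missing pkinit_kdc_hostname in the realm stanza, and the p11_child_timeout that turned out to be the fix on RHEL 7. The script below is an added example, not code from the thread or from the SSSD or MIT Kerberos projects: it lints a krb5.conf and an sssd.conf for exactly those points. Assumptions that are mine and not from the thread: the threshold of 90 for p11_child_timeout is simply the value that worked in the reply above, ENV: is accepted as a pkinit_anchors prefix alongside FILE: and DIR: (MIT krb5 documents all three), the ini_* helpers treat a krb5.conf realm stanza as part of the enclosing [realms] section, and the host names in the constructed sample files are placeholders.

```shell
#!/bin/sh
# Added example: lint the krb5.conf / sssd.conf settings discussed in this thread.
# Not code from the thread or from the SSSD / MIT krb5 projects.
# Assumptions (not from the thread): p11_child_timeout threshold of 90 taken from
# the reply above; ENV: accepted as a pkinit_anchors prefix next to FILE: and DIR:.

# Print the [section] name containing KEY (first match) in an INI-style file.
# krb5.conf realm stanzas ("EXAMPLE.COM = { ... }") are not sections, so a key
# inside one reports the enclosing [realms] section. Empty output: key absent.
ini_section_of() {  # ini_section_of FILE KEY
    awk -v key="$2" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        $0 ~ ("^[ \t]*" key "[ \t]*=") { print sec; exit }
    ' "$1"
}

# Print the value of KEY (first match) with surrounding whitespace trimmed.
ini_value_of() {  # ini_value_of FILE KEY
    awk -v key="$2" '
        $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# sssd.conf: pam_cert_auth must be True and live under [pam], not [domain/...];
# p11_child_timeout must be set under [pam] and be at least 90 (assumed threshold).
# Prints one line per problem; returns 0 only when every check passes.
lint_sssd_conf() {  # lint_sssd_conf FILE
    rc=0
    sec=$(ini_section_of "$1" pam_cert_auth)
    val=$(ini_value_of "$1" pam_cert_auth)
    if [ -z "$sec" ]; then
        echo "pam_cert_auth: not set"; rc=1
    elif [ "$sec" != "pam" ]; then
        echo "pam_cert_auth: found in [$sec], must be in [pam]"; rc=1
    fi
    case "$val" in
        [Tt][Rr][Uu][Ee]) ;;
        *) echo "pam_cert_auth: value '$val', expected True"; rc=1 ;;
    esac
    sec=$(ini_section_of "$1" p11_child_timeout)
    val=$(ini_value_of "$1" p11_child_timeout)
    if [ "$sec" != "pam" ]; then
        echo "p11_child_timeout: not set in [pam] (built-in default is only a few seconds)"; rc=1
    elif ! [ "$val" -ge 90 ] 2>/dev/null; then
        echo "p11_child_timeout: '$val' is below 90"; rc=1
    fi
    return $rc
}

# krb5.conf: pkinit_anchors needs a FILE:/DIR:/ENV: prefix (a bare path is rejected),
# pkinit_identities should point at the card (PKCS11:), and pkinit_kdc_hostname must
# be present in a [realms] stanza because the AD CA certificate usually lacks the
# id-pkinit-san extension.
lint_krb5_conf() {  # lint_krb5_conf FILE
    rc=0
    val=$(ini_value_of "$1" pkinit_anchors)
    case "$val" in
        FILE:*|DIR:*|ENV:*) ;;
        "") echo "pkinit_anchors: not set"; rc=1 ;;
        *)  echo "pkinit_anchors: '$val' lacks a FILE:/DIR:/ENV: prefix"; rc=1 ;;
    esac
    val=$(ini_value_of "$1" pkinit_identities)
    case "$val" in
        PKCS11:*) ;;
        *) echo "pkinit_identities: '$val' does not use PKCS11:"; rc=1 ;;
    esac
    if [ "$(ini_section_of "$1" pkinit_kdc_hostname)" != "realms" ]; then
        echo "pkinit_kdc_hostname: not set in a [realms] stanza"; rc=1
    fi
    return $rc
}

# Usage on a live host (paths are the RHEL defaults):
#   lint_krb5_conf /etc/krb5.conf && lint_sssd_conf /etc/sssd/sssd.conf
```

The lint only covers what the thread establishes; it does not check the NSS database or the userCertificate attribute. After it passes, the end-to-end check remains the one given in the reply: `kinit username@REALM` with the card inserted should prompt for a PIN with no extra arguments, and a console or GDM login should then prompt for a PIN rather than a password.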