On Sun, Oct 20, 2019 at 8:54 PM James Cassell fedoraproject@cyberpear.com wrote:
Even if local authentication works w/o the userCertificate attribute, SSH authentication using the Smart Card inherently requires the userCertificate attribute because the certificate is not sent over the SSH session.
When you say "SSH authentication using the Smart Card", what exactly do you mean?
If you mean being able to ssh to another host after one has logged in, we don't care about that, because we use gssapi-with-mic/gssapi-keyex authentication, which bypasses the PAM auth stack entirely.
A use case we would like to be able to make work is the ability for Windows users to ssh into Linux hosts. But we expect we will be unable to get that to work, because:
1) There is no Windows SSH client implementation that we know of that can both perform gssapi-with-mic/gssapi-keyex *and* delegate the Kerberos credentials. For example, PuTTY can do the former, but we've never been able to get it to do the latter, which means that if the user logs in from Windows using PuTTY, they will have no home directory, because we use autofs-mounted NFSv4 home directories with auth=krb5p. (No TGT, no home directory.)
2) I have no idea if a Windows SSH client exists that can proxy the smartcard protocol, as la p11-kit:
https://p11-glue.github.io/p11-glue/p11-kit/manual/remoting.html
nssdb is likely to be required for SSH Smart Card authentication
Again, I don't think we care about this.
There's a subtle bug in OpenSC that breaks CoolKey-based cards using 2048-bit RSA certificates (which is what we're using):
aha! Did you add the coolkey driver to the nssdb? That could be your issue.
No, I didn't, because I saw nothing in any documentation that stated this was necessary.
The easiest way I know to do that is to install the `opensc` package then:
# pkcs11-switch coolkey
opensc should be used instead of coolkey, as coolkey is deprecated in RHEL7, and has been removed from RHEL8 entirely.
I can't test in our production environment at the moment, but I have a test environment that is configured as close to our production environment as I can make it, and in our test environment:
$ pkcs11-switch; echo EOF
EOF
So, no, /etc/pki/nssdb is not configured to use a PKCS#11 module at all.
$ pkcs11-switch opensc; echo EOF
WARNING: Performing this operation while the browser is running could cause corruption of your security databases. If the browser is currently running, you should exit browser before continuing this operation. Type 'q <enter>' to abort, or <enter> to continue:
Module "OpenSC PKCS #11 Module" added to database. ERROR: Failed to delete module "CoolKey PKCS #11 Module". EOF
$ pkcs11-switch; echo EOF opensc EOF
And, lo and behold, in the test environment gdm now detects a smartcard insertion and prompts for the pin.
(In our test environment, PKINIT fails because our AD KDCs aren't properly configured for it, so I can't be sure this is the last hurdle until I replicate this to our production environment.)
I still can't get /usr/bin/login on a virtual console to correctly perform smartcard authentication, though. Have you managed to get that working?
was it trivial to recompile [pkinit] w/ debug flags?
Yes. I've attached the two patches I created. Apply them against the latest upstream c7 branch:
$ git clone https://git.centos.org/git/rpms/krb5.git $ git clone https://git.centos.org/git/centos-git-common.git
…then mockbuild as usual.
WARNING: we found that installing the resulting krb5 packages with debugging enabled will *break* authentication. Only install the debugging packages locally while you are testing kinit, and "yum downgrade" back to the non-debugging packages immediately after you are done.
On Mon, Oct 21, 2019 at 5:39 AM Sumit Bose sbose@redhat.com wrote:
This [smartcard prompting] is a feature of GDM which requires the dconf setting as you mentioned before and that the PKCS#11 module (OpenSC or Coolkey) is added to /etc/pki/nssdb.
Yes, I realize that now. But this requirement is documented nowhere that I encountered it.
The latter should be done automatically during the installation of the related package.
No %post script on the system calls pkcs11-switch:
$ rpm -qa --scripts | grep pkcs11-switch
That includes opensc:
$ rpm -q --scripts opensc postinstall program: /sbin/ldconfig postuninstall program: /sbin/ldconfig
Not a single document I could find anywhere on gnome.org mentions this requirement, either.
If something was supposed to automatically perform this step for me, I don't know what it is.
About dconf, how did you add the Smartcard authentication option?
We maintain dconf settings via Puppet.
But as James Cassell noted, it's the default, anyway.
/etc/pki/nssdb on RHEL7 (or /etc/sssd/pki/sssd_auth_ca_db.pem on RHEL8) should contain the CA certificates needed to verify the user certificate.
Is this necessary for PKINIT authentication? Or just for SSH authentication?
We would like to avoid having to do this, because update-ca-trust(8) does not maintain /etc/pki/nssdb, which means we will have to come up with a mechanism to maintain /etc/pki/nssdb automatically on our hosts.
(If we can't automate it, we don't do it.)
I commented in the pagure ticket and mentioned a work-around.
I saw; thanks. I'll respond in the ticket.
Thank you both for helping to improve the documentation about Smartcard authentication with real-world examples.
You're welcome.
With the rise of multi-factor authentication (MFA) solutions like Google Authenticator and Duo, using smartcards for MFA is clearly on the decline. (And it was never that popular to begin with.)
But, alas, there are some environments where smartcard MFA is mandated. So hopefully documenting how to get this to work will be useful to others.