I configured a YubiKey on Windows using the YubiKey minidriver with the following certificates:
- my "orion" certificate - went into slot 9a PIV Auth
- A MacOS keychain cert per their docs - went into slot 9d Key Management
- Another auth certificate for "orion-admin" - went into slot 82
I'm able to authenticate on Windows as either orion or orion-admin, but on Linux with sssd it does not see the orion-admin certificate. What needs to happen to support this?
Thanks!
On Wed, Nov 28, 2018 at 04:57:17PM -0700, Orion Poplawski wrote:
I configured a YubiKey on Windows using the YubiKey minidriver with the following certificates:
- my "orion" certificate - went into slot 9a PIV Auth
- A MacOS keychain cert per their docs - went into slot 9d Key Management
- Another auth certificate for "orion-admin" - went into slot 82
I'm able to authenticate on Windows as either orion or orion-admin, but on Linux with sssd it does not see the orion-admin certificate. What needs to happen to support this?
Which version of SSSD are you using?
Can you send the output of
p11tool --list-all --provider opensc-pkcs11.so
and
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(in case you use a very recent OpenSSL build of SSSD please use '--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem' or the place where your CA certificates are stored).
bye, Sumit
Thanks!
--
Orion Poplawski
Manager of NWRA Technical Systems
720-772-5637
NWRA, Boulder/CoRA Office
FAX: 303-415-9702
3380 Mitchell Lane
orion@nwra.com
Boulder, CO 80301
https://www.nwra.com/
_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
On 11/28/18 11:29 PM, Sumit Bose wrote:
On Wed, Nov 28, 2018 at 04:57:17PM -0700, Orion Poplawski wrote:
I configured a YubiKey on Windows using the YubiKey minidriver with the following certificates:
- my "orion" certificate - went into slot 9a PIV Auth
- A MacOS keychain cert per their docs - went into slot 9d Key Management
- Another auth certificate for "orion-admin" - went into slot 82
I'm able to authenticate on Windows as either orion or orion-admin, but on Linux with sssd it does not see the orion-admin certificate. What needs to happen to support this?
Which version of SSSD are you using?
sssd-1.16.2-13.el7_5
Can you send the output of
p11tool --list-all --provider opensc-pkcs11.so
$ p11tool --list-all --provider /usr/lib64/opensc-pkcs11.so
Object 0:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=PIV%20AUTH%20pubkey;type=public
    Type: Public key
    Label: PIV AUTH pubkey
    Flags: CKA_WRAP/UNWRAP;
    ID: 01

Object 1:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert
    Type: X.509 Certificate
    Label: Certificate for PIV Authentication
    ID: 01

Object 2:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=KEY%20MAN%20pubkey;type=public
    Type: Public key
    Label: KEY MAN pubkey
    ID: 03

Object 3:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=Certificate%20for%20Key%20Management;type=cert
    Type: X.509 Certificate
    Label: Certificate for Key Management
    ID: 03

Object 4:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Card%20Capability%20Container;type=data
    Type: Data
    Label: Card Capability Container
    ID:

Object 5:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Card%20Holder%20Unique%20Identifier;type=data
    Type: Data
    Label: Card Holder Unique Identifier
    ID:

Object 6:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Unsigned%20Card%20Holder%20Unique%20Identifier;type=data
    Type: Data
    Label: Unsigned Card Holder Unique Identifier
    ID:

Object 7:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20PIV%20Authentication;type=data
    Type: Data
    Label: X.509 Certificate for PIV Authentication
    ID:

Object 8:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Digital%20Signature;type=data
    Type: Data
    Label: X.509 Certificate for Digital Signature
    ID:

Object 9:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Key%20Management;type=data
    Type: Data
    Label: X.509 Certificate for Key Management
    ID:

Object 10:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Card%20Authentication;type=data
    Type: Data
    Label: X.509 Certificate for Card Authentication
    ID:

Object 11:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Security%20Object;type=data
    Type: Data
    Label: Security Object
    ID:

Object 12:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Discovery%20Object;type=data
    Type: Data
    Label: Discovery Object
    ID:
and
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Thu Nov 29 13:31:29:125830 2018) [[sssd[p11_child[2569]]]] [main] (0x0400): p11_child started.
(Thu Nov 29 13:31:29:126388 2018) [[sssd[p11_child[2569]]]] [main] (0x2000): Running in [pre-auth] mode.
(Thu Nov 29 13:31:29:126426 2018) [[sssd[p11_child[2569]]]] [main] (0x2000): Running with effective IDs: [22603][22603].
(Thu Nov 29 13:31:29:126459 2018) [[sssd[p11_child[2569]]]] [main] (0x2000): Running with real IDs [22603][22603].
(Thu Nov 29 13:31:29:341356 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Default Module List:
(Thu Nov 29 13:31:29:341396 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Thu Nov 29 13:31:29:341415 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): dll name: [(null)].
(Thu Nov 29 13:31:29:341433 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): common name: [OpenSC].
(Thu Nov 29 13:31:29:341451 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): dll name: [/usr/lib64/opensc-pkcs11.so].
(Thu Nov 29 13:31:29:341468 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Dead Module List:
(Thu Nov 29 13:31:29:341485 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): DB Module List:
(Thu Nov 29 13:31:29:341503 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): common name: [NSS Internal Module].
(Thu Nov 29 13:31:29:341520 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): dll name: [(null)].
(Thu Nov 29 13:31:29:341537 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): common name: [Policy File].
(Thu Nov 29 13:31:29:341554 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): dll name: [(null)].
(Thu Nov 29 13:31:29:367703 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [1].
(Thu Nov 29 13:31:29:367790 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation ] Manufacturer [Mozilla Foundation ] flags [9].
(Thu Nov 29 13:31:29:368358 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Description [Yubico Yubikey 4 OTP+U2F+CCID 00 00 Yubico ] Manufacturer [Yubico ] flags [7].
(Thu Nov 29 13:31:29:368416 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Found [Orion Poplawski] in slot [Yubico Yubikey 4 OTP+U2F+CCID 00 00][0] of module [2][/usr/lib64/opensc-pkcs11.so].
(Thu Nov 29 13:31:29:368455 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Token is NOT friendly.
(Thu Nov 29 13:31:29:368488 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Trying to switch to friendly to read certificate.
(Thu Nov 29 13:31:29:368517 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Login required.
(Thu Nov 29 13:31:29:368544 2018) [[sssd[p11_child[2569]]]] [do_card] (0x0020): Login required but no PIN available, continue.
(Thu Nov 29 13:31:29:369245 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Orion Poplawski:Certificate for PIV Authentication][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:369296 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Orion Poplawski:Certificate for Key Management][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:369332 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Filtered certificates:
(Thu Nov 29 13:31:29:369364 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Orion Poplawski:Certificate for PIV Authentication][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:370948 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): (null) /usr/lib64/opensc-pkcs11.so (null) Orion Poplawski (null) (null).
(Thu Nov 29 13:31:29:371002 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Orion Poplawski:Certificate for Key Management][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com]
(Thu Nov 29 13:31:29:371049 2018) [[sssd[p11_child[2569]]]] [do_verification] (0x0040): Certificate [Orion Poplawski:Certificate for Key Management][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com] not valid [-8102][Certificate key usage inadequate for attempted operation.].
(Thu Nov 29 13:31:29:371109 2018) [[sssd[p11_child[2569]]]] [do_card] (0x0040): Certificate [Orion Poplawski:Certificate for Key Management][CN=Orion Poplawski,OU=NWRA,DC=ad,DC=nwra,DC=com] not valid, skipping.
(Thu Nov 29 13:31:29:430991 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Found certificate has key id [01].
Orion Poplawski
/usr/lib64/opensc-pkcs11.so
01
Certificate for PIV Authentication
MIIH5TCCBc2gAwIBAgITdgAAAczbsI5xA5LqwgAAAAABzDANBgkqhkiG9w0BAQ0FADBcMRMwEQYKCZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEbndyYTESMBAGCgmSJomT8ixkARkWAmFkMRswGQYDVQQDExJhZC1BRC1TRUFUVExFMDEtQ0EwHhcNMTgxMTIxMTc1MjA4WhcNMjAxMTIxMTgwMjA4WjBoMRMwEQYKCZImiZPyLGQBGRYDY29tMRQwEgYKCZImiZPyLGQBGRYEbndyYTESMBAGCgmSJomT8ixkARkWAmFkMQ0wCwYDVQQLEwROV1JBMRgwFgYDVQQDEw9PcmlvbiBQb3BsYXdza2kwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0rbm0RJlpt16T8hM4TJauyh+1pQZI6tzlMPMAvljpo52KNXof9zf5z21kn+fmWmESkuHi32Ddzx5u+QoOu7YngDa+Ek/vfMpoLCpc2ioyJTXyOSArj3PLllNzSRewm5LJYxhKYqz7PegfTR9m0+NpNYh6vOIm9rzLFmG5+MZJdkv8zwZoIYbcON+ZAZDczGxinTSU5qK/G8c20CdDJbNyu+YWnd2B0owhgXlq7faddG/aXEpIT3FDJtTcX0EjHLyh1Zr2IIZiMvRlRLdTl2Kq4ujNYJcYSiQGkAfXo5KEyC2iZh5k2m+7qyE7v82m+MXUdVtcFtuw4fTj1edSnOBvAgMBAAGjggOSMIIDjjA9BgkrBgEEAYI3FQcEMDAuBiYrBgEEAYI3FQiD5Jojg6WiQ4GNnRCBnuAagaqGBoEywalyhtXJewIBZAIBBTAfBgNVHSUEGDAWBgorBgEEAYI3FAICBggrBgEFBQcDAjAOBgNVHQ8BAf8EBAMCBaAwKQYJKwYBBAGCNxUKBBwwGjAMBgorBgEEAYI3FAICMAoGCCsGAQUFBwMCMIGUBgkqhkiG9w0BCQ8EgYYwgYMwCwYJYIZIAWUDBAEqMAsGCWCGSAFlAwQBLTALBglghkgBZQMEARYwCwYJYIZIAWUDBAEZMAsGCWCGSAFlAwQBAjALBglghkgBZQMEAQUwCgYIKoZIhvcNAwcwBwYFKw4DAgcwDgYIKoZIhvcNAwICAgCAMA4GCCqGSIb3DQMEAgICADAdBgNVHQ4EFgQUrBhZaZYc5ALsWmG+76SqDPYr4cIwHwYDVR0jBBgwFoAUfNJMaZA8k520zkPFvv5Hfl4MDTkwggEgBgNVHR8EggEXMIIBEzCCAQ+gggELoIIBB4ZBaHR0cDovL0FELVNFQVRUTEUwMS5hZC5ud3JhLmNvbS9DZXJ0RW5yb2xsL2FkLUFELVNFQVRUTEUwMS1DQS5jcmyGgcFsZGFwOi8vL0NOPWFkLUFELVNFQVRUTEUwMS1DQSxDTj1BRC1TRUFUVExFMDEsQ049Q0RQLENOPVB1YmxpYyUyMEtleSUyMFNlcnZpY2VzLENOPVNlcnZpY2VzLENOPUNvbmZpZ3VyYXRpb24sREM9YWQsREM9bndyYSxEQz1jb20/Y2VydGlmaWNhdGVSZXZvY2F0aW9uTGlzdD9iYXNlP29iamVjdENsYXNzPWNSTERpc3RyaWJ1dGlvblBvaW50MIHHBggrBgEFBQcBAQSBujCBtzCBtAYIKwYBBQUHMAKGgadsZGFwOi8vL0NOPWFkLUFELVNFQVRUTEUwMS1DQSxDTj1BSUEsQ049UHVibGljJTIwS2V5JTIwU2VydmljZXMsQ049U2VydmljZXMsQ049Q29uZmlndXJhdGlvbixEQz1hZCxEQz1ud3JhLERDPWNvbT9jQUNlcnRpZmljYXRlP2Jhc2U/b2JqZWN0Q2xhc3M9Y2VydGlmaWNhdGlvbkF1dGhvcml0eTAsBgNVHREEJTAjoCEGCisGAQQBgjcUAgOgEwwRb3Jpb25AYWQubndyYS5jb20wDQYJKoZIhvcNAQENBQADggIBAJLuzfAPsiBf9VLIbevGMYRDoG0IgArZVSpd9LtW8gGjvta6zPfq9WrGGzPu8fclNE8PHVeV8YnkJpLFyu4Z8PjUwZZrN4Jt//yTxuMMa2srE5VEtnqulb/Hmyh5PKBTeN2HdDnX5o85btZruAvazfv3N8gmlQWOrkPWWW83uQKoritnpA+20hkQc6P6ojt51ViYZQKMpp+nCbjBKZ8ybWL0zwIM9Hd0iHFp2ZhuuQz5UpzuVGPgI4zu8CyVo3gfP2N1e8dBHz/OGtNDU3sXHEMjSay1EP2A+eKYelRQq0Dh2fs78AUEaOMaimgX24d7gH6WiuPjgfUxLy4DP7qq/aFpjEeDJo0IplfY4RxGSUe63GivmGGOGXklcq6ZU8aycY2C8QJtLmfAD7SKhzxmwScb9MKM0U4naP25VzOheE6V6e2RN4pGA5h9PJyI5+/Pbf82FuLsq4mVOjmLcD7gzSdjkMbysoqz/gLbhytDJ4Eh8FTg3YncqXWb4r8gcRKBZXuoLCrGDliYaHsJFsbAsX7vJ0Tp1DnvX7wWGXWGDxHtPRetmtq+cauKeHIXmSI3R7zueMDL2Gt3089NBJh/Hp2qAWwShR3TuO2tffConFJS9LLX5SBlNA2Lkybxsh/FAbPjFbzC5oCeGO0g5zuaago7WEm4CuiLQtvfimO9GNKe
And just for comparison:
$ yubico-piv-tool -a status
CHUID:  3019d4e739da739ced39ce739d836858210842108421384210c3f53410072180727c4b0c30d75c91b27c25efbd350832303330303130313e00fe00
CCC:    f015a000000116ff022b6532e39b0c782d8ec7b26efca5f10121f20121f300f40100f50110f600f700fa00fb00fc00fd00fe00
Slot 9a:
    Algorithm:   RSA2048
    Subject DN:  DC=com, DC=nwra, DC=ad, OU=NWRA, CN=Orion Poplawski
    Issuer DN:   DC=com, DC=nwra, DC=ad, CN=ad-AD-SEATTLE01-CA
    Fingerprint: 5a73f59cc4e93ef40012aedf0268abd0cf8fd260fbb243563f56271edf9fc99f
    Not Before:  Nov 21 17:52:08 2018 GMT
    Not After:   Nov 21 18:02:08 2020 GMT
Slot 9d:
    Algorithm:   RSA2048
    Subject DN:  DC=com, DC=nwra, DC=ad, OU=NWRA, CN=Orion Poplawski
    Issuer DN:   DC=com, DC=nwra, DC=ad, CN=ad-AD-SEATTLE01-CA
    Fingerprint: 9c6ae38156c501a4ef033dd54e509053dbf06640f6f6b5d5fcaeced20c815290
    Not Before:  Nov 21 17:52:39 2018 GMT
    Not After:   Nov 21 18:02:39 2020 GMT
Slot 82:
    Algorithm:   RSA2048
    Subject DN:  DC=com, DC=nwra, DC=ad, OU=NWRA, OU=Admin-Accounts, CN=Orion Poplawski
    Issuer DN:   DC=com, DC=nwra, DC=ad, CN=ad-AD-SEATTLE01-CA
    Fingerprint: 8565497be7c56c7595ee7389d7781b8830fe5f110917ee2b16227e831c164b00
    Not Before:  Nov 21 18:10:10 2018 GMT
    Not After:   Nov 21 18:20:10 2020 GMT
(in case you use a very recent OpenSSL build of SSSD please use '--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem' or the place where your CA certificates are stored).
I'll try to run this on a Fedora system as well....
bye, Sumit
Thanks!
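The p11_child debug output quoted above is the central diagnostic in this thread: it shows which certificates the token exposed, which one the verification step rejected ("Certificate key usage inadequate for attempted operation") and, on the F29 run further down, a hard failure when the CA database path was wrong. The following script is an added example, not code from SSSD or from anyone in the thread; it parses lines of that shape into a short summary. The two sample logs are constructed here with made-up token and subject names and cover both the EL7 NSS build (labels carry a "token:" prefix) and the failure pattern of the OpenSSL build.

```python
"""Summarise a 'p11_child -d 10 --pre' debug log: certificates found,
certificates rejected by verification (with the reason), and hard failures.

Added example, not SSSD's own code. The regular expressions follow the line
shapes visible in the sssd-users thread; the sample logs are constructed."""
import re

# One debug entry: (timestamp) [[sssd[p11_child[pid]]]] [function] (level): message
LINE_RE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[\[sssd\[p11_child\[\d+\]\]\]\] "
    r"\[(?P<func>\w+)\] \((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
FOUND_RE = re.compile(r"found cert\[(?P<label>[^\]]*)\]\[(?P<subject>[^\]]*)\]")
INVALID_RE = re.compile(
    r"Certificate \[(?P<label>[^\]]*)\]\[[^\]]*\] not valid "
    r"\[(?P<code>-?\d+)\]\[(?P<reason>[^\]]*)\]"
)


def summarize_p11_child_log(text):
    """Return {found, rejected, failures, usable} for one p11_child run."""
    found = []        # certificate labels in discovery order, deduplicated
    rejected = {}     # label -> reason given by do_verification
    failures = []     # "function: message" for error-level lines reporting a failure
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # result lines (token, module, key id, label, base64) are not entries
        msg = m["msg"]
        f = FOUND_RE.search(msg)
        if f and f["label"] not in found:
            found.append(f["label"])
        r = INVALID_RE.search(msg)
        if r:
            rejected[r["label"]] = r["reason"]
        if m["level"] in ("0x0020", "0x0040") and "failed" in msg:
            failures.append(f"{m['func']}: {msg}")
    usable = [label for label in found if label not in rejected]
    return {"found": found, "rejected": rejected, "failures": failures, "usable": usable}


# Constructed sample: NSS build, one cert usable, one rejected for key usage.
SAMPLE_LOG = """\
(Thu Nov 29 13:31:29:368544 2018) [[sssd[p11_child[2569]]]] [do_card] (0x0020): Login required but no PIN available, continue.
(Thu Nov 29 13:31:29:369245 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Example Token:Certificate for PIV Authentication][CN=Example User,OU=Test,DC=example,DC=org]
(Thu Nov 29 13:31:29:369296 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Example Token:Certificate for Key Management][CN=Example User,OU=Test,DC=example,DC=org]
(Thu Nov 29 13:31:29:369332 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Filtered certificates:
(Thu Nov 29 13:31:29:369364 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): found cert[Example Token:Certificate for PIV Authentication][CN=Example User,OU=Test,DC=example,DC=org]
(Thu Nov 29 13:31:29:371049 2018) [[sssd[p11_child[2569]]]] [do_verification] (0x0040): Certificate [Example Token:Certificate for Key Management][CN=Example User,OU=Test,DC=example,DC=org] not valid [-8102][Certificate key usage inadequate for attempted operation.].
(Thu Nov 29 13:31:29:371109 2018) [[sssd[p11_child[2569]]]] [do_card] (0x0040): Certificate [Example Token:Certificate for Key Management][CN=Example User,OU=Test,DC=example,DC=org] not valid, skipping.
(Thu Nov 29 13:31:29:430991 2018) [[sssd[p11_child[2569]]]] [do_card] (0x4000): Found certificate has key id [01].
Example Token
/usr/lib64/opensc-pkcs11.so
01
Certificate for PIV Authentication
MIIB...base64-omitted...
"""

# Constructed sample: OpenSSL build pointed at a CA database path it cannot load.
SAMPLE_FAILED_LOG = """\
(Thu Nov 29 14:01:57:601833 2018) [[sssd[p11_child[3338]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
(Thu Nov 29 14:01:57:602056 2018) [[sssd[p11_child[3338]]]] [do_work] (0x0040): init_verification failed.
(Thu Nov 29 14:01:57:602358 2018) [[sssd[p11_child[3338]]]] [main] (0x0040): do_work failed.
(Thu Nov 29 14:01:57:602651 2018) [[sssd[p11_child[3338]]]] [main] (0x0020): p11_child failed!
"""

if __name__ == "__main__":
    for name, log in (("token run", SAMPLE_LOG), ("failed run", SAMPLE_FAILED_LOG)):
        summary = summarize_p11_child_log(log)
        print(name)
        for key, value in summary.items():
            print(f"  {key}: {value}")
```

Feed it a real run with `summarize_p11_child_log(open("p11_child.log").read())`; an empty `usable` list with a non-empty `rejected` map is the "SSSD does not see my certificate" case, while anything in `failures` means the run never got as far as looking at the token.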
On 11/28/18 11:29 PM, Sumit Bose wrote:
On Wed, Nov 28, 2018 at 04:57:17PM -0700, Orion Poplawski wrote:
I configured a YubiKey on Windows using the YubiKey minidriver with the following certificates:
- my "orion" certificate - went into slot 9a PIV Auth
- A MacOS keychain cert per their docs - went into slot 9d Key Management
- Another auth certificate for "orion-admin" - went into slot 82
I'm able to authenticate on Windows as either orion or orion-admin, but on Linux with sssd it does not see the orion-admin certificate. What needs to happen to support this?
Which version of SSSD are you using?
On F29:
sssd-2.0.0-4.fc29.x86_64
I get somewhat different behavior. First the gdm login screen presents two certificates:
- Certificate for Key Management
- Certificate for PIV Authentication
but still does not list the admin cert. Also, I don't believe it should list the Key Management cert because it is not flagged for smart card authentication.
Can you send the output of
p11tool --list-all --provider opensc-pkcs11.so
# p11tool --list-all --provider opensc-pkcs11.so
Object 0:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=PIV%20AUTH%20pubkey;type=public
    Type: Public key (RSA-2048)
    Label: PIV AUTH pubkey
    Flags: CKA_WRAP/UNWRAP;
    ID: 01

Object 1:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Sat Nov 21 11:02:08 2020
    Label: Certificate for PIV Authentication
    ID: 01

Object 2:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=KEY%20MAN%20pubkey;type=public
    Type: Public key (RSA-2048)
    Label: KEY MAN pubkey
    Flags: CKA_WRAP/UNWRAP;
    ID: 03

Object 3:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=Certificate%20for%20Key%20Management;type=cert
    Type: X.509 Certificate (RSA-2048)
    Expires: Sat Nov 21 11:02:39 2020
    Label: Certificate for Key Management
    ID: 03

Object 4:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Card%20Capability%20Container;type=data
    Type: Data
    Label: Card Capability Container
    ID:

Object 5:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Card%20Holder%20Unique%20Identifier;type=data
    Type: Data
    Label: Card Holder Unique Identifier
    ID:

Object 6:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Unsigned%20Card%20Holder%20Unique%20Identifier;type=data
    Type: Data
    Label: Unsigned Card Holder Unique Identifier
    ID:

Object 7:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20PIV%20Authentication;type=data
    Type: Data
    Label: X.509 Certificate for PIV Authentication
    ID:

Object 8:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Digital%20Signature;type=data
    Type: Data
    Label: X.509 Certificate for Digital Signature
    ID:

Object 9:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Key%20Management;type=data
    Type: Data
    Label: X.509 Certificate for Key Management
    ID:

Object 10:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Card%20Authentication;type=data
    Type: Data
    Label: X.509 Certificate for Card Authentication
    ID:

Object 11:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Security%20Object;type=data
    Type: Data
    Label: Security Object
    ID:

Object 12:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Discovery%20Object;type=data
    Type: Data
    Label: Discovery Object
    ID:
and
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(in case you use a very recent OpenSSL build of SSSD please use '--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem' or the place where your CA certificates are stored).
# /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Thu Nov 29 14:01:57:597372 2018) [[sssd[p11_child[3338]]]] [main] (0x0400): p11_child started.
(Thu Nov 29 14:01:57:597666 2018) [[sssd[p11_child[3338]]]] [main] (0x2000): Running in [pre-auth] mode.
(Thu Nov 29 14:01:57:597858 2018) [[sssd[p11_child[3338]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Nov 29 14:01:57:598246 2018) [[sssd[p11_child[3338]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Nov 29 14:01:57:601833 2018) [[sssd[p11_child[3338]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
(Thu Nov 29 14:01:57:602056 2018) [[sssd[p11_child[3338]]]] [do_work] (0x0040): init_verification failed.
(Thu Nov 29 14:01:57:602358 2018) [[sssd[p11_child[3338]]]] [main] (0x0040): do_work failed.
(Thu Nov 29 14:01:57:602651 2018) [[sssd[p11_child[3338]]]] [main] (0x0020): p11_child failed!
root@vmf29.cora.nwra.com [~]# /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --pre
(Thu Nov 29 14:02:14:096983 2018) [[sssd[p11_child[3376]]]] [main] (0x0400): p11_child started.
(Thu Nov 29 14:02:14:097325 2018) [[sssd[p11_child[3376]]]] [main] (0x2000): Running in [pre-auth] mode.
(Thu Nov 29 14:02:14:097558 2018) [[sssd[p11_child[3376]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Nov 29 14:02:14:097815 2018) [[sssd[p11_child[3376]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Nov 29 14:02:14:520623 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Module List:
(Thu Nov 29 14:02:14:520694 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): common name: [p11-kit-trust].
(Thu Nov 29 14:02:14:520704 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
(Thu Nov 29 14:02:14:520735 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true].
(Thu Nov 29 14:02:14:520753 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true].
(Thu Nov 29 14:02:14:520764 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): common name: [opensc].
(Thu Nov 29 14:02:14:520771 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
(Thu Nov 29 14:02:14:521689 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Description [Yubico Yubikey 4 OTP+U2F+CCID 00 00 Yubico ] Manufacturer [Yubico ] flags [7] removable [true] token present [true].
(Thu Nov 29 14:02:14:538790 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Found [Orion Poplawski] in slot [Yubico Yubikey 4 OTP+U2F+CCID 00 00][0] of module [1][/usr/lib64/pkcs11/opensc-pkcs11.so].
(Thu Nov 29 14:02:14:538824 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Login NOT required.
(Thu Nov 29 14:02:14:539066 2018) [[sssd[p11_child[3376]]]] [read_certs] (0x4000): found cert[Certificate for PIV Authentication][/DC=com/DC=nwra/DC=ad/OU=NWRA/CN=Orion Poplawski]
(Thu Nov 29 14:02:14:539770 2018) [[sssd[p11_child[3376]]]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
(Thu Nov 29 14:02:14:539891 2018) [[sssd[p11_child[3376]]]] [read_certs] (0x4000): found cert[Certificate for Key Management][/DC=com/DC=nwra/DC=ad/OU=NWRA/CN=Orion Poplawski]
(Thu Nov 29 14:02:14:540279 2018) [[sssd[p11_child[3376]]]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
(Thu Nov 29 14:02:14:540299 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): (null) /usr/lib64/pkcs11/opensc-pkcs11.so (null) Orion Poplawski (null) 03.
(Thu Nov 29 14:02:14:540308 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): (null) /usr/lib64/pkcs11/opensc-pkcs11.so (null) Orion Poplawski (null) 01.
(Thu Nov 29 14:02:14:540377 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Yubico%20Yubikey%204%20OTP%2bU2F%2bCCID%2000%2000;slot-manufacturer=Yubico;slot-id=0;model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert.
(Thu Nov 29 14:02:14:540417 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Yubico%20Yubikey%204%20OTP%2bU2F%2bCCID%2000%2000;slot-manufacturer=Yubico;slot-id=0;model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=Certificate%20for%20Key%20Management;type=cert.
(Thu Nov 29 14:02:14:540430 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Found certificate has key id [01].
(Thu Nov 29 14:02:14:540457 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Found certificate has key id [03].
Orion Poplawski
/usr/lib64/pkcs11/opensc-pkcs11.so
01
Certificate for PIV Authentication
[...]
Orion Poplawski
/usr/lib64/pkcs11/opensc-pkcs11.so
03
Certificate for Key Management
[...]
bye, Sumit
Thanks!
On Thu, Nov 29, 2018 at 02:03:09PM -0700, Orion Poplawski wrote:
On 11/28/18 11:29 PM, Sumit Bose wrote:
On Wed, Nov 28, 2018 at 04:57:17PM -0700, Orion Poplawski wrote:
I configured a YubiKey on Windows using the YubiKey minidriver with the following certificates:
- my "orion" certificate - went into slot 9a PIV Auth
- A MacOS keychain cert per their docs - went into slot 9d Key Management
- Another auth certificate for "orion-admin" - went into slot 82
I'm able to authenticate on Windows as either orion or orion-admin, but on Linux with sssd it does not see the orion-admin certificate. What needs to happen to support this?
Which version of SSSD are you using?
On F29:
sssd-2.0.0-4.fc29.x86_64
I get somewhat different behavior. First the gdm login screen presents two certificates:
- Certificate for Key Management
- Certificate for PIV Authentication
but still does not list the admin cert. Also, I don't believe it should list the Key Management cert because it is not flagged for smart card authentication.
Do you mean the labels 'Certificate for PIV Authentication' and 'Certificate for Key Management' by 'flagged'?
SSSD only looks at the content of the certificate and by default uses everything with key usage digitalSignature and extended key usage clientAuth. With F29 you can modify this by adding mapping and matching rules to sssd.conf, see the 'CERTIFICATE MAPPING SECTION' in man sssd.conf for details.
Can you send the output of
p11tool --list-all --provider opensc-pkcs11.so
The slots for the retired keys are not visible. I've found https://github.com/OpenSC/OpenSC/issues/847#issuecomment-238119888 with a command which made the slots visible for PKCS#11 on my Yubikey. Nevertheless the type is still data even after importing a certificate with 'yubico-piv-tool -a import-certificate'. Maybe this is different when using the Windows driver?
Since you already reached out to Yubico you might want to ask as well what needs to be done to make the certificates and private keys stored in the retired slots properly available as certificate and private key on the PKCS#11 level.
bye, Sumit
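Sumit's point above is that SSSD decides by certificate content, not by slot or label: by default a certificate is offered for login only if its keyUsage includes digitalSignature and its extendedKeyUsage includes clientAuth. The script below is an added example (not code from SSSD, OpenSC or anyone in this thread) that applies exactly that rule to the DER Extensions block of a certificate. It carries its own minimal DER encoder/decoder, and the three sample extension blocks are constructed here, modelled on the thread's description of the PIV Authentication and Key Management certificates rather than taken from Orion's actual YubiKey; how a missing keyUsage or extendedKeyUsage extension is treated (no match) is this example's choice.

```python
"""Apply SSSD's default <KU>digitalSignature<EKU>clientAuth selection rule
(man sssd.conf, CERTIFICATE MAPPING SECTION) to X.509 extension data.

Added example, not SSSD's own code. DER helpers and samples are constructed."""

# Object identifiers as DER content octets (standard values).
OID_KEY_USAGE = bytes.fromhex("551d0f")                       # 2.5.29.15
OID_EXT_KEY_USAGE = bytes.fromhex("551d25")                   # 2.5.29.37
OID_CLIENT_AUTH = bytes.fromhex("2b06010505070302")           # 1.3.6.1.5.5.7.3.2
OID_MS_SMARTCARD_LOGON = bytes.fromhex("2b060104018237140202")  # 1.3.6.1.4.1.311.20.2.2


def der_length(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, content):
    return bytes([tag]) + der_length(len(content)) + content


def read_tlv(data, pos=0):
    """Decode one TLV at pos; return (tag, content, position after it)."""
    tag, first = data[pos], data[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, data[pos:pos + length], pos + length


def children(content):
    """Yield (tag, content) for every TLV packed inside a constructed value."""
    pos = 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        yield tag, value


def parse_extensions(extensions_der):
    """Map extnID (OID content octets) -> extnValue bytes for an Extensions SEQUENCE."""
    tag, body, _ = read_tlv(extensions_der)
    if tag != 0x30:
        raise ValueError("Extensions must be a SEQUENCE")
    out = {}
    for _, ext in children(body):
        parts = list(children(ext))  # OID, optional BOOLEAN critical, OCTET STRING
        out[parts[0][1]] = parts[-1][1]
    return out


def key_usage_has_digital_signature(extn_value):
    """digitalSignature is bit 0 of the KeyUsage BIT STRING: MSB of the first data byte."""
    tag, bits, _ = read_tlv(extn_value)  # bits[0] = unused-bit count, bits[1:] = data
    return tag == 0x03 and len(bits) >= 2 and bool(bits[1] & 0x80)


def extended_key_usages(extn_value):
    tag, body, _ = read_tlv(extn_value)  # SEQUENCE OF OBJECT IDENTIFIER
    return [oid for t, oid in children(body) if t == 0x06] if tag == 0x30 else []


def sssd_default_match(extensions_der):
    """True when the certificate would pass SSSD's default mapping rule.
    A missing keyUsage or extendedKeyUsage extension counts as no match here."""
    exts = parse_extensions(extensions_der)
    ku, eku = exts.get(OID_KEY_USAGE), exts.get(OID_EXT_KEY_USAGE)
    return (ku is not None and key_usage_has_digital_signature(ku)
            and eku is not None and OID_CLIENT_AUTH in extended_key_usages(eku))


# --- constructed sample data (not the thread's real certificates) -------------
def extension(oid, value, critical=False):
    parts = tlv(0x06, oid) + (tlv(0x01, b"\xff") if critical else b"")
    return tlv(0x30, parts + tlv(0x04, value))


def key_usage(unused_bits, first_byte):
    return tlv(0x03, bytes([unused_bits, first_byte]))


def eku(*oids):
    return tlv(0x30, b"".join(tlv(0x06, o) for o in oids))


SAMPLE_CERT_EXTENSIONS = {
    # PIV Authentication style: digitalSignature+keyEncipherment, EKU smartcard logon + clientAuth
    "piv-auth": tlv(0x30, extension(OID_EXT_KEY_USAGE, eku(OID_MS_SMARTCARD_LOGON, OID_CLIENT_AUTH))
                    + extension(OID_KEY_USAGE, key_usage(5, 0xA0), critical=True)),
    # Key Management style: keyEncipherment only, no EKU at all
    "key-management": tlv(0x30, extension(OID_KEY_USAGE, key_usage(5, 0x20), critical=True)),
    # digitalSignature present but EKU lacks clientAuth
    "sign-only": tlv(0x30, extension(OID_KEY_USAGE, key_usage(7, 0x80), critical=True)
                     + extension(OID_EXT_KEY_USAGE, eku(OID_MS_SMARTCARD_LOGON))),
}


def classify_samples():
    return {name: sssd_default_match(der) for name, der in SAMPLE_CERT_EXTENSIONS.items()}


if __name__ == "__main__":
    for name, offered in classify_samples().items():
        print(f"{name:15s} offered for login: {offered}")
```

To run the same check against a real certificate, decode the DER and hand `parse_extensions` the `extensions [3]` element of the TBSCertificate; a certificate whose only usable bits are keyEncipherment, like the Key Management sample, is exactly the one the NSS-based p11_child rejected earlier in this thread with "Certificate key usage inadequate for attempted operation".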
# p11tool --list-all --provider opensc-pkcs11.so Object 0: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=PIV%20AUTH%20pubkey;type=public Type: Public key (RSA-2048) Label: PIV AUTH pubkey Flags: CKA_WRAP/UNWRAP; ID: 01
Object 1: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert Type: X.509 Certificate (RSA-2048) Expires: Sat Nov 21 11:02:08 2020 Label: Certificate for PIV Authentication ID: 01
Object 2: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=KEY%20MAN%20pubkey;type=public Type: Public key (RSA-2048) Label: KEY MAN pubkey Flags: CKA_WRAP/UNWRAP; ID: 03
Object 3: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=Certificate%20for%20Key%20Management;type=cert Type: X.509 Certificate (RSA-2048) Expires: Sat Nov 21 11:02:39 2020 Label: Certificate for Key Management ID: 03
Object 4: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Card%20Capability%20Container;type=data Type: Data Label: Card Capability Container ID:
Object 5: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Card%20Holder%20Unique%20Identifier;type=data Type: Data Label: Card Holder Unique Identifier ID:
Object 6: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Unsigned%20Card%20Holder%20Unique%20Identifier;type=data Type: Data Label: Unsigned Card Holder Unique Identifier ID:
Object 7: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20PIV%20Authentication;type=data Type: Data Label: X.509 Certificate for PIV Authentication ID:
Object 8: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Digital%20Signature;type=data Type: Data Label: X.509 Certificate for Digital Signature ID:
Object 9: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Key%20Management;type=data Type: Data Label: X.509 Certificate for Key Management ID:
Object 10: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=X.509%20Certificate%20for%20Card%20Authentication;type=data Type: Data Label: X.509 Certificate for Card Authentication ID:
Object 11: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Security%20Object;type=data Type: Data Label: Security Object ID:
Object 12: URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;object=Discovery%20Object;type=data Type: Data Label: Discovery Object ID:
and
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(in case you use a very recent OpenSSL build of SSSD please use '--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem' or the place where your CA certifcates are stored).
# /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Thu Nov 29 14:01:57:597372 2018) [[sssd[p11_child[3338]]]] [main] (0x0400): p11_child started.
(Thu Nov 29 14:01:57:597666 2018) [[sssd[p11_child[3338]]]] [main] (0x2000): Running in [pre-auth] mode.
(Thu Nov 29 14:01:57:597858 2018) [[sssd[p11_child[3338]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Nov 29 14:01:57:598246 2018) [[sssd[p11_child[3338]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Nov 29 14:01:57:601833 2018) [[sssd[p11_child[3338]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
(Thu Nov 29 14:01:57:602056 2018) [[sssd[p11_child[3338]]]] [do_work] (0x0040): init_verification failed.
(Thu Nov 29 14:01:57:602358 2018) [[sssd[p11_child[3338]]]] [main] (0x0040): do_work failed.
(Thu Nov 29 14:01:57:602651 2018) [[sssd[p11_child[3338]]]] [main] (0x0020): p11_child failed!

root@vmf29.cora.nwra.com [~]# /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --pre
(Thu Nov 29 14:02:14:096983 2018) [[sssd[p11_child[3376]]]] [main] (0x0400): p11_child started.
(Thu Nov 29 14:02:14:097325 2018) [[sssd[p11_child[3376]]]] [main] (0x2000): Running in [pre-auth] mode.
(Thu Nov 29 14:02:14:097558 2018) [[sssd[p11_child[3376]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Thu Nov 29 14:02:14:097815 2018) [[sssd[p11_child[3376]]]] [main] (0x2000): Running with real IDs [0][0].
(Thu Nov 29 14:02:14:520623 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Module List:
(Thu Nov 29 14:02:14:520694 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): common name: [p11-kit-trust].
(Thu Nov 29 14:02:14:520704 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
(Thu Nov 29 14:02:14:520735 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Description [/etc/pki/ca-trust/source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true].
(Thu Nov 29 14:02:14:520753 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Description [/usr/share/pki/ca-trust-source PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true].
(Thu Nov 29 14:02:14:520764 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): common name: [opensc].
(Thu Nov 29 14:02:14:520771 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
(Thu Nov 29 14:02:14:521689 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Description [Yubico Yubikey 4 OTP+U2F+CCID 00 00 Yubico ] Manufacturer [Yubico ] flags [7] removable [true] token present [true].
(Thu Nov 29 14:02:14:538790 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Found [Orion Poplawski] in slot [Yubico Yubikey 4 OTP+U2F+CCID 00 00][0] of module [1][/usr/lib64/pkcs11/opensc-pkcs11.so].
(Thu Nov 29 14:02:14:538824 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Login NOT required.
(Thu Nov 29 14:02:14:539066 2018) [[sssd[p11_child[3376]]]] [read_certs] (0x4000): found cert[Certificate for PIV Authentication][/DC=com/DC=nwra/DC=ad/OU=NWRA/CN=Orion Poplawski]
(Thu Nov 29 14:02:14:539770 2018) [[sssd[p11_child[3376]]]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
(Thu Nov 29 14:02:14:539891 2018) [[sssd[p11_child[3376]]]] [read_certs] (0x4000): found cert[Certificate for Key Management][/DC=com/DC=nwra/DC=ad/OU=NWRA/CN=Orion Poplawski]
(Thu Nov 29 14:02:14:540279 2018) [[sssd[p11_child[3376]]]] [do_ocsp] (0x0020): No OCSP URL in certificate and no default responder defined, skipping OCSP check.
(Thu Nov 29 14:02:14:540299 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): (null) /usr/lib64/pkcs11/opensc-pkcs11.so (null) Orion Poplawski (null) 03.
(Thu Nov 29 14:02:14:540308 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): (null) /usr/lib64/pkcs11/opensc-pkcs11.so (null) Orion Poplawski (null) 01.
(Thu Nov 29 14:02:14:540377 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Yubico%20Yubikey%204%20OTP%2bU2F%2bCCID%2000%2000;slot-manufacturer=Yubico;slot-id=0;model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert.
(Thu Nov 29 14:02:14:540417 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.19;slot-description=Yubico%20Yubikey%204%20OTP%2bU2F%2bCCID%2000%2000;slot-manufacturer=Yubico;slot-id=0;model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=Certificate%20for%20Key%20Management;type=cert.
(Thu Nov 29 14:02:14:540430 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Found certificate has key id [01].
(Thu Nov 29 14:02:14:540457 2018) [[sssd[p11_child[3376]]]] [do_card] (0x4000): Found certificate has key id [03].
Orion Poplawski /usr/lib64/pkcs11/opensc-pkcs11.so 01 Certificate for PIV Authentication
Orion Poplawski /usr/lib64/pkcs11/opensc-pkcs11.so 03 Certificate for Key Management
On 11/30/18 6:14 AM, Sumit Bose wrote:
On Thu, Nov 29, 2018 at 02:03:09PM -0700, Orion Poplawski wrote:
On 11/28/18 11:29 PM, Sumit Bose wrote:
Which version of SSSD are you using?
On F29:
sssd-2.0.0-4.fc29.x86_64
I get somewhat different behavior. First the gdm login screen presents two certificates:
- Certificate for Key Management
- Certificate for PIV Authentication
but still does not list the admin cert. Also, I don't believe it should list the Key Management cert because it is not flagged for smart card authentication.
Do you mean the labels 'Certificate for PIV Authentication' and 'Certificate for Key Management' by 'flagged'?
SSSD only looks at the content of the certificate and by default uses everything with key usage digitalSignature and extended key usage clientAuth. With F29 you can modify this by adding mapping and matching rules to sssd.conf, see the 'CERTIFICATE MAPPING SECTION' in man sssd.conf for details.
The certificate in slot 9d Key Management is not flagged with key usage Digital Signature or Client Auth:
# p11tool --provider opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=Certificate%20for%20Key%20Management;type=cert' | openssl x509 -in /dev/stdin -purpose -noout -text
X509v3 Extended Key Usage:
    Microsoft Encrypted File System
X509v3 Key Usage: critical
    Key Encipherment
so it should not be listed. I don't have any certmap sections so I'm just using the default. Now - is gdm going through sssd to display the available certificates, or is it doing its own thing?
Can you send the output of
p11tool --list-all --provider opensc-pkcs11.so
The slots for the retired keys are not visible. I've found https://github.com/OpenSC/OpenSC/issues/847#issuecomment-238119888 with a command which made the slots visible for PKCS#11 on my Yubikey. Nevertheless the type is still data even after importing a certificate with 'yubico-piv-tool -a import-certificate'. Maybe this is different when using the Windows driver?
I'm sorry, I can't determine what needs to be done to make the slot visible from the link above.
Since you already reached out to Yubico you might want to ask as well what needs to be done to make the certificates and private keys stored in the retired slots properly available as certificate and private key on the PKCS#11 level.
The latest response from Yubico is:
If you enrolled certificates on a Windows system utilizing the YubiKey Smart Card Minidriver, this would explain why your certificates are showing in those slots. Microsoft doesn't follow the NIST standard when enrolling certificates to a Smart card, they rely on a container map file that records the location and EKU (OIDs) from a certificate to present to Windows what they are available to be used for authentication. This is how you can have multiple authentication certificates (9a) with the Minidriver vs without.
I have asked for clarification on this "container map file".
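When the default is not what you want (for example to stop the login screen from ever listing anything but certificates with the right key usages, or to admit an EKU other than clientAuth), the place to say so is a certmap section in sssd.conf, which is the CERTIFICATE MAPPING SECTION Sumit refers to. The fragment below is an added example and not from the thread: it states the default rule explicitly so it can be edited. The domain name ad.nwra.com is an assumption taken from the certificate's DC components and must be replaced with the name of your own [domain/...] section; the maprule shown is the usual LDAP lookup by the full certificate.

```ini
# Added example: make SSSD's default matching rule explicit so it can be
# tightened or relaxed.  Section name is [certmap/<sssd domain>/<rule name>];
# the domain here is assumed.
[certmap/ad.nwra.com/piv_auth_only]
# Only certificates with KU digitalSignature and EKU clientAuth are offered;
# a Key Management certificate (keyEncipherment, EFS EKU) never matches.
matchrule = <KU>digitalSignature<EKU>clientAuth
# Look the user up by the whole certificate stored in userCertificate.
maprule = LDAP:(userCertificate;binary={cert!bin})
priority = 1
```

After changing sssd.conf, restart sssd and rerun p11_child with --pre as above; the certificates it prints are exactly the ones the rule admitted.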
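Sumit's point above, that SSSD decides purely on the certificate content (Key Usage digitalSignature and Extended Key Usage clientAuth) and not on the PIV slot label, can be reproduced offline without the token. The following is an added example, not code from the thread or from SSSD: a stdlib-only Python DER walker that pulls those two extensions out of a certificate and applies the same rule, so a certificate like the Key Management one (keyEncipherment, Microsoft EFS EKU) is rejected and a PIV Authentication certificate is accepted. The two sample certificates are constructed in the code, unsigned, and stand in for the ones on the YubiKey; the function names and the sample values are this example's own.

```python
"""Added example (not SSSD code): reproduce p11_child's default certificate
filter, digitalSignature in KeyUsage plus clientAuth in ExtendedKeyUsage, with
a stdlib-only DER walker.  The sample certificates at the bottom are built here
(unsigned, for the parser only) and are not the ones from the thread."""
OID_KEY_USAGE, OID_EXT_KEY_USAGE = "2.5.29.15", "2.5.29.37"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_MS_EFS = "1.3.6.1.4.1.311.10.3.4"              # Microsoft Encrypted File System
KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT = 0, 2  # KeyUsage BIT STRING positions

def _tlv(data, pos=0):
    """Decode one DER TLV at pos -> (tag, content, position after it)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def _children(content):
    """(tag, content) pairs of the elements inside a constructed value."""
    pos, out = 0, []
    while pos < len(content):
        tag, value, pos = _tlv(content, pos)
        out.append((tag, value))
    return out

def _decode_oid(raw):
    parts, acc = [str(raw[0] // 40), str(raw[0] % 40)], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(str(acc))
            acc = 0
    return ".".join(parts)

def _extensions(cert_der):
    """[(oid, extnValue)] from tbsCertificate's [3] EXPLICIT Extensions."""
    tbs = _children(_tlv(cert_der)[1])[0][1]       # Certificate -> tbsCertificate
    exts = []
    for tag, value in _children(tbs):
        if tag == 0xA3:
            for _, ext in _children(_tlv(value)[1]):
                fields = _children(ext)            # OID, [critical BOOLEAN], OCTET STRING
                exts.append((_decode_oid(fields[0][1]), fields[-1][1]))
    return exts

def key_usage_bits(cert_der):
    """Asserted KeyUsage bit positions (0 = digitalSignature); empty if absent."""
    for oid, value in _extensions(cert_der):
        if oid == OID_KEY_USAGE:
            bits = _tlv(value)[1]                  # BIT STRING: unused-bit count, then bits
            unused, body = bits[0], bits[1:]
            return {i for i in range(len(body) * 8 - unused) if body[i // 8] & (0x80 >> i % 8)}
    return set()

def extended_key_usages(cert_der):
    """Dotted EKU OIDs; [] when the extension is absent."""
    for oid, value in _extensions(cert_der):
        if oid == OID_EXT_KEY_USAGE:
            return [_decode_oid(v) for _, v in _children(_tlv(value)[1])]
    return []

def sssd_default_accepts(cert_der):
    """SSSD's default rule: digitalSignature in KU and clientAuth in EKU."""
    return (KU_DIGITAL_SIGNATURE in key_usage_bits(cert_der)
            and OID_CLIENT_AUTH in extended_key_usages(cert_der))

# --- constructed, unsigned sample certificates (exercise the parser only) ---
def _der(tag, payload):
    if len(payload) < 0x80:
        return bytes([tag, len(payload)]) + payload
    length = len(payload).to_bytes((len(payload).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + payload

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk, arc = [arc & 0x7F], arc >> 7
        while arc:
            chunk, arc = chunk + [0x80 | (arc & 0x7F)], arc >> 7
        out += reversed(chunk)
    return _der(0x06, bytes(out))

def build_sample_cert(ku_bits, ekus):
    """X.509 v3 skeleton carrying only a KeyUsage and an ExtendedKeyUsage."""
    ku = _der(0x03, bytes([0, sum(0x80 >> b for b in ku_bits)]))        # bits 0..7 only
    eku = _der(0x30, b"".join(_oid(o) for o in ekus))
    exts = _der(0x30, _der(0x30, _oid(OID_KEY_USAGE) + _der(0x01, b"\xff") + _der(0x04, ku))
                + _der(0x30, _oid(OID_EXT_KEY_USAGE) + _der(0x04, eku)))
    alg = _der(0x30, _oid("1.2.840.113549.1.1.11"))                      # sha256WithRSAEncryption
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg
               + _der(0x30, b"") * 4 + _der(0xA3, exts))   # issuer, validity, subject, spki left empty
    return _der(0x30, tbs + alg + _der(0x03, b"\x00"))                   # signature left empty

PIV_AUTH_CERT = build_sample_cert({KU_DIGITAL_SIGNATURE}, [OID_CLIENT_AUTH])
KEY_MGMT_CERT = build_sample_cert({KU_KEY_ENCIPHERMENT}, [OID_MS_EFS])
```

To run it against the certificates on a real token, export each one as Orion did with p11tool --export, pipe it through openssl x509 -outform DER, and pass the bytes to sssd_default_accepts(); the result should match what the gdm prompt lists, and any certificate that is accepted here but unexpected at login is a candidate for a certmap rule rather than a PIV slot problem.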
On 11/30/18 6:14 AM, Sumit Bose wrote:
The slots for the retired keys are not visible. I've found https://github.com/OpenSC/OpenSC/issues/847#issuecomment-238119888 with a command which made the slots visible for PKCS#11 on my Yubikey. Nevertheless the type is still data even after importing a certificate with 'yubico-piv-tool -a import-certificate'. Maybe this is different when using the Windows driver?
I finally figured out that this was suggesting writing the key history object to the yubikey. However, we are using the Yubikeys in a mode where we don't have (or know) the management key - so I don't seem to be able to write the object.
Since you already reached out to Yubico you might want to ask as well what needs to be done to make the certificates and private keys stored in the retired slots properly available as certificate and private key on the PKCS#11 level.
I was hoping we could somehow make use of the Yubico PKCS#11 provider module? Using it appears to report all of the slots at least:
# p11tool --list-all --provider libykcs11.so
Object 0: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20PIV%20Authentication%00 Type: Unknown Label: X.509 Certificate for PIV Authentication ID:
Object 1: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Card%20Authentication%00 Type: Unknown Label: X.509 Certificate for Card Authentication ID:
Object 2: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Digital%20Signature%00 Type: Unknown Label: X.509 Certificate for Digital Signature ID:
Object 3: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Key%20Management%00 Type: Unknown Label: X.509 Certificate for Key Management ID:
Object 4: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%201%00 Type: Unknown Label: X.509 Certificate for Retired Key 1 ID:
Object 5: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%202%00 Type: Unknown Label: X.509 Certificate for Retired Key 2 ID:
Object 6: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%203%00 Type: Unknown Label: X.509 Certificate for Retired Key 3 ID:
Object 7: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%204%00 Type: Unknown Label: X.509 Certificate for Retired Key 4 ID:
Object 8: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%205%00 Type: Unknown Label: X.509 Certificate for Retired Key 5 ID:
Object 9: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%206%00 Type: Unknown Label: X.509 Certificate for Retired Key 6 ID:
Object 10: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%207%00 Type: Unknown Label: X.509 Certificate for Retired Key 7 ID:
Object 11: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%208%00 Type: Unknown Label: X.509 Certificate for Retired Key 8 ID:
Object 12: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%209%00 Type: Unknown Label: X.509 Certificate for Retired Key 9 ID:
Object 13: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2010%00 Type: Unknown Label: X.509 Certificate for Retired Key 10 ID:
Object 14: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2011%00 Type: Unknown Label: X.509 Certificate for Retired Key 11 ID:
Object 15: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2012%00 Type: Unknown Label: X.509 Certificate for Retired Key 12 ID:
Object 16: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2013%00 Type: Unknown Label: X.509 Certificate for Retired Key 13 ID:
Object 17: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2014%00 Type: Unknown Label: X.509 Certificate for Retired Key 14 ID:
Object 18: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2015%00 Type: Unknown Label: X.509 Certificate for Retired Key 15 ID:
Object 19: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2016%00 Type: Unknown Label: X.509 Certificate for Retired Key 16 ID:
Object 20: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2017%00 Type: Unknown Label: X.509 Certificate for Retired Key 17 ID:
Object 21: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2018%00 Type: Unknown Label: X.509 Certificate for Retired Key 18 ID:
Object 22: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2019%00 Type: Unknown Label: X.509 Certificate for Retired Key 19 ID:
Object 23: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20Retired%20Key%2020%00 Type: Unknown Label: X.509 Certificate for Retired Key 20 ID:
Object 24: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=Card%20Capability%20Container%00 Type: Unknown Label: Card Capability Container ID:
Object 25: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=Card%20Holder%20Unique%20Identifier%00 Type: Unknown Label: Card Holder Unique Identifier ID:
Object 26: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=Security%20Object%00 Type: Unknown Label: Security Object ID:
Object 27: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%00;object=X.509%20Certificate%20for%20PIV%20Authentication%00;type=cert Type: X.509 Certificate Label: X.509 Certificate for PIV Authentication ID: 00
Object 28: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%03;object=X.509%20Certificate%20for%20Key%20Management%00;type=cert Type: X.509 Certificate Label: X.509 Certificate for Key Management ID: 03
Object 29: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%00;object=Public%20key%20for%20PIV%20Authentication%00;type=public Type: Public key (RSA-2048) Label: Public key for PIV Authentication ID: 00
Object 30: URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%03;object=Public%20key%20for%20Key%20Management%00;type=public Type: Public key (RSA-2048) Label: Public key for Key Management ID: 03
But sssd doesn't appear to like it:
# /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Fri Nov 30 14:38:04:069338 2018) [[sssd[p11_child[3904]]]] [main] (0x0400): p11_child started.
(Fri Nov 30 14:38:04:069604 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running in [pre-auth] mode.
(Fri Nov 30 14:38:04:069853 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Fri Nov 30 14:38:04:070075 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running with real IDs [0][0].
(Fri Nov 30 14:38:04:073047 2018) [[sssd[p11_child[3904]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
(Fri Nov 30 14:38:04:073234 2018) [[sssd[p11_child[3904]]]] [do_work] (0x0040): init_verification failed.
(Fri Nov 30 14:38:04:073469 2018) [[sssd[p11_child[3904]]]] [main] (0x0040): do_work failed.
(Fri Nov 30 14:38:04:073682 2018) [[sssd[p11_child[3904]]]] [main] (0x0020): p11_child failed!
And indeed it seems to be an incomplete implementation:
# p11tool --export 'pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20PIV%20Authentication%00' --debug 100 --provider libykcs11.so
....
|<3>| ASSERT: pkcs11.c[pkcs11_import_object]:2120
debug: ykcs11.c:1259 (C_GetAttributeValue): In
debug: objects.c:398 (get_doa): For data object 0, get
debug: objects.c:436 (get_doa): VALUE TODO!!!
debug: ykcs11.c:1286 (C_GetAttributeValue): Unable to get attribute 0x11 of object 0
debug: ykcs11.c:1291 (C_GetAttributeValue): Out
|<3>| ASSERT: pkcs11.c[pkcs11_import_object]:2134
debug: ykcs11.c:1460 (C_FindObjectsFinal): In
debug: ykcs11.c:1485 (C_FindObjectsFinal): Out
debug: ykcs11.c:663 (C_CloseSession): In
debug: ykcs11.c:688 (C_CloseSession): Out
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_obj_export3]:1376
Error in pkcs11_export:562: The requested data were not available.
I've filed https://github.com/Yubico/yubico-piv-tool/issues/175
On Fri, Nov 30, 2018 at 03:38:55PM -0700, Orion Poplawski wrote:
But sssd doesn't appear to like it:
# /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Fri Nov 30 14:38:04:069338 2018) [[sssd[p11_child[3904]]]] [main] (0x0400): p11_child started.
(Fri Nov 30 14:38:04:069604 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running in [pre-auth] mode.
(Fri Nov 30 14:38:04:069853 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Fri Nov 30 14:38:04:070075 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running with real IDs [0][0].
(Fri Nov 30 14:38:04:073047 2018) [[sssd[p11_child[3904]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
I guess you tried this on F29 where the OpenSSL build is used. Here you have to use '--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem' or to a different file which contains your CA certificates.
Additionally it looks like libykcs11.so does not come with a p11-kit config file, so you have to add something like

cat > /usr/share/p11-kit/modules/ykcs11.module << END_END
module: /usr/lib64/libykcs11.so.1
END_END

On RHEL/CentOS 7 you have to add it to /etc/pki/nssdb.
HTH
bye, Sumit
On 12/1/18 3:29 AM, Sumit Bose wrote:
On Fri, Nov 30, 2018 at 03:38:55PM -0700, Orion Poplawski wrote:
On 11/30/18 6:14 AM, Sumit Bose wrote:
On Thu, Nov 29, 2018 at 02:03:09PM -0700, Orion Poplawski wrote:
On 11/28/18 11:29 PM, Sumit Bose wrote:
On Wed, Nov 28, 2018 at 04:57:17PM -0700, Orion Poplawski wrote:
I configured a YubiKey on Windows using the YubiKey minidriver with the following certificates:
- my "orion" certificate - went into slot 9a PIV Auth
- A MacOS keychain cert per their docs - when into slot 9d Key Management
- Another auth certificate for "orion-admin" - went into slot 82
I'm able to authenticate on Windows as either orion or orion-admin, but on Linux with sssd it does not see the orion-admin certificate. What needs to happen to support this?
Which version of SSSD are you using?
On F29:
sssd-2.0.0-4.fc29.x86_64
I get somewhat different behavior. First the gdm login screen presents two certificates:
- Certificate for Key Management
- Certificate for PIV Authentication
but still does not list the admin cert. Also, I don't believe it should list the Key Management cert because it is not flagged for smart card authentication.
Do you mean the labels 'Certificate for PIV Authentication' and 'Certificate for Key Management' by 'flagged'?
SSSD only looks at the content of the certificate and by default uses everything with key usage digitalSignature and extended key usage clientAuth. With F29 you can modify this by adding mapping and matching rules to sssd.conf, see the 'CERTIFICATE MAPPING SECTION' in man sssd.conf for details.
Can you send the output of
p11tool --list-all --provider opensc-pkcs11.so
The slots for the retired keys are not visible. I've found https://github.com/OpenSC/OpenSC/issues/847#issuecomment-238119888 with a command which made the slots visible for PKCS#11 on my Yubikey. Nevertheless the type is still data even after importing a certificate with 'yubico-piv-tool -a import-certificate'. Maybe this is different when using the Windows driver?
I finally figured out that this was suggesting writing the key history object to the yubikey. However, we are using the Yubikeys in a mode where we don't have (or know) the management key - so I don't seem to be able to write the object.
Since you already reached out to Yubico you might want to ask as well what needs to be done to make the certificates and private keys stored in the retired slots properly available as certificate and private key on the PKCS#11 level.
I was hoping we could somehow make use of the Yubico PKCS#11 provider module? Using it appears to report all of the slots at least:
# p11tool --list-all --provider libykcs11.so
Object 0:
	URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20PIV%20Authentication%00
	Type: Unknown
	Label: X.509 Certificate for PIV Authentication
	ID:
...
Object 30:
	URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%03;object=Public%20key%20for%20Key%20Management%00;type=public
	Type: Public key (RSA-2048)
	Label: Public key for Key Management
	ID: 03
But sssd doesn't appear to like it:
# /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Fri Nov 30 14:38:04:069338 2018) [[sssd[p11_child[3904]]]] [main] (0x0400): p11_child started.
(Fri Nov 30 14:38:04:069604 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running in [pre-auth] mode.
(Fri Nov 30 14:38:04:069853 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Fri Nov 30 14:38:04:070075 2018) [[sssd[p11_child[3904]]]] [main] (0x2000): Running with real IDs [0][0].
(Fri Nov 30 14:38:04:073047 2018) [[sssd[p11_child[3904]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
I guess you tried this on F29 where the OpenSSL build is used. Here you have to use '--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem' or to a different file which contains your CA certificates.
Additionally it looks like libykcs11.so does not come with a p11-kit config file, so you have to add something like
cat > /usr/share/p11-kit/modules/ykcs11.module << END_END
module: /usr/lib64/libykcs11.so.1
END_END
On RHEL/CentOS 7 you have to add it to /etc/pki/nssdb.
Yeah, I started work on p11-kit integration and filed https://github.com/Yubico/yubico-piv-tool/pull/176 to do that. But the real issue is that libykcs11.so is not a (fully) working PKCS#11 implementation. It appears to support being an ssh-agent plugin but that's about it. See below again for more info. So I'm back to trying to figure out how to get the Key History object added to our keys.
Thanks again.
(Fri Nov 30 14:38:04:073234 2018) [[sssd[p11_child[3904]]]] [do_work] (0x0040): init_verification failed.
(Fri Nov 30 14:38:04:073469 2018) [[sssd[p11_child[3904]]]] [main] (0x0040): do_work failed.
(Fri Nov 30 14:38:04:073682 2018) [[sssd[p11_child[3904]]]] [main] (0x0020): p11_child failed!
And indeed it seems to be an incomplete implementation:
# p11tool --export 'pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20PIV%20Authentication%00' --debug 100 --provider libykcs11.so
....
|<3>| ASSERT: pkcs11.c[pkcs11_import_object]:2120
debug: ykcs11.c:1259 (C_GetAttributeValue): In
debug: objects.c:398 (get_doa): For data object 0, get
debug: objects.c:436 (get_doa): VALUE TODO!!!
debug: ykcs11.c:1286 (C_GetAttributeValue): Unable to get attribute 0x11 of object 0
debug: ykcs11.c:1291 (C_GetAttributeValue): Out
|<3>| ASSERT: pkcs11.c[pkcs11_import_object]:2134
debug: ykcs11.c:1460 (C_FindObjectsFinal): In
debug: ykcs11.c:1485 (C_FindObjectsFinal): Out
debug: ykcs11.c:663 (C_CloseSession): In
debug: ykcs11.c:688 (C_CloseSession): Out
|<3>| ASSERT: pkcs11.c[gnutls_pkcs11_obj_export3]:1376
Error in pkcs11_export:562: The requested data were not available.
I've filed https://github.com/Yubico/yubico-piv-tool/issues/175
On Mon, Dec 03, 2018 at 11:54:44AM -0700, Orion Poplawski wrote:
Which object do you want to export, #0 or #27? Both objects match the PKCS#11 URI you used:
debug: ykcs11.c:1385 (C_FindObjectsInit): Removing object 91 from the list
debug: ykcs11.c:1395 (C_FindObjectsInit): 2 object(s) left after attribute matching
and object #0 is picked:
debug: ykcs11.c:1399 (C_FindObjectsInit): Out
debug: ykcs11.c:1410 (C_FindObjects): In
debug: ykcs11.c:1435 (C_FindObjects): Can return 1 object(s)
debug: ykcs11.c:1451 (C_FindObjects): Returning object 0
However I guess that the object you were looking for is #27. To select this you should add the id or the type to the URI.
In general I think it would be best if Yubico can work with OpenSC upstream to allow OpenSC to access the full potential of the Yubikeys in an easy way.
bye, Sumit
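To make Sumit's point concrete (a bare pkcs11: URI matching both the data object #0 and the certificate object, and an added id= or type= attribute narrowing it to one), here is an added example that is not part of the thread: it parses a p11tool --list-all style listing into per-object URI attributes and reports which objects a given URI selects. The listing text, the object numbers and the id/type values are constructed for illustration, not copied from the real token.

```python
import re
from urllib.parse import unquote

# Constructed sample in the shape of `p11tool --list-all` output (object
# numbers, id and type values are assumptions, not the real YubiKey listing).
SAMPLE_LISTING = """\
Object 0:
    URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;object=X.509%20Certificate%20for%20PIV%20Authentication%00
    Type: Unknown
    Label: X.509 Certificate for PIV Authentication
    ID:
Object 27:
    URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%01;object=X.509%20Certificate%20for%20PIV%20Authentication%00;type=cert
    Type: X.509 Certificate (RSA-2048)
    Label: X.509 Certificate for PIV Authentication
    ID: 01
Object 30:
    URL: pkcs11:model=YubiKey%20YK4;manufacturer=Yubico;serial=1234;token=YubiKey%20PIV;id=%03;object=Public%20key%20for%20Key%20Management%00;type=public
    Type: Public key (RSA-2048)
    Label: Public key for Key Management
    ID: 03
"""

def parse_uri(uri):
    """Split a pkcs11: URI (RFC 7512) into its percent-decoded path attributes."""
    assert uri.startswith("pkcs11:"), "not a PKCS#11 URI"
    path = uri[len("pkcs11:"):].split("?", 1)[0]  # drop query attributes (pin-value etc.)
    attrs = {}
    for part in path.split(";"):
        if part:
            key, _, value = part.partition("=")
            attrs[key] = unquote(value)  # %20 -> space, %00 -> trailing NUL, %01 -> id byte
    return attrs

def parse_listing(text):
    """Return {object_number: uri_attributes} from p11tool --list-all output."""
    objects, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Object (\d+):", line)
        if m:
            current = int(m.group(1))
        elif line.strip().startswith("URL:") and current is not None:
            objects[current] = parse_uri(line.split("URL:", 1)[1].strip())
    return objects

def matching_objects(uri, objects):
    """Object numbers whose attributes contain every attribute given in `uri`."""
    wanted = parse_uri(uri)
    return sorted(n for n, attrs in objects.items()
                  if all(attrs.get(k) == v for k, v in wanted.items()))
```

With the bare URI from the thread matching_objects() returns both the data object and the certificate object; appending ;type=cert or ;id=%01 selects only the certificate.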
On 11/28/18 4:57 PM, Orion Poplawski wrote:
I configured a YubiKey on Windows using the YubiKey minidriver with the following certificates:
- my "orion" certificate - went into slot 9a PIV Auth
- A MacOS keychain cert per their docs - went into slot 9d Key Management
- Another auth certificate for "orion-admin" - went into slot 82
I'm able to authenticate on Windows as either orion or orion-admin, but on Linux with sssd it does not see the orion-admin certificate. What needs to happen to support this?
Thanks!
After reading some of:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-73-4.pdf
I'm very curious as to why the admin key and certificate went into slot 82. From my understanding slots 82-95 are for "Retired Key Management" - i.e. keys that have been retired/expired/replaced. Unless this specification has been abandoned in some way?
I've asked the above question of Yubico - perhaps they will have an answer. In any case this is definitely a non-standard application.