Hello.
Is it possible to replicate the digest mapping feature of pam_pkcs11 in sssd? We have built our infrastructure around the notion of mapping users to certificates based on the certificate digest. With the removal of pam_pkcs11 from recent distros (including RHEL 8) we are faced with either changing our mapping scheme (potentially a lot of work) or making this work in sssd. This is a snippet of what we do today:
--- snip pam_pkcs11.conf ---
# digest - elaborate certificate digest and map it into a file
mapper digest {
  debug = false;
  module = internal;
  # module = /usr/$LIB/pam_pkcs11/digest_mapper.so;
  # algorithm used to evaluate certificate digest
  # Select one of:
  # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
  algorithm = "sha1";
  mapfile = file:///etc/pam_pkcs11/digest_mapping;
  # mapfile = "none";
}
--- snip ---
# snippet of digest_mapping file (the values have been obfuscated)
[root@friday-vm]# grep jim digest_mapping
11:BC:53:F1:EF:24:B4:9C:47:ED:7D:EC:2B:82:CB:93:61:F8:88:4F -> jim
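For readers unfamiliar with what the "digest" mapper above actually does, here is an added, hypothetical re-implementation of its lookup step in Python; it is not code from pam_pkcs11, SSSD, or the poster. It assumes the mapper semantics are: hash the certificate's DER encoding with the configured algorithm, render the digest as colon-separated upper-case hex (the form `openssl x509 -fingerprint` prints), and look that string up in mapfile lines of the form `FINGERPRINT -> login`. The sample mapping, the inline-comment handling, and the certificate stand-in bytes are constructed for this example.

```python
"""Hypothetical re-implementation of the pam_pkcs11 "digest" mapper lookup.

Example code, not pam_pkcs11 or SSSD code.  Assumed semantics: digest the
certificate's DER bytes with the configured algorithm, format the digest as
colon-separated upper-case hex, and match that against "<FP> -> <login>"
lines in the mapfile.
"""
import hashlib
from typing import Dict, Optional


def fingerprint(cert_der: bytes, algorithm: str = "sha1") -> str:
    """Colon-separated upper-case hex digest of a DER-encoded certificate."""
    digest = hashlib.new(algorithm, cert_der).digest()
    return ":".join(f"{b:02X}" for b in digest)


def parse_mapping(text: str) -> Dict[str, str]:
    """Parse digest_mapping lines of the form "FINGERPRINT -> login".

    Blank lines and '#' comments are skipped (an assumption of this example).
    Fingerprints are normalised to upper case so lookups are case-insensitive,
    and a fingerprint mapped to two different logins is rejected.
    """
    mapping: Dict[str, str] = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "->" not in line:
            raise ValueError(f"digest_mapping line {lineno}: expected 'FINGERPRINT -> login'")
        fp, login = (part.strip() for part in line.split("->", 1))
        fp = fp.upper()
        if not login:
            raise ValueError(f"digest_mapping line {lineno}: empty login")
        if fp in mapping and mapping[fp] != login:
            raise ValueError(f"digest_mapping line {lineno}: {fp} already mapped to {mapping[fp]}")
        mapping[fp] = login
    return mapping


def map_certificate(cert_der: bytes, mapping: Dict[str, str],
                    algorithm: str = "sha1") -> Optional[str]:
    """Return the login mapped to this certificate, or None if unmapped.

    The match is on the digest of the whole certificate, so any re-issued
    certificate (renewal, re-keying) gets a new fingerprint and needs a new
    mapfile entry; the mapping binds a user to one exact certificate, not to
    a subject or a key.
    """
    return mapping.get(fingerprint(cert_der, algorithm))


# Constructed sample data.  The first entry is the obfuscated value from the
# post; the second is the well-known SHA-1 of the bytes b"abc".
SAMPLE_MAPPING = """\
# digest_mapping (constructed for this example)
11:BC:53:F1:EF:24:B4:9C:47:ED:7D:EC:2B:82:CB:93:61:F8:88:4F -> jim
A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D -> alice
"""
SAMPLE_CERT_DER = b"abc"  # constructed stand-in for a real certificate's DER bytes

if __name__ == "__main__":
    mapping = parse_mapping(SAMPLE_MAPPING)
    print(fingerprint(SAMPLE_CERT_DER), "->", map_certificate(SAMPLE_CERT_DER, mapping))
```

In a real deployment `SAMPLE_CERT_DER` would be the DER read from the token or from `openssl x509 -outform DER`, and the same `fingerprint()` output can be cross-checked against `openssl x509 -sha1 -fingerprint -noout`. Whatever replaces pam_pkcs11, the operational properties of this scheme carry over: the lookup is an exact match on one certificate, the mapfile is the trust anchor for who may log in as whom, and a stronger algorithm than SHA-1 only requires changing the algorithm name and regenerating the mapfile entries.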
On Mon, Jul 15, 2019 at 02:49:19PM -0000, James Trater wrote:
Hello.
Is it possible to replicate the digest mapping feature of pam_pkcs11 in sssd? We have built our infrastructure around the notion of mapping users to certificates based on the certificate digest. With the removal of pam_pkcs11 from recent distros (including RHEL 8) we are faced with either changing our mapping scheme (potentially a lot of work) or making this work in sssd. This is a snippet of what we do today:
Sumit, who primarily develops anything related to smart cards, is on vacation and will be for another two weeks.
In the meantime I would suggest filing a bug against SSSD either in the upstream tracker, or, since you said the RHEL removal also affects you, a RH support case (feel free to send me the case number, then).
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
Thank you; comment added. So hopefully the case would turn into a bug report.
(This still does not mean the digest matching would be implemented, but it's the best way I can think of to track a missing functionality.)
On Mon, Jul 15, 2019 at 08:27:08PM -0000, James Trater wrote:
Thank you. I have opened case # 02426830 with Red Hat support.