On Fri, May 29, 2015 at 10:38:41AM +0200, Martin Kosek wrote:
> Hello all,
> 
> I would like to discuss the scope needed for ticket 4905 [1]. This is mostly
> question for Sumit as he is working on the SSSD SC support. The main minimal
> target is to allow SSSD get a ticket for a user once he authenticates with
> his SC with certificates tracked in FreeIPA as agreed in [2].
> 
> Sumit, Simo or others, what changes are required in order to do this? In
> [1], I so far identified:
> 
> * Support of Smart Cards in SSSD (​upstream ticket)
> * API/CLI for configuring the trusted CA certificate in KDC (related - #616)
> 
> as the base. What else is needed? Any krb5.conf changes on the
> server/clients? Or even generating the certs/keys as mentioned in [3]?

currently I would say krb5.conf both on IPA clients and servers already
have all the needed entries.

> 
> In current code base, we still have the disabled pkinit plugin [4], but I
> assume this is not what we want.

I think this is only for anonymous pkinit. The general pkinit preauth
plugin is automatically available as long as the krb5-pkinit package is
installed. The package contains both client and server side of the
plugin, so it must be available on IPA clients and servers.

> 
> Thanks for help and advise. Based on what is found out in this thread, we
> will see what's realistic for FreeIPA 4.2 or FreeIPA 4.2.x.

My understanding is that the current version of the MIT Kerberos pkinit
plugin needs a id-pkinit-san entry in the Subject Alternatives Names of
the certificate with the Kerberos principal of the given user. 

I think it would be good to add this entry to user certificates IPA
generates on its own. The pkinit RFC 4556 mentioned that the KDC can do
the mapping between the certificate and the user principal on its own.
But given that afaik there is currently no support for this scheme in
the MIT pkinit plugin and hence it would require enhancements in the MIT
code and maybe in the IPA KDB backend as well I think the support for
certificates without a id-pkinit-san entry is out-of-scope for 4.2.
Nevertheless client side authentication would still work only the user
will not have a valid Kerberos TGT after logging in.

HTH

bye,
Sumit

> 
> [1] https://fedorahosted.org/freeipa/ticket/4905
> [2] http://www.freeipa.org/page/V4/User_Certificates
> [3] https://fedorahosted.org/freeipa/ticket/55#comment:3
> [4] 
> https://git.fedorahosted.org/cgit/freeipa.git/tree/ipalib/plugins/pkinit.py
> 
> -- 
> Martin Kosek <mko...@redhat.com>
> Supervisor, Software Engineering - Identity Management Team
> Red Hat Inc.

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to