On Fri, Mar 10, 2017 at 01:39:27PM +0200, Alexander Bokovoy wrote:
> On Fri, 10 Mar 2017, Sumit Bose wrote:
> > On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote:
> > > On Fri, 10 Mar 2017, Sumit Bose wrote:
> > > > Hi,
> > > >
> > > > with the recent addition of PKINIT support there is now a second method
> > > > available for Smartcard authentication besides local authentication.
> > > >
> > > > I was about to add some sssd.conf option which can control the fallback
> > > > to local authentication if PKINIT fails. Currently there is only a
> > > > fallback to local authentication if the backend is offline or if PKINIT
> > > > is not available because either the client or the server side does not
> > > > support it.
> > > >
> > > > It came to my mind that it might be more flexible to add the fallback
> > > > scheme to the certificate matching rules discussed earlier on this list.
> > > > With this it would be possible e.g. to require PKINIT for a set of
> > > > certificates and allow local authentication for a different set.
> > > >
> > > > Do you think this would make sense, or is an option in sssd.conf which
> > > > covers all certificates sufficient?
> > > Interesting idea. If we were to define it as a part of a certificate
> > > matching rule, would we be able to deny using a matching certificate for
> > > local authentication in case only PKINIT is allowed?
> >
> > Yes, SSSD first checks in the backend if PKINIT is available and tries
> > it. If this fails, the backend can tell the frontend to try local
> > authentication or fail.
> Ok. I'd prefer to have this possibility then -- a certificate matching
> rule including a flag to require PKINIT.

I think it should be a bit more than a single flag:

- PKINIT and never fall back to local authentication
- PKINIT and fall back to local authentication when offline or PKINIT is not available
- PKINIT and fall back on all errors
- no PKINIT, only local authentication

bye,
Sumit

> --
> / Alexander Bokovoy

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
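As an added illustration of the four fallback schemes proposed above (not SSSD code, and not any syntax SSSD actually implements), the following Python models a per-certificate matching rule that carries a fallback policy, and the decision the backend would hand to the frontend for each PKINIT outcome. The rule matching on issuer name, the policy names, and the default of falling back only when offline or when PKINIT is unavailable (the current behaviour described in the thread) are all assumptions made for this example.

```python
from dataclasses import dataclass
from enum import Enum, auto


class PkinitOutcome(Enum):
    """Result of the backend's PKINIT attempt (constructed for this example)."""
    SUCCESS = auto()
    OFFLINE = auto()      # backend could not reach the KDC
    UNAVAILABLE = auto()  # client or server side lacks PKINIT support
    FAILED = auto()       # KDC reached, PKINIT attempted and rejected


class Fallback(Enum):
    """The four schemes from the thread; names are hypothetical."""
    PKINIT_ONLY = auto()              # never fall back to local authentication
    PKINIT_FALLBACK_OFFLINE = auto()  # fall back only when offline/unavailable
    PKINIT_FALLBACK_ALWAYS = auto()   # fall back on any PKINIT error
    LOCAL_ONLY = auto()               # do not attempt PKINIT at all


@dataclass(frozen=True)
class MatchRule:
    """Hypothetical certificate matching rule: issuer name plus fallback policy."""
    issuer: str
    policy: Fallback


def select_policy(rules, cert_issuer, default=Fallback.PKINIT_FALLBACK_OFFLINE):
    """First matching rule wins; unmatched certificates get the current default."""
    for rule in rules:
        if rule.issuer == cert_issuer:
            return rule.policy
    return default


def decide(policy, outcome):
    """Return 'pkinit', 'local' or 'deny': what the frontend should do next."""
    if policy is Fallback.LOCAL_ONLY:
        return "local"            # PKINIT is never tried for this certificate
    if outcome is PkinitOutcome.SUCCESS:
        return "pkinit"
    if policy is Fallback.PKINIT_FALLBACK_ALWAYS:
        return "local"
    if policy is Fallback.PKINIT_FALLBACK_OFFLINE and outcome in (
        PkinitOutcome.OFFLINE, PkinitOutcome.UNAVAILABLE
    ):
        return "local"
    return "deny"                 # PKINIT_ONLY, or a real PKINIT failure
```

The distinction between OFFLINE/UNAVAILABLE and FAILED is what separates the second and third schemes: only the "fall back on all errors" policy lets a certificate the KDC actively rejected still authenticate locally.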