On Fri, 10 Mar 2017, Sumit Bose wrote:
On Fri, Mar 10, 2017 at 01:39:27PM +0200, Alexander Bokovoy wrote:
On Fri, 10 Mar 2017, Sumit Bose wrote:
> On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote:
> > On Fri, 10 Mar 2017, Sumit Bose wrote:
> > > Hi,
> > >
> > > with the recent addition of PKINIT support there is now a second method
> > > available for Smartcard authentication besides local authentication.
> > >
> > > I was about to add some sssd.conf option which can control the fallback
> > > to local authentication if PKINIT fails. Currently there is only a
> > > fallback to local authentication if the backend is offline or if PKINIT
> > > is not available because either the client or the server side do not
> > > support it.
> > >
> > > It came to my mind that it might be more flexible to add the fallback
> > > scheme to the certificate matching rules discussed earlier on this list.
> > > With this it would be possible e.g. to require PKINIT for a set of
> > > certificates and allow local authentication to a different set.
> > >
> > > Do you think this would make sense, or is an option in sssd.conf
> > > which covers all certificates sufficient?
> > Interesting idea. If we were to define it as a part of a certificate
> > matching rule, would we be able to deny using a matching certificate for
> > local authentication in case only PKINIT is allowed?
>
> Yes, SSSD first checks in the backend if PKINIT is available and tries
> it. If this fails the backend can tell the frontend to try local
> authentication or fail.
Ok. I'd prefer to have this possibility then -- a certificate matching
rule including a flag to require PKINIT.

I think it should be a bit more than a single flag.

- PKINIT and newer fall back to local authentication
s/newer/never/, I'd guess?

- PKINIT and fall back to local authentication when offline or PKINIT is
 not available
- PKINIT and fall back on all errors
- no PKINIT, only local authentication.
Otherwise looks good.
--
/ Alexander Bokovoy
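The four fallback schemes listed in the thread, modelled as a small decision simulation. This is an added example, not SSSD code and not the sssd.conf or certificate matching rule syntax under discussion; the enum names, the rule representation (exact issuer CN match), the constructed certificates and the default of denying a certificate that matches no rule are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class Fallback(Enum):
    """The four fallback schemes from the thread (names are assumptions,
    not SSSD option values)."""
    PKINIT_ONLY = "pkinit_only"                    # PKINIT, never fall back
    PKINIT_FALLBACK_UNAVAILABLE = "pkinit_unavail"  # fall back when offline / PKINIT not available
    PKINIT_FALLBACK_ALWAYS = "pkinit_any_error"    # fall back on all errors
    LOCAL_ONLY = "local_only"                      # no PKINIT, only local authentication


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for a Smartcard certificate; only the issuer is used."""
    issuer_cn: str


@dataclass(frozen=True)
class MatchRule:
    """Hypothetical matching rule: exact issuer CN plus the fallback scheme."""
    issuer_cn: str
    fallback: Fallback


def find_rule(rules: List[MatchRule], cert: Cert) -> Optional[MatchRule]:
    """First rule whose issuer matches wins; None means no rule applies."""
    for rule in rules:
        if rule.issuer_cn == cert.issuer_cn:
            return rule
    return None


def authenticate(rules: List[MatchRule], cert: Cert, *, backend_offline: bool,
                 pkinit_supported: bool, pkinit_ok: bool, local_ok: bool) -> str:
    """Simulate the backend/frontend decision for one login attempt.

    pkinit_ok / local_ok are the outcomes each method would produce if it
    were tried. Returns "ok:pkinit", "ok:local" or "denied".
    """
    rule = find_rule(rules, cert)
    if rule is None:
        return "denied"  # assumption: a certificate matching no rule is refused

    if rule.fallback is Fallback.LOCAL_ONLY:
        return "ok:local" if local_ok else "denied"

    # PKINIT can only be attempted with an online backend and support on both sides
    pkinit_available = pkinit_supported and not backend_offline
    if not pkinit_available:
        if rule.fallback is Fallback.PKINIT_ONLY:
            return "denied"
        return "ok:local" if local_ok else "denied"

    if pkinit_ok:
        return "ok:pkinit"

    # PKINIT was tried and failed: only the "all errors" scheme still falls back
    if rule.fallback is Fallback.PKINIT_FALLBACK_ALWAYS:
        return "ok:local" if local_ok else "denied"
    return "denied"


# Constructed rule set: different issuers get different fallback schemes.
RULES = [
    MatchRule("Corp Smartcard CA", Fallback.PKINIT_ONLY),
    MatchRule("Legacy Badge CA", Fallback.PKINIT_FALLBACK_ALWAYS),
    MatchRule("Site Default CA", Fallback.PKINIT_FALLBACK_UNAVAILABLE),
    MatchRule("Contractor CA", Fallback.LOCAL_ONLY),
]


if __name__ == "__main__":
    corp = Cert("Corp Smartcard CA")
    for offline in (False, True):
        print("offline" if offline else "online", "PKINIT fails, local ok ->",
              authenticate(RULES, corp, backend_offline=offline,
                           pkinit_supported=True, pkinit_ok=False, local_ok=True))
```

The interesting rows are the ones where PKINIT is available but fails: the PKINIT-only and offline-only-fallback schemes deny, while the "all errors" scheme still lets local authentication decide. A rule that requires PKINIT therefore has to be evaluated in the backend before any local path is tried, which is the ordering Sumit describes.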

--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
