URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented:
"""
master:
* 0569c02f17f853d97280f52f4a7fefecc72cf45d Extend the advice printing code by
some useful abstractions
*
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
abbra commented:
"""
@martbab, definitely `authconfig` in fc25 is too old for this. On F26 I have
version 7.0.1-1. It does announce support for SSSD smartcard
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented:
"""
Also I get the following error when running authconfig:
```console
authconfig: Authentication module /lib64/security/pam_pkcs11.so is
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
abbra commented:
"""
Note that "directly" may actually mean using a virtualized remote smart card
access which is provided via virtualized USB pass-through done by
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
abbra commented:
"""
@martbab, this actually makes full sense -- if you want to increase the
security of your IPA masters, you might force using smart cards only to
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented:
"""
@flo ah sorry I missed that. I will incorporate it into advise then.
"""
See the full comment at
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented:
"""
That section[1] only instructs to configure `pam_cert_auth=true` in the SSSD's
`pam` section which is already done on both server and client,
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
abbra commented:
"""
It is all documented in
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
abbra commented:
"""
Thanks. Comments so far:
* client configuration does not make sure to ask for a removal of `pam_pkcs11`
package
* client configuration does not