[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth

martbab commented:
"""
master:

* 0569c02f17f853d97280f52f4a7fefecc72cf45d Extend the advice printing code by some useful abstractions
* e418e9a4ca747886c53d05ae80597834f1d3d021 Prepare advise plugin for smart card auth configuration

ipa-4-5:

* 7ea7ee4326679c098d3e4e4d6a2bc743707708ca Extend the advice printing code by some useful abstractions
* 84ca9761bd47f28b72581d1fe6bd8cfa824b6df3 Prepare advise plugin for smart card auth configuration
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-308390829
___
FreeIPA-devel mailing list -- freeipa-devel@lists.fedorahosted.org
To unsubscribe send an email to freeipa-devel-le...@lists.fedorahosted.org

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
flo-renaud commented:
"""
Hi @martbab

Thank you for the fix. Works as expected.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-308363482

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
abbra commented:
"""
@martbab, definitely `authconfig` in fc25 is too old for this. On F26 I have version 7.0.1-1. It does announce support for SSSD smartcard enablement.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307440827

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
martbab commented:
"""
Also I get the following error when running authconfig:

```console
authconfig: Authentication module /lib64/security/pam_pkcs11.so is missing. Authentication process might not work correctly.
```

It is understandable, since I have removed pam_pkcs11 package as per documentation, but it still puzzles me. It may be that I have an old version of authconfig, as I am developing this on F25 where I have authconfig-6.2.10-14.fc25.x86_64.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307427676

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
abbra commented:
"""
Note that "directly" may actually mean using a virtualized remote smart card access which is provided via virtualized USB pass-through done by your virtualization environment.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307427085

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
abbra commented:
"""
@martbab, this actually makes full sense -- if you want to increase the security of your IPA masters, you might force using smart cards only to do ssh login. We are not there yet by default but I can see it being a mandate for organizations that enforce industry or governmental requirements.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307426705

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
martbab commented:
"""
@flo regarding enabling Smart Card login (add PKCS#11 module, configure SSSD and such), do we really need to set this up on server? I do not expect somebody logging directly to machine hosting FreeIPA server using smart card reader.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307424330

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
martbab commented:
"""
@flo ah sorry I missed that. I will incorporate it into advise then.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307360499

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
flo-renaud commented:
"""
Hi @martbab

I think @abbra was referring to this [section](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards-advanced.html#sc-clients-config) running

```console
authconfig --enablesmartcard --smartcardmodule=sssd --updateall
```

This command will update sssd.conf with pam_cert_auth=True.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307360284

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
martbab commented:
"""
That section[1] only instructs to configure `pam_cert_auth=true` in the SSSD's `pam` section which is already done on both server and client, see `enable_pam_auth_in_sssd` method. Am I missing something?

[1] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/idm-smart-cards.html
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307358447

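A check for the setting discussed in the two comments above, as an added example that is not part of the thread or of FreeIPA's code: it parses sssd.conf text and reports whether `pam_cert_auth` is enabled in the `[pam]` section, including the case where the option was written into another section. The function name `check_pam_cert_auth` and the sample file contents are constructed for illustration.

```python
import configparser

# Constructed sample sssd.conf contents (not taken from the thread).
SAMPLE_OK = """\
[sssd]
services = nss, pam, ssh

[pam]
pam_cert_auth = True

[domain/example.test]
id_provider = ipa
"""
# Constructed failure cases: option present but outside [pam], and option disabled.
SAMPLE_WRONG_SECTION = "[sssd]\nservices = nss, pam\npam_cert_auth = True\n\n[pam]\n"
SAMPLE_DISABLED = "[sssd]\nservices = nss, pam\n\n[pam]\npam_cert_auth = false\n"


def check_pam_cert_auth(conf_text):
    """Return (ok, reason) for the pam_cert_auth setting in sssd.conf text."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(conf_text)
    except configparser.Error as exc:
        return False, f"unparseable sssd.conf: {exc}"
    if not parser.has_section("pam"):
        return False, "no [pam] section"
    if not parser.has_option("pam", "pam_cert_auth"):
        # Look for the option in other sections to give a more useful reason.
        strays = [s for s in parser.sections()
                  if s != "pam" and parser.has_option(s, "pam_cert_auth")]
        if strays:
            return False, "pam_cert_auth set outside [pam]: " + ", ".join(strays)
        return False, "pam_cert_auth not set in [pam]"
    try:
        enabled = parser.getboolean("pam", "pam_cert_auth")
    except ValueError:
        return False, "pam_cert_auth is not a boolean"
    if not enabled:
        return False, "pam_cert_auth is disabled"
    return True, "pam_cert_auth enabled in [pam]"


if __name__ == "__main__":
    for text in (SAMPLE_OK, SAMPLE_WRONG_SECTION, SAMPLE_DISABLED):
        print(check_pam_cert_auth(text))
```
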
[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
abbra commented:
"""
It is all documented in https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/smart-cards.html (notice 7-Beta, this is new material for RHEL 7.4 beta), section 22.5.1.3.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307354137

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
martbab commented:
"""
@abbra thanks for review. Is `pam_pkcs11` removal necessary for client? Also what option does the recipe need to pass to `authconfig` to properly configure smart card auth? Isn't it enough to configure SSSD?
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307352108

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
abbra commented:
"""
Thanks. Comments so far:

* client configuration does not make sure to ask for a removal of `pam_pkcs11` package
* client configuration does not call for the `authconfig` to configure PAM stack. It seems to me that we either need a second recipe that enables IPA client system for a remote logon or need to integrate it in the same recipe
* there are a few places in the server plugin that do an explicit 'if ... ' command. This probably would be better to replace with `commands_on_predicate` like in the client case
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307340749

[Freeipa-devel] [freeipa PR#854][comment] server-side and client-side advises for configuring smart card auth
martbab commented:
"""
@flo @abbra I have rebased PR and included also a recipe for client configuration for the sake of completeness.
"""

See the full comment at https://github.com/freeipa/freeipa/pull/854#issuecomment-307326811