Hi everyone,
I have a CentOS8 FreeIPA 4.8.0 test environment with a CentOS8 client. I'm
enforcing smart card authentication on the client by setting the
"authentication indicator" to "pkinit" with the command "ipa host-mod
--auth-ind=pkinit". This works fine to restrict SSH, GDM and Console lo
Hi Alexander,
Thanks for the prompt reply!
I tried the suggestion you made about p11-kit remoting. I got the forwarding
working and I can see the token on the remote machine when I run:
p11tool --provider /usr/lib64/pkcs11/p11-kit-client.so --list-tokens
and I can also see the module listed when I
Hi Alexander,
Here's what I'm seeing over Console:
ipaclient login: user
PIN for PIV_II:
ipaclient$ p11tool --list-tokens
Token 0:
URL:
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Fla
Hi Sumit,
Ya, root doesn't see it.
Here's the result:
[user@ipaclient][~]$ p11tool --list-tokens
Token 0:
URL:
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Flags: uPIN uninitialized
Sumit,
If I manually set the XDG_RUNTIME_DIR for root pointing to my user's one it
works:
[user@ipaclient][~]$ env|grep RUNTIME
XDG_RUNTIME_DIR=/run/user/
[user@ipaclient][~]$ su -
Password:
[root@ipaclient ~]# export XDG_RUNTIME_DIR=/run/user/
[root@ipaclient ~]# p11tool --provider=/usr/lib64/
Hi,
Linking works for listing tokens:
[root@ipaclient 0]# env|grep RUNTIME
[root@ipaclient 0]# pwd
/run/user/0
[root@ipaclient 0]# ls -l
total 0
lrwxrwxrwx. 1 root root 22 Feb 14 14:28 p11-kit -> /run/user//p11-kit
[root@ipaclient 0]# p11tool --provider=/usr/lib64/pkcs11/p11-kit-client.so
--list
Hi Sumit,
Actually, I just got it working without forwarding the card:
yum install -y pam_ssh_agent_auth
~/.ssh/config:
ForwardAgent yes
/etc/sudoers:
Defaults env_keep += "SSH_AUTH_SOCK"
/etc/pam.d/sudo:
#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so
authorized_keys_command=/usr/b
Not sure why that line wrapped on the pam.d/sudo file:
#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
auth include system-auth
account include system-auth
password include system-auth
session include system-auth
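Added example, not from the thread: a small checker for the two fragments the last message relies on. A PAM entry must be a single line, so if the pam_ssh_agent_auth line wraps, "authorized_keys_command=..." is no longer passed to the module; and sudo drops the environment, so SSH_AUTH_SOCK has to be in env_keep for the module to reach the forwarded agent. The sample files below are constructed.

```shell
# Added example (not the poster's code): check the pam.d/sudo and sudoers
# fragments from the thread for the two mistakes that silently break them.

pam_sudo_ok() {
    # $1: pam.d/sudo-style file. Only matches when the module and its
    # authorized_keys_command= option are on the same line.
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_ssh_agent_auth\.so[[:space:]]+authorized_keys_command=/[^[:space:]]+[[:space:]]*$' "$1"
}

sudoers_keeps_agent_sock() {
    # $1: sudoers-style file. SSH_AUTH_SOCK must appear in an env_keep += list,
    # otherwise sudo strips it and pam_ssh_agent_auth cannot find the agent.
    grep -Eq '^Defaults[[:space:]]+env_keep[[:space:]]*[+]=[[:space:]]*"([^"]*[[:space:]])?SSH_AUTH_SOCK([[:space:]][^"]*)?"' "$1"
}

# Constructed samples: the wrapped variant seen in the thread, and the fixed one.
WRAPPED_PAM=$(mktemp)
cat > "$WRAPPED_PAM" <<'EOF'
#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so
authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
auth include system-auth
EOF

FIXED_PAM=$(mktemp)
cat > "$FIXED_PAM" <<'EOF'
#%PAM-1.0
auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
auth include system-auth
EOF

SUDOERS_OK=$(mktemp)
printf 'Defaults env_keep += "SSH_AUTH_SOCK"\n' > "$SUDOERS_OK"
SUDOERS_BAD=$(mktemp)
printf 'Defaults env_keep += "LANG"\n' > "$SUDOERS_BAD"

pam_sudo_ok "$WRAPPED_PAM" && echo "wrapped pam.d/sudo: ok" || echo "wrapped pam.d/sudo: BROKEN"
pam_sudo_ok "$FIXED_PAM"   && echo "fixed pam.d/sudo: ok"   || echo "fixed pam.d/sudo: BROKEN"
sudoers_keeps_agent_sock "$SUDOERS_OK"  && echo "sudoers keeps SSH_AUTH_SOCK" || echo "sudoers drops SSH_AUTH_SOCK"
```

The checker only confirms the entries are present and well-formed; still run the edited sudoers through visudo -c before relying on it.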