[Freeipa-users] Authentication indicators smartcard, ssh and sudo

2020-02-10 Thread Leon Castellano via FreeIPA-users
Hi everyone, I have a CentOS8 FreeIPA 4.8.0 test environment with a CentOS8 client. I'm enforcing smart card authentication on the client by setting the "authentication indicator" to "pkinit" with the command "ipa host-mod --auth-ind=pkinit". This works fine to restrict SSH, GDM and Console lo

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-10 Thread Leon Castellano via FreeIPA-users
Hi Alexander, Thanks for the prompt reply! I tried the suggestion you made about p11-kit remoting. I got the forwarding working and I can see token on the remote machine when I run: p11tool --provider /usr/lib64/pkcs11/p11-kit-client.so --list-tokens and I can also see the module listed when I

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Leon Castellano via FreeIPA-users
Hi Alexander, Here's what I'm seeing over Console: ipaclient login: user PIN for PIV_II: ipaclient$ p11tool --list-tokens Token 0: URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust Label: System Trust Type: Trust module Fla

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Leon Castellano via FreeIPA-users
Hi Sumit, Ya, root doesn't see it. Here's the result: [user@ipaclient][~]$ p11tool --list-tokens Token 0: URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust Label: System Trust Type: Trust module Flags: uPIN uninitialized

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Leon Castellano via FreeIPA-users
Sumit, If I manually set the XDG_RUNTIME_DIR for root pointing to my user's one it works: [user@ipaclient][~]$ env|grep RUNTIME XDG_RUNTIME_DIR=/run/user/ [user@ipaclient][~]$ su - Password: [root@ipaclient ~]# export XDG_RUNTIME_DIR=/run/user/ [root@ipaclient ~]# p11tool --provider=/usr/lib64/

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Leon Castellano via FreeIPA-users
Hi, Linking works for listing tokens: [root@ipaclient 0]# env|grep RUNTIME [root@ipaclient 0]# pwd /run/user/0 [root@ipaclient 0]# ls -l total 0 lrwxrwxrwx. 1 root root 22 Feb 14 14:28 p11-kit -> /run/user//p11-kit [root@ipaclient 0]# p11tool --provider=/usr/lib64/pkcs11/p11-kit-client.so --list

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-14 Thread Leon Castellano via FreeIPA-users
Hi Sumit, Actually, I just got it working without forwarding the card: yum install -y pam_ssh_agent_auth ~/.ssh/config: ForwardAgent yes /etc/sudoers: Defaults env_keep += "SSH_AUTH_SOCK" /etc/pam.d/sudo: #%PAM-1.0 auth sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/b

[Freeipa-users] Re: Authentication indicators smartcard, ssh and sudo

2020-02-17 Thread Leon Castellano via FreeIPA-users
Not sure why that line wrapped on the pam.d/sudo file:
    #%PAM-1.0
    auth     sufficient pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
    auth     include    system-auth
    account  include    system-auth
    password include    system-auth
    session  include    system-auth
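The last two messages together give the working recipe: pam_ssh_agent_auth in /etc/pam.d/sudo, sss_ssh_authorizedkeys as the key lookup, SSH_AUTH_SOCK preserved through sudoers, and agent forwarding from the workstation. Two details decide whether it actually enforces the smart card: the pam_ssh_agent_auth line has to come before the "auth include system-auth" fallback, or the password stack is consulted first, and env_keep has to preserve SSH_AUTH_SOCK, or the module never finds the socket. The script below is an added example, not code from the thread, from FreeIPA or from pam_ssh_agent_auth; it lints copies of those two files for exactly those conditions. The sample files are constructed here, and the helper path /usr/bin/sss_ssh_authorizedkeys is taken from the thread while any absolute path is accepted. Worth remembering with this setup: the module accepts any key sss_ssh_authorizedkeys returns for the user, so it is only as strong as the keys published in IPA, and ForwardAgent yes makes the agent socket reachable by root on ipaclient for as long as the session lasts.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: sanity-check the two
# files the poster edited so that sudo really does authenticate against the
# forwarded agent (and therefore the smart card behind it).
#
# Assumptions (mine): file paths are passed as arguments; the key lookup helper
# is /usr/bin/sss_ssh_authorizedkeys as in the thread; any absolute path is
# accepted for authorized_keys_command.

# check_pam_sudo FILE
# 0 when the file has an "auth sufficient pam_ssh_agent_auth.so" line with an
# absolute authorized_keys_command, placed before the "auth include
# system-auth" fallback. If the include comes first, the normal password
# stack runs before the agent is ever consulted.
check_pam_sudo() {
    f=$1
    agent_line=$(grep -n -E '^[[:space:]]*auth[[:space:]]+sufficient[[:space:]]+pam_ssh_agent_auth\.so' "$f" | head -n 1)
    if [ -z "$agent_line" ]; then
        echo "$f: no 'auth sufficient pam_ssh_agent_auth.so' line" >&2
        return 1
    fi
    agent_no=${agent_line%%:*}
    if ! printf '%s\n' "$agent_line" | grep -q 'authorized_keys_command=/'; then
        echo "$f: authorized_keys_command missing or not an absolute path" >&2
        return 1
    fi
    fallback_no=$(grep -n -E '^[[:space:]]*auth[[:space:]]+include[[:space:]]+system-auth' "$f" | head -n 1 | cut -d: -f1)
    if [ -z "$fallback_no" ]; then
        echo "$f: no 'auth include system-auth' fallback" >&2
        return 1
    fi
    if [ "$agent_no" -ge "$fallback_no" ]; then
        echo "$f: pam_ssh_agent_auth must come before 'auth include system-auth'" >&2
        return 1
    fi
    return 0
}

# check_sudoers FILE
# 0 when a "Defaults env_keep" line preserves SSH_AUTH_SOCK. sudo scrubs the
# environment otherwise, and pam_ssh_agent_auth then cannot find the socket.
check_sudoers() {
    keep=$(grep -E '^[[:space:]]*Defaults[[:space:]]+env_keep[[:space:]]*\+?=' "$1" || true)
    if [ -z "$keep" ]; then
        echo "$1: no 'Defaults env_keep' line" >&2
        return 1
    fi
    if ! printf '%s\n' "$keep" | grep -q 'SSH_AUTH_SOCK'; then
        echo "$1: env_keep does not preserve SSH_AUTH_SOCK" >&2
        return 1
    fi
    return 0
}

# Constructed sample files (not captured from the poster's hosts).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT

cat >"$tmp/sudo.good" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
EOF

# Same lines, wrong order: the password stack is consulted first.
cat >"$tmp/sudo.bad" <<'EOF'
#%PAM-1.0
auth       include      system-auth
auth       sufficient   pam_ssh_agent_auth.so authorized_keys_command=/usr/bin/sss_ssh_authorizedkeys
account    include      system-auth
EOF

cat >"$tmp/sudoers.good" <<'EOF'
Defaults    env_keep += "SSH_AUTH_SOCK"
%wheel      ALL=(ALL)   ALL
EOF

cat >"$tmp/sudoers.bad" <<'EOF'
%wheel      ALL=(ALL)   ALL
EOF

for f in sudo.good sudo.bad; do
    check_pam_sudo "$tmp/$f" && echo "$f: ok" || echo "$f: FAIL"
done
for f in sudoers.good sudoers.bad; do
    check_sudoers "$tmp/$f" && echo "$f: ok" || echo "$f: FAIL"
done
```

Run it against copies of the real files (check_pam_sudo /etc/pam.d/sudo; check_sudoers /etc/sudoers) after editing with visudo; it only reads, never writes. It does not verify that the helper exists or that the agent socket is present at sudo time, so a final interactive test with the card inserted and removed is still needed.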