[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

Hello,

Okay. That concludes al of the test cases as successful. 
Thank you for your support once again!



BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Mon, Mar 30, 2020 at 02:22:44PM -, Hristina Marosevic wrote:
> Hello,
> 
> I successfuly added the CRL list  into nssdb. CRL list is in DER format.
> So, I tested the last scenario, which was vaidation of the revoked user 
> certificate used for authenticatiion  using offline CRL list instead of using 
> OCSP. So, just giving info about this:
> In the [sssd] section of the sssd.conf file, option certificate_validation 
> has value "no_ocsp" and in the log file recorded using strace, this lines 
> were generated: 
> write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761 
> [do_verification] (0x0040): Certificate [(null)][CN=test_sssd_revoked.] 
> not valid [-8102][Certificate key usage inadequate for attempted 
> operation.].\n", 228) = 228
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761 [do_work] 
> (0x0400): Certificate is NOT valid.\n", 100) = 100
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761 [main] 
> (0x0040): do_work failed.\n", 87) = 87
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761 [main] 
> (0x0020): p11_child failed!\n", 89) = 89
> close(1)= 0
> exit_group(1)   = ?
> +++ exited with 1 +++
> 
> 
> So, the authentication did not pass, which was excpected. 
> Please confirm that this is the answer that the p11_child should give in case 
> of revoked user certificate. 

Hi,

yes, in the way SSSD is using NSS '[-8102][Certificate key usage
inadequate for attempted operation.]' is often returned instead of a
more specific error message when certificate validation fails.

bye,
Sumit

> If it is like that, by this step I can confirm that SSSD PKI authentication 
> works properly i.e successfuly verifies trust/time validity/revocation status 
> of the user certificate.
> 
> BR,
> Hristina
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

Hello,

I successfuly added the CRL list  into nssdb. CRL list is in DER format.
So, I tested the last scenario, which was vaidation of the revoked user 
certificate used for authenticatiion  using offline CRL list instead of using 
OCSP. So, just giving info about this:
In the [sssd] section of the sssd.conf file, option certificate_validation has 
value "no_ocsp" and in the log file recorded using strace, this lines were 
generated: 
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761 
[do_verification] (0x0040): Certificate [(null)][CN=test_sssd_revoked.] not 
valid [-8102][Certificate key usage inadequate for attempted operation.].\n", 
228) = 228
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761 [do_work] 
(0x0400): Certificate is NOT valid.\n", 100) = 100
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761 [main] 
(0x0040): do_work failed.\n", 87) = 87
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Mon Mar 30 16:12:12 2020) [[sssd[p11_child[25761 [main] 
(0x0020): p11_child failed!\n", 89) = 89
close(1)= 0
exit_group(1)   = ?
+++ exited with 1 +++


So, the authentication did not pass, which was excpected. 
Please confirm that this is the answer that the p11_child should give in case 
of revoked user certificate. 
If it is like that, by this step I can confirm that SSSD PKI authentication 
works properly i.e successfuly verifies trust/time validity/revocation status 
of the user certificate.

BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Thu, Mar 26, 2020 at 08:16:31AM -, Hristina Marosevic wrote:
> > On Wed, Mar 25, 2020 at 10:49:55AM -, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > glad to hear it is working now. Thanks for your patience.
> > 
> > bye,
> > Sumit
> 
> 
> Hello,
> 
> As I was planning, I tried to login with an expired certificate and the 
> authentication failed with error: 
> write(2, "(Wed Mar 25 16:28:59 2020) [[sssd[p11_child[10489 
> [do_verification] (0x0040): Certificate [(null)][CN=test_sssd,.] not 
> valid [-8181][Peer's Certificate has expired.].\n", 194) = 194
> I also, in some way tested authentication using certificate signed by 
> untrusted authorities  i.e. when the root and intermediate CA certificates 
> were not imported correctly I got the error: " Certificate not valid. 
> .Peer's Certificate is not recognized"
> This seems to be working properly. 
> 
> The last scenario which I would like to test is CRL status, but if possiible 
> using offline CRL list instead of OCSP responder. 
> I guess certificate_verification=no_ocsp stays in the sssd section of the 
> sssd configuration, but what else should I do to make sssd chek the 
> revocation status of a user certificate using an offline CRL list, stored 
> somewhere on the machine? 
> This is like that because our lab environment is not connected to internet, 
> and I can not use the OCSP URL given in the user's certificate. Is this 
> workaround possible?

Hi,

please use crlutil to import a CRL into the NSS database, see man
crlutil for details.

HTH

bye,
Sumit

> 
> BR,
> Hristina
>  
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Wed, Mar 25, 2020 at 10:49:55AM -, Hristina Marosevic wrote:
> 
> Hi,
> 
> glad to hear it is working now. Thanks for your patience.
> 
> bye,
> Sumit


Hello,

As I was planning, I tried to login with an expired certificate and the 
authentication failed with error: 
write(2, "(Wed Mar 25 16:28:59 2020) [[sssd[p11_child[10489 
[do_verification] (0x0040): Certificate [(null)][CN=test_sssd,.] not valid 
[-8181][Peer's Certificate has expired.].\n", 194) = 194
I also, in some way tested authentication using certificate signed by untrusted 
authorities  i.e. when the root and intermediate CA certificates were not 
imported correctly I got the error: " Certificate not valid. .Peer's 
Certificate is not recognized"
This seems to be working properly. 

The last scenario which I would like to test is CRL status, but if possiible 
using offline CRL list instead of OCSP responder. 
I guess certificate_verification=no_ocsp stays in the sssd section of the sssd 
configuration, but what else should I do to make sssd chek the revocation 
status of a user certificate using an offline CRL list, stored somewhere on the 
machine? 
This is like that because our lab environment is not connected to internet, and 
I can not use the OCSP URL given in the user's certificate. Is this workaround 
possible?

BR,
Hristina
 
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Wed, Mar 25, 2020 at 10:49:55AM -, Hristina Marosevic wrote:
> > On Tue, Mar 24, 2020 at 02:20:17PM -, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > did you change the 'ca_db' option in sssd.conf? If looks like a wrong
> > path '/home/oracle' is used for the NSS database.
> > 
> > bye,
> > Sumit
> 
> 
> Hello,
> 
> It was anold configuration - thank you for noticing!
> After deleting the ca_db option value from the sssd configuration i.e. now, 
> when it has the default value - /etc/pki/nssdb user authentication passed 
> successfully.
> 
> /var/log/sssd/sssd_ssh.log
> ...
> (Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x1000): Waiting 
> for child [20372].
> (Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x0100): child 
> [20372] finished successfully.
> (Wed Mar 25 11:34:44 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x1000): 
> Certificate 
> [MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQotCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEyMQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JAxGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1gxbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxEw62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZb/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGBaxQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVo
>  
> q80UGgwHQYDVR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMFUwUwYHKoMOAwMCBDBIMCEGCCsGAQUFBwIBFhVodHRwOi8vcGtpLmdvdi5rei9jcHMwIwYIKwYBBQUHAgIwFwwVaHR0cDovL3BraS5nb3Yua3ovY3BzMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovY3JsL25jYV9yc2FfdGVzdC5jcmwwPgYDVR0uBDcwNTAzoDGgL4YtaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jcmwvbmNhX2RfcnNhX3Rlc3QuY3JsMHEGCCsGAQUFBwEBBGUwYzA4BggrBgEFBQcwAoYsaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jZXJ0L25jYV9yc2FfdGVzdC5jZXIwJwYIKwYBBQUHMAGGG2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovb2NzcDANBgkqhkiG9w0BAQsFAAOCAgEACnYpytjbyuV3sRojnlyxEC7HG7BgcDDy6rS/kfOtK6X5+MGCT/zvwksZOumN5Jg5TPdJuKt3ebKJGIBVr474mHFk7Nq0F8WxuAWNffjoL0Lvcuon4Zwq/W8h4t6PYutD4NEauIPEa8X8BGPgMn+YqOc3sfEruXh8rmcSJ/zuT7uw1wD6ZQlNsniioengKIgapDVDHuzoV/r//rEANwIpntAyjXFh+fjx+CDCx2sLxYjlVgyxNzT53mD6ZqsMlg6NrajJe/GvS0A38jKNyxW/DPX06NToWP/hu7M4P2/WiskjKVgOxqQcc4yzTfKV41DmEmGGC7sT1r3YeZ4dH/KQRpjowBOSKmUZq4/XR0yXXhpTDtiiRwXkQgM1p4SKE19bBqGuc76lDgmffPPPj4B+3HZqaprIIDG3YA3/W4rwUoWBQPGGCXpOBvGEQptEHItx4YiEZTQuvdCtlW585kUyol39sK
>  
> v2uIo/FgycBd8NufOInGCLUgpZec4zVLZN9Shj+M20BMUh+SiGoL/kJAi2XdM922U3po9a2FbULvJfOlsFY2Z6n+TUZZVXBCUIEE6Ek4tTIGjHWj7uQVGLjw0PcHf11CtrMZO7Y+OTBb/Y0oyUY9JOyzSqhj4rt4nNkzR1vMGVYMNISoXbDgYBaAKuv2oSpG6yQdlufS8M/YWxAWw=]
>  is valid.
> (Wed Mar 25 11:34:44 2020) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending 
> reply: success
> (Wed Mar 25 11:34:44 2020) [sssd[ssh]] [client_recv] (0x0200): Client 
> disconnected!
> (Wed Mar 25 11:34:44 2020) [sssd[ssh]] [client_close_fn] (0x2000): Terminated 
> client [0x561dbac3a190][18]
> 
> 
> p11_child-log
> # log file 2...
> write(2, "(Wed Mar 25 11:34:44 2020) [[sssd[p11_child[20372 [do_work] 
> (0x0400): Certificate is valid.\n", 96) = 96
> # log file 1...
> write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] 
> (0x1000): Waiting for child [20372].\n", 96) = 96
> wait4(20372, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG, NULL) = 20372
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] 
> (0x0100): child [20372] finished successfully.\n", 106) = 106
> close(19)   = 0
> close(22)   = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [cert_to_ssh_key_done] 
> (0x1000): Certificate 
> 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Tue, Mar 24, 2020 at 02:20:17PM -, Hristina Marosevic wrote:
> 
> Hi,
> 
> did you change the 'ca_db' option in sssd.conf? If looks like a wrong
> path '/home/oracle' is used for the NSS database.
> 
> bye,
> Sumit


Hello,

It was anold configuration - thank you for noticing!
After deleting the ca_db option value from the sssd configuration i.e. now, 
when it has the default value - /etc/pki/nssdb user authentication passed 
successfully.

/var/log/sssd/sssd_ssh.log
...
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x1000): Waiting 
for child [20372].
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x0100): child 
[20372] finished successfully.
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x1000): 
Certificate 
[MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQotCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEyMQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JAxGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1gxbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxEw62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZb/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGBaxQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVo
 
q80UGgwHQYDVR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMFUwUwYHKoMOAwMCBDBIMCEGCCsGAQUFBwIBFhVodHRwOi8vcGtpLmdvdi5rei9jcHMwIwYIKwYBBQUHAgIwFwwVaHR0cDovL3BraS5nb3Yua3ovY3BzMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovY3JsL25jYV9yc2FfdGVzdC5jcmwwPgYDVR0uBDcwNTAzoDGgL4YtaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jcmwvbmNhX2RfcnNhX3Rlc3QuY3JsMHEGCCsGAQUFBwEBBGUwYzA4BggrBgEFBQcwAoYsaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jZXJ0L25jYV9yc2FfdGVzdC5jZXIwJwYIKwYBBQUHMAGGG2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovb2NzcDANBgkqhkiG9w0BAQsFAAOCAgEACnYpytjbyuV3sRojnlyxEC7HG7BgcDDy6rS/kfOtK6X5+MGCT/zvwksZOumN5Jg5TPdJuKt3ebKJGIBVr474mHFk7Nq0F8WxuAWNffjoL0Lvcuon4Zwq/W8h4t6PYutD4NEauIPEa8X8BGPgMn+YqOc3sfEruXh8rmcSJ/zuT7uw1wD6ZQlNsniioengKIgapDVDHuzoV/r//rEANwIpntAyjXFh+fjx+CDCx2sLxYjlVgyxNzT53mD6ZqsMlg6NrajJe/GvS0A38jKNyxW/DPX06NToWP/hu7M4P2/WiskjKVgOxqQcc4yzTfKV41DmEmGGC7sT1r3YeZ4dH/KQRpjowBOSKmUZq4/XR0yXXhpTDtiiRwXkQgM1p4SKE19bBqGuc76lDgmffPPPj4B+3HZqaprIIDG3YA3/W4rwUoWBQPGGCXpOBvGEQptEHItx4YiEZTQuvdCtlW585kUyol39sK
 
v2uIo/FgycBd8NufOInGCLUgpZec4zVLZN9Shj+M20BMUh+SiGoL/kJAi2XdM922U3po9a2FbULvJfOlsFY2Z6n+TUZZVXBCUIEE6Ek4tTIGjHWj7uQVGLjw0PcHf11CtrMZO7Y+OTBb/Y0oyUY9JOyzSqhj4rt4nNkzR1vMGVYMNISoXbDgYBaAKuv2oSpG6yQdlufS8M/YWxAWw=]
 is valid.
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending 
reply: success
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [client_recv] (0x0200): Client 
disconnected!
(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [client_close_fn] (0x2000): Terminated 
client [0x561dbac3a190][18]


p11_child-log
# log file 2...
write(2, "(Wed Mar 25 11:34:44 2020) [[sssd[p11_child[20372 [do_work] 
(0x0400): Certificate is valid.\n", 96) = 96
# log file 1...
write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x1000): 
Waiting for child [20372].\n", 96) = 96
wait4(20372, [{WIFEXITED(s) && WEXITSTATUS(s) == 0}], WNOHANG, NULL) = 20372
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [child_sig_handler] (0x0100): 
child [20372] finished successfully.\n", 106) = 106
close(19)   = 0
close(22)   = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(7, "(Wed Mar 25 11:34:44 2020) [sssd[ssh]] [cert_to_ssh_key_done] 
(0x1000): Certificate 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Tue, Mar 24, 2020 at 02:20:17PM -, Hristina Marosevic wrote:
> > On Wed, Mar 18, 2020 at 10:42:52AM -, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > can you send the output of
> > 
> > ls -al /etc/pki/nssdb
> > 
> > and
> > 
> > certutil -L -d /etc/pki/nssdb -h all
> > 
> > bye,
> > Sumit
> 
> 
> Hello Sumit,
> 
> Somehow, today I didn't get any error when executing certutil command. In 
> meanwhile I didn't do anything different, except for the sssd and sshd 
> restart.
> Few days ago, I couldn't add nor list the existing certificates in the nssdb 
> using certutil.
> Now, when this is working, I added the two CA certs in the chain of the 
> user's public certificate. One is intermediate, and one is root CA.
> Too add the intermediate and root CA certs in the nssdb, I used der fomrats 
> of the certificates and the following command for each one of them:
> certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d 
> /etc/pki/nssdb
> 
> You asked me to list the nssdb directory. Here is the result:
> $ ls -al /etc/pki/nssdb
> total 132
> drwxr-xr-x.  2 root root  4096 Mar  6 10:34 .
> drwxr-xr-x. 10 root root  4096 Jan 24  2019 ..
> -rw-r--r--   1 root root 65536 Aug  7  2019 cert8.db
> -rw-r--r--.  1 root root  9216 Jan 24  2019 cert9.db
> -rw-r--r--   1 root root 0 Mar  6 10:34 i#uiap
> -rw-r--r--   1 root root 16384 Aug  7  2019 key3.db
> -rw-r--r--.  1 root root 11264 Jan 24  2019 key4.db
> -rw-r--r--   1 root root   451 Aug  7  2019 pkcs11.txt
> -rw-r--r--   1 root root 16384 Aug  7  2019 secmod.db
> 
> After adding the certificates from the chain of the user's public 
> certificate, following command:
> certutil -L -d /etc/pki/nssdb -h all
> resulted with:
> 
> Certificate Nickname Trust Attributes
>  
> SSL,S/MIME,JAR/XPI
> 
> root_KZ   C,C,C
> intermediate_KZ  C,C,C
> 
> 
> In the sssd section of the sssd.conf file the value for 
> certificate_verification is no_ocsp. Using strace, recorded log of the 
> p11_child about the pki authentication attempt  is:
> 
> .
> stat("/home/oracle/secmod.db", 0x7ffcf6ee2350) = -1 ENOENT (No such file or 
> directory)
> open("/home/oracle/secmod.db", O_RDONLY) = -1 ENOENT (No such file or 
> directory)
> open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
> 0x7f2379ad3000
> read(4, "0\n", 1024)= 2
> close(4)= 0
> munmap(0x7f2379ad3000, 4096)= 0
> stat("/home/oracle/cert8.db", 0x7ffcf6ee1f30) = -1 ENOENT (No such file or 
> directory)
> open("/home/oracle/cert8.db", O_RDONLY) = -1 ENOENT (No such file or 
> directory)
> stat("/home/oracle/cert7.db", 0x7ffcf6ee1f50) = -1 ENOENT (No such file or 
> directory)
> open("/home/oracle/cert7.db", O_RDONLY) = -1 ENOENT (No such file or 
> directory)

Hi,

did you change the 'ca_db' option in sssd.conf? If looks like a wrong
path '/home/oracle' is used for the NSS database.

bye,
Sumit

> access("/etc/pki/nss-legacy/nss-rhel7.config", R_OK) = 0
> open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
> 0x7f2379ad3000
> read(4, "0\n", 1024)= 2
> close(4)= 0
> munmap(0x7f2379ad3000, 4096)= 0
> open("/etc/pki/nss-legacy/nss-rhel7.config", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0644, st_size=257, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
> 0x7f2379ad3000
> read(4, "# To re-enable legacy algorithms, edit this file\n# Note that the 
> last empty line in this file must be 
> preserved\nlibrary=\nname=Policy\nNSS=flags=policyOnly,moduleDB\nconfig=\"disallow=MD5:RC4
>  allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0\"\n\n", 
> 4096) = 257
> stat("/etc/sysconfig/64bit_strstr_via_64bit_strstr_sse2_unaligned", 
> {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
> read(4, "", 4096)   = 0
> close(4)= 0
> munmap(0x7f2379ad3000, 4096)= 0
> open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
> 0x7f2379ad3000
> read(4, "0\n", 1024)= 2
> close(4)= 0
> munmap(0x7f2379ad3000, 4096)= 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538 
> 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Tue, Mar 24, 2020 at 02:20:17PM -, Hristina Marosevic wrote:
> 
> Hi,
> 
> please try to add them with
> 
> certutil -A -n "CA cert nickname" -t CT,C,C -i /path/to/CA_cert_file -d
> /etc/pki/nssdb
> 
> (please note the additional 'T' for 'trusted CA for client
> authentication') and check if this makes a difference.
> 
> bye,
> Sumit




Hello,


I got the same error: 
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171 
[do_verification] (0x0040): Certificate 
[(null)][givenName=\320\242\320\225\320\241\320\242\320\242\320\236\320\222\320\230\320\247,ST=\320\220\320\241\320\242\320\220\320\235\320\220,L=\320\220\320\241\320\242\320\220\320\235\320\220,C=KZ,serialNumber=IIN123456789012,SN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222,CN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222
 \320\242\320\225\320\241\320\242\320\242] not valid [-8179][Peer's Certificate 
issuer is not recognized.].\n", 310) = 310
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171 [do_work] 
(0x0400): Certificate is NOT valid.\n", 100) = 100
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171 [main] 
(0x0040): do_work failed.\n", 87) = 87
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 15:56:24 2020) [[sssd[p11_child[28171 [main] 
(0x0020): p11_child failed!\n", 89) = 89
close(1)= 0
exit_group(1)   = ?
+++ exited with 1 +++


What I did is: 
added the CA certs once again, as trusted: 

certutil -L -d /etc/pki/nssdb -h all  
Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

root_KZ   CT,C,C
intermediate_KZ  CT,C,C

and stoppped sssd, emptyed its cache, started sssd, restarted sshd, afterwards.


BR,
Hristina M.
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Tue, Mar 24, 2020 at 02:20:17PM -, Hristina Marosevic wrote:
> > On Wed, Mar 18, 2020 at 10:42:52AM -, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > can you send the output of
> > 
> > ls -al /etc/pki/nssdb
> > 
> > and
> > 
> > certutil -L -d /etc/pki/nssdb -h all
> > 
> > bye,
> > Sumit
> 
> 
> Hello Sumit,
> 
> Somehow, today I didn't get any error when executing certutil command. In 
> meanwhile I didn't do anything different, except for the sssd and sshd 
> restart.
> Few days ago, I couldn't add nor list the existing certificates in the nssdb 
> using certutil.
> Now, when this is working, I added the two CA certs in the chain of the 
> user's public certificate. One is intermediate, and one is root CA.
> Too add the intermediate and root CA certs in the nssdb, I used der fomrats 
> of the certificates and the following command for each one of them:
> certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d 
> /etc/pki/nssdb

Hi,

please try to add them with

certutil -A -n "CA cert nickname" -t CT,C,C -i /path/to/CA_cert_file -d 
/etc/pki/nssdb

(please note the additional 'T' for 'trusted CA for client
authentication') and check if this makes a difference.

bye,
Sumit

> 
> You asked me to list the nssdb directory. Here is the result:
> $ ls -al /etc/pki/nssdb
> total 132
> drwxr-xr-x.  2 root root  4096 Mar  6 10:34 .
> drwxr-xr-x. 10 root root  4096 Jan 24  2019 ..
> -rw-r--r--   1 root root 65536 Aug  7  2019 cert8.db
> -rw-r--r--.  1 root root  9216 Jan 24  2019 cert9.db
> -rw-r--r--   1 root root 0 Mar  6 10:34 i#uiap
> -rw-r--r--   1 root root 16384 Aug  7  2019 key3.db
> -rw-r--r--.  1 root root 11264 Jan 24  2019 key4.db
> -rw-r--r--   1 root root   451 Aug  7  2019 pkcs11.txt
> -rw-r--r--   1 root root 16384 Aug  7  2019 secmod.db
> 
> After adding the certificates from the chain of the user's public 
> certificate, following command:
> certutil -L -d /etc/pki/nssdb -h all
> resulted with:
> 
> Certificate Nickname Trust Attributes
>  
> SSL,S/MIME,JAR/XPI
> 
> root_KZ   C,C,C
> intermediate_KZ  C,C,C
> 
> 
> In the sssd section of the sssd.conf file the value for 
> certificate_verification is no_ocsp. Using strace, recorded log of the 
> p11_child about the pki authentication attempt  is:
> 
> .
> stat("/home/oracle/secmod.db", 0x7ffcf6ee2350) = -1 ENOENT (No such file or 
> directory)
> open("/home/oracle/secmod.db", O_RDONLY) = -1 ENOENT (No such file or 
> directory)
> open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
> 0x7f2379ad3000
> read(4, "0\n", 1024)= 2
> close(4)= 0
> munmap(0x7f2379ad3000, 4096)= 0
> stat("/home/oracle/cert8.db", 0x7ffcf6ee1f30) = -1 ENOENT (No such file or 
> directory)
> open("/home/oracle/cert8.db", O_RDONLY) = -1 ENOENT (No such file or 
> directory)
> stat("/home/oracle/cert7.db", 0x7ffcf6ee1f50) = -1 ENOENT (No such file or 
> directory)
> open("/home/oracle/cert7.db", O_RDONLY) = -1 ENOENT (No such file or 
> directory)
> access("/etc/pki/nss-legacy/nss-rhel7.config", R_OK) = 0
> open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
> 0x7f2379ad3000
> read(4, "0\n", 1024)= 2
> close(4)= 0
> munmap(0x7f2379ad3000, 4096)= 0
> open("/etc/pki/nss-legacy/nss-rhel7.config", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0644, st_size=257, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
> 0x7f2379ad3000
> read(4, "# To re-enable legacy algorithms, edit this file\n# Note that the 
> last empty line in this file must be 
> preserved\nlibrary=\nname=Policy\nNSS=flags=policyOnly,moduleDB\nconfig=\"disallow=MD5:RC4
>  allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0\"\n\n", 
> 4096) = 257
> stat("/etc/sysconfig/64bit_strstr_via_64bit_strstr_sse2_unaligned", 
> {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
> read(4, "", 4096)   = 0
> close(4)= 0
> munmap(0x7f2379ad3000, 4096)= 0
> open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
> fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
> mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
> 0x7f2379ad3000
> read(4, "0\n", 1024)= 2
> close(4)= 0
> munmap(0x7f2379ad3000, 4096)= 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Wed, Mar 18, 2020 at 10:42:52AM -, Hristina Marosevic wrote:
> 
> Hi,
> 
> can you send the output of
> 
> ls -al /etc/pki/nssdb
> 
> and
> 
> certutil -L -d /etc/pki/nssdb -h all
> 
> bye,
> Sumit


Hello Sumit,

Somehow, today I didn't get any error when executing certutil command. In 
meanwhile I didn't do anything different, except for the sssd and sshd restart.
Few days ago, I couldn't add nor list the existing certificates in the nssdb 
using certutil.
Now, when this is working, I added the two CA certs in the chain of the user's 
public certificate. One is intermediate, and one is root CA.
Too add the intermediate and root CA certs in the nssdb, I used der fomrats of 
the certificates and the following command for each one of them:
certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d 
/etc/pki/nssdb

You asked me to list the nssdb directory. Here is the result:
$ ls -al /etc/pki/nssdb
total 132
drwxr-xr-x.  2 root root  4096 Mar  6 10:34 .
drwxr-xr-x. 10 root root  4096 Jan 24  2019 ..
-rw-r--r--   1 root root 65536 Aug  7  2019 cert8.db
-rw-r--r--.  1 root root  9216 Jan 24  2019 cert9.db
-rw-r--r--   1 root root 0 Mar  6 10:34 i#uiap
-rw-r--r--   1 root root 16384 Aug  7  2019 key3.db
-rw-r--r--.  1 root root 11264 Jan 24  2019 key4.db
-rw-r--r--   1 root root   451 Aug  7  2019 pkcs11.txt
-rw-r--r--   1 root root 16384 Aug  7  2019 secmod.db

After adding the certificates from the chain of the user's public certificate, 
following command:
certutil -L -d /etc/pki/nssdb -h all
resulted with:

Certificate Nickname Trust Attributes
 SSL,S/MIME,JAR/XPI

root_KZ   C,C,C
intermediate_KZ  C,C,C


In the sssd section of the sssd.conf file the value for 
certificate_verification is no_ocsp. Using strace, recorded log of the 
p11_child about the pki authentication attempt  is:

.
stat("/home/oracle/secmod.db", 0x7ffcf6ee2350) = -1 ENOENT (No such file or 
directory)
open("/home/oracle/secmod.db", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x7f2379ad3000
read(4, "0\n", 1024)= 2
close(4)= 0
munmap(0x7f2379ad3000, 4096)= 0
stat("/home/oracle/cert8.db", 0x7ffcf6ee1f30) = -1 ENOENT (No such file or 
directory)
open("/home/oracle/cert8.db", O_RDONLY) = -1 ENOENT (No such file or directory)
stat("/home/oracle/cert7.db", 0x7ffcf6ee1f50) = -1 ENOENT (No such file or 
directory)
open("/home/oracle/cert7.db", O_RDONLY) = -1 ENOENT (No such file or directory)
access("/etc/pki/nss-legacy/nss-rhel7.config", R_OK) = 0
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x7f2379ad3000
read(4, "0\n", 1024)= 2
close(4)= 0
munmap(0x7f2379ad3000, 4096)= 0
open("/etc/pki/nss-legacy/nss-rhel7.config", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=257, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x7f2379ad3000
read(4, "# To re-enable legacy algorithms, edit this file\n# Note that the last 
empty line in this file must be 
preserved\nlibrary=\nname=Policy\nNSS=flags=policyOnly,moduleDB\nconfig=\"disallow=MD5:RC4
 allow=DH-MIN=1023:DSA-MIN=1023:RSA-MIN=1023:TLS-VERSION-MIN=tls1.0\"\n\n", 
4096) = 257
stat("/etc/sysconfig/64bit_strstr_via_64bit_strstr_sse2_unaligned", 
{st_mode=S_IFREG|0644, st_size=0, ...}) = 0
read(4, "", 4096)   = 0
close(4)= 0
munmap(0x7f2379ad3000, 4096)= 0
open("/proc/sys/crypto/fips_enabled", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 
0x7f2379ad3000
read(4, "0\n", 1024)= 2
close(4)= 0
munmap(0x7f2379ad3000, 4096)= 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
write(2, "(Tue Mar 24 13:36:19 2020) [[sssd[p11_child[5538 
[do_verification] (0x0040): Certificate 
[(null)][givenName=\320\242\320\225\320\241\320\242\320\242\320\236\320\222\320\230\320\247,ST=\320\220\320\241\320\242\320\220\320\235\320\220,L=\320\220\320\241\320\242\320\220\320\235\320\220,C=KZ,serialNumber=IIN123456789012,SN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222,CN=\320\242\320\225\320\241\320\242\320\242\320\236\320\222
 \320\242\320\225\320\241\320\242\320\242] not valid 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Wed, Mar 18, 2020 at 10:42:52AM -, Hristina Marosevic wrote:
> > On Tue, Mar 17, 2020 at 02:17:06PM -, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > about 'certificate_verification = no_verification', there is an issue
> > which was fixed by
> > https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be
> > but the fix is not in the build you are using. So better continue with
> > 'certificate_verification = no_ocsp'.
> > 
> > 
> > Please add all CA certificates to the NSS database /etc/pki/nssdb with
> > the help of the certutil command:
> > 
> > certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d
> > /etc/pki/nssdb
> > 
> > each CA certificate should get an individual nickname. If your
> > CA_cert_file is in PEM format (with BEGIN CERTIFICATE and END
> > CERTIFICATE lines) you might need to add a '-a' option as well.
> > 
> > If there are still issues please send the strace output.
> > 
> > HTH
> > 
> > bye,
> > Sumit
> 
> 
> Hello, 
> 
> I just tried to add the certificates (intermediate and root CA) to the 
> database and I got the error: "certutil: function failed: 
> SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, 
> unsupported format." for each one.

Hi,

can you send the output of

ls -al /etc/pki/nssdb

and

certutil -L -d /etc/pki/nssdb -h all

bye,
Sumit

> 
> The confirugation in sssd is still not changed and no other step is executed 
> due to this error. I think it is important to solve this problem first, and 
> that this one is not related to the sssd configuration and option 
> certificate_verification in the config file. 
> Can you propose me a solution for this? 
> 
> 
> BR,
> Hristina
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Tue, Mar 17, 2020 at 02:17:06PM -, Hristina Marosevic wrote:
> 
> Hi,
> 
> about 'certificate_verification = no_verification', there is an issue
> which was fixed by
> https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be
> but the fix is not in the build you are using. So better continue with
> 'certificate_verification = no_ocsp'.
> 
> 
> Please add all CA certificates to the NSS database /etc/pki/nssdb with
> the help of the certutil command:
> 
> certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d
> /etc/pki/nssdb
> 
> each CA certificate should get an individual nickname. If your
> CA_cert_file is in PEM format (with BEGIN CERTIFICATE and END
> CERTIFICATE lines) you might need to add a '-a' option as well.
> 
> If there are still issues please send the strace output.
> 
> HTH
> 
> bye,
> Sumit


Hello, 

I just tried to add the certificates (intermediate and root CA) to the database 
and I got the error: "certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The 
certificate/key database is in an old, unsupported format." for each one.

The confirugation in sssd is still not changed and no other step is executed 
due to this error. I think it is important to solve this problem first, and 
that this one is not related to the sssd configuration and option 
certificate_verification in the config file. 
Can you propose me a solution for this? 


BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Tue, Mar 17, 2020 at 02:17:06PM -, Hristina Marosevic wrote:
> > On Tue, Mar 17, 2020 at 11:17:34AM -, Hristina Marosevic wrote:
> > 
> > 
> > Hi,
> > 
> > I'm sorry, I haven't read one of your earlier emails carefully enough,
> > please do not use "certificate_verification = no_ocsp, no_verification"
> > but only
> > 
> > certificate_verification = no_verification
> > 
> > 'no_ocsp' implies verification but without OCSP so using both options is
> > an inconsistency.
> > 
> > bye,
> > Sumit

Hi,

about 'certificate_verification = no_verification', there is an issue
which was fixed by
https://pagure.io/SSSD/sssd/c/31ebf912d6426aea446b2bdae919d4e33b0c95be
but the fix is not in the build you are using. So better continue with
'certificate_verification = no_ocsp'.

> 
> 
> Besides this, I thought of another scenario which may help me validate the 
> certificate. I can add certificate_verification=no_ocsp instead of 
> certificate_verification=no_verification in [sssd] section of sssd.conf file, 
> and store the trust on the server - in that case, where should I store the 
> trust and is it enought just to provide the root CA certificate, or it is 
> needed to store the intermediate CAs certificates? Also, in which format?

Please add all CA certificates to the NSS database /etc/pki/nssdb with
the help of the certutil command:

certutil -A -n "CA cert nickname" -t C,C,C -i /path/to/CA_cert_file -d 
/etc/pki/nssdb

each CA certificate should get an individual nickname. If your
CA_cert_file is in PEM format (with BEGIN CERTIFICATE and END
CERTIFICATE lines) you might need to add a '-a' option as well.

If there are still issues please send the strace output.

HTH

bye,
Sumit
> 
> If this won't work, I really have no idea of any other options for testing 
> the PKI based authentication, so if you have any other ideas, I will 
> appreciate if you share it. 
> 
> 
> Thank you for your help!
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Tue, Mar 17, 2020 at 11:17:34AM -, Hristina Marosevic wrote:
> 
> 
> Hi,
> 
> I'm sorry, I haven't read one of your earlier emails carefully enough,
> please do not use "certificate_verification = no_ocsp, no_verification"
> but only
> 
> certificate_verification = no_verification
> 
> 'no_ocsp' implies verification but without OCSP so using both options is
> an inconsistency.
> 
> bye,
> Sumit


Besides this, I thought of another scenario which may help me validate the 
certificate. I can add certificate_verification=no_ocsp instead of 
certificate_verification=no_verification in [sssd] section of sssd.conf file, 
and store the trust on the server - in that case, where should I store the 
trust and is it enought just to provide the root CA certificate, or it is 
needed to store the intermediate CAs certificates? Also, in which format?

If this won't work, I really have no idea of any other options for testing the 
PKI based authentication, so if you have any other ideas, I will appreciate if 
you share it. 


Thank you for your help!
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Tue, Mar 17, 2020 at 11:17:34AM -, Hristina Marosevic wrote:
> > On Tue, Mar 17, 2020 at 09:41:16AM -, Hristina Marosevic wrote:
> > 
> > 
> > Hi,
> > 
> > so p11_child is really called but as you said earlier there are no logs.
> > 
> > This might e.g. be a permission issue, please check the permissions on
> > /var/log/sssd if you see anything odd. For me it looks like:
> > 
> > drwxr-x---.  2 root root  system_u:object_r:sssd_var_log_t:s04096 
> > Mar 17 09:09 .
> > drwxr-xr-x. 12 root root  system_u:object_r:var_log_t:s0 4096 
> > Mar 15 03:27 ..
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0  221452 
> > Mar 17 09:19
> > krb5_child.log
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0 1069023 
> > Mar 17 11:16
> > ldap_child.log
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   0 
> > Mar 16 10:31
> > p11_child.log
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   14816 
> > Mar 17 09:19
> > selinux_child.log
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0 623 
> > Mar 16 10:31
> > sssd.log
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   0 
> > Mar 16 10:31
> > sssd_nss.log
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   0 
> > Mar 16 10:31
> > sssd_pac.log
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0  490679 
> > Mar 17 11:18
> > sssd_pam.log
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0 6723166 
> > Mar 17 11:18
> > sssd_ipa.devel.log
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   0 
> > Mar 16 10:31
> > sssd_ssh.log
> > -rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   0 
> > Mar 16 10:31
> > sssd_sudo.log
> > 
> > 
> > The next step would be to check what failed with strace. For this call
> > 
> > mkdir /tmp/strace_data
> > strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof 
> > /usr/libexec/sssd/sssd_ssh)
> > 
> > in one terminal can call 'sss_ssh_authorizedkeys IIN321' in a 
> > different
> > terminal. After calling sss_ssh_authorizedkeys you can stop the strace 
> > command
> > with CTRL-C. In /tmp/strace_data there should be at least 2 files, one of 
> > the
> > main sssd_ssh process and the other for p11_child, please send both (if 
> > there
> > are more than 2 please send all).
> > 
> > bye,
> > Sumit
> 
> 
> There are two files:
> 
> after executing strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof 
> /usr/libexec/sssd/sssd_ssh) strace_.24180 was generated. 

> write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539 
> [parse_cert_verify_opts] (0x4000): Found 'no_ocsp' option, disabling 
> OCSP.\n", 128) = 128
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539 
> [parse_cert_verify_opts] (0x0020): Found 'no_verification' option, disabling 
> verification completely. This should not be used in production.\n", 194) = 194
> write(2, "Cannot run verification with option 'no_verification'.\n", 55) = 55

Hi,

I'm sorry, I haven't read one of your earlier emails carefully enough,
please do not use "certificate_verification = no_ocsp, no_verification"
but only

certificate_verification = no_verification

'no_ocsp' implies verification but without OCSP so using both options is
an inconsistency.

bye,
Sumit

> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=1931, ...}) = 0
> write(2, "(Tue Mar 17 12:09:26 2020) [[sssd[p11_child[5539 [main] 
> (0x0020): p11_child failed!\n", 88) = 88
> close(1)= 0
> exit_group(1)   = ?
> +++ exited with 1 +++
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Tue, Mar 17, 2020 at 09:41:16AM -, Hristina Marosevic wrote:
> > On Thu, Mar 12, 2020 at 03:13:57PM -, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > the file should be in the SSSD log directory, so typically
> > /var/log/sssd/p11_child.log.
> > 
> > Since it does not exists, p11_child was not called to validate the
> > certificates. In this case sssd_ssh.log is the only source of
> > information. Feel free to send the file or the part of the log file
> > which covers the time where sss_ssh_authorized_keys was called.
> > 
> > bye,
> > Sumit
> 
> 
> 
> Hello,
> 
> command: /usr/bin/sss_ssh_authorizedkeys IIN321
> 
> output:
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [get_client_cred] (0x4000): Client 
> creds: euid[0] egid[0] pid[24441].
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [get_client_cred] (0x0080): The 
> following failure is expected to happen in case SELinux is disabled:
> SELINUX_getpeercon failed [92][Protocol not available].
> Please, consider enabling SELinux in your system.
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [setup_client_idle_timer] (0x4000): 
> Idle timer re-set for client [0x55e6a3217350][18]
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [accept_fd_handler] (0x0400): Client 
> connected!
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [sss_cmd_get_version] (0x0200): 
> Received client version [0].
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [sss_cmd_get_version] (0x0200): 
> Offered version [0].
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ssh_protocol_parse_request] (0x0400): 
> Requested domain []
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ssh_cmd_get_user_pubkeys] (0x0400): 
> Requesting SSH user public keys for [IIN321] from []

> 
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [child_handler_setup] (0x2000): 
> Setting up signal handler up for pid [24442]
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [child_handler_setup] (0x2000): Signal 
> handler set up for pid [24442]
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [child_sig_handler] (0x1000): Waiting 
> for child [24442].
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [child_sig_handler] (0x0020): child 
> [24442] failed with status [1].
> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x0040): 
> /usr/libexec/sssd/p11_child failed with status [256]

Hi,

so p11_child is really called but as you said earlier there are no logs.

This might e.g. be a permission issue, please check the permissions on
/var/log/sssd if you see anything odd. For me it looks like:

drwxr-x---.  2 root root  system_u:object_r:sssd_var_log_t:s04096 Mar 
17 09:09 .
drwxr-xr-x. 12 root root  system_u:object_r:var_log_t:s0 4096 Mar 
15 03:27 ..
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0  221452 Mar 
17 09:19 krb5_child.log
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0 1069023 Mar 
17 11:16 ldap_child.log
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   0 Mar 
16 10:31 p11_child.log
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   14816 Mar 
17 09:19 selinux_child.log
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0 623 Mar 
16 10:31 sssd.log
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   0 Mar 
16 10:31 sssd_nss.log
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   0 Mar 
16 10:31 sssd_pac.log
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0  490679 Mar 
17 11:18 sssd_pam.log
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0 6723166 Mar 
17 11:18 sssd_ipa.devel.log
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   0 Mar 
16 10:31 sssd_ssh.log
-rw---.  1 root root  system_u:object_r:sssd_var_log_t:s0   0 Mar 
16 10:31 sssd_sudo.log


The next step would be to check what failed with strace. For this call

mkdir /tmp/strace_data
strace -ff -s 1024 -o /tmp/strace_data/strace_ -p $(pidof 
/usr/libexec/sssd/sssd_ssh)

in one terminal can call 'sss_ssh_authorizedkeys IIN321' in a different
terminal. After calling sss_ssh_authorizedkeys you can stop the strace command
with CTRL-C. In /tmp/strace_data there should be at least 2 files, one of the
main sssd_ssh process and the other for p11_child, please send both (if there
are more than 2 please send all).

bye,
Sumit

> (Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x0080): 
> Certificate 
> 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Thu, Mar 12, 2020 at 4:52 PM Sumit Bose  
> log file
> and the records
> were actually stored in parent process log.
> 
> Fixed in commit 30d0ccd49


Hello Tomas, 

Can you please send me link of the commit? 
About the paret p11 log file - I am not sure, which log process is the parent 
process? Where should I look for p11 child logs? 

BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Thu, Mar 12, 2020 at 03:13:57PM -, Hristina Marosevic wrote:
> 
> Hi,
> 
> the file should be in the SSSD log directory, so typically
> /var/log/sssd/p11_child.log.
> 
> Since it does not exists, p11_child was not called to validate the
> certificates. In this case sssd_ssh.log is the only source of
> information. Feel free to send the file or the part of the log file
> which covers the time where sss_ssh_authorized_keys was called.
> 
> bye,
> Sumit



Hello,

command: /usr/bin/sss_ssh_authorizedkeys IIN321

output:
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [get_client_cred] (0x4000): Client 
creds: euid[0] egid[0] pid[24441].
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [get_client_cred] (0x0080): The 
following failure is expected to happen in case SELinux is disabled:
SELINUX_getpeercon failed [92][Protocol not available].
Please, consider enabling SELinux in your system.
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [setup_client_idle_timer] (0x4000): Idle 
timer re-set for client [0x55e6a3217350][18]
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [accept_fd_handler] (0x0400): Client 
connected!
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Received 
client version [0].
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [sss_cmd_get_version] (0x0200): Offered 
version [0].
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ssh_protocol_parse_request] (0x0400): 
Requested domain []
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ssh_cmd_get_user_pubkeys] (0x0400): 
Requesting SSH user public keys for [IIN321] from []
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_set_plugin] (0x2000): CR #0: 
Setting "User by name" plugin
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_send] (0x0400): CR #0: New 
request 'User by name'
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_process_input] (0x0400): CR 
#0: Parsing input name [IIN321]
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [sss_parse_name_for_domains] (0x0200): 
name 'IIN321' matched without domain, user is IIN321
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_set_name] (0x0400): CR #0: 
Setting name [IIN321]
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_select_domains] (0x0400): CR 
#0: Performing a multi-domain search
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_search_domains] (0x0400): CR 
#0: Search will check the cache and check the data provider
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_validate_domain_type] 
(0x2000): Request type POSIX-only for domain LDAP type POSIX is valid
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_set_domain] (0x0400): CR #0: 
Using domain [LDAP]
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_prepare_domain_data] 
(0x0400): CR #0: Preparing input data for domain [LDAP] rules
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_search_send] (0x0400): CR #0: 
Looking up IIN321@ldap
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_search_ncache] (0x0400): CR 
#0: Checking negative cache for [IIN321@ldap]
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [sss_ncache_check_str] (0x2000): 
Checking negative cache for [NCE/USER/LDAP/IIN321@ldap]
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_search_ncache] (0x0400): CR 
#0: [IIN321@ldap] is not present in negative cache
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_search_cache] (0x0400): CR 
#0: Looking up [IIN321@ldap] in cache
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x55e6a321fcd0

(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x55e6a321fda0

(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ldb] (0x4000): Running timer event 
0x55e6a321fcd0 "ltdb_callback"

(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 
0x55e6a321fda0 "ltdb_timeout"

(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 
0x55e6a321fcd0 "ltdb_callback"

(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ldb] (0x4000): Added timed event 
"ltdb_callback": 0x55e6a321fc00

(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ldb] (0x4000): Added timed event 
"ltdb_timeout": 0x55e6a321fcd0

(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ldb] (0x4000): Running timer event 
0x55e6a321fc00 "ltdb_callback"

(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 
0x55e6a321fcd0 "ltdb_timeout"

(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [ldb] (0x4000): Destroying timer event 
0x55e6a321fc00 "ltdb_callback"

(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_search_send] (0x0400): CR #0: 
Returning [IIN321@ldap] from cache
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_search_ncache_filter] 
(0x0400): CR #0: This request type does not support filtering result by 
negative cache
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_create_and_add_result] 
(0x0400): CR #0: Found 1 entries in domain LDAP
(Tue Mar 17 10:39:34 2020) [sssd[ssh]] [cache_req_done] (0x0400): CR #0: 
Finished: Success
(Tue Mar 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Tomas Halman]

On Thu, Mar 12, 2020 at 4:52 PM Sumit Bose  wrote:

> Hi,
>
> the file should be in the SSSD log directory, so typically
> /var/log/sssd/p11_child.log.
>
> Since it does not exists, p11_child was not called to validate the
> certificates. In this case sssd_ssh.log is the only source of
> information. Feel free to send the file or the part of the log file
> which covers the time where sss_ssh_authorized_keys was called.
>
> bye,
> Sumit
>
> Just for the record, there was a bug that caused not creating p11_child
log file and the records
were actually stored in parent process log.

Fixed in commit 30d0ccd49

-- 
Tomas Halman
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Thu, Mar 12, 2020 at 03:13:57PM -, Hristina Marosevic wrote:
> > On Fri, Mar 06, 2020 at 12:44:35PM -, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > no [pam] is not needed for your use case, access via ssh.
> > 
> > 
> > This command looks for certificates from a Smartcard connected to the
> > local system. However p11_child is used to validate the certificates for
> > the ssh key generation as well. You should add debug_level = 9 to the
> > [ssh] section of sssd.conf and then check sssd_ssh.log and p11_child.log
> > after calling sss_ssh_authorized_keys.
> > 
> > HTH
> > 
> > bye,
> > Sumit
> 
> 
> I can not find a file named p11_child.log (i searched everything from the 
> root directory)
> The only thing related to p11_child is executable /usr/libexec/sssd/p11_child 
> - should I use it to generate log? 
> Can you please help me with this?

Hi,

the file should be in the SSSD log directory, so typically
/var/log/sssd/p11_child.log.

Since it does not exists, p11_child was not called to validate the
certificates. In this case sssd_ssh.log is the only source of
information. Feel free to send the file or the part of the log file
which covers the time where sss_ssh_authorized_keys was called.

bye,
Sumit

> 
> BR,
> Hristina
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Fri, Mar 06, 2020 at 12:44:35PM -, Hristina Marosevic wrote:
> 
> Hi,
> 
> no [pam] is not needed for your use case, access via ssh.
> 
> 
> This command looks for certificates from a Smartcard connected to the
> local system. However p11_child is used to validate the certificates for
> the ssh key generation as well. You should add debug_level = 9 to the
> [ssh] section of sssd.conf and then check sssd_ssh.log and p11_child.log
> after calling sss_ssh_authorized_keys.
> 
> HTH
> 
> bye,
> Sumit


I can not find a file named p11_child.log (i searched everything from the root 
directory)
The only thing related to p11_child is executable /usr/libexec/sssd/p11_child - 
should I use it to generate log? 
Can you please help me with this?

BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Fri, Mar 06, 2020 at 12:44:35PM -, Hristina Marosevic wrote:
> Hello, 
> 
> I added: "certificate_verification = no_ocsp, no_verification" in [sssd] part 
> of the sssd configuration and I didn't add the CA certs because the 
> certification validation is disabled, but I am getting the same error 
> "certificate is not valid" in the sssd_ssh.log
> SSSD version that I am using is (yum package version):
> 1.16.4-21.0.1.el7_7.1
> Somewhere on the internet, I saw this in the [pam] part of the sssd 
> configuration: "pam_cert_auth = True" - should I add this line in my config 
> file?

Hi,

no [pam] is not needed for your use case, access via ssh.

> and I found the following command for the p11_child log (by you):
> /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb

This command looks for certificates from a Smartcard connected to the
local system. However p11_child is used to validate the certificates for
the ssh key generation as well. You should add debug_level = 9 to the
[ssh] section of sssd.conf and then check sssd_ssh.log and p11_child.log
after calling sss_ssh_authorized_keys.

HTH

bye,
Sumit

> 
> The output on my machine was:
> $ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb
> (Fri Mar  6 13:33:30:652007 2020) [[sssd[p11_child[8855 [main] (0x0400): 
> p11_child started.
> (Fri Mar  6 13:33:30:652310 2020) [[sssd[p11_child[8855 [main] (0x2000): 
> Running in [pre-auth] mode.
> (Fri Mar  6 13:33:30:652517 2020) [[sssd[p11_child[8855 [main] (0x2000): 
> Running with effective IDs: [0][0].
> (Fri Mar  6 13:33:30:652758 2020) [[sssd[p11_child[8855 [main] (0x2000): 
> Running with real IDs [0][0].
> (Fri Mar  6 13:33:30:710650 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): Default Module List:
> (Fri Mar  6 13:33:30:710904 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): common name: [NSS Internal PKCS #11 Module].
> (Fri Mar  6 13:33:30:711013 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): dll name: [(null)].
> (Fri Mar  6 13:33:30:76 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): Dead Module List:
> (Fri Mar  6 13:33:30:711218 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): DB Module List:
> (Fri Mar  6 13:33:30:711320 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): common name: [NSS Internal Module].
> (Fri Mar  6 13:33:30:711434 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): dll name: [(null)].
> (Fri Mar  6 13:33:30:711564 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): common name: [Policy File].
> (Fri Mar  6 13:33:30:711768 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): dll name: [(null)].
> (Fri Mar  6 13:33:30:711890 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): Description [NSS User Private Key and Certificate Services  
>  Mozilla Foundation  ] Manufacturer [Mozilla Foundation   
>] flags [1].
> (Fri Mar  6 13:33:30:712016 2020) [[sssd[p11_child[8855 [do_card] 
> (0x4000): Description [NSS Internal Cryptographic Services
>  Mozilla Foundation ] Manufacturer [Mozilla 
> Foundation   ] flags [9].
> (Fri Mar  6 13:33:30:712335 2020) [[sssd[p11_child[8855 [do_card] 
> (0x0040): No removable slots found.
> (Fri Mar  6 13:33:30:712448 2020) [[sssd[p11_child[8855 [main] (0x0040): 
> do_work failed.
> (Fri Mar  6 13:33:30:712595 2020) [[sssd[p11_child[8855 [main] (0x0020): 
> p11_child failed!
> 
> 
> BR,
> Hristina
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Fri, Mar 06, 2020 at 08:09:59AM -, Hristina Marosevic wrote:
> 
> Hi,
> 
> this looks like some progress. Please check p11_child.log which might
> contain detail why SSSD thinks the certificate is not valid. By default
> SSSD will check the certificate with the help of the CA certificates and
> does OCSP if the certificate contains the needed OCSP data.
> 
> To disable OCSP, since your system cannot reach the OCSP responder,
> please add
> 
> certificate_verification = no_ocsp
> 
> to the [sssd] section of sssd.conf and restart SSSD. For testing you can
> even use 'no_verification' but this is should not be used in production
> (see man sssd.conf for details).
> 
> Which version of SSSD are you using? Depending on the version you might
> have to add the CA certificates to different locations, please check the
> 'ca_db' option described in man sssd.conf for details as well.
> 
> bye,
> Sumit


Can you please check the comment bellow? 
(I didn't quote your text there, so I am not sure if you got a notification for 
my comment)

BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

Hello, 

I added: "certificate_verification = no_ocsp, no_verification" in [sssd] part 
of the sssd configuration and I didn't add the CA certs because the 
certification validation is disabled, but I am getting the same error 
"certificate is not valid" in the sssd_ssh.log
SSSD version that I am using is (yum package version):
1.16.4-21.0.1.el7_7.1
Somewhere on the internet, I saw this in the [pam] part of the sssd 
configuration: "pam_cert_auth = True" - should I add this line in my config 
file?
and I found the following command for the p11_child log (by you):
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb

The output on my machine was:
$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --pre --nssdb=/etc/pki/nssdb
(Fri Mar  6 13:33:30:652007 2020) [[sssd[p11_child[8855 [main] (0x0400): 
p11_child started.
(Fri Mar  6 13:33:30:652310 2020) [[sssd[p11_child[8855 [main] (0x2000): 
Running in [pre-auth] mode.
(Fri Mar  6 13:33:30:652517 2020) [[sssd[p11_child[8855 [main] (0x2000): 
Running with effective IDs: [0][0].
(Fri Mar  6 13:33:30:652758 2020) [[sssd[p11_child[8855 [main] (0x2000): 
Running with real IDs [0][0].
(Fri Mar  6 13:33:30:710650 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
Default Module List:
(Fri Mar  6 13:33:30:710904 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
common name: [NSS Internal PKCS #11 Module].
(Fri Mar  6 13:33:30:711013 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
dll name: [(null)].
(Fri Mar  6 13:33:30:76 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
Dead Module List:
(Fri Mar  6 13:33:30:711218 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
DB Module List:
(Fri Mar  6 13:33:30:711320 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
common name: [NSS Internal Module].
(Fri Mar  6 13:33:30:711434 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
dll name: [(null)].
(Fri Mar  6 13:33:30:711564 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
common name: [Policy File].
(Fri Mar  6 13:33:30:711768 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
dll name: [(null)].
(Fri Mar  6 13:33:30:711890 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
Description [NSS User Private Key and Certificate Services   
Mozilla Foundation  ] Manufacturer [Mozilla Foundation  
] flags [1].
(Fri Mar  6 13:33:30:712016 2020) [[sssd[p11_child[8855 [do_card] (0x4000): 
Description [NSS Internal Cryptographic Services 
Mozilla Foundation ] Manufacturer [Mozilla Foundation   
] flags [9].
(Fri Mar  6 13:33:30:712335 2020) [[sssd[p11_child[8855 [do_card] (0x0040): 
No removable slots found.
(Fri Mar  6 13:33:30:712448 2020) [[sssd[p11_child[8855 [main] (0x0040): 
do_work failed.
(Fri Mar  6 13:33:30:712595 2020) [[sssd[p11_child[8855 [main] (0x0020): 
p11_child failed!


BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Fri, Mar 06, 2020 at 08:09:59AM -, Hristina Marosevic wrote:
> Hello, 
> 
> I got an error message: "Certificate is not valid"
> 
> So, I am not sure what should this mean? Is it because the trust (path to CA 
> cert) isn't stored in the sssd configuration? Here I have a root CA and an 
> intermediate CA.
> This can be the only option I can think of, so far because it is still valid 
> considering expiration time, and it is not revoked (there is also no change 
> in sssd configuration regarding OCSP (should I do something about this or 
> sssd will by default check the provided CRL list given by URL in the 
> certificate?), but there is a link of the CRL in the certificate provided by 
> LDAP to sssd which - maybe can not be reached because this machine is not 
> connected to Internet - in this case is it possible to use offlice copy of 
> the CRL list on the local machine? )
> 
> sssd_ssh.log:
> 
> (Fri Mar  6 08:50:11 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x0080): 
> Certificate 
> [MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQotCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEyMQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JAxGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1gxbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxEw62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZb/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGBaxQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVo
>  
> q80UGgwHQYDVR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMFUwUwYHKoMOAwMCBDBIMCEGCCsGAQUFBwIBFhVodHRwOi8vcGtpLmdvdi5rei9jcHMwIwYIKwYBBQUHAgIwFwwVaHR0cDovL3BraS5nb3Yua3ovY3BzMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovY3JsL25jYV9yc2FfdGVzdC5jcmwwPgYDVR0uBDcwNTAzoDGgL4YtaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jcmwvbmNhX2RfcnNhX3Rlc3QuY3JsMHEGCCsGAQUFBwEBBGUwYzA4BggrBgEFBQcwAoYsaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jZXJ0L25jYV9yc2FfdGVzdC5jZXIwJwYIKwYBBQUHMAGGG2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovb2NzcDANBgkqhkiG9w0BAQsFAAOCAgEACnYpytjbyuV3sRojnlyxEC7HG7BgcDDy6rS/kfOtK6X5+MGCT/zvwksZOumN5Jg5TPdJuKt3ebKJGIBVr474mHFk7Nq0F8WxuAWNffjoL0Lvcuon4Zwq/W8h4t6PYutD4NEauIPEa8X8BGPgMn+YqOc3sfEruXh8rmcSJ/zuT7uw1wD6ZQlNsniioengKIgapDVDHuzoV/r//rEANwIpntAyjXFh+fjx+CDCx2sLxYjlVgyxNzT53mD6ZqsMlg6NrajJe/GvS0A38jKNyxW/DPX06NToWP/hu7M4P2/WiskjKVgOxqQcc4yzTfKV41DmEmGGC7sT1r3YeZ4dH/KQRpjowBOSKmUZq4/XR0yXXhpTDtiiRwXkQgM1p4SKE19bBqGuc76lDgmffPPPj4B+3HZqaprIIDG3YA3/W4rwUoWBQPGGCXpOBvGEQptEHItx4YiEZTQuvdCtlW585kUyol39sK
>  
> v2uIo/FgycBd8NufOInGCLUgpZec4zVLZN9Shj+M20BMUh+SiGoL/kJAi2XdM922U3po9a2FbULvJfOlsFY2Z6n+TUZZVXBCUIEE6Ek4tTIGjHWj7uQVGLjw0PcHf11CtrMZO7Y+OTBb/Y0oyUY9JOyzSqhj4rt4nNkzR1vMGVYMNISoXbDgYBaAKuv2oSpG6yQdlufS8M/YWxAWw=]
>  is not valid.
> 

Hi,

this looks like some progress. Please check p11_child.log which might
contain detail why SSSD thinks the certificate is not valid. By default
SSSD will check the certificate with the help of the CA certificates and
does OCSP if the certificate contains the needed OCSP data.

To disable OCSP, since your system cannot reach the OCSP responder,
please add

certificate_verification = no_ocsp

to the [sssd] section of sssd.conf and restart SSSD. For testing you can
even use 'no_verification' but this is should not be used in production
(see man sssd.conf for details).

Which version of SSSD are you using? Depending on the version you might
have to add the CA certificates to different locations, please check the
'ca_db' option described in man sssd.conf for details as well.

bye,
Sumit

> 
> 
> 
> Once again, the certificate is stored in LDAP like: 
> ..
> userCertificate;binary:: 
> MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZ
>  
> IhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw
>  
> 0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQo
>  
> tCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEy
>  
> MQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JA
>  
> xGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCgg
>  
> EBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1g
>  
> xbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxE
>  
> w62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZ
>  
> b/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGB
>  
> axQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEF
>  
> 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

I added the certificate using the ldapmodify option "read from file" and the 
content for the user certificate retrieved by the ldapsearch on the LDAP 
server, also the content mapped by SSSD on the sssd client proved that the 
format of the user certificate was okay. 
What I get in the sssd_ssh.log is the same errror as before, i.e. "certificate 
is not valid"

So, now I need to find out only why is this certificate not valid. Is it 
because of the trust or revocation status that can not be retrieved from the 
CRL list which can not be downloaded due to the lack of connection to Internet 
or both..
What is your opinion on this?

BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

I will try this proposal to check if I get the same error when using the binary 
format. 
I will let you know.
Thank you for your help!


BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

Hello, 

I got an error message: "Certificate is not valid"

So, I am not sure what should this mean? Is it because the trust (path to CA 
cert) isn't stored in the sssd configuration? Here I have a root CA and an 
intermediate CA.
This can be the only option I can think of, so far because it is still valid 
considering expiration time, and it is not revoked (there is also no change in 
sssd configuration regarding OCSP (should I do something about this or sssd 
will by default check the provided CRL list given by URL in the certificate?), 
but there is a link of the CRL in the certificate provided by LDAP to sssd 
which - maybe can not be reached because this machine is not connected to 
Internet - in this case is it possible to use offlice copy of the CRL list on 
the local machine? )

sssd_ssh.log:

(Fri Mar  6 08:50:11 2020) [sssd[ssh]] [cert_to_ssh_key_done] (0x0080): 
Certificate 
[MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQotCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEyMQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JAxGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1gxbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxEw62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZb/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGBaxQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVo
 
q80UGgwHQYDVR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMFUwUwYHKoMOAwMCBDBIMCEGCCsGAQUFBwIBFhVodHRwOi8vcGtpLmdvdi5rei9jcHMwIwYIKwYBBQUHAgIwFwwVaHR0cDovL3BraS5nb3Yua3ovY3BzMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovY3JsL25jYV9yc2FfdGVzdC5jcmwwPgYDVR0uBDcwNTAzoDGgL4YtaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jcmwvbmNhX2RfcnNhX3Rlc3QuY3JsMHEGCCsGAQUFBwEBBGUwYzA4BggrBgEFBQcwAoYsaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jZXJ0L25jYV9yc2FfdGVzdC5jZXIwJwYIKwYBBQUHMAGGG2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovb2NzcDANBgkqhkiG9w0BAQsFAAOCAgEACnYpytjbyuV3sRojnlyxEC7HG7BgcDDy6rS/kfOtK6X5+MGCT/zvwksZOumN5Jg5TPdJuKt3ebKJGIBVr474mHFk7Nq0F8WxuAWNffjoL0Lvcuon4Zwq/W8h4t6PYutD4NEauIPEa8X8BGPgMn+YqOc3sfEruXh8rmcSJ/zuT7uw1wD6ZQlNsniioengKIgapDVDHuzoV/r//rEANwIpntAyjXFh+fjx+CDCx2sLxYjlVgyxNzT53mD6ZqsMlg6NrajJe/GvS0A38jKNyxW/DPX06NToWP/hu7M4P2/WiskjKVgOxqQcc4yzTfKV41DmEmGGC7sT1r3YeZ4dH/KQRpjowBOSKmUZq4/XR0yXXhpTDtiiRwXkQgM1p4SKE19bBqGuc76lDgmffPPPj4B+3HZqaprIIDG3YA3/W4rwUoWBQPGGCXpOBvGEQptEHItx4YiEZTQuvdCtlW585kUyol39sK
 
v2uIo/FgycBd8NufOInGCLUgpZec4zVLZN9Shj+M20BMUh+SiGoL/kJAi2XdM922U3po9a2FbULvJfOlsFY2Z6n+TUZZVXBCUIEE6Ek4tTIGjHWj7uQVGLjw0PcHf11CtrMZO7Y+OTBb/Y0oyUY9JOyzSqhj4rt4nNkzR1vMGVYMNISoXbDgYBaAKuv2oSpG6yQdlufS8M/YWxAWw=]
 is not valid.




Once again, the certificate is stored in LDAP like: 
..
userCertificate;binary:: MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZ
 IhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw
 0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQo
 tCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEy
 MQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JA
 xGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCgg
 EBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1g
 xbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxE
 w62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZ
 b/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGB
 axQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEF
 jAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVoq80UGgwHQYD
 VR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMFUwUwYHKoMOAwMCBDBIMCEGCCsGAQU
 FBwIBFhVodHRwOi8vcGtpLmdvdi5rei9jcHMwIwYIKwYBBQUHAgIwFwwVaHR0cDovL3BraS5nb3Yua3
 ovY3BzMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovY3JsL25jYV9yc2Ffd
 GVzdC5jcmwwPgYDVR0uBDcwNTAzoDGgL4YtaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jcmwvbmNhX2Rf
 cnNhX3Rlc3QuY3JsMHEGCCsGAQUFBwEBBGUwYzA4BggrBgEFBQcwAoYsaHR0cDovL3Rlc3QucGtpLmd
 vdi5rei9jZXJ0L25jYV9yc2FfdGVzdC5jZXIwJwYIKwYBBQUHMAGGG2h0dHA6Ly90ZXN0LnBraS5nb3
 Yua3ovb2NzcDANBgkqhkiG9w0BAQsFAAOCAgEACnYpytjbyuV3sRojnlyxEC7HG7BgcDDy6rS/kfOtK
 6X5+MGCT/zvwksZOumN5Jg5TPdJuKt3ebKJGIBVr474mHFk7Nq0F8WxuAWNffjoL0Lvcuon4Zwq/W8h
 4t6PYutD4NEauIPEa8X8BGPgMn+YqOc3sfEruXh8rmcSJ/zuT7uw1wD6ZQlNsniioengKIgapDVDHuz
 oV/r//rEANwIpntAyjXFh+fjx+CDCx2sLxYjlVgyxNzT53mD6ZqsMlg6NrajJe/GvS0A38jKNyxW/DP
 X06NToWP/hu7M4P2/WiskjKVgOxqQcc4yzTfKV41DmEmGGC7sT1r3YeZ4dH/KQRpjowBOSKmUZq4/XR
 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Thu, Mar 05, 2020 at 02:34:42PM -, Hristina Marosevic wrote:
> Some more info (another prove that sssd does not derive the public key from 
> the user certificate):
> /usr/bin/sss_ssh_authorizedkeys IIN321 when I am using only 
> userCertificate;binary attribute (with the binary value of the certificate) 
> is not giving any output, while when I am using the userCertificate attribute 
> associated with the value of the public key (when the PKI authentication 
> works fine) /usr/bin/sss_ssh_authorizedkeys IIN321 outputs the public 
> key of the user which proves the oposite situation when using public key 
> (wether used along with certificate or not; in cases when user certificate is 
> used along with public key it gets mapped in sssd but it is not validated or 
> compared to the public key - I already mentioned this, and the authentication 
> using the private/public key pair work fine which is not fine :) )
> 
> I am just trying to give as much information in order to solve this problem. 
> Sorry for the spam. 

Hi,

the best information would be the SSSD logs files with
'debug_level = 9'.

bye,
Sumit

> 
> 
> BR,
> Hristina
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Thu, Mar 05, 2020 at 02:24:25PM -, Hristina Marosevic wrote:
> I added the content between -BEGIN CERTIFICATE- and -END 
> CERTIFICATE- from the base64 user certificate and during authentication 
> in the logs I saw that the user certificate was stored in the user 
> certificate SSSD option but there was no public key derived. 
> This time I deleted the public key and during authentication I was using only 
> userCertificate;binary attrbiute wit hthe default SSSD configuration for 
> mapping the certificate. 
> 
> 
> This is from the SSSD_LDAP.log
> 
> (Thu Mar  5 15:16:19 2020) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] 
> (0x2000): Adding userCertificate 
> [0\82\0610\82\04\19\A0\03\02\01\02\02\14}\85\99\DB]\B02\D7\8A\D28\E7\9Dwzv\A9j\90\890\0D\06\09\2A\86H\86\F7\0D\01\01\0B\05\000-1\0B0\09\06\03U\04\06\13\02KZ1\1E0\1C\06\03U\04\03\0C\15\D2\B0\D0\9A\D0\9E\203.0\20\28RSA\20TEST\290\1E\17\0D190404085454Z\17\0D210403085454Z0\81\AF1\220\20\06\03U\04\03\0C\19\D0\A2\D0\95\D0\A1\D0\A2\D0\A2\D0\9E\D0\92\20\D0\A2\D0\95\D0\A1\D0\A2\D0\A21\170\15\06\03U\04\04\0C\0E\D0\A2\D0\95\D0\A1\D0\A2\D0\A2\D0\9E\D0\921\180\16\06\03U\04\05\13\0FIIN1234567890121\0B0\09\06\03U\04\06\13\02KZ1\150\13\06\03U\04\07\0C\0C\D0\90\D0\A1\D0\A2\D0\90\D0\9D\D0\901\150\13\06\03U\04\08\0C\0C\D0\90\D0\A1\D0\A2\D0\90\D0\9D\D0\901\1B0\19\06\03U\04\2A\0C\12\D0\A2\D0\95\D0\A1\D0\A2\D0\A2\D0\9E\D0\92\D0\98\D0\A70\82\01\220\0D\06\09\2A\86H\86\F7\0D\01\01\01\05\00\03\82\01\0F\000\82\01\0A\02\82\01\01\00\8Fd^\DA\B927N?\EE\AEzW\ED\86\C6\DE8P\AB\8C\F4\1D\CA\96\F0\908\08\A1\AB4\E7\81I
>  
> \BC\A1\E0}\7FZ\A5Q\EFl\CA\CD+\BF\DA\B4S\1B~\BB\F5\83\16\CB\A8Y\07>\CE\7F\BBgC\A3\81\96ff\03\1C\85\92E\14\D5\95Q\28TrU`s\99?\18\A8\E8\DE\B5\D6\98\12\BE\1F\F5\C8\CEWm\84J\D3\C9\0A\17\99\9B,\8CD\C3\AD\9507\D9\D4;\AD`Kr:d,T\19\84\89\DB\9C~IPA.\89T\CA]\9Eq\0D\1C\E9,%M\C7\F5E\C8\BCG\80\F8\DF\BFI\968jw\B5P\81E\89\E6[\FF6\A4\E7/`d-H\96\EC/\D2\F2\22\CB\89YSs%d\1A\DA\FE\20\AC\D7\F78+\96;\AC\08\88\F6\89rv\0D\B6\F4m4p\AD{\13\E2p\9E\E2h\29\A0\8F\18\16\B1B\82\C9\A5H\14\D9\FEI8\11\F3\5C\E5\E7\D9k\99\F0\C3\02\03\01\00\01\A3\82\01\C40\82\01\C00\0E\06\03U\1D\0F\01\01\FF\04\04\03\02\05\A00\1D\06\03U\1D%\04\160\14\06\08+\06\01\05\05\07\03\02\06\08\2A\83\0E\03\03\04\01\010\1F\06\03U\1D#\04\180\16\80\14\A6\8C\163\7C\B8\E85g\06>^AWU\A2\AF4Ph0\1D\06\03U\1D\0E\04\16\04\14\BA\09\EF~j\9DMP\E3/\00\12\D3\DD$\8D\A5\A9\05_0^\06\03U\1D\20\04W0U0S\06\07\2A\83\0E\03\03\02\040H0\21\06\08+\06\01\05\05\07\02\01\16\15http://pki.gov.kz/cps0#\06\08+\06\01\05\05\07\02\020\17\0C\15http://pki.gov.kz/cps0<\06\03U\1D\1F\045030
>  
> 1\A0/\A0-\86+http://test.pki.gov.kz/crl/nca_rsa_test.crl0>\06\03U\1D.\0470503\A01\A0/\86-http://test.pki.gov.kz/crl/nca_d_rsa_test.crl0q\06\08+\06\01\05\05\07\01\01\04e0c08\06\08+\06\01\05\05\070\02\86,http://test.pki.gov.kz/cert/nca_rsa_test.cer0'\06\08+\06\01\05\05\070\01\86\1Bhttp://test.pki.gov.kz/ocsp0\0D\06\09\2A\86H\86\F7\0D\01\01\0B\05\00\03\82\02\01\00\0Av\29\CA\D8\DB\CA\E5w\B1\1A#\9E\5C\B1\10.\C7\1B\B0`p0\F2\EA\B4\BF\91\F3\AD+\A5\F9\F8\C1\82O\FC\EF\C2K\19:\E9\8D\E4\989L\F7I\B8\ABwy\B2\89\18\80U\AF\8E\F8\98qd\EC\DA\B4\17\C5\B1\B8\05\8D}\F8\E8/B\EFr\EA'\E1\9C\2A\FDo\21\E2\DE\8Fb\EBC\E0\D1\1A\B8\83\C4k\C5\FC\04c\E02\7F\98\A8\E77\B1\F1+\B9x\7C\AEg\12'\FC\EEO\BB\B0\D7\00\FAe\09M\B2x\A2\A1\E9\E0\28\88\1A\A45C\1E\EC\E8W\FA\FF\FE\B1\007\02\29\9E\D02\8Dqa\F9\F8\F1\F8\20\C2\C7k\0B\C5\88\E5V\0C\B174\F9\DE`\FAf\AB\0C\96\0E\8D\AD\A8\C9{\F1\AFK@7\F22\8D\CB\15\BF\0C\F5\F4\E8\D4\E8X\FF\E1\BB\B38?o\D6\8A\C9#\29X\0E\C6\A4\1Cs\8C\B3M\F2\95\E3P\E6\12a\86\0B\BB\13\D6\BD\D8y\9E\1D\1F\F2\90F\98\
>  
> E8\C0\13\92\2Ae\19\AB\8F\D7GL\97^\1AS\0E\D8\A2G\05\E4B\035\A7\84\8A\13_[\06\A1\AEs\BE\A5\0E\09\9F\7C\F3\CF\8F\80~\DCvjj\9A\C8\201\B7`\0D\FF[\8A\F0R\85\81@\F1\86\09zN\06\F1\84B\9BD\1C\8Bq\E1\88\84e4.\BD\D0\AD\95n\7C\E6E2\A2]\FD\B0\AB\F6\B8\8A?\16\0C\9C\05\DF\0D\B9\F3\88\9C`\8BR\0AYy\CE3T\B6M\F5\28c\F8\CD\B4\04\C5\21\F9\28\86\A0\BF\E4$\08\B6]\D3=\DBe7\A6\8FZ\D8V\D4.\F2_:[\05cfz\9F\E4\D4e\95W\04%\08\10N\84\93\8BS\20h\C7Z>\EEAQ\8B\8F\0D\0Fpw\F5\D4+k1\93\BBc\E3\93\05\BF\D8\D2\8C\94c\D2N\CB4\AA\86>+\B7\89\CD\934u\BC\C1\95`\C3HJ\85\DB\0E\06\01h\02\AE\BFj\12\A4n\B2A\D9n}/\0C\FD\85\B1\01l]
>  to attributes of [IIN321@ldap].


Hi,

yes, this looks better, please add 'debug_level = 9' to the [ssh]
section of sssd.conf, restart sssd and call sss_ssh_authorizedkeys for
the user and check sssd_ssh.log.

HTH

bye,
Sumit

> 
> before, the content of the certificate was not like this, but: 
> 
> (Tue Mar  3 17:08:15 2020) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] 
> (0x2000): Adding userCertificate 
> 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

Some more info (another prove that sssd does not derive the public key from the 
user certificate):
/usr/bin/sss_ssh_authorizedkeys IIN321 when I am using only 
userCertificate;binary attribute (with the binary value of the certificate) is 
not giving any output, while when I am using the userCertificate attribute 
associated with the value of the public key (when the PKI authentication works 
fine) /usr/bin/sss_ssh_authorizedkeys IIN321 outputs the public key of 
the user which proves the oposite situation when using public key (wether used 
along with certificate or not; in cases when user certificate is used along 
with public key it gets mapped in sssd but it is not validated or compared to 
the public key - I already mentioned this, and the authentication using the 
private/public key pair work fine which is not fine :) )

I am just trying to give as much information in order to solve this problem. 
Sorry for the spam. 


BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Thu, Mar 05, 2020 at 07:16:45AM -, Hristina Marosevic wrote:
> Hello, 
> 
> By using ldapmodify command and ldif file as input. 
> 
> # ldif file: 
> dn: uid=321,
> changetype: modify
> add: userCertificate;binary
> userCertificate;binary: 
> MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQotCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEyMQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JAxGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1gxbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxEw62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZb/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGBaxQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVoq80UGgwHQYDVR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMF
>  
> UwUwYHKoMOAwMCBDBIMCEGCCsGAQUFBwIBFhVodHRwOi8vcGtpLmdvdi5rei9jcHMwIwYIKwYBBQUHAgIwFwwVaHR0cDovL3BraS5nb3Yua3ovY3BzMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovY3JsL25jYV9yc2FfdGVzdC5jcmwwPgYDVR0uBDcwNTAzoDGgL4YtaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jcmwvbmNhX2RfcnNhX3Rlc3QuY3JsMHEGCCsGAQUFBwEBBGUwYzA4BggrBgEFBQcwAoYsaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jZXJ0L25jYV9yc2FfdGVzdC5jZXIwJwYIKwYBBQUHMAGGG2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovb2NzcDANBgkqhkiG9w0BAQsFAAOCAgEACnYpytjbyuV3sRojnlyxEC7HG7BgcDDy6rS/kfOtK6X5+MGCT/zvwksZOumN5Jg5TPdJuKt3ebKJGIBVr474mHFk7Nq0F8WxuAWNffjoL0Lvcuon4Zwq/W8h4t6PYutD4NEauIPEa8X8BGPgMn+YqOc3sfEruXh8rmcSJ/zuT7uw1wD6ZQlNsniioengKIgapDVDHuzoV/r//rEANwIpntAyjXFh+fjx+CDCx2sLxYjlVgyxNzT53mD6ZqsMlg6NrajJe/GvS0A38jKNyxW/DPX06NToWP/hu7M4P2/WiskjKVgOxqQcc4yzTfKV41DmEmGGC7sT1r3YeZ4dH/KQRpjowBOSKmUZq4/XR0yXXhpTDtiiRwXkQgM1p4SKE19bBqGuc76lDgmffPPPj4B+3HZqaprIIDG3YA3/W4rwUoWBQPGGCXpOBvGEQptEHItx4YiEZTQuvdCtlW585kUyol39sKv2uIo/FgycBd8NufOInGCLUgpZec4zVLZN9Shj+M20BMUh+SiGoL/kJAi2XdM
>  
> 922U3po9a2FbULvJfOlsFY2Z6n+TUZZVXBCUIEE6Ek4tTIGjHWj7uQVGLjw0PcHf11CtrMZO7Y+OTBb/Y0oyUY9JOyzSqhj4rt4nNkzR1vMGVYMNISoXbDgYBaAKuv2oSpG6yQdlufS8M/YWxAWw=

Hi,

you have to load it as a binary. For this frist convert your certificate
into DER format with

openssl x509 -in my_cert.cer -outform der -out my_cert.der

and then the ldif should look like

# ldif file: 
dn: uid=321,
changetype: modify
add: userCertificate;binary
userCertificate;binary:< file:///path/to/my_cert.der

(see man ldapmodify for details about the file syntax).

bye,
Sumit

> 
> 
> 
> BR,
> Hristina
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

I added the content between -BEGIN CERTIFICATE- and -END 
CERTIFICATE- from the base64 user certificate and during authentication in 
the logs I saw that the user certificate was stored in the user certificate 
SSSD option but there was no public key derived. 
This time I deleted the public key and during authentication I was using only 
userCertificate;binary attrbiute wit hthe default SSSD configuration for 
mapping the certificate. 


This is from the SSSD_LDAP.log

(Thu Mar  5 15:16:19 2020) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] 
(0x2000): Adding userCertificate 
[0\82\0610\82\04\19\A0\03\02\01\02\02\14}\85\99\DB]\B02\D7\8A\D28\E7\9Dwzv\A9j\90\890\0D\06\09\2A\86H\86\F7\0D\01\01\0B\05\000-1\0B0\09\06\03U\04\06\13\02KZ1\1E0\1C\06\03U\04\03\0C\15\D2\B0\D0\9A\D0\9E\203.0\20\28RSA\20TEST\290\1E\17\0D190404085454Z\17\0D210403085454Z0\81\AF1\220\20\06\03U\04\03\0C\19\D0\A2\D0\95\D0\A1\D0\A2\D0\A2\D0\9E\D0\92\20\D0\A2\D0\95\D0\A1\D0\A2\D0\A21\170\15\06\03U\04\04\0C\0E\D0\A2\D0\95\D0\A1\D0\A2\D0\A2\D0\9E\D0\921\180\16\06\03U\04\05\13\0FIIN1234567890121\0B0\09\06\03U\04\06\13\02KZ1\150\13\06\03U\04\07\0C\0C\D0\90\D0\A1\D0\A2\D0\90\D0\9D\D0\901\150\13\06\03U\04\08\0C\0C\D0\90\D0\A1\D0\A2\D0\90\D0\9D\D0\901\1B0\19\06\03U\04\2A\0C\12\D0\A2\D0\95\D0\A1\D0\A2\D0\A2\D0\9E\D0\92\D0\98\D0\A70\82\01\220\0D\06\09\2A\86H\86\F7\0D\01\01\01\05\00\03\82\01\0F\000\82\01\0A\02\82\01\01\00\8Fd^\DA\B927N?\EE\AEzW\ED\86\C6\DE8P\AB\8C\F4\1D\CA\96\F0\908\08\A1\AB4\E7\81I
 
\BC\A1\E0}\7FZ\A5Q\EFl\CA\CD+\BF\DA\B4S\1B~\BB\F5\83\16\CB\A8Y\07>\CE\7F\BBgC\A3\81\96ff\03\1C\85\92E\14\D5\95Q\28TrU`s\99?\18\A8\E8\DE\B5\D6\98\12\BE\1F\F5\C8\CEWm\84J\D3\C9\0A\17\99\9B,\8CD\C3\AD\9507\D9\D4;\AD`Kr:d,T\19\84\89\DB\9C~IPA.\89T\CA]\9Eq\0D\1C\E9,%M\C7\F5E\C8\BCG\80\F8\DF\BFI\968jw\B5P\81E\89\E6[\FF6\A4\E7/`d-H\96\EC/\D2\F2\22\CB\89YSs%d\1A\DA\FE\20\AC\D7\F78+\96;\AC\08\88\F6\89rv\0D\B6\F4m4p\AD{\13\E2p\9E\E2h\29\A0\8F\18\16\B1B\82\C9\A5H\14\D9\FEI8\11\F3\5C\E5\E7\D9k\99\F0\C3\02\03\01\00\01\A3\82\01\C40\82\01\C00\0E\06\03U\1D\0F\01\01\FF\04\04\03\02\05\A00\1D\06\03U\1D%\04\160\14\06\08+\06\01\05\05\07\03\02\06\08\2A\83\0E\03\03\04\01\010\1F\06\03U\1D#\04\180\16\80\14\A6\8C\163\7C\B8\E85g\06>^AWU\A2\AF4Ph0\1D\06\03U\1D\0E\04\16\04\14\BA\09\EF~j\9DMP\E3/\00\12\D3\DD$\8D\A5\A9\05_0^\06\03U\1D\20\04W0U0S\06\07\2A\83\0E\03\03\02\040H0\21\06\08+\06\01\05\05\07\02\01\16\15http://pki.gov.kz/cps0#\06\08+\06\01\05\05\07\02\020\17\0C\15http://pki.gov.kz/cps0<\06\03U\1D\1F\045030
 
1\A0/\A0-\86+http://test.pki.gov.kz/crl/nca_rsa_test.crl0>\06\03U\1D.\0470503\A01\A0/\86-http://test.pki.gov.kz/crl/nca_d_rsa_test.crl0q\06\08+\06\01\05\05\07\01\01\04e0c08\06\08+\06\01\05\05\070\02\86,http://test.pki.gov.kz/cert/nca_rsa_test.cer0'\06\08+\06\01\05\05\070\01\86\1Bhttp://test.pki.gov.kz/ocsp0\0D\06\09\2A\86H\86\F7\0D\01\01\0B\05\00\03\82\02\01\00\0Av\29\CA\D8\DB\CA\E5w\B1\1A#\9E\5C\B1\10.\C7\1B\B0`p0\F2\EA\B4\BF\91\F3\AD+\A5\F9\F8\C1\82O\FC\EF\C2K\19:\E9\8D\E4\989L\F7I\B8\ABwy\B2\89\18\80U\AF\8E\F8\98qd\EC\DA\B4\17\C5\B1\B8\05\8D}\F8\E8/B\EFr\EA'\E1\9C\2A\FDo\21\E2\DE\8Fb\EBC\E0\D1\1A\B8\83\C4k\C5\FC\04c\E02\7F\98\A8\E77\B1\F1+\B9x\7C\AEg\12'\FC\EEO\BB\B0\D7\00\FAe\09M\B2x\A2\A1\E9\E0\28\88\1A\A45C\1E\EC\E8W\FA\FF\FE\B1\007\02\29\9E\D02\8Dqa\F9\F8\F1\F8\20\C2\C7k\0B\C5\88\E5V\0C\B174\F9\DE`\FAf\AB\0C\96\0E\8D\AD\A8\C9{\F1\AFK@7\F22\8D\CB\15\BF\0C\F5\F4\E8\D4\E8X\FF\E1\BB\B38?o\D6\8A\C9#\29X\0E\C6\A4\1Cs\8C\B3M\F2\95\E3P\E6\12a\86\0B\BB\13\D6\BD\D8y\9E\1D\1F\F2\90F\98\
 
E8\C0\13\92\2Ae\19\AB\8F\D7GL\97^\1AS\0E\D8\A2G\05\E4B\035\A7\84\8A\13_[\06\A1\AEs\BE\A5\0E\09\9F\7C\F3\CF\8F\80~\DCvjj\9A\C8\201\B7`\0D\FF[\8A\F0R\85\81@\F1\86\09zN\06\F1\84B\9BD\1C\8Bq\E1\88\84e4.\BD\D0\AD\95n\7C\E6E2\A2]\FD\B0\AB\F6\B8\8A?\16\0C\9C\05\DF\0D\B9\F3\88\9C`\8BR\0AYy\CE3T\B6M\F5\28c\F8\CD\B4\04\C5\21\F9\28\86\A0\BF\E4$\08\B6]\D3=\DBe7\A6\8FZ\D8V\D4.\F2_:[\05cfz\9F\E4\D4e\95W\04%\08\10N\84\93\8BS\20h\C7Z>\EEAQ\8B\8F\0D\0Fpw\F5\D4+k1\93\BBc\E3\93\05\BF\D8\D2\8C\94c\D2N\CB4\AA\86>+\B7\89\CD\934u\BC\C1\95`\C3HJ\85\DB\0E\06\01h\02\AE\BFj\12\A4n\B2A\D9n}/\0C\FD\85\B1\01l]
 to attributes of [IIN321@ldap].

before, the content of the certificate was not like this, but: 

(Tue Mar  3 17:08:15 2020) [sssd[be[LDAP]]] [sdap_attrs_add_ldap_attr] 
(0x2000): Adding userCertificate 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

So, I am not sure if I should use 

userCertificate;binary:: MIIGMT..


in the ldif file. 

Also, should I add the -BEGIN CERTIFICATE-/-END CERTIFICATE- 
(now I am adding only the content between these lines as a value of the 
userCertificate;binary attribute) ? and if yes, should they be base64 encoded, 
too?
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

Thank you for the explanation!

BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

Hello, 

By using ldapmodify command and ldif file as input. 

# ldif file: 
dn: uid=321,
changetype: modify
add: userCertificate;binary
userCertificate;binary: 
MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQotCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEyMQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JAxGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1gxbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxEw62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZb/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGBaxQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVoq80UGgwHQYDVR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMF
 
UwUwYHKoMOAwMCBDBIMCEGCCsGAQUFBwIBFhVodHRwOi8vcGtpLmdvdi5rei9jcHMwIwYIKwYBBQUHAgIwFwwVaHR0cDovL3BraS5nb3Yua3ovY3BzMDwGA1UdHwQ1MDMwMaAvoC2GK2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovY3JsL25jYV9yc2FfdGVzdC5jcmwwPgYDVR0uBDcwNTAzoDGgL4YtaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jcmwvbmNhX2RfcnNhX3Rlc3QuY3JsMHEGCCsGAQUFBwEBBGUwYzA4BggrBgEFBQcwAoYsaHR0cDovL3Rlc3QucGtpLmdvdi5rei9jZXJ0L25jYV9yc2FfdGVzdC5jZXIwJwYIKwYBBQUHMAGGG2h0dHA6Ly90ZXN0LnBraS5nb3Yua3ovb2NzcDANBgkqhkiG9w0BAQsFAAOCAgEACnYpytjbyuV3sRojnlyxEC7HG7BgcDDy6rS/kfOtK6X5+MGCT/zvwksZOumN5Jg5TPdJuKt3ebKJGIBVr474mHFk7Nq0F8WxuAWNffjoL0Lvcuon4Zwq/W8h4t6PYutD4NEauIPEa8X8BGPgMn+YqOc3sfEruXh8rmcSJ/zuT7uw1wD6ZQlNsniioengKIgapDVDHuzoV/r//rEANwIpntAyjXFh+fjx+CDCx2sLxYjlVgyxNzT53mD6ZqsMlg6NrajJe/GvS0A38jKNyxW/DPX06NToWP/hu7M4P2/WiskjKVgOxqQcc4yzTfKV41DmEmGGC7sT1r3YeZ4dH/KQRpjowBOSKmUZq4/XR0yXXhpTDtiiRwXkQgM1p4SKE19bBqGuc76lDgmffPPPj4B+3HZqaprIIDG3YA3/W4rwUoWBQPGGCXpOBvGEQptEHItx4YiEZTQuvdCtlW585kUyol39sKv2uIo/FgycBd8NufOInGCLUgpZec4zVLZN9Shj+M20BMUh+SiGoL/kJAi2XdM
 
922U3po9a2FbULvJfOlsFY2Z6n+TUZZVXBCUIEE6Ek4tTIGjHWj7uQVGLjw0PcHf11CtrMZO7Y+OTBb/Y0oyUY9JOyzSqhj4rt4nNkzR1vMGVYMNISoXbDgYBaAKuv2oSpG6yQdlufS8M/YWxAWw=



BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Wed, Mar 04, 2020 at 02:12:30PM -, Hristina Marosevic wrote:
> > On Wed, Mar 04, 2020 at 07:29:14AM -, Hristina Marosevic wrote:
> > 
> > Hi,
> > 
> > with 'ldap_user_ssh_public_key = userCertificate' this should work, i.e.
> > calling 'sss_ssh_authorizedkeys testUser7' should return the ssh key
> > from above. If there is no output I need the SSSD ssh and domain logs to
> > understand why this fails.
> 
> Yes, this is working, but this is only an exported private key and no 
> certificate is sither stored in the LDAP's entry or used by SSSD.
> 
> > Are the line break added by you or is this the real output? For
> > certificates you have to user 'userCertificate;binary' and store the
> > certificates as binaries in LDAP. When you use the ldapsearch command
> > the output should be:
> > 
> > userCertificate;binary:: MIIGMTCC
> > 
> > Please note the '::' which indicates that the attribute value is a
> > binary and that it is encoded in base64 to be able to print the output.
> > 
> 
> The lines don't exist in the LDAP entry. 
> Is the .cer x509 compatible format for storing into LDAP's attribute 
> userCertificate;binary? As I know, so far this is Base64 encoded format  (pls 
> correct me if I am wrong)
> And should I manually add "::" or the LDAP should do that after modifying the 
> entry by adding the binary format of the user certificate? (when user 
> certificate is added without "::" ldapsearch retrieves the user certificate 
> only with "userCertificate;binary: MIIGMTCC"

Hi,

how do you add the certificate to the LDAP entry?

bye,
Sumit

> 
> BR,
> Hristina
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

> On Wed, Mar 04, 2020 at 07:29:14AM -, Hristina Marosevic wrote:
> 
> Hi,
> 
> with 'ldap_user_ssh_public_key = userCertificate' this should work, i.e.
> calling 'sss_ssh_authorizedkeys testUser7' should return the ssh key
> from above. If there is no output I need the SSSD ssh and domain logs to
> understand why this fails.

Yes, this is working, but this is only an exported private key and no 
certificate is sither stored in the LDAP's entry or used by SSSD.

> Are the line break added by you or is this the real output? For
> certificates you have to user 'userCertificate;binary' and store the
> certificates as binaries in LDAP. When you use the ldapsearch command
> the output should be:
> 
> userCertificate;binary:: MIIGMTCC
> 
> Please note the '::' which indicates that the attribute value is a
> binary and that it is encoded in base64 to be able to print the output.
> 

The lines don't exist in the LDAP entry. 
Is the .cer x509 compatible format for storing into LDAP's attribute 
userCertificate;binary? As I know, so far this is Base64 encoded format  (pls 
correct me if I am wrong)
And should I manually add "::" or the LDAP should do that after modifying the 
entry by adding the binary format of the user certificate? (when user 
certificate is added without "::" ldapsearch retrieves the user certificate 
only with "userCertificate;binary: MIIGMTCC"

BR,
Hristina
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Wed, Mar 04, 2020 at 07:29:14AM -, Hristina Marosevic wrote:
> Hello,
> 
> I forgot to mention the LDAP implementation I am using - it is OUD (Oracle 
> Unified Directory). Object class "strongAuthenticationUser" was added to the 
> users for PKI based authentication. The mandatory attribute od this object 
> class is "userCertificate" or "userCertificate;binary" in which I would store 
> the value of the public key or the certificate. 
> Case 1. I stored the certificate in the userCertificate;binary LDAP attribute 
> as this was the default configuration
> Case 2. I also tried to store the certificate as a value of the LDAP 
> attribute userCertificate and changed  "ldap_user_certificate" to 
> "userCertificate" in SSSD configuration (commented in the SSSD configuration 
> bellow)
> Both of the cases resulted in password based authentication, instead of PKI 
> based authentication. 
> Also in the log I saw that SSSD mapped userCertificate(;binary) value to 
> userCertificate parameter of the entry but I didn't see a derived public key 
> in the logs. 
> I am using x509 base64 encoded value od the certificate (also I tried with 
> pkcs#7 but the result was the same) 
> 
> # SSSD configuration at this moment: I am using only public key stored as a 
> value of the attribute "userCertificate" for authentication of the user which 
> works fine - but this way, there is no certificate shown to SSSD client, 
> hence - no certificate validation/verification mechanisms can be used 
> (correct me if I am wrong)
> [sssd]
> config_file_version = 2
> domains = LDAP
> services = nss, pam, autofs, ssh
> reconnection_retries = 3
> 
> [nss]
> reconnection_retries = 3
> debug_level = 2
> filter_users = root, oracle
> filter_groups = root
> 
> [pam]
> reconnection_retries = 3
> debug_level = 2
> 
> [domain/LDAP]
> id_provider = ldap
> access_provider = ldap
> chpass_provider = ldap
> ldap_schema = rfc2307
> ldap_uri = ldaps://:
> ldap_default_bind_dn = 
> ldap_default_authtok = 
> ldap_default_authtok_type = password
> ldap_search_base = 
> ldap_user_search_base = 
> ldap_group_search_base = 
> ldap_access_filter = isMemberOf=
> cache_credentials = true
> enumerate = false
> debug_level = 9
> ldap_id_use_start_tls = false
> ldap_tls_reqcert = demand
> ldap_tls_cacert = /etc/sssd/cacerts/
> ldap_tls_cacertdir = /etc/sssd/cacerts
> ldap_user_name = employeeNumber
> ldap_user_ssh_public_key = userCertificate
> #ldap_user_certificate = userCertificate
> 
> # LDAP entry at this moment (only with public key value stored in 
> "userCertificate" attribute)
> dn: uid=321,
> givenName: testUser7
> objectClass: strongAuthenticationUser
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: organizationalPerson
> objectClass: posixAccount
> objectClass: top
> uid: 321
> cn: 321
> sn: test
> loginShell: /bin/bash
> userPassword: 
> {SSHA512}0QAWd8NQNpN5bVS/sS0CDjHzctpy54X/JflWRSzIk/zpgSEgm5IE003RX
>  v35iEyt2LfqaXd5HGAwYrCaRbM7ylrg0syFXrLU
> homeDirectory: /ssh_users/321
> ou: 
> uidNumber: 1234567890
> userCertificate: ssh-rsa 
> B3NzaC1yc2EDAQABAAABAQCPZF7auTI3Tj/urnpX7YbG3jh
>  
> Qq4z0HcqW8JA4CKGrNOeBSbyh4H1/WqVR72zKzSu/2rRTG3679YMWy6hZBz7Of7tnQ6OBlmZmAxyFkk
>  
> UU1ZVRKFRyVWBzmT8YqOjetdaYEr4f9cjOV22EStPJCheZmyyMRMOtlTA32dQ7rWBLcjpkLFQZhInbn
>  
> H5JUEEuiVTKXZ5xDRzpLCVNx/VFyLxHgPjfv0mWOGp3tVCBRYnmW/82pOcvYGQtSJbsL9LyIsuJWVNz
>  
> JWQa2v4grNf3OCuWO6wIiPaJcnYNtvRtNHCtexPicJ7iaCmgjxgWsUKCyaVIFNn+STgR81zl59lrmfD
>  D
> gidNumber: 
> employeeNumber: 

Hi,

with 'ldap_user_ssh_public_key = userCertificate' this should work, i.e.
calling 'sss_ssh_authorizedkeys testUser7' should return the ssh key
from above. If there is no output I need the SSSD ssh and domain logs to
understand why this fails.

> 
> 
> When using certificate only or certificate and public key stored in the LDAP 
> entry, the value of the certificate stored in the userCertificate;binary 
> attribute is: 
> MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQotCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEyMQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JAxGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1gxbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxEw62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZb/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGBaxQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVoq80UGgwHQYDVR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMFUwUwYHKoMOAwMCBDBIMCEGCC
>  
> 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

Hello,

I forgot to mention the LDAP implementation I am using - it is OUD (Oracle 
Unified Directory). Object class "strongAuthenticationUser" was added to the 
users for PKI based authentication. The mandatory attribute od this object 
class is "userCertificate" or "userCertificate;binary" in which I would store 
the value of the public key or the certificate. 
Case 1. I stored the certificate in the userCertificate;binary LDAP attribute 
as this was the default configuration
Case 2. I also tried to store the certificate as a value of the LDAP attribute 
userCertificate and changed  "ldap_user_certificate" to "userCertificate" in 
SSSD configuration (commented in the SSSD configuration bellow)
Both of the cases resulted in password based authentication, instead of PKI 
based authentication. 
Also in the log I saw that SSSD mapped userCertificate(;binary) value to 
userCertificate parameter of the entry but I didn't see a derived public key in 
the logs. 
I am using x509 base64 encoded value od the certificate (also I tried with 
pkcs#7 but the result was the same) 

# SSSD configuration at this moment: I am using only public key stored as a 
value of the attribute "userCertificate" for authentication of the user which 
works fine - but this way, there is no certificate shown to SSSD client, hence 
- no certificate validation/verification mechanisms can be used (correct me if 
I am wrong)
[sssd]
config_file_version = 2
domains = LDAP
services = nss, pam, autofs, ssh
reconnection_retries = 3

[nss]
reconnection_retries = 3
debug_level = 2
filter_users = root, oracle
filter_groups = root

[pam]
reconnection_retries = 3
debug_level = 2

[domain/LDAP]
id_provider = ldap
access_provider = ldap
chpass_provider = ldap
ldap_schema = rfc2307
ldap_uri = ldaps://:
ldap_default_bind_dn = 
ldap_default_authtok = 
ldap_default_authtok_type = password
ldap_search_base = 
ldap_user_search_base = 
ldap_group_search_base = 
ldap_access_filter = isMemberOf=
cache_credentials = true
enumerate = false
debug_level = 9
ldap_id_use_start_tls = false
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/sssd/cacerts/
ldap_tls_cacertdir = /etc/sssd/cacerts
ldap_user_name = employeeNumber
ldap_user_ssh_public_key = userCertificate
#ldap_user_certificate = userCertificate

# LDAP entry at this moment (only with public key value stored in 
"userCertificate" attribute)
dn: uid=321,
givenName: testUser7
objectClass: strongAuthenticationUser
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: top
uid: 321
cn: 321
sn: test
loginShell: /bin/bash
userPassword: {SSHA512}0QAWd8NQNpN5bVS/sS0CDjHzctpy54X/JflWRSzIk/zpgSEgm5IE003RX
 v35iEyt2LfqaXd5HGAwYrCaRbM7ylrg0syFXrLU
homeDirectory: /ssh_users/321
ou: 
uidNumber: 1234567890
userCertificate: ssh-rsa B3NzaC1yc2EDAQABAAABAQCPZF7auTI3Tj/urnpX7YbG3jh
 Qq4z0HcqW8JA4CKGrNOeBSbyh4H1/WqVR72zKzSu/2rRTG3679YMWy6hZBz7Of7tnQ6OBlmZmAxyFkk
 UU1ZVRKFRyVWBzmT8YqOjetdaYEr4f9cjOV22EStPJCheZmyyMRMOtlTA32dQ7rWBLcjpkLFQZhInbn
 H5JUEEuiVTKXZ5xDRzpLCVNx/VFyLxHgPjfv0mWOGp3tVCBRYnmW/82pOcvYGQtSJbsL9LyIsuJWVNz
 JWQa2v4grNf3OCuWO6wIiPaJcnYNtvRtNHCtexPicJ7iaCmgjxgWsUKCyaVIFNn+STgR81zl59lrmfD
 D
gidNumber: 
employeeNumber: 


When using certificate only or certificate and public key stored in the LDAP 
entry, the value of the certificate stored in the userCertificate;binary 
attribute is: 
MIIGMTCCBBmgAwIBAgIUfYWZ212wMteK0jjnnXd6dqlqkIkwDQYJKoZIhvcNAQELBQAwLTELMAkGA1UEBhMCS1oxHjAcBgNVBAMMFdKw0JrQniAzLjAgKFJTQSBURVNUKTAeFw0xOTA0MDQwODU0NTRaFw0yMTA0MDMwODU0NTRaMIGvMSIwIAYDVQQDDBnQotCV0KHQotCi0J7QkiDQotCV0KHQotCiMRcwFQYDVQQEDA7QotCV0KHQotCi0J7QkjEYMBYGA1UEBRMPSUlOMTIzNDU2Nzg5MDEyMQswCQYDVQQGEwJLWjEVMBMGA1UEBwwM0JDQodCi0JDQndCQMRUwEwYDVQQIDAzQkNCh0KLQkNCd0JAxGzAZBgNVBCoMEtCi0JXQodCi0KLQntCS0JjQpzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAI9kXtq5MjdOP+6uelfthsbeOFCrjPQdypbwkDgIoas054FJvKHgfX9apVHvbMrNK7/atFMbfrv1gxbLqFkHPs5/u2dDo4GWZmYDHIWSRRTVlVEoVHJVYHOZPxio6N611pgSvh/1yM5XbYRK08kKF5mbLIxEw62VMDfZ1DutYEtyOmQsVBmEiducfklQQS6JVMpdnnENHOksJU3H9UXIvEeA+N+/SZY4ane1UIFFieZb/zak5y9gZC1Iluwv0vIiy4lZU3MlZBra/iCs1/c4K5Y7rAiI9olydg229G00cK17E+JwnuJoKaCPGBaxQoLJpUgU2f5JOBHzXOXn2WuZ8MMCAwEAAaOCAcQwggHAMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKoMOAwMEAQEwHwYDVR0jBBgwFoAUpowWM3y46DVnBj5eQVdVoq80UGgwHQYDVR0OBBYEFLoJ735qnU1Q4y8AEtPdJI2lqQVfMF4GA1UdIARXMFUwUwYHKoMOAwMCBDBIMCEGCC
 

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Tue, Mar 03, 2020 at 04:38:16PM -, Hristina Marosevic wrote:
> Hello, 
> 
> Thank you for information. I can use this options (OCSP URL, trust cert 
> location) once I make SSSD derive public keys from user certificate which is 
> a problem that I can not solve, so far.
> The default mapping of the user certificate is from userCertificate;binary 
> LDAP attribute to SSSD option ldap_user_certificate, but when I have only the 
> certificate in the LDAP entry (and not the public key, also - as a value of 
> another attribute of the entry - later configured in sssd), the key is not 
> derived. Another combination that I have tried is storing the user 
> certificate in the userCertificate;binary attribute and storing the exported 
> public key as a value of another LDAP attribute but it didn't prove to be a 
> solution - this is like that because I experimented cases with different 
> public key and user certificate for one user and the user was accepted 
> without problem - which means that SSSD did not validated the public key 
> against the user certificate provided by LDAP
> 
> Can you please give me instructions on how to configure SSSD to derive the 
> publiy key from a user certificate (I would like to store only the user 
> certificate in LDAP, not the user certificate and the exported public key - 
> if possible)?

Hi,

just using the certificate is the expected way how to do it.

In which LDAP attribute is you certificate stored and in which format?
Can you send an example of an LDAP user object with all attributes? The
attribute value can be sanitized if needed but it would be helpful to
see the real attribute names.

Can you send your current sssd.conf as well since this would help tp see
what might be missing.

bye,
Sumit

> 
> 
> BR,
> Hristina 
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Hristina Marosevic]

Hello, 

Thank you for information. I can use this options (OCSP URL, trust cert 
location) once I make SSSD derive public keys from user certificate which is a 
problem that I can not solve, so far.
The default mapping of the user certificate is from userCertificate;binary LDAP 
attribute to SSSD option ldap_user_certificate, but when I have only the 
certificate in the LDAP entry (and not the public key, also - as a value of 
another attribute of the entry - later configured in sssd), the key is not 
derived. Another combination that I have tried is storing the user certificate 
in the userCertificate;binary attribute and storing the exported public key as 
a value of another LDAP attribute but it didn't prove to be a solution - this 
is like that because I experimented cases with different public key and user 
certificate for one user and the user was accepted without problem - which 
means that SSSD did not validated the public key against the user certificate 
provided by LDAP

Can you please give me instructions on how to configure SSSD to derive the 
publiy key from a user certificate (I would like to store only the user 
certificate in LDAP, not the user certificate and the exported public key - if 
possible)?


BR,
Hristina 
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users]Re: SSSD and PKI: capability of checking trust/validation/revocation

[James Cassell]

On Wed, Feb 26, 2020, at 4:38 AM, Hristina Marosevic wrote:
> Hello, 
> 
> I am using SSSD with LDAP directory which provides public keys for each 
> user entry to SSSD. 
> I am not sure if it is possible to configure SSSD not just to accept 
> the private key (provided by the user during the login) and 
> authenticate the user from LDAP (where his public ke is stored), but 
> also to check the:
> - trust (validation of the CA used for signing the user's certificate 
> i.e. public key)
> - validity of a user certificate with its public key (its "from" - "to" 
> dates)
> - revocation status (configuration of SSSD with CRL lists or OCSP)

SSSD manages all of these. What it does not manage for SSH is whether the 
certificate from LDAP actually matches the user, which allows users to grant 
SSH access "as himself" to anyone else in the organization. (If,  as in the 
case of AD, users can modify their own userCertificate attribute.

> or should I manage this on the LDAP side or on application level or 
> somewhere else?
> I would be grateful if you share your ideas about the possible 
> solutions of this situation!
> 
> 

V/r,
James Cassell 
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org

[SSSD-users] Re: SSSD and PKI: capability of checking trust/validation/revocation

[Sumit Bose]

On Wed, Feb 26, 2020 at 09:38:21AM -, Hristina Marosevic wrote:
> Hello, 
> 
> I am using SSSD with LDAP directory which provides public keys for each user 
> entry to SSSD. 
> I am not sure if it is possible to configure SSSD not just to accept the 
> private key (provided by the user during the login) and authenticate the user 
> from LDAP (where his public ke is stored), but also to check the:
> - trust (validation of the CA used for signing the user's certificate i.e. 
> public key)
> - validity of a user certificate with its public key (its "from" - "to" dates)
> - revocation status (configuration of SSSD with CRL lists or OCSP)
> or should I manage this on the LDAP side or on application level or somewhere 
> else?
> I would be grateful if you share your ideas about the possible solutions of 
> this situation!

Hi,

if you are thinking of using ssh to log in then SSSD can already handle
this.

SSSD can read the certificate for the user form the LDAP entry, validate
it and if valid make the derived ssh-key available to sshd with the help
of the sss_ssh_authorizedkeys utility.

Please check the option 'certificate_verification' and it's sub-options
in the sssd.conf man page for details. Also check the 'SSH configuration
options' section about how to configure SSSD's ssh responder. The
sss_ssh_authorizedkeys man page explains how to make sshd use the
utility.

HTH

bye,
Sumit

> 
> 
> BR,
> Hristina 
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org