[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-17 Thread Karl Grindley
I don't know of a great way to test this without pulling apart
p11_child, or using it as part of a pre-flight check somehow during the
package update.  The problem here is you'd need a PKI cert to test that
preflight.

As a failsafe, add a dialog during upgrade with a preflight check for
require_cert_auth in /etc/pam/common-password that throws a warning if the
user continues with smart card enforcement.  Force the user to ack to
proceed; otherwise fail the package install.

Perhaps add a debconf flag to allow sysadmins to bypass this dialog.

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1905790

Title:
  Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for
  p11_child

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1905790/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-17 Thread Karl Grindley
I've opened this as a new bug here.
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-17 Thread Treviño
Karl,

The script (https://github.com/3v1n0/nss-database-pem-exporter) can
definitely be adjusted to handle that; it was meant to be simple, as this
requirement wasn't considered.

Any help is appreciated though.


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-17 Thread Karl Grindley
This change has created a denial of service configuration bug for an
untold number of smart card configured (and smart card required)
systems.

p11_child with OpenSSL requires the full PEM cert chain to function;
the NSSDB version does not.

So for folks that have configured the minimum in the NSSDB by only
adding the issuing certificate (and not the chain of certs to the root),
smart card authentication will now fail simply by updating to the latest
Ubuntu 20.04 packages.  The nssdb to pam conversion script does not
check the chain of trust in the new pam file.

So when an untold number of systems roll this out with require_cert_auth in
the pam stack to be NIST 800-171 compliant, they will all be bricked with
no way to log in.

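Karl's point above is that the OpenSSL-backed p11_child needs the complete chain in the PEM bundle while the NSS database only needed the issuing CA, and that the conversion script does not check for this. The following is an added example, not the exporter script's code and not part of this thread, of the kind of preflight check he asks for: a stdlib-only Python script that walks every certificate in a PEM bundle to a self-signed root by matching raw DER issuer and subject Names, and reports the first issuer that is missing from the bundle. Because no real certificates appear in this thread, the input bundles are constructed, unsigned certificate skeletons produced by the helper `fake_cert_pem`, which exists only to generate test input; on a real system you would pass a path such as /etc/sssd/pki/sssd_auth_ca_db.pem as the first argument.

```python
"""Stdlib-only check that every certificate in a PEM bundle chains to a
self-signed root present in the same bundle (no missing intermediates)."""
import base64
import re

_PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
_OID_CN = b"\x55\x04\x03"  # 2.5.4.3 id-at-commonName

def _tlv(buf, pos):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, pos, pos + length

def _children(buf, start, end):
    """Yield (tag, raw_element, value) for each DER element in buf[start:end]."""
    pos = start
    while pos < end:
        tag, vstart, vend = _tlv(buf, pos)
        yield tag, buf[pos:vend], buf[vstart:vend]
        pos = vend

def subject_and_issuer(der):
    """Return the raw DER Name encodings (subject, issuer) of one certificate."""
    _, tbs_pos, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, start, end = _tlv(der, tbs_pos)      # tbsCertificate SEQUENCE
    fields = list(_children(der, start, end))
    if fields[0][0] == 0xA0:                # optional [0] EXPLICIT version
        fields = fields[1:]
    # order is now: serialNumber, signature, issuer, validity, subject, ...
    return fields[4][1], fields[2][1]

def common_name(name_der):
    """Best-effort CN of a DER Name, used only to make the report readable."""
    _, start, end = _tlv(name_der, 0)
    for _, _, rdn in _children(name_der, start, end):        # each SET
        for _, _, atv in _children(rdn, 0, len(rdn)):         # each SEQUENCE
            parts = list(_children(atv, 0, len(atv)))         # OID, value
            if parts and parts[0][2] == _OID_CN:
                return parts[1][2].decode("utf-8", "replace")
    return name_der.hex()

def check_chain_completeness(pem_text):
    """Map each certificate's CN to None when it chains to a self-signed root
    inside the bundle, otherwise to the CN of the first issuer that is missing."""
    certs = [subject_and_issuer(base64.b64decode(m.group(1)))
             for m in _PEM_RE.finditer(pem_text)]
    by_subject = dict(certs)                # subject Name -> issuer Name
    report = {}
    for subject, issuer in certs:
        cur_subj, cur_iss, missing, seen = subject, issuer, None, set()
        while cur_subj != cur_iss:          # a self-signed cert ends the walk
            if cur_iss not in by_subject or cur_iss in seen:
                missing = common_name(cur_iss)
                break
            seen.add(cur_subj)
            cur_subj, cur_iss = cur_iss, by_subject[cur_iss]
        report[common_name(subject)] = missing
    return report

# --- constructed test input (no real certificates appear in this thread) ---
def _der(tag, content):
    """Minimal DER encoder, only used to build the constructed input below."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(cn):
    atv = _der(0x30, _der(0x06, _OID_CN) + _der(0x0C, cn.encode()))
    return _der(0x30, _der(0x31, atv))      # Name = SEQUENCE OF SET OF ATV

def fake_cert_pem(subject_cn, issuer_cn):
    """UNSIGNED certificate skeleton carrying only the fields the checker reads;
    it is not a usable certificate, just constructed parser test input."""
    validity = _der(0x30, _der(0x17, b"210101000000Z") + _der(0x17, b"310101000000Z"))
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01")
               + _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"))
               + _name(issuer_cn) + validity + _name(subject_cn) + _der(0x30, b""))
    cert = _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))
    body = base64.encodebytes(cert).decode()
    return "-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n" % body

FULL_CHAIN = (fake_cert_pem("Example Root CA", "Example Root CA")
              + fake_cert_pem("Example Issuing CA", "Example Root CA"))
ISSUING_ONLY = fake_cert_pem("Example Issuing CA", "Example Root CA")  # Karl's case

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else ISSUING_ONLY
    for cn, missing in check_chain_completeness(text).items():
        print(cn, "OK" if missing is None else "missing issuer: " + missing)
```

Issuer and subject Names are compared as raw DER bytes, which is how chain builders match in practice but skips the case-insensitive comparison RFC 5280 allows; no signatures are verified, so this is a completeness check on the bundle, not a trust decision. Run against the issuing-CA-only bundle it reports the root as missing, which is exactly the state an NSS-only configuration ends up in after conversion.
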

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-01 Thread Mathew Hodson
** No longer affects: ca-certificates (Ubuntu Focal)

** No longer affects: ca-certificates (Ubuntu)

** Bug watch removed: github.com/SSSD/sssd/issues #1041
   https://github.com/SSSD/sssd/issues/1041


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-01 Thread Treviño
Ah, and of course the SSSD pem file is properly populated:

$ sudo openssl crl2pkcs7 -nocrl -certfile /etc/sssd/pki/sssd_auth_ca_db.pem | 
openssl pkcs7 -print_certs -noout | grep subject | wc -l
421


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-01 Thread Treviño
Thanks Valters for your verification!

It's always better when someone that didn't commit the fix can help with
it.

I've also done further verification to ensure that the migration happens
as expected, so my sssd.conf was:

[sssd]
enable_files_domain = True
services = pam
certificate_verification = no_ocsp

[certmap/implicit_files/marco]
matchrule = .*TRVMRC[A-Z0-9]+/6090010669298009\.YOrY0zOk5CdMby2Z2O/HnVRA8Ao.*

[pam]
pam_cert_auth = True
pam_verbosity = 10
debug_level = 10
#pam_cert_db_path = /etc/ssl/certs/ca-certificates.crt
# pam_cert_db_path = /etc/pki/nssdb
pam_cert_db_path = /etc/pki/nssdb2
ca_db = /etc/pki/nssdb2
#ca_db = /etc/pki/nssdb

With /etc/pki/nssdb2 configured so that it was able to read my reader
and containing the relative CA certificate:

$ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
    --nssdb=/etc/pki/nssdb2
(Mon Mar  1 15:16:29:470908 2021) [[sssd[p11_child[70818 [main] (0x0400): 
p11_child started.
(Mon Mar  1 15:16:29:470980 2021) [[sssd[p11_child[70818 [main] (0x2000): 
Running in [pre-auth] mode.
(Mon Mar  1 15:16:29:470991 2021) [[sssd[p11_child[70818 [main] (0x2000): 
Running with effective IDs: [0][0].
(Mon Mar  1 15:16:29:470998 2021) [[sssd[p11_child[70818 [main] (0x2000): 
Running with real IDs [0][0].
(Mon Mar  1 15:16:31:152580 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): Default Module List:
(Mon Mar  1 15:16:31:152668 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): common name: [NSS Internal PKCS #11 Module].
(Mon Mar  1 15:16:31:152697 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): dll name: [(null)].
(Mon Mar  1 15:16:31:152706 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): common name: [PKCS#11 Kit modules proxy].
(Mon Mar  1 15:16:31:152715 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): dll name: [/usr/lib/x86_64-linux-gnu/p11-kit-proxy.so].
(Mon Mar  1 15:16:31:152724 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): Dead Module List:
(Mon Mar  1 15:16:31:152732 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): DB Module List:
(Mon Mar  1 15:16:31:152750 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): common name: [NSS Internal Module].
(Mon Mar  1 15:16:31:152759 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): dll name: [(null)].
(Mon Mar  1 15:16:31:152769 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): Description [NSS Internal Cryptographic Services  
   Mozilla Foundation] Manufacturer [Mozilla Foundation 
 ] flags [9] removable [false] token present [true].
(Mon Mar  1 15:16:31:152818 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): Description [NSS User Private Key and Certificate Services
   Mozilla Foundation  ] Manufacturer [Mozilla Foundation   
   ] flags [1] removable [false] token present [true].
(Mon Mar  1 15:16:31:153898 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): Description [VMware Virtual USB CCID 00 00
   VMware  ] Manufacturer [VMware   
   ] flags [7] removable [true] token present [true].
(Mon Mar  1 15:16:31:153949 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): Found [MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 
00][16] of module [2][/usr/lib/x86_64-linux-gnu/p11-kit-proxy.so].
(Mon Mar  1 15:16:31:153976 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): Token is NOT friendly.
(Mon Mar  1 15:16:31:153995 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): Trying to switch to friendly to read certificate.
(Mon Mar  1 15:16:31:154029 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): Login required.
(Mon Mar  1 15:16:31:154041 2021) [[sssd[p11_child[70818 [do_card] 
(0x0020): Login required but no PIN available, continue.
(Mon Mar  1 15:16:31:170652 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): found cert[MARCO TREVISAN (PIN 
CNS0):CNS0][SN=TREVISAN,givenName=MARCO,CN="TRVMRC85T31A851Y/6090010669298009.YOrY0zOk5CdMby2Z2O/HnVRA8Ao=",OU=REGIONE
 TOSCANA,O=Actalis S.p.A.,C=IT]
(Mon Mar  1 15:16:31:170710 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): Filtered certificates:
(Mon Mar  1 15:16:31:170725 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): found cert[MARCO TREVISAN (PIN 
CNS0):CNS0][SN=TREVISAN,givenName=MARCO,CN="TRVMRC85T31A851Y/6090010669298009.YOrY0zOk5CdMby2Z2O/HnVRA8Ao=",OU=REGIONE
 TOSCANA,O=Actalis S.p.A.,C=IT]
(Mon Mar  1 15:16:31:170776 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): module uri: 
pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1.
(Mon Mar  1 15:16:31:170847 2021) [[sssd[p11_child[70818 [do_card] 
(0x4000): token uri: 
pkcs11:token=MARCO%20TREVISAN%20(PIN%20CNS0);manufacturer=IC:%20STMicroelectronics%3B%20mask:...;serial=6090010669298009;model=PKCS%2315%20emulated.
(Mon Mar  1 15:16:31:287477 2021) 

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-03-01 Thread Launchpad Bug Tracker
This bug was fixed in the package sssd - 2.2.3-3ubuntu0.4

---
sssd (2.2.3-3ubuntu0.4) focal; urgency=medium

  [ Marco Trevisan ]
  * debian/control:
- Add missing (test) dependencies as per libcrypto usage (LP: #1905790)
- Update Maintainer to Ubuntu devs
  * debian/rules: Compile using libcrypto as crypto backend (LP: #1905790)
  * debian/nss-database-pem-exporter: Add to sssd-common and run on postinst.
When upgrading from previous versions (that were compiled using the NSS
crypto backend) we need to migrate the trusted CA certificates that the
user may have added to the SSSD's NSS system database (that defaults to
/etc/pki/nssdb).
To do this, and not to introduce a new dependency on libnss3-tools
(which is not shipped by default, other than making the parsing not
working in some scenarios) I've added a small C tool that we compile and
install as part of the sssd-common package which is able to get all the
trusted CA certificates for a NSS database and export them in PEM
format.
The nss-database-pem-exporter is then used in the postinst script where
we now:
 1. Read the SSSD settings
 2. Convert all the certificates in the configured NSS databases
 3. Store them all, appending them to the (new) default location
(/etc/sssd/pki/sssd_auth_ca_db.pem)
 4. Disables the configured locations if pointing to NSS dbs (needed or
we'll leave the configuration with broken values).
At this point nss-database-pem-exporter is then the only binary in the
package that still depends on NSS libraries. (LP: #1905790)
  * debian/patches:
- Get libsofthsm2 from right path for each architecture, this is now used
  for real (wasn't before) to test p11k components with libcrypto and
  p11-kit, also avoids a test build failure on armhf (LP: #1905790)

  [ Valters Jansons ]
  * Avoid sending malformed SYSLOG_IDENTIFIER to journald (LP: #1908065):
- d/rules: Set --with-syslog=journald in override_dh_auto_configure.
- d/p/lp-1908065-01-debug_prg_name-format.patch:
  Upstream patch to clean up program names.
- d/p/lp-1908065-02-syslog_identifier-format.patch:
  Upstream patch to include "sssd[]" identifier in program names.
- d/p/lp-1908065-03-remove-syslog_identifier.patch:
  Upstream patch to remove custom SYSLOG_IDENTIFIER from Journald.

 -- Marco Trevisan (Treviño)   Thu, 11 Feb 2021 15:31:14 -0500

** Changed in: sssd (Ubuntu Focal)
   Status: Fix Committed => Fix Released

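The changelog above describes a postinst migration that reads the SSSD settings, exports the NSS databases to PEM, and then disables the configuration values that still point at NSS databases so the OpenSSL-backed p11_child is not left with unusable paths. As an added illustration of steps 1 and 4 of that procedure, not the package's own postinst (which is a shell script), here is a Python dry-run helper: it finds certificate-database settings that point at an NSS database and produces a copy of the config with those lines commented out, leaving every other line untouched. It assumes the keys `pam_cert_db_path` and `ca_db`, taken from the sssd.conf samples in this thread, and treats a value as an NSS database when it names a directory (optionally behind an `sql:` or `dbm:` prefix); the sample config and the `_fake_isdir` stand-in are constructed so the example runs without a real database.

```python
"""Dry-run helper for the config side of an NSS-to-PEM migration of sssd.conf:
find cert DB settings that point at NSS databases and disable them."""
import configparser
import io
import os

# Assumed keys, taken from the sssd.conf samples in this thread.
CERT_DB_KEYS = ("pam_cert_db_path", "ca_db")
NEW_PEM_DB = "/etc/sssd/pki/sssd_auth_ca_db.pem"   # new default from the changelog

def looks_like_nss_db(value, exists=os.path.isdir):
    """Heuristic: an NSS database is a directory (cert9.db etc. live inside it),
    possibly written with an sql:/dbm: prefix; a PEM bundle is a plain file."""
    path = value.split(":", 1)[1] if value.startswith(("sql:", "dbm:")) else value
    return exists(path)

def find_nss_db_settings(conf_text, exists=os.path.isdir):
    """Return [(section, key, value)] for every setting that names an NSS DB."""
    parser = configparser.ConfigParser(interpolation=None, strict=False,
                                       delimiters=("=",))
    parser.read_file(io.StringIO(conf_text))
    hits = []
    for section in parser.sections():
        for key in CERT_DB_KEYS:
            if parser.has_option(section, key):
                value = parser.get(section, key).strip()
                if looks_like_nss_db(value, exists):
                    hits.append((section, key, value))
    return hits

def disable_nss_db_settings(conf_text, exists=os.path.isdir):
    """Comment out NSS-database settings line by line, preserving comments,
    ordering and every other option exactly as written."""
    nss = {(s, k) for s, k, _ in find_nss_db_settings(conf_text, exists)}
    out, section = [], None
    for line in conf_text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            section = stripped[1:-1]
        elif "=" in stripped and not stripped.startswith(("#", ";")):
            key = stripped.split("=", 1)[0].strip().lower()
            if (section, key) in nss:
                out.append("# migrated to %s: %s" % (NEW_PEM_DB, line))
                continue
        out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample, modelled on the sssd.conf quoted in this thread.
SAMPLE_CONF = """\
[sssd]
services = pam

[pam]
pam_cert_auth = True
#pam_cert_db_path = /etc/ssl/certs/ca-certificates.crt
pam_cert_db_path = sql:/etc/pki/nssdb2
ca_db = /etc/pki/nssdb2
"""

def _fake_isdir(path):
    """Stand-in for os.path.isdir so the sample runs without a real NSS DB."""
    return path == "/etc/pki/nssdb2"

if __name__ == "__main__":
    for hit in find_nss_db_settings(SAMPLE_CONF, _fake_isdir):
        print("NSS database setting:", hit)
    print(disable_nss_db_settings(SAMPLE_CONF, _fake_isdir))
```

With the real `os.path.isdir` the same functions run against an actual /etc/sssd/sssd.conf; keeping the detection separate from the rewrite makes it easy to print what would change before touching the file, which is the check a package maintainer would want before a migration like the one in the changelog.
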

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-27 Thread Valters Jansons
LP appears to have stripped spaces from the `grep` command.
There was filtering on output to reduce verbosity.

Instead of what is seen in previous comment:
# p11-kit list-modules | grep -Eve '^ '
The actual executed verification command there is:
# p11-kit list-modules | grep -Eve '^ {5}'


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-27 Thread Valters Jansons
Performing verification on Focal (20.04) as described in test steps.

Local test system has a 4th generation Yubikey attached.
The Yubikey is a smartcard reader with an integrated card.
There's a certificate on card, issued from internal non-default CA.

 # # Install `p11-kit` for test case use.
 # apt install p11-kit
 # apt-cache policy p11-kit | grep Installed:
  Installed: 0.23.20-1ubuntu0.1

 # # Install `ykcs11` for Yubikey smartcard use on system.
 # # This could also be `opensc` or any other module package.
 # apt install ykcs11
 # apt-cache policy ykcs11 | grep Installed:
  Installed: 2.0.0-2
 # # Allow auto-discovery of ykcs11 PKCS#11 module:
 # echo 'module: ../libykcs11.so' > \
   /usr/share/p11-kit/modules/ykcs11.module

 # # Install SSSD from -updates.
 # apt install sssd/focal-updates
 # apt-cache policy sssd | grep Installed:
  Installed: 2.2.3-3ubuntu0.3

 # # Execute described test case.
 # p11-kit list-modules | grep -Eve '^ '
p11-kit-trust: p11-kit-trust.so
library-description: PKCS#11 Kit Trust Module
library-manufacturer: PKCS#11 Kit
library-version: 0.23
token: System Trust
ykcs11: ../libykcs11.so
library-description: PKCS#11 PIV Library (SP-800-73)
library-manufacturer: Yubico (www.yubico.com)
library-version: 2.0
token: YubiKey PIV #1234567
 # sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
   --nssdb=/etc/ssl/certs/ca-certificates.crt
(Sat Feb 27 14:21:22:579260 2021) [[sssd[p11_child[3511 [main] (0x0400): 
p11_child started.
(Sat Feb 27 14:21:22:579307 2021) [[sssd[p11_child[3511 [main] (0x2000): 
Running in [pre-auth] mode.
(Sat Feb 27 14:21:22:579315 2021) [[sssd[p11_child[3511 [main] (0x2000): 
Running with effective IDs: [0][0].
(Sat Feb 27 14:21:22:579322 2021) [[sssd[p11_child[3511 [main] (0x2000): 
Running with real IDs [0][0].
(Sat Feb 27 14:21:22:581129 2021) [[sssd[p11_child[3511 [do_card] (0x4000): 
Default Module List:
(Sat Feb 27 14:21:22:581145 2021) [[sssd[p11_child[3511 [do_card] (0x4000): 
common name: [NSS Internal PKCS #11 Module].
(Sat Feb 27 14:21:22:581151 2021) [[sssd[p11_child[3511 [do_card] (0x4000): 
dll name: [(null)].
(Sat Feb 27 14:21:22:581156 2021) [[sssd[p11_child[3511 [do_card] (0x4000): 
Dead Module List:
(Sat Feb 27 14:21:22:581160 2021) [[sssd[p11_child[3511 [do_card] (0x4000): 
DB Module List:
(Sat Feb 27 14:21:22:581165 2021) [[sssd[p11_child[3511 [do_card] (0x4000): 
common name: [NSS Internal Module].
(Sat Feb 27 14:21:22:581170 2021) [[sssd[p11_child[3511 [do_card] (0x4000): 
dll name: [(null)].
(Sat Feb 27 14:21:22:581175 2021) [[sssd[p11_child[3511 [do_card] (0x4000): 
Description [NSS Internal Cryptographic Services 
Mozilla Foundation ] Manufacturer [Mozilla Foundation   
 ] flags [9] removable [false] token present [true].
(Sat Feb 27 14:21:22:581182 2021) [[sssd[p11_child[3511 [do_card] (0x4000): 
Description [NSS User Private Key and Certificate Services   
Mozilla Foundation ] Manufacturer [Mozilla Foundation   
 ] flags [9] removable [false] token present [true].
(Sat Feb 27 14:21:22:581188 2021) [[sssd[p11_child[3511 [do_card] (0x0040): 
No removable slots found.
(Sat Feb 27 14:21:22:581193 2021) [[sssd[p11_child[3511 [main] (0x0040): 
do_work failed.
(Sat Feb 27 14:21:22:581198 2021) [[sssd[p11_child[3511 [main] (0x0020): 
p11_child failed!

 # # In-place upgrade SSSD from -proposed.
 # apt install sssd/focal-proposed
 # apt-cache policy sssd | grep Installed:
  Installed: 2.2.3-3ubuntu0.4

 # # Execute described test case.
 # p11-kit list-modules | grep -Eve '^ '
p11-kit-trust: p11-kit-trust.so
library-description: PKCS#11 Kit Trust Module
library-manufacturer: PKCS#11 Kit
library-version: 0.23
token: System Trust
ykcs11: ../libykcs11.so
library-description: PKCS#11 PIV Library (SP-800-73)
library-manufacturer: Yubico (www.yubico.com)
library-version: 2.0
token: YubiKey PIV #1234567
 # sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
   --nssdb=/etc/ssl/certs/ca-certificates.crt
(Sat Feb 27 14:23:47:854078 2021) [p11_child[4287]] [main] (0x0400): p11_child 
started.
(Sat Feb 27 14:23:47:854240 2021) [p11_child[4287]] [main] (0x2000): Running in 
[pre-auth] mode.
(Sat Feb 27 14:23:47:854267 2021) [p11_child[4287]] [main] (0x2000): Running 
with effective IDs: [0][0].
(Sat Feb 27 14:23:47:854275 2021) [p11_child[4287]] [main] (0x2000): Running 
with real IDs [0][0].
(Sat Feb 27 14:23:47:864786 2021) [p11_child[4287]] [do_card] (0x4000): Module 
List:
(Sat Feb 27 14:23:47:878057 2021) [p11_child[4287]] [do_card] (0x4000): common 
name: [p11-kit-trust].
(Sat Feb 27 14:23:47:879047 2021) [p11_child[4287]] [do_card] (0x4000): dll 
name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(Sat Feb 27 14:23:47:879072 2021) [p11_child[4287]] [do_card] (0x4000): 
Description 

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-19 Thread Robie Basak
Hello Marco, or anyone else affected,

Accepted sssd into focal-proposed. The package will build now and be
available at https://launchpad.net/ubuntu/+source/sssd/2.2.3-3ubuntu0.4
in a few hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from verification-needed-
focal to verification-done-focal. If it does not fix the bug for you,
please add a comment stating that, and change the tag to verification-
failed-focal. In either case, without details of your testing we will
not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

** Changed in: sssd (Ubuntu Focal)
   Status: New => Fix Committed

** Tags added: verification-needed verification-needed-focal


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-18 Thread Sergio Durigan Junior
OK, new package (with the same version) uploaded now, which addresses
the comments made by Robie.  Let me know what you think.  Thanks!


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-18 Thread Treviño
Ok, I was quite sure that CERT_LIST_HEAD was already guarding us from
NULL pointers (as in many NSS places I didn't see the check) but it's
not the case [1], so thanks!

[1] https://searchfox.org/mozilla-
central/source/security/nss/lib/certdb/certt.h#361


Re: [Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-18 Thread Sergio Durigan Junior
On Thursday, February 18 2021, Robie Basak wrote:

>> +  certs = CERT_CreateSubjectCertList (NULL, handle,
> >derSubject,
>
> Doesn't this need a return value test? AFAICT,
> CERT_CreateSubjectCertList might return NULL, and CERTLIST_HEAD (certs)
> will unconditionally look up a member? There's a second instance of this
> pattern in print_trusted_certificates().

Agreed.  I can expand the code to make it check for NULL.

> However, since the postinst only calls nss-database-pem-exporter from
> inside import_nss_ca_certs(), the "set -e" won't have any effect there,
> so I think this is OK in practice. I'd normally ask for more explicit
> error handling (or at least comments in the postinst) but since this
> migration code will only exist in this SRU, I think it's OK to leave it
> as-is.
>
>> +if dpkg --compare-versions "$2" lt-nl 2.2.3-3ubuntu0.2; then
>
> Doesn't this now need bumping to 0.4? The current version in focal-
> updates is 2.2.3-3ubuntu0.3. Otherwise I think the upgrade path won't
> activate for anyone already on 2.2.3-3ubuntu0.2 or 2.2.3-3ubuntu0.3?

Yes, this one slipped past my radar.  There were two more uploads since
Marco posted his first MP, and although he did rebase it against the
latest sssd on Focal, we forgot about this check.

How should I proceed here?  Should I just upload the new package with
the same version, since it wasn't accepted yet?

Thanks,

-- 
Sergio
GPG key ID: E92F D0B3 6B14 F1F4 D8E0  EB2F 106D A1C8 C3CB BF14


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-02-18 Thread Robie Basak
> +  certs = CERT_CreateSubjectCertList (NULL, handle,
>derSubject,

Doesn't this need a return value test? AFAICT,
CERT_CreateSubjectCertList might return NULL, and CERTLIST_HEAD (certs)
will unconditionally look up a member? There's a second instance of this
pattern in print_trusted_certificates().

However, since the postinst only calls nss-database-pem-exporter from
inside import_nss_ca_certs(), the "set -e" won't have any effect there,
so I think this is OK in practice. I'd normally ask for more explicit
error handling (or at least comments in the postinst) but since this
migration code will only exist in this SRU, I think it's OK to leave it
as-is.

> +if dpkg --compare-versions "$2" lt-nl 2.2.3-3ubuntu0.2; then

Doesn't this now need bumping to 0.4? The current version in focal-
updates is 2.2.3-3ubuntu0.3. Otherwise I think the upgrade path won't
activate for anyone already on 2.2.3-3ubuntu0.2 or 2.2.3-3ubuntu0.3?


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2021-01-12 Thread Sergio Durigan Junior
** Changed in: sssd (Ubuntu Focal)
 Assignee: Sergio Durigan Junior (sergiodj) => Marco Trevisan (Treviño) (3v1n0)


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-15 Thread Treviño
** Description changed:

  [ Impact ]
  
  SSSD supports in 20.04 two security backends: NSS and OpenSSL
  (speaking in past tense as upstream dropped NSS support completely).
  
  Those two backends are used for various generic crypto features (so they
  are interchangeable), but also for the management of the PKCS#11 modules
  for smart cards.
  
  In this case, the main problem is that by using NSS it also relies on
  the presence of a "system NSS" database [1] that is something present in
  Fedora and RHEL, but not in ubuntu or generic Linux distributions.
  
  In order to make SSSD to find a smart card module, we would then need to 
create a such database that mentions a p11kit proxy that will eventually load 
the p11-kit module and then add the card CA certificate to the same DB (see 
more details in [2]).
  And even in such case... It will not work at login phase.
  
  This is making support for Smart-card based authentication in 20.04
  quite complicated, and hard to implement in professional environments
  (see bug #1865226).
  
  As per this, recompiling SSSD's p11_child to use OpenSSL (as it already
  happens starting from 20.10) would be enough to make the this tool (the
  one in charge for smartcard authentications and certificate matching) to
  be able to get the smartcard devices from p11-kit allowed modules and to
  check their certificate using CA certificates in the ubuntu system ca
  certificate files (or other configured file).
  
  One more mayor reason to do this, is also that if we fix 20.04 now to
  use the "proper" method, people who will configure smartcard access
  there via SSSD (not easily possible right now) won't be affected by
  future migrations.
  
  [ Proposed Implementations ]
  
  1) Use p11-kit and openssl for p11_child, by changing the build/test system 
(preferred)
     https://salsa.debian.org/3v1n0-guest/sssd/-/commits/p11-kit-p11_child
  
  2) Build both versions and package things accordingly (hackish)
     https://salsa.debian.org/3v1n0-guest/sssd/-/commits/p11-kit-p11_child-v1
  
  3) Recompile SSSD completely to use libcrypto as backend
  
  [ Test case ]
  
  With a smartcard reader available (and with a card in its slot) as reported 
by:
   $ p11-kit list-modules
  
  launch:
   $ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
     --nssdb=/etc/ssl/certs/ca-certificates.crt
  
  The tool should find your card:
  
  (2020-11-26 21:34:22:020395): [p11_child[100729]] [do_card] (0x4000): Module 
List:
  (2020-11-26 21:34:22:020481): [p11_child[100729]] [do_card] (0x4000): common 
name: [p11-kit-trust].
  (2020-11-26 21:34:22:020497): [p11_child[100729]] [do_card] (0x4000): dll 
name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
  (2020-11-26 21:34:22:020569): [p11_child[100729]] [do_card] (0x4000): 
Description [/etc/ssl/certs/ca-certificates.crt  
PKCS#11 Kit ] Manufacturer [PKCS#11 Kit 
] flags [1] removable [false] token present [true].
  (2020-11-26 21:34:22:020611): [p11_child[100729]] [do_card] (0x4000): common 
name: [opensc-pkcs11].
  (2020-11-26 21:34:22:020646): [p11_child[100729]] [do_card] (0x4000): dll 
name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
  (2020-11-26 21:34:22:025443): [p11_child[100729]] [do_card] (0x4000): 
Description [VMware Virtual USB CCID 00 00   
VMware  ] Manufacturer [VMware  
] flags [7] removable [true] token present [true].
  (2020-11-26 21:34:22:025725): [p11_child[100729]] [do_card] (0x4000): Found 
[MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 00][0] of 
module [1][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
  
- Then the tool might fail if the card certificate is not added to the ca-
- certificates.crt, but this is outside the scope of the test case.
+ Then:
+  1) If you previously configured SSSD match rules and/or CA certificates:
+ - You should still get your certificate public key printed as output
+ - Configured login with smartcard should continue working
  
- What it matters is that the card is found.
+  2) If SSSD was not configured to do smartcard authentication:
+ - p11_child may fail if the card certificate was not previously added to
+   the trusted DB, but this is outside of this test case.
+ - What it matters is that the card is found.
  
  [ Regression potential ]
  
  While the change may involve quite different code paths when it comes to
  security features, I think we trust OpenSSL enough to be an acceptable
  crypto backend for PKCS#11 operations. Behavior should not change, also
  assuming that upstream dropped NSS support completely in latest release
  [3], keeping the same functionalities.
  
  As per a further review of this by xnox [4], we can safely assume that
  SSSD does not use libcrypto for operations where its behavior should
  differ from NSS. As it's needed only 

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-15 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~3v1n0/ubuntu/+source/sssd/+git/sssd/+merge/395411

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1905790

Title:
  Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for
  p11_child

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1905790/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs

[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-15 Thread Launchpad Bug Tracker
** Merge proposal linked:
   https://code.launchpad.net/~3v1n0/ubuntu/+source/sssd/+git/sssd/+merge/395410


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Christian Ehrhardt 
+1 to Timo to not go for "system nssdb" for the cause of this case here.
Also system-wide-trust would be bug 1647285 and is quite a different scope.


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Timo Aaltonen
re: system nssdb; let's not go there anymore, Fedora already moved to
openssl system-wide


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Treviño
** Description changed:

  [ Impact ]
  
  SSSD supports in 20.04 two security backends: NSS and OpenSSL
  (speaking in past tense as upstream dropped NSS support completely).
  
  Those two backends are used for various generic crypto features (so they
  are interchangeable), but also for the management of the PKCS#11 modules
  for smart cards.
  
  In this case, the main problem is that by using NSS it also relies on
  the presence of a "system NSS" database [1] that is something present in
  Fedora and RHEL, but not in ubuntu or generic Linux distributions.
  
  In order to make SSSD to find a smart card module, we would then need to 
create a such database that mentions a p11kit proxy that will eventually load 
the p11-kit module and then add the card CA certificate to the same DB (see 
more details in [2]).
  And even in such case... It will not work at login phase.
  
  This is making support for Smart-card based authentication in 20.04
  quite complicated, and hard to implement in professional environments
  (see bug #1865226).
  
  As per this, recompiling SSSD's p11_child to use OpenSSL (as it already
  happens starting from 20.10) would be enough to make the this tool (the
  one in charge for smartcard authentications and certificate matching) to
  be able to get the smartcard devices from p11-kit allowed modules and to
  check their certificate using CA certificates in the ubuntu system ca
  certificate files (or other configured file).
  
  One more mayor reason to do this, is also that if we fix 20.04 now to
  use the "proper" method, people who will configure smartcard access
  there via SSSD (not easily possible right now) won't be affected by
  future migrations.
  
  [ Proposed Implementations ]
  
  1) Use p11-kit and openssl for p11_child, by changing the build/test system 
(preferred)
     https://salsa.debian.org/3v1n0-guest/sssd/-/commits/p11-kit-p11_child
  
  2) Build both versions and package things accordingly (hackish)
     https://salsa.debian.org/3v1n0-guest/sssd/-/commits/p11-kit-p11_child-v1
  
+ 3) Recompile SSSD completely to use libcrypto as backend
+ 
  [ Test case ]
  
  With a smartcard reader available (and with a card in its slot) as reported 
by:
-  $ p11-kit list-modules
+  $ p11-kit list-modules
  
  launch:
   $ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
     --nssdb=/etc/ssl/certs/ca-certificates.crt
  
  The tool should find your card:
  
  (2020-11-26 21:34:22:020395): [p11_child[100729]] [do_card] (0x4000): Module 
List:
  (2020-11-26 21:34:22:020481): [p11_child[100729]] [do_card] (0x4000): common 
name: [p11-kit-trust].
  (2020-11-26 21:34:22:020497): [p11_child[100729]] [do_card] (0x4000): dll 
name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
  (2020-11-26 21:34:22:020569): [p11_child[100729]] [do_card] (0x4000): 
Description [/etc/ssl/certs/ca-certificates.crt  
PKCS#11 Kit ] Manufacturer [PKCS#11 Kit 
] flags [1] removable [false] token present [true].
  (2020-11-26 21:34:22:020611): [p11_child[100729]] [do_card] (0x4000): common 
name: [opensc-pkcs11].
  (2020-11-26 21:34:22:020646): [p11_child[100729]] [do_card] (0x4000): dll 
name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
  (2020-11-26 21:34:22:025443): [p11_child[100729]] [do_card] (0x4000): 
Description [VMware Virtual USB CCID 00 00   
VMware  ] Manufacturer [VMware  
] flags [7] removable [true] token present [true].
  (2020-11-26 21:34:22:025725): [p11_child[100729]] [do_card] (0x4000): Found 
[MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 00][0] of 
module [1][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
  
  Then the tool might fail if the card certificate is not added to the ca-
  certificates.crt, but this is outside the scope of the test case.
  
  What it matters is that the card is found.
  
  [ Regression potential ]
  
  While the change may involve quite different code paths when it comes to
  security features, I think we trust OpenSSL enough to be an acceptable
- crypto backend for PKCS#11 operations. And behavior should not change
- (if not improved), also assuming that upstream dropped NSS support
- completely in latest release, keeping the same functionalities.
+ crypto backend for PKCS#11 operations. Behavior should not change, also
+ assuming that upstream dropped NSS support completely in latest release
+ [3], keeping the same functionalities.
  
- The only binary that is really affected in its behavior is p11_child.
+ As per a further review of this by xnox [4], we can safely assume that
+ SSSD does not use libcrypto for operations where its behavior should
+ differ from NSS. As it's needed only for certificates handling.
  
- And I'm confident this will break only those setup (if there are any,
- given that smartcard access is currently not supported by ubuntu) that
- 
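
A way to check the output of this test case mechanically, as an added example (not part of the bug report or of SSSD itself): it parses the `do_card` debug lines, rebuilds the module list p11_child obtained from p11-kit, and reports whether a card was found in one of those modules, which is what the test case says matters. The log text is a constructed sample modelled on the output quoted above, and the flag names come from the standard PKCS#11 CK_SLOT_INFO flag bits.

```python
import re
from typing import Dict, List, Optional

# Constructed sample, modelled on the `p11_child --pre -d 10` output quoted in the
# bug description (the mailer wrapped it; real output is one message per line).
SAMPLE_LOG = """\
(2020-11-26 21:34:22:020395): [p11_child[100729]] [do_card] (0x4000): Module List:
(2020-11-26 21:34:22:020481): [p11_child[100729]] [do_card] (0x4000): common name: [p11-kit-trust].
(2020-11-26 21:34:22:020497): [p11_child[100729]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(2020-11-26 21:34:22:020569): [p11_child[100729]] [do_card] (0x4000): Description [/etc/ssl/certs/ca-certificates.crt PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true].
(2020-11-26 21:34:22:020611): [p11_child[100729]] [do_card] (0x4000): common name: [opensc-pkcs11].
(2020-11-26 21:34:22:020646): [p11_child[100729]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
(2020-11-26 21:34:22:025443): [p11_child[100729]] [do_card] (0x4000): Description [VMware Virtual USB CCID 00 00 ] Manufacturer [VMware ] flags [7] removable [true] token present [true].
(2020-11-26 21:34:22:025725): [p11_child[100729]] [do_card] (0x4000): Found [MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 00][0] of module [1][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
"""

# One p11_child debug line: (timestamp): [p11_child[pid]] [function] (level): message
LINE_RE = re.compile(r"^\([^)]*\): \[p11_child\[\d+\]\] \[(?P<func>[^\]]*)\] "
                     r"\(0x[0-9a-f]+\): (?P<msg>.*)$")
COMMON_RE = re.compile(r"^common name: \[(.*)\]\.$")
DLL_RE = re.compile(r"^dll name: \[(.*)\]\.$")
DESC_RE = re.compile(r"^Description \[(.*?)\] Manufacturer \[(.*?)\] flags \[(\d+)\] "
                     r"removable \[(true|false)\] token present \[(true|false)\]\.$")
FOUND_RE = re.compile(r"^Found \[(.*?)\] in slot \[(.*?)\]\[(\d+)\] of module "
                      r"\[(\d+)\]\[(.*?)\]\.$")
# Standard PKCS#11 CK_SLOT_INFO flag bits behind the "flags [N]" field.
SLOT_FLAGS = {0x1: "CKF_TOKEN_PRESENT", 0x2: "CKF_REMOVABLE_DEVICE", 0x4: "CKF_HW_SLOT"}


def slot_flag_names(flags: int) -> List[str]:
    return [name for bit, name in sorted(SLOT_FLAGS.items()) if flags & bit]


def parse_do_card(log_text: str):
    """Return (modules, found): the module list p11_child enumerated via p11-kit
    and the 'Found' record for the card, or None if no card was seen."""
    modules: List[Dict] = []
    found: Optional[Dict] = None
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("func") != "do_card":
            continue  # other debug output is irrelevant here
        msg = m.group("msg")
        if (c := COMMON_RE.match(msg)):
            modules.append({"common_name": c.group(1)})
        elif (d := DLL_RE.match(msg)) and modules:
            modules[-1]["dll"] = d.group(1)
        elif (s := DESC_RE.match(msg)) and modules:
            modules[-1].update(description=s.group(1).strip(), flags=int(s.group(3)),
                               removable=s.group(4) == "true",
                               token_present=s.group(5) == "true")
        elif (f := FOUND_RE.match(msg)):
            found = {"label": f.group(1), "slot": f.group(2), "slot_index": int(f.group(3)),
                     "module_index": int(f.group(4)), "module_dll": f.group(5)}
    return modules, found


def evaluate_test_case(log_text: str):
    """Verdict for the bug's test case as (ok, reason): it passes only when a card
    was found in a listed module whose slot reports a token present."""
    modules, found = parse_do_card(log_text)
    if found is None:
        return False, "no 'Found [...]' line: p11_child did not see a card"
    if not 0 <= found["module_index"] < len(modules):
        return False, "Found line points at a module index missing from the module list"
    mod = modules[found["module_index"]]
    if mod.get("dll") != found["module_dll"] or not mod.get("token_present"):
        return False, "module path or token-present flag disagrees with the module list"
    return True, f"card {found['label']!r} found via {mod['common_name']}"
```

Feed it the stderr captured from the `--debug-fd=2` run; a later failure of the certificate check against ca-certificates.crt does not change the verdict, matching the test case's scope.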

Re: [Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Treviño
> This does raise a question as to why we don't provide a system nssdb. I
> think we should. I wonder if libnss or libnss3-tools could ship ca-
> certificates hook to provide a system nssdb certificate store.

I don't think it makes much sense at this point as most of the tools
that were depending on NSS are leaving it anyways (curl, sssd...) and
even Fedora is trying to get rid of the usage of libnss completely and only
support one crypto backend.

So, I was thinking of doing that and it could be a possibility, but it
still wouldn't be a future-proof solution as we'd regress in the next LTS, and
so we'd end up providing a solution for this LTS (for something that we
didn't support so far) that is going to be broken in the next version.
And I don't think it's a professional thing to ask our users to set up
something and reconfigure it at the next major update when we can start with
the right foot now.

> If we are changing backends, and certs were provided for the nss
> backend, imho we should automatically convert them and keep them active
> for the openssl backend. However unlikely it is that somebody made nss-
> based p11_child work.

Yeah, as I said, it isn't hard to do... The only problem I see is that the
postinst script for NSS should depend on libnss3-tools (if we don't
write something in C ourselves that is shipped with SSSD) in order to read the
certs and export them to the OpenSSL chain.

As you said, it's quite unlikely, but could happen.

> Actually, I don't see sssd at all using TLS connections, does it? It
> seems that to perform ldaps connections, it uses libldap from openldap
> which in turn uses GnuTLS. And any and all TLS LDAPS options are simply
> passed through to the libldap.

I had this feeling too, both looking at the code and at the various logs
I found around, where I noticed that connection was handled differently,
but not being the maximum expert here, I preferred not to talk. So happy
you say so.

> Inspecting all sssd binary packages I can see that only p11_child is the
> only one using libssl and that does not do TLS.

Yeah, exactly... It does only certs management basically.

> Thus changing nss => openssl backend should be immaterial to what sssd
> uses from them.

Ok, good to hear.

> I don't know how to configure p11_child but I do have
> smartcard reader and multiple smartcards so happy to test things =)

I wrote a bit of hints in this document, should help:
 https://hackmd.io/@3v1n0/ubuntu-smartcard-login


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Dimitri John Ledkov
Actually, I don't see sssd at all using TLS connections, does it? It
seems that to perform ldaps connections, it uses libldap from openldap
which in turn uses GnuTLS. And any and all TLS LDAPS options are simply
passed through to the libldap.

Inspecting all sssd binary packages I can see that p11_child is the
only one using libssl, and that does not do TLS.

libsss-certmap0 uses libcrypto.so.1.1 only for certificate parsing but
not for TLS.

Thus changing nss => openssl backend should be immaterial to what sssd
uses from them.

The only concern from me is to migrate custom certs that p11_child
trusts, if there are any configured, and migration is needed between the
backends. I don't know how to configure p11_child but I do have a
smartcard reader and multiple smartcards so happy to test things =)


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Dimitri John Ledkov
If we want to change the main sssd backend from nss to openssl, imho it
would be prudent enough to use
http://manpages.ubuntu.com/manpages/hirsute/en/man3/SSL_set_security_level.3ssl.html
APIs to set_security_level to 1.


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Dimitri John Ledkov
This does raise a question as to why we don't provide a system nssdb. I
think we should. I wonder if libnss or libnss3-tools could ship ca-
certificates hook to provide a system nssdb certificate store.

If we are changing backends, and certs were provided for the nss
backend, imho we should automatically convert them and keep them active
for the openssl backend. However unlikely it is that somebody made nss-
based p11_child work.

In nss, we do set a minimum TLS version of TLSv1.2, but we do not enforce 112
bits of security like we do with OpenSSL: specifically, a 2k RSA
minimum key size, nor do we prohibit SHA1/MD5 cert hashes or any cipher
suites that use RC4. These changes in minimum requirements do not affect
p11_child, but would affect sssd itself when talking over ldaps. I would
be worried that an LDAP server has a lowish sized key in their cert, and
suddenly an upgrade of sssd, once caches expire, prevents logins.


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-03 Thread Dimitri John Ledkov
** Also affects: ca-certificates (Ubuntu)
   Importance: Undecided
   Status: New


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-01 Thread Treviño
** Tags added: patch


[Bug 1905790] Re: Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for p11_child

2020-12-01 Thread Treviño
** Description changed:

  [ Impact ]
  
  SSSD supports in 20.04 two security backends: NSS and OpenSSL
  (speaking in past tense as upstream dropped NSS support completely).
  
  Those two backends are used for various generic crypto features (so they
  are interchangeable), but also for the management of the PKCS#11 modules
  for smart cards.
  
  In this case, the main problem is that by using NSS it also relies on
  the presence of a "system NSS" database [1] that is something present in
  Fedora and RHEL, but not in ubuntu or generic Linux distributions.
  
  In order to make SSSD to find a smart card module, we would then need to 
create a such database that mentions a p11kit proxy that will eventually load 
the p11-kit module and then add the card CA certificate to the same DB (see 
more details in [2]).
  And even in such case... It will not work at login phase.
  
  This is making support for Smart-card based authentication in 20.04
  quite complicated, and hard to implement in professional environments
  (see bug #1865226).
  
- As per this, recompiling SSSD to use OpenSSL (as it already happens
- starting from 20.10) would be enough to make the p11_child tool (the one
- in charge for smartcard authentications) to be able to get the smartcard
- devices from p11-kit allowed modules and to check their certificate
- using CA certificates in the ubuntu system ca certificate files (or
- other configured file).
+ As per this, recompiling SSSD's p11_child to use OpenSSL (as it already
+ happens starting from 20.10) would be enough to make the this tool (the
+ one in charge for smartcard authentications and certificate matching) to
+ be able to get the smartcard devices from p11-kit allowed modules and to
+ check their certificate using CA certificates in the ubuntu system ca
+ certificate files (or other configured file).
  
  One more mayor reason to do this, is also that if we fix 20.04 now to
  use the "proper" method, people who will configure smartcard access
  there via SSSD (not easily possible right now) won't be affected by
  future migrations.
+ 
+ [ Proposed Implementations ]
+ 
+ 1) Use p11-kit and openssl for p11_child, by changing the build/test system 
(preferred)
+https://salsa.debian.org/3v1n0-guest/sssd/-/commits/p11-kit-p11_child
+ 
+ 2) Build both versions and package things accordingly (hackish)
+https://salsa.debian.org/3v1n0-guest/sssd/-/commits/p11-kit-p11_child-v1
  
  [ Test case ]
  
  With a smartcard reader available (and with a card in its slot) launch:
   - sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
     --nssdb=/etc/ssl/certs/ca-certificates.crt
  
  The tool should find your card:
  
  (2020-11-26 21:34:22:020395): [p11_child[100729]] [do_card] (0x4000): Module 
List:
  (2020-11-26 21:34:22:020481): [p11_child[100729]] [do_card] (0x4000): common 
name: [p11-kit-trust].
  (2020-11-26 21:34:22:020497): [p11_child[100729]] [do_card] (0x4000): dll 
name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
  (2020-11-26 21:34:22:020569): [p11_child[100729]] [do_card] (0x4000): 
Description [/etc/ssl/certs/ca-certificates.crt  
PKCS#11 Kit ] Manufacturer [PKCS#11 Kit 
] flags [1] removable [false] token present [true].
  (2020-11-26 21:34:22:020611): [p11_child[100729]] [do_card] (0x4000): common 
name: [opensc-pkcs11].
  (2020-11-26 21:34:22:020646): [p11_child[100729]] [do_card] (0x4000): dll 
name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
  (2020-11-26 21:34:22:025443): [p11_child[100729]] [do_card] (0x4000): 
Description [VMware Virtual USB CCID 00 00   
VMware  ] Manufacturer [VMware  
] flags [7] removable [true] token present [true].
  (2020-11-26 21:34:22:025725): [p11_child[100729]] [do_card] (0x4000): Found 
[MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 00][0] of 
module [1][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
  
  Then the tool might fail if the card certificate is not added to the ca-
  certificates.crt, but this is outside the scope of the test case.
  
  What it matters is that the card is found.
  
  [ Regression potential ]
  
- While the change may involve quite different code paths when it comes to 
security features, I think we trust OpenSSL enough to be an acceptable crypto 
backend. And behavior should not change.
- Also assuming that upstream dropped NSS support completely in latest release, 
keeping the same functionalities.
+ While the change may involve quite different code paths when it comes to
+ security features, I think we trust OpenSSL enough to be an acceptable
+ crypto backend for PKCS#11 operations. And behavior should not change
+ (if not improved), also assuming that upstream dropped NSS support
+ completely in latest release, keeping the same functionalities.
  
  The only binary that is really affected in its behavior is