On Mon, Sep 14, 2015 at 12:10:31PM +0200, Nikos Mavrogiannopoulos wrote:
> On Mon, 2015-09-14 at 11:46 +0200, Sumit Bose wrote:
> > On Mon, Sep 14, 2015 at 11:25:39AM +0200, Nikos Mavrogiannopoulos wrote:
> > > Hello,
> > > I've been writing some text to integrate freeipa/sssd with openconnect
> > > server [0], and for single password or OTP that seems to integrate
> > > seamlessly. However, when PAM-SSSD is configured to use smart cards,
> > > that only works with locally inserted cards. That is, even if one uses
> > > the smart card to establish the channel used for VPN, the PAM module
> > > wouldn't know that. Would it make sense to use a flag (e.g., via
> > > pam_putenv()) and have the caller of the PAM functions set the
> > > information provided by the certificate used for the session, for SSSD
> > > to assume a card is present? (*)
> >
> > I'm not sure I can follow, can you describe in a bit more detail
> > how it should work?
>
> Hi Sumit,
>
> Let's assume the following scenario. SSSD requires a password + smart
> card to login.
>
> The openconnect server could require the user to use a certificate to
> access the VPN, and for that the administrator configures the
> certificates accepted by ocserv to be the same as the ones accepted by
> SSSD (same CA). So when the user is remote and connects to the VPN he
> has already used the smart card. So when the openconnect server calls
> PAM to authenticate the user, and SSSD is the PAM backend, it may be
> desirable to allow the user to login, since the smart card was present
> remotely, even if it was not present on the system where login is done.
> Is the use case clear?
This sounds similar to the Apache use-case Jan is working on where Apache
verifies that the certificate is valid and the client knows the private
key. In general this sounds similar to cases where the application is
doing the authentication on its own, as e.g. ssh using ssh-keys or general
GSSAPI authentication. In all cases the application just does not call
pam_authenticate() but goes to pam_acct_mgmt() immediately after calling
pam_start(). This way the PAM stack is only used for access control (and
maybe session setup later on) but the authentication step is skipped.

> About the implementation, I don't have a concrete idea, but we will
> need to provide out-of-band information to pam_sssd on whether a
> certificate was used. I saw that pam_putenv() and pam_getenv() were
> there and they look like a good candidate for such data. For example
> the server could call:
> pam_putenv("DN=BASE64(DN)")
> pam_putenv("ISSUER_DN=BASE64(ISSUER-DN)")
> pam_putenv("KEY_HASH=HEX(SHA256(SubjectPublicKeyInfo field))")
>
> and pam_sssd() check, using pam_getenv("DN"), pam_getenv("ISSUER_DN") or
> simply KEY_HASH, whether the strings match the expected user key. Is
> that reasonable?

In the Apache use case mentioned above Apache calls SSSD via DBus to
resolve the user with the help of the certificate, please have a look at
https://fedorahosted.org/sssd/wiki/DesignDocs/LookupUsersByCertificate
for details. Would this work for you as well?

bye,
Sumit

> regards,
> Nikos

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel
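The pam_putenv() strings Nikos proposes above, derived from an actual certificate, as an added example that is not code from the thread, SSSD or ocserv: a minimal DER walk pulls issuer, subject and SubjectPublicKeyInfo out of an X.509 certificate, builds DN=BASE64(DN), ISSUER_DN=BASE64(ISSUER-DN) and KEY_HASH=HEX(SHA256(SubjectPublicKeyInfo)), and shows the module-side comparison against the key on record. The sample certificate is constructed here (unsigned, placeholder key) and all function names are assumptions.

```python
import base64, hashlib, hmac
def der(tag, content):
    # Minimal DER encoder (short and long length forms); only used to build the sample.
    n = len(content)
    lb = b"" if n < 0x80 else n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, n if n < 0x80 else 0x80 | len(lb)]) + lb + content

def der_tlv(buf, pos=0):
    # Decode one TLV at buf[pos]; return (tag, content, end offset).
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_identity_fields(cert_der):
    # Return raw DER of (issuer Name, subject Name, SubjectPublicKeyInfo).
    _, tbs, _ = der_tlv(der_tlv(cert_der)[1])  # Certificate -> tbsCertificate
    fields, pos = [], 0
    while pos < len(tbs):                     # collect top-level tbsCertificate elements
        tag, _, end = der_tlv(tbs, pos)
        fields.append((tag, tbs[pos:end]))
        pos = end
    # drop optional [0] EXPLICIT version; remaining order is serialNumber, signature,
    # issuer, validity, subject, subjectPublicKeyInfo, ...
    fields = [tlv for tag, tlv in fields if tag != 0xA0]
    return fields[2], fields[4], fields[5]

def pam_env_entries(cert_der):
    # The three NAME=VALUE strings the thread proposes handing to pam_putenv().
    issuer, subject, spki = cert_identity_fields(cert_der)
    return ["DN=" + base64.b64encode(subject).decode(),
            "ISSUER_DN=" + base64.b64encode(issuer).decode(),
            "KEY_HASH=" + hashlib.sha256(spki).hexdigest()]

def key_hash_matches(entries, expected_spki_der):
    # Module-side check: compare KEY_HASH against the key on record for the user.
    env = dict(e.split("=", 1) for e in entries)
    return hmac.compare_digest(env.get("KEY_HASH", ""),
                               hashlib.sha256(expected_spki_der).hexdigest())

def name(cn):  # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, commonName only
    atv = der(0x30, der(0x06, bytes.fromhex("550403")) + der(0x0C, cn.encode()))
    return der(0x30, der(0x31, atv))

# Constructed, unsigned sample certificate; a 32-byte placeholder stands in for the key.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2A864886F70D010101"))
                            + der(0x05, b"")) + der(0x03, b"\x00" + b"\x01" * 32))
SIG_ALG = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
SAMPLE_TBS = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + SIG_ALG
                 + name("Example IPA CA") + der(0x30, der(0x17, b"150914000000Z")
                 + der(0x17, b"160914000000Z")) + name("alice") + SAMPLE_SPKI)
SAMPLE_CERT = der(0x30, SAMPLE_TBS + SIG_ALG + der(0x03, b"\x00" * 9))
```

The caller would pass each string from pam_env_entries() to pam_putenv(), and a module would read them back with pam_getenv(); the same DER walk works on any v1 or v3 certificate, not only the constructed sample.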