On 11/30/18 6:14 AM, Sumit Bose wrote:
> On Thu, Nov 29, 2018 at 02:03:09PM -0700, Orion Poplawski wrote:
>> On 11/28/18 11:29 PM, Sumit Bose wrote:
>>> On Wed, Nov 28, 2018 at 04:57:17PM -0700, Orion Poplawski wrote:
>>>> I configured a YubiKey on Windows using the YubiKey minidriver with the
>>>> following certificates:
>>>>
>>>> - my "orion" certificate - went into slot 9a PIV Auth
>>>> - A MacOS keychain cert per their docs - went into slot 9d Key Management
>>>> - Another auth certificate for "orion-admin" - went into slot 82
>>>>
>>>> I'm able to authenticate on Windows as either orion or orion-admin, but on
>>>> Linux with sssd it does not see the orion-admin certificate. What needs to
>>>> happen to support this?
>>>
>>> Which version of SSSD are you using?
>>
>> On F29:
>>
>> sssd-2.0.0-4.fc29.x86_64
>>
>> I get somewhat different behavior. First the gdm login screen presents two
>> certificates:
>>
>> - Certificate for Key Management
>> - Certificate for PIV Authentication
>>
>> but still does not list the admin cert. Also, I don't believe it should list
>> the Key Management cert because it is not flagged for smart card
>> authentication.
>
> Do you mean the labels 'Certificate for PIV Authentication' and
> 'Certificate for Key Management' by 'flagged'?
>
> SSSD only looks at the content of the certificate and by default uses
> everything with key usage digitalSignature and extended key usage
> clientAuth. With F29 you can modify this by adding mapping and matching
> rules to sssd.conf, see the 'CERTIFICATE MAPPING SECTION' in man
> sssd.conf for details.
The certificate in slot 9d Key Management is not flagged with key usage
Digital Signature or Client Auth:
# p11tool --provider opensc-pkcs11.so --export \
'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=d75c91b27c25efbd;token=Orion%20Poplawski;id=%03;object=Certificate%20for%20Key%20Management;type=cert' \
| openssl x509 -in /dev/stdin -purpose -noout -text
X509v3 Extended Key Usage:
Microsoft Encrypted File System
X509v3 Key Usage: critical
Key Encipherment
so it should not be listed. I don't have any certmap sections so I'm just
using the default. Now - is gdm going through sssd to display the available
certificates, or is it doing its own thing?
>>> Can you send the output of
>>>
>>> p11tool --list-all --provider opensc-pkcs11.so
>
> The slots for the retired keys are not visible. I've found
> https://github.com/OpenSC/OpenSC/issues/847#issuecomment-238119888 with
> a command which made the slots visible for PKCS#11 on my Yubikey.
> Nevertheless the type is still data even after importing a certificate
> with 'yubico-piv-tool -a import-certificate'. Maybe this is different
> when using the Windows driver?
I'm sorry, I can't determine what needs to be done to make the slot visible
from the link above.
> Since you already reached out to Yubico you might want to ask as well
> what needs to be done to make the certificates and private keys stored
> in the retired slots properly available as certificate and private key
> on the PKCS#11 level.
>
The latest response from Yubico is:
If you enrolled certificates on a Windows system utilizing the YubiKey Smart
Card Minidriver, this would explain why your certificates are showing in those
slots. Microsoft doesn't follow the NIST standard when enrolling certificates
to a Smart card, they rely on a container map file that records the location
and EKU (OIDS) from a certificate to present to Windows what they are
available to be used for authentication. This is how you can have multiple
authentication certificates (9a) with the Minidriver vs without.
I have asked for clarification on this "container map file".
--
Orion Poplawski
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane [email protected]
Boulder, CO 80301 https://www.nwra.com/
sssd-users mailing list -- [email protected]
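The default selection rule Sumit describes (key usage digitalSignature plus extended key usage clientAuth) can be checked against any exported certificate with the same openssl tooling used above. The script below is an added example, not code from the thread or from SSSD; it assumes OpenSSL 1.1.1 or newer on PATH and builds two constructed self-signed certificates that mirror the PIV Authentication and Key Management certs discussed.

```shell
#!/bin/sh
# Added example: reproduce SSSD's default certificate rule (KU digitalSignature
# AND EKU clientAuth) on a PEM file, so one can predict whether the gdm/sssd
# chooser would list a given smart-card certificate. Assumes OpenSSL >= 1.1.1
# for the -ext and -addext options.

# Print "match" if the default rule would offer the certificate for login,
# "skip" otherwise. Always returns 0 so it composes cleanly under set -e.
sssd_default_selects() {
    cert="$1"
    ku=$(openssl x509 -in "$cert" -noout -ext keyUsage 2>/dev/null || true)
    eku=$(openssl x509 -in "$cert" -noout -ext extendedKeyUsage 2>/dev/null || true)
    case "$ku"  in *"Digital Signature"*)           has_ds=1 ;; *) has_ds=0 ;; esac
    case "$eku" in *"TLS Web Client Authentication"*) has_ca=1 ;; *) has_ca=0 ;; esac
    if [ "$has_ds" = 1 ] && [ "$has_ca" = 1 ]; then echo match; else echo skip; fi
}

# Constructed sample certificate: out.pem, CN, keyUsage list, extendedKeyUsage list.
make_demo_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 1 -subj "/CN=$2" \
        -addext "keyUsage=critical,$3" -addext "extendedKeyUsage=$4" 2>/dev/null
}

DEMO_DIR=$(mktemp -d)
AUTH_CRT="$DEMO_DIR/piv-auth.pem"    # like slot 9a: digitalSignature + clientAuth
KM_CRT="$DEMO_DIR/key-mgmt.pem"      # like slot 9d: keyEncipherment + Microsoft EFS
make_demo_cert "$AUTH_CRT" "orion"    digitalSignature clientAuth
make_demo_cert "$KM_CRT"   "orion-km" keyEncipherment  msEFS

echo "PIV Authentication cert: $(sssd_default_selects "$AUTH_CRT")"   # match
echo "Key Management cert:     $(sssd_default_selects "$KM_CRT")"     # skip
```

Point `sssd_default_selects` at the PEM produced by the p11tool/openssl pipeline above to check a real token's certificate the same way.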