On Mon, Oct 21, 2019 at 4:25 PM James Cassell <[email protected]> wrote:
> On Mon, Oct 21, 2019, at 1:16 PM, James Ralston wrote: > > > When you say "SSH authentication using the Smart Card", what > > exactly do you mean? > > I mean using the private key on the Smart Card as the SSH > private key. SSSD will convert the userCertificate into SSH > public keys for consumption by openssh. Ah; ok. We don't care about this, because with PKINIT login, the user obtains a Kerberos TGT, and that TGT permits gssapi-with-mic authentication. > PuTTY can do this ticket forwarding. The limiting factor is > convincing the Active Directory team (or the security team) to > enable the checkbox "Trust this computer for delegation to any > service (Kerberos only)" -- there is also an adcli command line > arg to set this option on Computer Account creation, but I've > not tried setting it with adcli. I've gotten this working for > the subset of machines for which InfoSec approved using > the "Trust this computer for delegation to any > service (Kerberos only)" checkbox. Interesting. Is this a setting on the computer object of the target host, or on the (Windows) client where PuTTY is being executed? > (Side note: is there a good guide to setting up NFSv4 w/ auth=krb5p? > I've been wanting to do this instead of forcing cifs/samba into its > place... virtually every NFS guide I've found left things > cleartext.) I wasn't able to find a good guide; we had to puzzle out the configuration ourselves. I can try to write up a guide for that (in my copious free time, ha), but in the meantime, shoot me off-list mail if you have specific questions. > Yes, I'm using opensc [in nssdb]. I only referenced coolkey since > you said your cards were coolkey-based. Understood. > I was also able to get this [smartcard login] working at the > console. I didn't do anything special for the console; it just > worked once the GUI was working. I've been able to get /usr/bin/login to prompt for the username/PIN, but it still fails, even after I enter the correct PIN (that works in gdm). This might be a PAM stack configuration issue, though. I'll have to dig into it further. > I'm in a similar situation... hoping to not write my own nssdb > ansible role, but I'll probably need to write one since I didn't see > a good existing one. I figured out a way to avoid needing to maintain certificates in /etc/pki/nssdb. You only need to do these two things: $ pkcs11-switch opensc $ ln -s /usr/lib64/libnssckbi.so /etc/pki/nssdb/ As long as alternatives is using p11-kit-trust.so: $ alternatives --display libnssckbi.so.x86_64 libnssckbi.so.x86_64 - status is auto. link currently points to /usr/lib64/pkcs11/p11-kit-trust.so /usr/lib64/pkcs11/p11-kit-trust.so - priority 30 /usr/lib64/nss/libnssckbi.so - priority 10 Current `best' version is /usr/lib64/pkcs11/p11-kit-trust.so. …then p11-kit-trust.so will automatically shim the certificate trust database maintained by update-ca-trust(8) into NSSDB. > It's [smartcard logins] certainly not going away anytime soon for > companies who have government, and especially DoD, contracts. Alas, yes. I did finally get full sssd PKINIT logins working with gdm, BTW. Thanks to you (and you, Sumit) for your assistance; it was invaluable. Next step: to write a guide for this and throw it up somewhere (GitHub or Pagure) so that others can contribute and expand it… _______________________________________________ sssd-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
