Performing verification on Focal (20.04) as described in test steps.
Local test system has a 4th generation Yubikey attached.
The Yubikey is a smartcard reader with an integrated card.
There is a certificate on the card, issued by an internal, non-default CA.
# # Install `p11-kit` for test case use.
# apt install p11-kit
# apt-cache policy p11-kit | grep Installed:
Installed: 0.23.20-1ubuntu0.1
# # Install `ykcs11` for Yubikey smartcard use on system.
# # This could also be `opensc` or any other module package.
# apt install ykcs11
# apt-cache policy ykcs11 | grep Installed:
Installed: 2.0.0-2
# # Allow auto-discovery of ykcs11 PKCS#11 module:
# echo 'module: ../libykcs11.so' > \
/usr/share/p11-kit/modules/ykcs11.module
# # Install SSSD from -updates.
# apt install sssd/focal-updates
# apt-cache policy sssd | grep Installed:
Installed: 2.2.3-3ubuntu0.3
# # Execute described test case.
# p11-kit list-modules | grep -Eve '^ '
p11-kit-trust: p11-kit-trust.so
library-description: PKCS#11 Kit Trust Module
library-manufacturer: PKCS#11 Kit
library-version: 0.23
token: System Trust
ykcs11: ../libykcs11.so
library-description: PKCS#11 PIV Library (SP-800-73)
library-manufacturer: Yubico (www.yubico.com)
library-version: 2.0
token: YubiKey PIV #1234567
# sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/ssl/certs/ca-certificates.crt
(Sat Feb 27 14:21:22:579260 2021) [[sssd[p11_child[3511]]]] [main] (0x0400):
p11_child started.
(Sat Feb 27 14:21:22:579307 2021) [[sssd[p11_child[3511]]]] [main] (0x2000):
Running in [pre-auth] mode.
(Sat Feb 27 14:21:22:579315 2021) [[sssd[p11_child[3511]]]] [main] (0x2000):
Running with effective IDs: [0][0].
(Sat Feb 27 14:21:22:579322 2021) [[sssd[p11_child[3511]]]] [main] (0x2000):
Running with real IDs [0][0].
(Sat Feb 27 14:21:22:581129 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000):
Default Module List:
(Sat Feb 27 14:21:22:581145 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000):
common name: [NSS Internal PKCS #11 Module].
(Sat Feb 27 14:21:22:581151 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000):
dll name: [(null)].
(Sat Feb 27 14:21:22:581156 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000):
Dead Module List:
(Sat Feb 27 14:21:22:581160 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000):
DB Module List:
(Sat Feb 27 14:21:22:581165 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000):
common name: [NSS Internal Module].
(Sat Feb 27 14:21:22:581170 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000):
dll name: [(null)].
(Sat Feb 27 14:21:22:581175 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000):
Description [NSS Internal Cryptographic Services
Mozilla Foundation ] Manufacturer [Mozilla Foundation
] flags [9] removable [false] token present [true].
(Sat Feb 27 14:21:22:581182 2021) [[sssd[p11_child[3511]]]] [do_card] (0x4000):
Description [NSS User Private Key and Certificate Services
Mozilla Foundation ] Manufacturer [Mozilla Foundation
] flags [9] removable [false] token present [true].
(Sat Feb 27 14:21:22:581188 2021) [[sssd[p11_child[3511]]]] [do_card] (0x0040):
No removable slots found.
(Sat Feb 27 14:21:22:581193 2021) [[sssd[p11_child[3511]]]] [main] (0x0040):
do_work failed.
(Sat Feb 27 14:21:22:581198 2021) [[sssd[p11_child[3511]]]] [main] (0x0020):
p11_child failed!
# # In-place upgrade SSSD from -proposed.
# apt install sssd/focal-proposed
# apt-cache policy sssd | grep Installed:
Installed: 2.2.3-3ubuntu0.4
# # Execute described test case.
# p11-kit list-modules | grep -Eve '^ '
p11-kit-trust: p11-kit-trust.so
library-description: PKCS#11 Kit Trust Module
library-manufacturer: PKCS#11 Kit
library-version: 0.23
token: System Trust
ykcs11: ../libykcs11.so
library-description: PKCS#11 PIV Library (SP-800-73)
library-manufacturer: Yubico (www.yubico.com)
library-version: 2.0
token: YubiKey PIV #1234567
# sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/ssl/certs/ca-certificates.crt
(Sat Feb 27 14:23:47:854078 2021) [p11_child[4287]] [main] (0x0400): p11_child
started.
(Sat Feb 27 14:23:47:854240 2021) [p11_child[4287]] [main] (0x2000): Running in
[pre-auth] mode.
(Sat Feb 27 14:23:47:854267 2021) [p11_child[4287]] [main] (0x2000): Running
with effective IDs: [0][0].
(Sat Feb 27 14:23:47:854275 2021) [p11_child[4287]] [main] (0x2000): Running
with real IDs [0][0].
(Sat Feb 27 14:23:47:864786 2021) [p11_child[4287]] [do_card] (0x4000): Module
List:
(Sat Feb 27 14:23:47:878057 2021) [p11_child[4287]] [do_card] (0x4000): common
name: [p11-kit-trust].
(Sat Feb 27 14:23:47:879047 2021) [p11_child[4287]] [do_card] (0x4000): dll
name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(Sat Feb 27 14:23:47:879072 2021) [p11_child[4287]] [do_card] (0x4000):
Description [/etc/ssl/certs/ca-certificates.crt
PKCS#11 Kit ] Manufacturer [PKCS#11 Kit
] flags [1] removable [false] token present [true].
(Sat Feb 27 14:23:47:879084 2021) [p11_child[4287]] [do_card] (0x4000): common
name: [ykcs11].
(Sat Feb 27 14:23:47:879090 2021) [p11_child[4287]] [do_card] (0x4000): dll
name: [/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:48:000140 2021) [p11_child[4287]] [do_card] (0x4000):
Description [Yubico YubiKey CCID 00 00
Yubico (www.yubico.com) ] Manufacturer [Yubico (www.yubico.com)
] flags [7] removable [true] token present [true].
(Sat Feb 27 14:23:48:001134 2021) [p11_child[4287]] [do_card] (0x4000): Found
[YubiKey PIV #1234567] in slot [Yubico YubiKey CCID 00 00][0] of module
[1][/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:49:076508 2021) [p11_child[4287]] [do_card] (0x4000): Login
NOT required.
(Sat Feb 27 14:23:49:076640 2021) [p11_child[4287]] [read_certs] (0x4000):
found cert[X.509 Certificate for PIV
Authentication][/DC=com/DC=example/OU=Struct/CN=Valters Jansons]
(Sat Feb 27 14:23:49:076706 2021) [p11_child[4287]] [do_verification] (0x0040):
X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076715 2021) [p11_child[4287]] [do_verification] (0x0040):
X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076722 2021) [p11_child[4287]] [read_certs] (0x0040):
Certificate [X.509 Certificate for PIV
Authentication][/DC=com/DC=example/OU=Struct/CN=Valters Jansons] not valid,
skipping.
(Sat Feb 27 14:23:49:076766 2021) [p11_child[4287]] [read_certs] (0x4000):
found cert[X.509 Certificate for PIV Attestation][/CN=Yubico PIV Attestation]
(Sat Feb 27 14:23:49:076781 2021) [p11_child[4287]] [do_verification] (0x0040):
X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076787 2021) [p11_child[4287]] [do_verification] (0x0040):
X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076793 2021) [p11_child[4287]] [read_certs] (0x0040):
Certificate [X.509 Certificate for PIV Attestation][/CN=Yubico PIV Attestation]
not valid, skipping.
(Sat Feb 27 14:23:49:076823 2021) [p11_child[4287]] [read_certs] (0x4000):
found cert[X.509 Certificate for PIV Attestation 9a][/CN=YubiKey PIV
Attestation 9a]
(Sat Feb 27 14:23:49:076837 2021) [p11_child[4287]] [do_verification] (0x0040):
X509_verify_cert failed [0].
(Sat Feb 27 14:23:49:076843 2021) [p11_child[4287]] [do_verification] (0x0040):
X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076849 2021) [p11_child[4287]] [read_certs] (0x0040):
Certificate [X.509 Certificate for PIV Attestation 9a][/CN=YubiKey PIV
Attestation 9a] not valid, skipping.
(Sat Feb 27 14:23:49:076859 2021) [p11_child[4287]] [do_card] (0x4000): No
certificate found.
As described in test case outcome 2, trust of the card is outside of the
verification scope -- what matters here is that the card and certificate are
seen once p11-kit identifies that the token is there.
As a result, even though the certificate is considered invalid/unusable,
this verifies that the focal-proposed package finds the card and the
certificate slots on it.
** Tags removed: verification-needed verification-needed-focal
** Tags added: verification-done verification-done-focal
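Added example for this verification, not code from the bug report, SSSD or p11-kit: a small POSIX sh checker that classifies a p11_child pre-auth debug log the way the session above does by hand. The function names are this example's own, and the two log excerpts are constructed from the output shown in the session (the -updates run that reports "No removable slots found" and the -proposed run that finds the YubiKey but skips its certificates).

```shell
#!/bin/sh
# Added example (not from the bug report or from SSSD/p11-kit): classify the
# outcome of the p11_child pre-auth test case from its debug output.
#
# Real usage: sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
#                 --nssdb=/etc/ssl/certs/ca-certificates.crt 2>p11.log
#             check_p11_child_log p11.log

# 0 if p11_child located a token in a slot of some PKCS#11 module.
card_found() {
    grep -q 'Found \[.*] in slot \[' "$1"
}

# Print the label of the first token found, if any.
found_token() {
    sed -n 's/.*Found \[\([^]]*\)] in slot.*/\1/p' "$1" | head -n 1
}

# 0 if p11_child ended up with at least one usable certificate, i.e. no
# "not valid, skipping" verdict and no final "No certificate found".
cert_verified() {
    ! grep -q 'not valid, skipping' "$1" && ! grep -q 'No certificate found' "$1"
}

# Test case verdict: the card must be found; certificate trust is reported
# only as information, since it depends on the CA file / certmap configuration
# and is outside the test case (outcome 2 above).
check_p11_child_log() {
    log=$1
    if grep -q 'No removable slots found' "$log"; then
        echo "FAIL: no removable slot seen (NSS backend without a system NSS DB?)"
        return 1
    fi
    if ! card_found "$log"; then
        echo "FAIL: no token found in any PKCS#11 module slot"
        return 1
    fi
    echo "PASS: token [$(found_token "$log")] found"
    if cert_verified "$log"; then
        echo "INFO: card certificate verified against the --nssdb CA file"
    else
        echo "INFO: card certificate skipped as unverifiable (issuer CA not in --nssdb file); outside this test case"
    fi
    return 0
}

# Constructed sample excerpts, modelled on the session above.
NSS_LOG=$(mktemp) && PROPOSED_LOG=$(mktemp)
trap 'rm -f "$NSS_LOG" "$PROPOSED_LOG"' EXIT
cat >"$NSS_LOG" <<'EOF'
(Sat Feb 27 14:21:22:581188 2021) [[sssd[p11_child[3511]]]] [do_card] (0x0040): No removable slots found.
(Sat Feb 27 14:21:22:581193 2021) [[sssd[p11_child[3511]]]] [main] (0x0040): do_work failed.
(Sat Feb 27 14:21:22:581198 2021) [[sssd[p11_child[3511]]]] [main] (0x0020): p11_child failed!
EOF
cat >"$PROPOSED_LOG" <<'EOF'
(Sat Feb 27 14:23:48:001134 2021) [p11_child[4287]] [do_card] (0x4000): Found [YubiKey PIV #1234567] in slot [Yubico YubiKey CCID 00 00][0] of module [1][/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so].
(Sat Feb 27 14:23:49:076508 2021) [p11_child[4287]] [do_card] (0x4000): Login NOT required.
(Sat Feb 27 14:23:49:076715 2021) [p11_child[4287]] [do_verification] (0x0040): X509_verify_cert failed [20][unable to get local issuer certificate].
(Sat Feb 27 14:23:49:076722 2021) [p11_child[4287]] [read_certs] (0x0040): Certificate [X.509 Certificate for PIV Authentication][/DC=com/DC=example/OU=Struct/CN=Valters Jansons] not valid, skipping.
(Sat Feb 27 14:23:49:076859 2021) [p11_child[4287]] [do_card] (0x4000): No certificate found.
EOF

# Stand-alone demonstration: the -updates log fails, the -proposed log passes.
for f in "$NSS_LOG" "$PROPOSED_LOG"; do
    check_p11_child_log "$f" || true
done
```

The "No removable slots found" line is the signature of the NSS-backed p11_child from -updates, which only sees the NSS internal modules; the "Found [...] in slot" line only appears once p11_child enumerates p11-kit modules, as the -proposed log shows. Note that the `module: ../libykcs11.so` path in the .module file is resolved relative to p11-kit's module directory, which is why the -proposed log reports the dll as `/usr/lib/x86_64-linux-gnu/pkcs11/../libykcs11.so`.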
https://bugs.launchpad.net/bugs/1905790
Title:
Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for
p11_child
Status in ca-certificates package in Ubuntu:
New
Status in sssd package in Ubuntu:
Fix Released
Status in ca-certificates source package in Focal:
New
Status in sssd source package in Focal:
Fix Committed
Bug description:
[ Impact ]
In 20.04, SSSD supports two security backends: NSS and OpenSSL
(speaking in the past tense, as upstream has dropped NSS support completely).
Those two backends are used for various generic crypto features (so
they are interchangeable), but also for the management of the PKCS#11
modules for smart cards.
In this case, the main problem is that by using NSS it also relies on
the presence of a "system NSS" database [1], which is something present
in Fedora and RHEL, but not in Ubuntu or generic Linux distributions.
In order to make SSSD find a smart card module, we would then need to
create such a database that mentions a p11-kit proxy, which will eventually load
the p11-kit module, and then add the card CA certificate to the same DB (see
more details in [2]).
And even in such a case... it will not work at the login phase.
This is making support for Smart-card based authentication in 20.04
quite complicated, and hard to implement in professional environments
(see bug #1865226).
As per this, recompiling SSSD's p11_child to use OpenSSL (as already
happens starting from 20.10) would be enough to make this
tool (the one in charge of smartcard authentication and certificate
matching) able to get the smartcard devices from p11-kit allowed
modules and to check their certificate using CA certificates in the
Ubuntu system CA certificate files (or another configured file).
One more major reason to do this is that if we fix 20.04 now to
use the "proper" method, people who will configure smartcard access
there via SSSD (not easily possible right now) won't be affected by
future migrations.
[ Proposed Implementations ]
1) Use p11-kit and openssl for p11_child, by changing the build/test system
(preferred)
https://salsa.debian.org/3v1n0-guest/sssd/-/commits/p11-kit-p11_child
2) Build both versions and package things accordingly (hackish)
https://salsa.debian.org/3v1n0-guest/sssd/-/commits/p11-kit-p11_child-v1
3) Recompile SSSD completely to use libcrypto as backend
Option 3) has finally been chosen, but we also require migration
scripts on upgrade.
[ Test case ]
With a smartcard reader available (and with a card in its slot) as reported
by:
$ p11-kit list-modules
launch:
$ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/ssl/certs/ca-certificates.crt
The tool should find your card:
(2020-11-26 21:34:22:020395): [p11_child[100729]] [do_card] (0x4000): Module
List:
(2020-11-26 21:34:22:020481): [p11_child[100729]] [do_card] (0x4000): common
name: [p11-kit-trust].
(2020-11-26 21:34:22:020497): [p11_child[100729]] [do_card] (0x4000): dll
name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(2020-11-26 21:34:22:020569): [p11_child[100729]] [do_card] (0x4000):
Description [/etc/ssl/certs/ca-certificates.crt
PKCS#11 Kit ] Manufacturer [PKCS#11 Kit
] flags [1] removable [false] token present [true].
(2020-11-26 21:34:22:020611): [p11_child[100729]] [do_card] (0x4000): common
name: [opensc-pkcs11].
(2020-11-26 21:34:22:020646): [p11_child[100729]] [do_card] (0x4000): dll
name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
(2020-11-26 21:34:22:025443): [p11_child[100729]] [do_card] (0x4000):
Description [VMware Virtual USB CCID 00 00
VMware ] Manufacturer [VMware
] flags [7] removable [true] token present [true].
(2020-11-26 21:34:22:025725): [p11_child[100729]] [do_card] (0x4000): Found
[MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 00][0] of
module [1][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
Then:
1) If you previously configured SSSD match rules and/or CA certificates:
- You should still get your certificate public key printed as output
- Configured login with smartcard should continue working
2) If SSSD was not configured to do smartcard authentication:
- p11_child may fail if the card certificate was not previously added to
the trusted DB, but this is outside of this test case.
- What matters is that the card is found.
[ Regression potential ]
While the change may involve quite different code paths when it comes
to security features, I think we trust OpenSSL enough to be an
acceptable crypto backend for PKCS#11 operations. Behavior should not
change, also assuming that upstream dropped NSS support completely in
the latest release [3], keeping the same functionalities.
As per a further review of this by xnox [4], we can safely assume that
SSSD does not use libcrypto for operations where its behavior should
differ from NSS, as it's needed only for certificate handling.
The only binary that is really affected in its behavior is p11_child
(as per p11-kit usage instead of NSS for getting PKCS#11 modules).
So this change will break only those setups (if there are any, given
that smartcard access is currently not supported by Ubuntu) that have
been manually configured using an unsupported system NSS DB.
While we're providing a post-install script that migrates the possibly
configured NSS CA certificates, there could still be possible
regressions:
1) certificates not being handled (referenced) in the same way, for example
in the SSSD certmap: the mapping between users and their certificate could
change, so a user is no longer able to access the system, not being
correctly associated to a certificate.
-> This can be fixed by adapting the [certmap/*/*] options in
sssd.conf
2) custom p11-kit modules configured as allowed in the NSS database and not
recognized by p11-kit won't be accepted anymore, so again login won't work,
as p11_child won't find a module.
-> Modules can be added by creating .module files in
/usr/share/p11-kit/modules/
So 1) can be the major concern here, even though I assume the few
custom installations that there might be around can be adapted to
this; in case this proves to be an important regression we can go back
to using NSS as backend for libsss_certs, but still using p11-kit +
OpenSSL for p11_child.
Instead, 2) is a smaller problem to handle: in case of a regression
we can think of listing all the modules added to the NSS database and,
if there are any, generating a module file for each, but I'd prefer to
avoid this unless needed, as we should trust them.
Said this, given the fact that there are probably no known
implementations using this system for authentication in Ubuntu, I'm
confident that we can accept those two regressions as they are, while
being prepared to handle them (as described) if they end up being
real concerns.
[1]
https://github.com/SSSD/sssd/blob/sssd-2_3_1/src/responder/pam/pamsrv.c#L53
[2]
https://hackmd.io/@3v1n0/ubuntu-smartcard-login#NSS-Database-to-be-deprecated-post-2004
[3] https://github.com/SSSD/sssd/issues/1041
[4] https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1905790/comments/10