On Fri, Jul 10, 2015 at 06:40:30PM +0200, Sumit Bose wrote:
> Hi,
> this is the initial version of my patches which add Smartcard
> authentication to SSSD. I'm still working on a design page which will
> explain everything in more detail, so I will only add a short version
> here.
> The main job will be done by a new child process called p11_child. Since
> the Smartcard support in GDM is based on NSS, I used NSS for the first
> version of p11_child as well. But since all PKCS#11 (API to talk to
> Smartcards) related code is in this child process, adding support for
> other PKCS#11 frameworks like p11-kit would be straightforward (in fact
> I already started on the p11-kit version). Using NSS here means you have
> to add the PKCS#11 module for your Smartcard reader to /etc/pki/nssdb
> (the NSS DB GDM uses as well) with modutil or pk11install from the
> coolkey package.
> The PAM configuration so far must not be changed. pam_sss will do a
> pre-auth request similar to the OTP case to find a suitable
> authentication method for the user. The pam responder then checks if
> Smartcard authentication is enabled (pam_cert_auth = True in the [pam]
> section of sssd.conf), if the service is a local one, and if a
> valid certificate can be found which is available in the user's LDAP
> entry as well. If all these checks pass, pam_sss will ask the user for a
> PIN and then SSSD tries to validate that the PIN, public and private keys
> all relate to each other. If no Smartcard is found for the user, the
> standard password prompt is displayed.
> With some valuable input from Christian Heimes I think I found a way to
> test the Smartcard support even without real hardware, but I still have
> to work out some of the details. I will add instructions to the design
> page and better and more unit tests.
> Any comments and suggestions are welcome.
Please find attached an improved version of the patches. In particular
there are improvements to the test: the return values from the p11_child
are not mocked but use the actual retrieved certificate data. The test data
causes some increase in the patch size. I plan to replace this with data
which is generated during the test run, but for a start it is easier this
way.
I also added a 7th patch which should resolve
https://fedorahosted.org/sssd/ticket/2711 (SSH with certificates).
Strictly speaking it is not related to Smartcard authentication via PAM, but it
depends on the NSS version of the cert utilities (patch 0001), so I
included it here as well.
On the design page I added the 'How to test' section
https://fedorahosted.org/sssd/wiki/DesignDocs/SmartcardAuthenticationStep...
which hopefully gives sufficient details on how to set up a test
environment.
bye,
Sumit
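The pre-auth decision described in the first mail (pam_cert_auth in the [pam] section, local service, a card certificate that also appears in the user's LDAP entry, otherwise the password prompt) as an added Python model; this is example code, not part of the SSSD patches. The set of "local" services, the sssd.conf text and the certificate bytes are constructed assumptions, and certificates are compared byte-for-byte as DER.

```python
import configparser
from typing import Optional, Sequence, Tuple

# Services this example treats as "local" (an assumption for illustration;
# the real pam responder decides this in SSSD's own code).
LOCAL_SERVICES = {"login", "gdm-password", "gdm-smartcard"}

# Constructed sample data: neither real certificates nor a real sssd.conf.
CONF_ENABLED = "[sssd]\nservices = nss, pam\n\n[pam]\npam_cert_auth = True\n"
CONF_DISABLED = "[sssd]\nservices = nss, pam\n\n[pam]\n"
CARD_CERT = b"\x30\x82\x01\x00CONSTRUCTED-CARD-CERT-DER"
OTHER_CERT = b"\x30\x82\x01\x00CONSTRUCTED-OTHER-CERT-DER"


def cert_auth_enabled(sssd_conf_text: str) -> bool:
    """True when pam_cert_auth = True is set in the [pam] section of sssd.conf."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(sssd_conf_text)
    # Missing section or option means the feature is off.
    return cp.getboolean("pam", "pam_cert_auth", fallback=False)


def select_prompt(sssd_conf_text: str, service: str,
                  card_certs_der: Sequence[bytes],
                  ldap_certs_der: Sequence[bytes]) -> Tuple[str, Optional[bytes]]:
    """Model the pre-auth decision: ("pin", matching_cert) when Smartcard
    authentication can be offered, otherwise ("password", None)."""
    if not cert_auth_enabled(sssd_conf_text):
        return ("password", None)      # feature switched off in sssd.conf
    if service not in LOCAL_SERVICES:
        return ("password", None)      # only local services get the PIN prompt
    known = set(ldap_certs_der)        # userCertificate values from LDAP (DER)
    for der in card_certs_der:         # certificates read from the card
        if der in known:
            return ("pin", der)        # card cert matches the user's LDAP entry
    return ("password", None)          # no usable card cert: standard prompt


if __name__ == "__main__":
    print(select_prompt(CONF_ENABLED, "login", [CARD_CERT], [OTHER_CERT, CARD_CERT]))
    print(select_prompt(CONF_ENABLED, "login", [CARD_CERT], [OTHER_CERT]))
```

The PIN check itself (that PIN, public key and private key belong together) is done by p11_child against the card and is not modelled here.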