On 11/30/18 6:14 AM, Sumit Bose wrote:
> On Thu, Nov 29, 2018 at 02:03:09PM -0700, Orion Poplawski wrote:
>> On 11/28/18 11:29 PM, Sumit Bose wrote:
>>> On Wed, Nov 28, 2018 at 04:57:17PM -0700, Orion Poplawski wrote:
>>>> I configured a YubiKey on Windows using the YubiKey minidriver with the
>>>> following certificates:
>>>> - my "orion" certificate - went into slot 9a PIV Auth
>>>> - A MacOS keychain cert per their docs - went into slot 9d Key Management
>>>> - Another auth certificate for "orion-admin" - went into slot 82
>>>> I'm able to authenticate on Windows as either orion or orion-admin, but
>>>> Linux with sssd does not see the orion-admin certificate. What needs to
>>>> happen to support this?
>>> Which version of SSSD are you using?
>> On F29:
>> I get somewhat different behavior. First the gdm login screen presents two:
>> - Certificate for Key Management
>> - Certificate for PIV Authentication
>> but still does not list the admin cert. Also, I don't believe it should list
>> the Key Management cert because it is not flagged for smart card authentication.
> Do you mean the labels 'Certificate for PIV Authentication' and
> 'Certificate for Key Management' by 'flagged'?
> SSSD only looks at the content of the certificate and by default uses
> everything with key usage digitalSignature and extended key usage
> clientAuth. With F29 you can modify this by adding mapping and matching
> rules to sssd.conf, see the 'CERTIFICATE MAPPING SECTION' in man
> sssd.conf for details.
The certificate in slot 9d Key Management is not flagged with key usage
Digital Signature or Client Auth:
    # p11tool --provider opensc-pkcs11.so --export
    | openssl x509 -in /dev/stdin -purpose -noout -text
    X509v3 Extended Key Usage:
        Microsoft Encrypted File System
    X509v3 Key Usage: critical
so it should not be listed. I don't have any certmap sections so I'm just
using the default. Now - is gdm going through sssd to display the available
certificates, or is it doing its own thing?
>>> Can you send the output of
>>> p11tool --list-all --provider opensc-pkcs11.so
> The slots for the retired keys are not visible. I've found
> a command which made the slots visible for PKCS#11 on my Yubikey.
> Nevertheless the type is still data even after importing a certificate
> with 'yubico-piv-tool -a import-certificate'. Maybe this is different
> when using the Windows driver?
I'm sorry, I can't determine what needs to be done to make the slot visible
from the link above.
> Since you already reached out to Yubico you might want to ask as well
> what needs to be done to make the certificates and private keys stored
> in the retired slots properly available as certificate and private key
> on the PKCS#11 level.
The latest response from Yubico is:
If you enrolled certificates on a Windows system utilizing the YubiKey Smart
Card Minidriver, this would explain why your certificates are showing in those
slots. Microsoft doesn't follow the NIST standard when enrolling certificates
to a Smart card; they rely on a container map file that records the location
and EKU (OIDs) from a certificate to present to Windows what they are
available to be used for (authentication). This is how you can have multiple
authentication certificates (9a) with the Minidriver vs without.
I have asked for clarification on this "container map file".
Manager of NWRA Technical Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
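An added example, not code from this thread or from SSSD itself, that applies the default matching rule Sumit describes (key usage digitalSignature plus extended key usage clientAuth) to hand-constructed DER values of the KeyUsage and ExtendedKeyUsage extensions mirroring the PIV Authentication and Key Management certificates above; the function names and the extension bytes are assumptions, and the result shows why the Key Management cert (EKU Microsoft EFS, no digitalSignature) is excluded by that rule.

```python
# Added example (not SSSD's own code): apply SSSD's default certificate
# matching rule (KU digitalSignature + EKU clientAuth) to DER-encoded
# KeyUsage / ExtendedKeyUsage extension values constructed to mirror the
# PIV Authentication and Key Management certificates from the thread.

OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"          # id-kp-clientAuth
OID_MS_EFS = "1.3.6.1.4.1.311.10.3.4"          # Microsoft Encrypted File System
DIGITAL_SIGNATURE_BIT = 0                      # RFC 5280 KeyUsage bit 0

def der_tlv(data, pos=0):
    """Decode one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag, length, pos = data[pos], data[pos + 1], pos + 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(data[pos:pos + n], "big"), pos + n
    return tag, data[pos:pos + length], pos + length

def decode_oid(value):
    """Convert the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:                        # base-128, high bit = continue
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def key_usage_bits(der):
    """KeyUsage is a BIT STRING; return the set of bit positions that are set."""
    tag, value, _ = der_tlv(der)
    assert tag == 0x03, "KeyUsage must be a BIT STRING"
    unused, payload = value[0], value[1:]      # first byte = unused-bit count
    bits, nbits = int.from_bytes(payload, "big"), 8 * len(payload)
    return {i for i in range(nbits - unused) if bits >> (nbits - 1 - i) & 1}

def extended_key_usage(der):
    """ExtendedKeyUsage is a SEQUENCE OF OID; return the OIDs in dotted form."""
    tag, seq, _ = der_tlv(der)
    assert tag == 0x30, "ExtendedKeyUsage must be a SEQUENCE"
    oids, pos = [], 0
    while pos < len(seq):
        _, value, pos = der_tlv(seq, pos)
        oids.append(decode_oid(value))
    return oids

def sssd_default_match(ku_der, eku_der):
    """SSSD's default rule: <KU>digitalSignature<EKU>clientAuth."""
    return (DIGITAL_SIGNATURE_BIT in key_usage_bits(ku_der)
            and OID_CLIENT_AUTH in extended_key_usage(eku_der))

PIV_AUTH_KU = bytes.fromhex("030205a0")        # constructed: digitalSignature, keyEncipherment
PIV_AUTH_EKU = bytes.fromhex("300a06082b06010505070302")      # constructed: clientAuth
KEY_MGMT_KU = bytes.fromhex("03020520")        # constructed: keyEncipherment only
KEY_MGMT_EKU = bytes.fromhex("300c060a2b0601040182370a0304")  # constructed: MS EFS
```

Running sssd_default_match on the two pairs returns True for the PIV Authentication values and False for the Key Management values, which is the behaviour Orion expects from gdm.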