proxy: add support for Smartcard authentication #6633
Conversation
Hi @sumit-bose, could you please rebase this PR (since #6672 was merged)?
(targets 2.9.1+)
Hi @sumit-bose, is this unblocked now, as local auth policy was introduced in d019132?
Thank you. See comments inline, otherwise code-wise ack. Is there any way I can test it without having a smartcard?
src/providers/proxy/proxy_init.c (outdated)

    ret = confdb_get_string(be_ctx->cdb, NULL, be_ctx->conf_path,
                            CONFDB_DOMAIN_LOCAL_AUTH_POLICY,
                            "match", &local_policy);

$ grep -rn \"match\" *
responder/pam/pamsrv_cmd.c:943: "match", &local_policy);
responder/pam/pamsrv_cmd.c:954: } else if (strcasecmp(local_policy, "match") == 0) {
responder/pam/pamsrv_cmd.c:1232: && strcasecmp(local_policy, "match") == 0) {
-- "match", "only", etc. beg for a define, imo...
fixed
I meant in the entire code base, not in 'proxy provider' code locally...
But it can be done in another PR.
@spoore1, IIRC, in the past we briefly mentioned an option to run existing "smart card auth of local user" tests against "proxy" provider and a copr build from this PR.
Hi @spoore1, can you run your tests again with the latest version? If in the same configuration local Smartcard authentication is allowed, then Smartcard authentication is preferred and you should see a PIN prompt. I think this behavior should match the expected behavior with the given configuration. Please let me know if you think some aspects should be explained more explicitly in the man page. bye,
@sumit-bose I don't see the error anymore and it does appear to honor the different settings for local_auth_policy with a smart card inserted (using virtual for this test). Also, my only question about the man page wording is whether local_auth_policy overrides proxy_pam_target if both are specified, like I did in a few tests below?
Hi, thanks for testing. What about adding a paragraph like
to the bye,
@sumit-bose Adding that to the man page for Thanks
Hi, thanks, I added the paragraph in the latest version. bye,
@sumit-bose, could you please also add RN to the commit description?
To be able to do local Smartcard authentication the backend must be able to map a certificate to a user based on the provided mapping rules. With this patch the proxy provider is able to handle the certificate mapping rules and users handled by the proxy provider can be configured for Smartcard authentication. Besides the mapping rule, local Smartcard authentication should be enabled with the 'local_auth_policy' option in the backend and with 'pam_cert_auth' in the PAM responder. :relnote: The proxy provider is now able to handle certificate mapping and matching rules and users handled by the proxy provider can be configured for local Smartcard authentication. Besides the mapping rule, local Smartcard authentication should be enabled with the 'local_auth_policy' option in the backend and with 'pam_cert_auth' in the PAM responder.
The main use case of this NSS module is to run proxy provider tests with cwrap's nss-wrapper. The proxy provider loads the NSS modules directly with dlopen() and is not using glibc's NSS mechanism. Since nss-wrapper just wraps the standard glibc calls and does not provide an NSS module on its own, we have to use this workaround to make the proxy provider work with nss-wrapper. DO NOT USE THIS IN /etc/nsswitch.conf, it will cause an infinite loop.
This patch replaces the deprecated files provider in the PAM responder tests with the proxy provider. The straightforward replacement would be 'proxy_lib_name = files' to use libnss_files.so.2 with the proxy provider. But the tests are using nss-wrapper, which wraps the plain glibc calls. Because of this the test is using a dedicated NSS module to work with nss-wrapper.
With this new boolean option the backends calling confdb_certmap_to_sysdb() can indicate whether the certificate mapping rules should be applied for local users or not, which currently means LDAP-based mapping with a search filter string.
All Smartcard authentication related tests are now run with the proxy provider and the deprecated files provider. If the files provider is removed, the tests can be removed by reverting this patch.
SSSD currently assumes that PAM modules configured for the proxy auth provider expect passwords as input. If a Smartcard is present during the authentication, but local Smartcard authentication is not enabled, the user should see a password prompt.
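The configuration the commit messages above describe, as an added illustration that is not part of the PR or of SSSD's own files: a proxy-provider domain with a certificate mapping rule, `local_auth_policy` in the backend and `pam_cert_auth` in the PAM responder. The option names come from the PR and the sssd.conf / sssd-certmap man pages; the domain name, rule name, PAM target, user name and certificate subject are assumed placeholder values.

```ini
[sssd]
domains = proxydom
services = nss, pam

[pam]
# Let the PAM responder offer Smartcard authentication (PIN prompt)
# when an inserted certificate maps to a user.
pam_cert_auth = True

[domain/proxydom]
id_provider = proxy
auth_provider = proxy
# Use libnss_files.so.2 through the proxy provider (from the PR discussion)
proxy_lib_name = files
# PAM stack the proxy provider forwards password authentication to
# (assumed service name)
proxy_pam_target = sssd-shadowutils
# Without this option the PAM modules behind the proxy are assumed to expect a
# password, so a present Smartcard still yields a password prompt.
# 'match' enables local Smartcard authentication when a mapping rule below
# matches the inserted certificate.
local_auth_policy = match

# Certificate mapping rule now handled by the proxy provider (assumed values):
# matchrule selects the certificates the rule applies to,
# maprule is the search filter used to find the local user.
[certmap/proxydom/smartcard_alice]
matchrule = <SUBJECT>.*CN=alice.*
maprule = (uid=alice)
```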
done
Thank you.
Pushed PR: #6633