PAM: use PKCS#11 URIs to restrict certificate selection #671
Closed
sumit-bose wants to merge 10 commits into SSSD:master from
The --wait_for_card option will let the p11_child wait until a Smartcard/token is available in a slot with the removable flag. Related to https://pagure.io/SSSD/sssd/issue/3650
If the --wait_for_card is used to call p11_child the PAM responder should be prepared to wait longer until p11_child can return successfully. Related to https://pagure.io/SSSD/sssd/issue/3650
To allow the PAM responder to act on the config flags set for pam_sss the flags have to be made public first. Related to https://pagure.io/SSSD/sssd/issue/3650
With this new option pam_sss can be configured to only do Smartcard authentication or return an error if this is not possible. Related to https://pagure.io/SSSD/sssd/issue/3650
With this new option pam_sss will wait until a Smartcard is available and then try to authenticate with the help of the Smartcard. Related to https://pagure.io/SSSD/sssd/issue/3650
Integration test for the new try_cert_auth and require_cert_auth options for pam_sss. Related to https://pagure.io/SSSD/sssd/issue/3650
The patch only adds debug messages where the PKCS#11 URI of the selected certificates is shown. The output should help to create suitable URIs to restrict the selection. Related to https://pagure.io/SSSD/sssd/issue/3814
p11_child gets a new option to restrict the selection of certificates with the help of a PKCS#11 URI. Related to https://pagure.io/SSSD/sssd/issue/3814
This patch adds a new option 'p11_uri' to the PAM responder to restrict the selection of certificates in p11_child with the help of a PKCS#11 URI. Related to https://pagure.io/SSSD/sssd/issue/3814
New PAM responder unit test to test the selection of certificates with the help of PKCS#11 URIs. For this a new SoftHSM2 configuration with 2 slots is created. The new tests will try to access the certificates stored in the slot individually. Related to https://pagure.io/SSSD/sssd/issue/3814
Contributor
retest this please
Author
Ok, let's track it in #668.
The new option 'p11_uri' to the PAM responder can be used to restrict the
selection of certificates in p11_child with the help of a PKCS#11 URI.
The implementation for the NSS version of p11_child is not available in this
PR. As you can see in the first patch the support for PKCS#11 URIs in NSS is
limited and I have to talk to NSS developers first if this will change or if it
would make more sense to use the PKCS#11 URI calls from libp11kit for the NSS
version as well.
To avoid rebase issues this PR is already on top of PR#668.
Related to https://pagure.io/SSSD/sssd/issue/3814
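
How a PKCS#11 URI narrows a set of candidate certificates, as an added example that is not code from this PR or from SSSD: it parses the path attributes of an RFC 7512 URI and keeps only the candidates that match all of them. The candidate list, token labels and function names are constructed for illustration, and treating an attribute the candidate does not carry as a mismatch is an assumption of this sketch.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample: certificates spread over two slots (labels are made up).
CANDIDATES = [
    {"slot-id": "0", "token": "Example Token A", "object": "cert-alice", "id": b"\x01"},
    {"slot-id": "1", "token": "Example Token B", "object": "cert-alice-2", "id": b"\x02"},
    {"slot-id": "1", "token": "Example Token B", "object": "cert-bob", "id": b"\x03"},
]


def parse_p11_uri(uri):
    """Return the path attributes of an RFC 7512 URI as {name: raw bytes}."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() != "pkcs11":
        raise ValueError("not a PKCS#11 URI: %r" % uri)
    # Query attributes (after '?', e.g. pin-source) do not identify objects.
    path = rest.split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        name, eq, value = part.partition("=")
        if not eq or not name or name in attrs:
            raise ValueError("malformed or repeated attribute: %r" % part)
        attrs[name] = unquote_to_bytes(value)  # values are percent-encoded
    return attrs


def select_certs(uri, candidates):
    """Keep candidates matching every attribute in the URI (absent = wildcard)."""
    wanted = parse_p11_uri(uri)

    def matches(cand):
        for name, value in wanted.items():
            have = cand.get(name)
            if have is None:          # assumption: unknown attribute fails closed
                return False
            if isinstance(have, str):
                have = have.encode("utf-8")
            if have != value:
                return False
        return True

    return [c for c in candidates if matches(c)]


if __name__ == "__main__":
    for uri in ("pkcs11:", "pkcs11:slot-id=1", "pkcs11:token=Example%20Token%20B;id=%03"):
        print(uri, "->", [c["object"] for c in select_certs(uri, CANDIDATES)])
```

An empty URI (`pkcs11:`) selects every candidate, so a restriction only takes effect once at least one path attribute is set.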