[Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication
Sumit Bose
2017-03-10 09:12:21 UTC
Hi,

with the recent addition of PKINIT support there is now a second method
available for Smartcard authentication besides local authentication.

I was about to add some sssd.conf option which can control the fallback
to local authentication if PKINIT fails. Currently there is only a
fallback to local authentication if the backend is offline or if PKINIT
is not available because either the client or the server side do not
support it.

It came to my mind that it might be more flexible to add the fallback
scheme to the certificate matching rules discussed earlier on this list.
With this it would be possible e.g. to require PKINIT for a set of
certificates and allow local authentication to a different set.

Do you think this would make sense, or is an option in sssd.conf which
covers all certificates sufficient?

bye,
Sumit
--
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code
Alexander Bokovoy
2017-03-10 09:58:25 UTC
Post by Sumit Bose
Hi,
with the recent addition of PKINIT support there is now a second method
available for Smartcard authentication besides local authentication.
I was about to add some sssd.conf option which can control the fallback
to local authentication if PKINIT fails. Currently there is only a
fallback to local authentication if the backend is offline or if PKINIT
is not available because either the client or the server side do not
support it.
It came to my mind that it might be more flexible to add the fallback
scheme to the certificate matching rules discussed earlier on this list.
With this it would be possible e.g. to require PKINIT for a set of
certificates and allow local authentication to a different set.
Do you think this would make sense, or is an option in sssd.conf which
covers all certificates sufficient?
Interesting idea. If we were to define it as a part of a certificate
matching rule, would we be able to deny using a matching certificate for
local authentication in case only PKINIT is allowed?
--
/ Alexander Bokovoy
Sumit Bose
2017-03-10 10:37:34 UTC
Post by Alexander Bokovoy
Post by Sumit Bose
Hi,
with the recent addition of PKINIT support there is now a second method
available for Smartcard authentication besides local authentication.
I was about to add some sssd.conf option which can control the fallback
to local authentication if PKINIT fails. Currently there is only a
fallback to local authentication if the backend is offline or if PKINIT
is not available because either the client or the server side do not
support it.
It came to my mind that it might be more flexible to add the fallback
scheme to the certificate matching rules discussed earlier on this list.
With this it would be possible e.g. to require PKINIT for a set of
certificates and allow local authentication to a different set.
Do you think this would make sense, or is an option in sssd.conf which
covers all certificates sufficient?
Interesting idea. If we were to define it as a part of a certificate
matching rule, would we be able to deny using a matching certificate for
local authentication in case only PKINIT is allowed?
Yes, SSSD first checks in the backend if PKINIT is available and tries
it. If this fails the backend can tell the frontend to try local
authentication or fail.

bye,
Sumit
Post by Alexander Bokovoy
--
/ Alexander Bokovoy
Alexander Bokovoy
2017-03-10 11:39:27 UTC
Post by Sumit Bose
Post by Alexander Bokovoy
Post by Sumit Bose
Hi,
with the recent addition of PKINIT support there is now a second method
available for Smartcard authentication besides local authentication.
I was about to add some sssd.conf option which can control the fallback
to local authentication if PKINIT fails. Currently there is only a
fallback to local authentication if the backend is offline or if PKINIT
is not available because either the client or the server side do not
support it.
It came to my mind that it might be more flexible to add the fallback
scheme to the certificate matching rules discussed earlier on this list.
With this it would be possible e.g. to require PKINIT for a set of
certificates and allow local authentication to a different set.
Do you think this would make sense, or is an option in sssd.conf which
covers all certificates sufficient?
Interesting idea. If we were to define it as a part of a certificate
matching rule, would we be able to deny using a matching certificate for
local authentication in case only PKINIT is allowed?
Yes, SSSD first checks in the backend if PKINIT is available and tries
it. If this fails the backend can tell the frontend to try local
authentication or fail.
Ok. I'd prefer to have this possibility then -- a certificate matching
rule including a flag to require PKINIT.
--
/ Alexander Bokovoy
Sumit Bose
2017-03-10 12:08:02 UTC
Post by Alexander Bokovoy
Post by Sumit Bose
Post by Alexander Bokovoy
Post by Sumit Bose
Hi,
with the recent addition of PKINIT support there is now a second method
available for Smartcard authentication besides local authentication.
I was about to add some sssd.conf option which can control the fallback
to local authentication if PKINIT fails. Currently there is only a
fallback to local authentication if the backend is offline or if PKINIT
is not available because either the client or the server side do not
support it.
It came to my mind that it might be more flexible to add the fallback
scheme to the certificate matching rules discussed earlier on this list.
With this it would be possible e.g. to require PKINIT for a set of
certificates and allow local authentication to a different set.
Do you think this would make sense, or is an option in sssd.conf which
covers all certificates sufficient?
Interesting idea. If we were to define it as a part of a certificate
matching rule, would we be able to deny using a matching certificate for
local authentication in case only PKINIT is allowed?
Yes, SSSD first checks in the backend if PKINIT is available and tries
it. If this fails the backend can tell the frontend to try local
authentication or fail.
Ok. I'd prefer to have this possibility then -- a certificate matching
rule including a flag to require PKINIT.
I think it should be a bit more than a single flag.

- PKINIT and newer fall back to local authentication
- PKINIT and fall back to local authentication when offline or PKINIT is
not available
- PKINIT and fall back on all errors
- no PKINIT, only local authentication.

bye,
Sumit
Post by Alexander Bokovoy
--
/ Alexander Bokovoy
Alexander Bokovoy
2017-03-10 12:25:22 UTC
Post by Sumit Bose
Post by Alexander Bokovoy
Post by Sumit Bose
Post by Alexander Bokovoy
Post by Sumit Bose
Hi,
with the recent addition of PKINIT support there is now a second method
available for Smartcard authentication besides local authentication.
I was about to add some sssd.conf option which can control the fallback
to local authentication if PKINIT fails. Currently there is only a
fallback to local authentication if the backend is offline or if PKINIT
is not available because either the client or the server side do not
support it.
It came to my mind that it might be more flexible to add the fallback
scheme to the certificate matching rules discussed earlier on this list.
With this it would be possible e.g. to require PKINIT for a set of
certificates and allow local authentication to a different set.
Do you think this would make sense, or is an option in sssd.conf which
covers all certificates sufficient?
Interesting idea. If we were to define it as a part of a certificate
matching rule, would we be able to deny using a matching certificate for
local authentication in case only PKINIT is allowed?
Yes, SSSD first checks in the backend if PKINIT is available and tries
it. If this fails the backend can tell the frontend to try local
authentication or fail.
Ok. I'd prefer to have this possibility then -- a certificate matching
rule including a flag to require PKINIT.
I think it should be a bit more than a single flag.
- PKINIT and newer fall back to local authentication
s/newer/never/, I'd guess?
Post by Sumit Bose
- PKINIT and fall back to local authentication when offline or PKINIT is
not available
- PKINIT and fall back on all errors
- no PKINIT, only local authentication.
Otherwise looks good.
--
/ Alexander Bokovoy
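The following is an added illustration of the decision logic the thread converges on (the current fallback behaviour Sumit describes in the opening message, and the four per-rule schemes listed in his later reply): PKINIT is tried first, and the matching rule for the certificate decides whether a PKINIT failure may fall back to local certificate authentication or must fail. It is not SSSD or FreeIPA code; the rule representation (a subject DN regex plus a fallback scheme), the enum names, the `authenticate`/`decide`/`matrix` helpers and the sample policy are all assumptions made for the example.

```python
"""Per-certificate fallback policy for smartcard login: PKINIT first, then
optional local certificate authentication. Added example, not SSSD code; the
rule syntax, names and sample policy below are assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Optional


class PkinitResult(Enum):
    """Outcome the backend reports after attempting (or declining) PKINIT."""
    SUCCESS = "success"
    OFFLINE = "offline"          # KDC not reachable, nothing was tried
    UNAVAILABLE = "unavailable"  # client or server side lacks PKINIT support
    FAILED = "failed"            # PKINIT attempted and rejected by the KDC


class Fallback(Enum):
    """The four schemes proposed in the thread (names are assumptions)."""
    NEVER = "pkinit-only"                # PKINIT and never fall back to local auth
    WHEN_OFFLINE = "pkinit-or-offline"   # PKINIT; local auth only if offline/unavailable
    ALWAYS = "pkinit-or-local"           # PKINIT; local auth on any error
    LOCAL_ONLY = "local-only"            # no PKINIT, only local auth


class Decision(Enum):
    AUTHENTICATED = "authenticated"  # PKINIT succeeded
    TRY_LOCAL = "try-local"          # frontend should verify the certificate locally
    DENY = "deny"                    # stop here, do not attempt local auth


@dataclass(frozen=True)
class MatchRule:
    """Hypothetical matching rule: a subject DN regex plus its fallback scheme."""
    name: str
    subject_regex: str
    fallback: Fallback

    def matches(self, subject_dn: str) -> bool:
        return re.search(self.subject_regex, subject_dn) is not None


def decide(fallback: Fallback, result: PkinitResult) -> Decision:
    """Map a fallback scheme and a PKINIT outcome to what the frontend does next."""
    if result is PkinitResult.SUCCESS:
        return Decision.AUTHENTICATED
    if fallback is Fallback.NEVER:
        return Decision.DENY
    if fallback is Fallback.ALWAYS:
        return Decision.TRY_LOCAL
    # WHEN_OFFLINE: the behaviour the thread describes as the current default
    if result in (PkinitResult.OFFLINE, PkinitResult.UNAVAILABLE):
        return Decision.TRY_LOCAL
    return Decision.DENY


def authenticate(subject_dn: str, rules: list[MatchRule],
                 try_pkinit: Callable[[], PkinitResult]) -> tuple[Optional[str], Decision]:
    """First matching rule wins; returns (rule name, decision).

    A certificate no rule matches is denied, and a LOCAL_ONLY rule never
    calls the backend, so try_pkinit is not invoked for it."""
    rule = next((r for r in rules if r.matches(subject_dn)), None)
    if rule is None:
        return None, Decision.DENY
    if rule.fallback is Fallback.LOCAL_ONLY:
        return rule.name, Decision.TRY_LOCAL
    return rule.name, decide(rule.fallback, try_pkinit())


# Constructed sample policy: admins must use PKINIT, staff may fall back when
# the backend is offline, and a lab CA's certificates are only checked locally.
SAMPLE_RULES = [
    MatchRule("admins", r"OU=Admins,", Fallback.NEVER),
    MatchRule("staff", r"OU=Staff,", Fallback.WHEN_OFFLINE),
    MatchRule("lab", r"O=Lab CA$", Fallback.LOCAL_ONLY),
]


def matrix(subject_dn: str, rules: list[MatchRule] = SAMPLE_RULES) -> dict[str, str]:
    """Decision for every possible PKINIT outcome, useful when reviewing a policy."""
    return {res.value: authenticate(subject_dn, rules, lambda res=res: res)[1].value
            for res in PkinitResult}


if __name__ == "__main__":
    for dn in ("CN=alice,OU=Admins,O=Example", "CN=bob,OU=Staff,O=Example",
               "CN=carol,O=Lab CA", "CN=mallory,O=Unknown"):
        print(dn, matrix(dn))
```

The point of routing the decision through the matching rule rather than a single sssd.conf switch is visible in `matrix`: the same PKINIT outcome (say `failed`) yields `deny` for the admin rule but `try-local` under an `ALWAYS` rule, and a `LOCAL_ONLY` rule short-circuits before the backend is ever asked, which is the "deny local authentication when only PKINIT is allowed" property the thread asks about, inverted.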