[Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 10 09:58:25 UTC 2017

On Fri, 10 Mar 2017, Sumit Bose wrote:
>with the recent addition of PKINIT support there is now a second method
>available to Smartcard authentication besides local authentication.
>I was about to add some sssd.conf option which can control the fallback
>to local authentication if PKINIT fails. Currently there is only a
>fallback to local authentication if the backend is offline or if PKINIT
>is not available because either the client or the server side does not
>support it.
>It came to my mind that it might be more flexible to add the fallback
>scheme to the certificate matching rules discussed earlier on this list.
>With this it would be possible e.g. to require PKINIT for a set of
>certificates and allow local authentication to a different set.
>Do you think this would make sense, or is an option in sssd.conf which
>covers all certificates sufficient?
Interesting idea. If we were to define it as a part of a certificate
matching rule, would we be able to deny using a matching certificate for
local authentication in case only PKINIT is allowed?
/ Alexander Bokovoy