[Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication

Sumit Bose sbose at redhat.com
Fri Mar 10 10:37:34 UTC 2017


On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote:
> On Fri, 10 Mar 2017, Sumit Bose wrote:
> > Hi,
> > 
> > with the recent addition of PKINIT support there is now a second method
> > available for Smartcard authentication besides local authentication.
> > 
> > I was about to add some sssd.conf option which can control the fallback
> > to local authentication if PKINIT fails. Currently there is only a
> > fallback to local authentication if the backend is offline or if PKINIT
> > is not available because either the client or the server side do not
> > support it.
> > 
> > It came to my mind that it might be more flexible to add the fallback
> > scheme to the certificate matching rules discussed earlier on this list.
> > With this it would be possible e.g. to require PKINIT for a set of
> > certificates and allow local authentication to a different set.
> > 
> > Do you think this would make sense, or is an option in sssd.conf which
> > covers all certificates sufficient?
> Interesting idea. If we were to define it as a part of a certificate
> matching rule, would we be able to deny using a matching certificate for
> local authentication in case only PKINIT is allowed?

Yes, SSSD first checks in the backend if PKINIT is available and tries
it. If this fails the backend can tell the frontend to try local
authentication or fail.

bye,
Sumit

> -- 
> / Alexander Bokovoy
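The decision flow Sumit describes (try PKINIT first when the backend offers it, then let the matching rule decide whether local authentication is allowed or the login is denied) can be modelled as a small rule evaluator. The block below is an illustrative example added here, not SSSD code: the `Policy` values, the `Rule`/`Backend` types, the issuer-regex matching and the behaviour of a pkinit-only rule while the backend is offline are all assumptions made for this illustration, not an option set that exists in sssd.conf.

```python
"""Toy model of the proposed per-certificate fallback scheme.

Illustrative code written for this page, not SSSD source. Names, policy
values and the offline handling of a pkinit-only rule are assumptions.
"""
import re
from dataclasses import dataclass
from enum import Enum


class Policy(Enum):
    """Hypothetical per-rule authentication policy."""
    PKINIT_ONLY = "pkinit-only"            # never fall back to local auth
    PKINIT_THEN_LOCAL = "pkinit-then-local"  # today's default behaviour
    LOCAL_ONLY = "local-only"              # do not even attempt PKINIT


@dataclass(frozen=True)
class Rule:
    """A certificate matching rule carrying a policy (assumed shape)."""
    issuer_re: str   # regex matched against the certificate issuer DN
    policy: Policy
    priority: int = 0  # lower value wins, as with FreeIPA certmap rules


@dataclass(frozen=True)
class Backend:
    """State of the SSSD backend for one authentication attempt (constructed)."""
    online: bool
    pkinit_supported: bool  # both client and KDC side support PKINIT
    pkinit_ok: bool         # outcome if PKINIT is actually attempted


def match_rule(rules, issuer):
    """Return the best-priority rule whose issuer regex matches, or None."""
    hits = [r for r in rules if re.fullmatch(r.issuer_re, issuer)]
    return min(hits, key=lambda r: r.priority) if hits else None


def authenticate(rules, issuer, backend, default=Policy.PKINIT_THEN_LOCAL):
    """Decide the authentication path for a certificate with the given issuer.

    Returns "pkinit", "local" or "denied".
    """
    rule = match_rule(rules, issuer)
    policy = rule.policy if rule else default

    if policy is Policy.LOCAL_ONLY:
        return "local"

    # PKINIT is only attempted when the backend is online and supports it.
    if backend.online and backend.pkinit_supported:
        if backend.pkinit_ok:
            return "pkinit"
        # PKINIT was tried and failed: the rule says whether the frontend
        # may fall back to local authentication or must fail.
        return "local" if policy is Policy.PKINIT_THEN_LOCAL else "denied"

    # Offline or PKINIT unavailable: the current behaviour falls back to
    # local authentication. Assumption: a pkinit-only rule denies here too,
    # otherwise "pkinit only" could be bypassed by taking the client offline.
    return "denied" if policy is Policy.PKINIT_ONLY else "local"


# Constructed sample rule set: one CA must use PKINIT, everything else may
# fall back to local authentication.
SAMPLE_RULES = [
    Rule(r"CN=Smartcard CA,O=EXAMPLE", Policy.PKINIT_ONLY, priority=10),
    Rule(r".*", Policy.PKINIT_THEN_LOCAL, priority=100),
]

if __name__ == "__main__":
    for issuer in ("CN=Smartcard CA,O=EXAMPLE", "CN=Other CA,O=EXAMPLE"):
        for be in (Backend(True, True, True), Backend(True, True, False),
                   Backend(False, True, False), Backend(True, False, False)):
            print(issuer, be, "->", authenticate(SAMPLE_RULES, issuer, be))
```

The point the model makes is the one Alexander raised: because the rule is consulted after PKINIT has been attempted, a "pkinit-only" rule can refuse local authentication for that certificate while other certificates keep the existing fallback.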
