[Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 10 11:39:27 UTC 2017


On Fri, 10 Mar 2017, Sumit Bose wrote:
>On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote:
>> On Fri, 10 Mar 2017, Sumit Bose wrote:
>> > Hi,
>> >
>> > with the recent addition of PKINIT support there is now a second method
>> > available to Smartcard authentication besides local authentication.
>> >
>> > I was about to add some sssd.conf option which can control the fallback
>> > to local authentication if PKINIT fails. Currently there is only a
>> > fallback to local authentication if the backend is offline or if PKINIT
>> > is not available because either the client or the server side do not
>> > support it.
>> >
>> > It came to my mind that it might be more flexible to add the fallback
>> > scheme to the certificate matching rules discussed earlier on this list.
>> > With this it would be possible e.g. to require PKINIT for a set of
>> > certificates and allow local authentication to a different set.
>> >
>> > Do you think this would make sense, or is an option in sssd.conf
>> > which covers all certificates sufficient?
>> Interesting idea. If we were to define it as a part of a certificate
>> matching rule, would we be able to deny using a matching certificate for
>> local authentication in case only PKINIT is allowed?
>
>Yes, SSSD first checks in the backend if PKINIT is available and tries
>it. If this fails the backend can tell the frontend to try local
>authentication or fail.
Ok. I'd prefer to have this possibility then -- a certificate matching
rule including a flag to require PKINIT.

-- 
/ Alexander Bokovoy
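The fallback decision the thread describes (today's offline/unsupported fallback, the proposed global sssd.conf option, and a per-rule "require PKINIT" flag), modelled as an added example. This is not SSSD code: the `Rule` fields, the `require_pkinit` flag and the substring issuer match are hypothetical stand-ins for SSSD's real certificate matching rules.

```python
"""Model of the PKINIT-vs-local-auth fallback discussed in the thread.

Constructed example, not SSSD code: the rule fields, the 'require_pkinit'
flag and the substring issuer match are hypothetical stand-ins for SSSD's
real certificate matching rules.
"""
from dataclasses import dataclass
from enum import Enum


class Outcome(Enum):
    PKINIT = "pkinit"   # authenticate via Kerberos PKINIT
    LOCAL = "local"     # fall back to local Smartcard authentication
    DENY = "deny"       # reject the certificate for this login


@dataclass
class Rule:
    issuer_contains: str   # hypothetical matcher: substring of the issuer DN
    require_pkinit: bool   # hypothetical flag: never fall back to local auth


def decide(cert_issuer, rules, pkinit_available, backend_online, pkinit_ok,
           global_fallback=True):
    """Return the authentication path the frontend should take.

    pkinit_available: client and KDC both support PKINIT
    backend_online:   the SSSD backend can reach the KDC at all
    pkinit_ok:        result of the PKINIT attempt, if one is made
    global_fallback:  the single sssd.conf-wide option from the first proposal
    """
    # First matching rule wins, so order rules from most to least specific.
    rule = next((r for r in rules if r.issuer_contains in cert_issuer), None)
    if rule is None:
        return Outcome.DENY          # no rule matched: certificate not accepted
    # Current behaviour: local auth when PKINIT cannot even be attempted,
    # unless the matched rule insists on PKINIT.
    if not backend_online or not pkinit_available:
        return Outcome.DENY if rule.require_pkinit else Outcome.LOCAL
    if pkinit_ok:
        return Outcome.PKINIT
    # PKINIT was tried and failed: the per-rule flag overrides the global option.
    if rule.require_pkinit or not global_fallback:
        return Outcome.DENY
    return Outcome.LOCAL
```

With two rules, one requiring PKINIT and one permitting local fallback, the same PKINIT failure is denied for the first issuer and falls back to local authentication for the second, which is the per-certificate distinction the global option cannot express.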