[Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication

Sumit Bose sbose at redhat.com
Fri Mar 10 12:08:02 UTC 2017


On Fri, Mar 10, 2017 at 01:39:27PM +0200, Alexander Bokovoy wrote:
> On pe, 10 maalis 2017, Sumit Bose wrote:
> > On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote:
> > > On pe, 10 maalis 2017, Sumit Bose wrote:
> > > > Hi,
> > > >
> > > > with the recent addition of PKINIT support there is now a second method
> > > > available to Smartcard authentication besides local authentication.
> > > >
> > > > I was about to add some sssd.conf option which can control the fallback
> > > > to local authentication if PKINIT fails. Currently there is only a
> > > > fallback to local authentication if the backend is offline or if PKINIT
> > > > is not available because either the client or the server side do not
> > > > support it.
> > > >
> > > > It came to my mind that it might be more flexible to add the fallback
> > > > scheme to the certificate matching rules discussed earlier on this list.
> > > > With this it would be possible e.g. to require PKINIT for a set of
> > > > certificates and allow local authentication to a different set.
> > > >
> > > > Do you think this would make sense or is it sufficient an option in
> > > > sssd.conf which covers all certificates?
> > > Interesting idea. If we were to define it as a part of a certificate
> > > matching rule, would we be able to deny using a matching certificate for
> > > local authentication in case only PKINIT is allowed?
> > 
> > Yes, SSSD first checks in the backend if PKINIT is available and tries
> > it. If this fails the backend can tell the frontend to try local
> > authentication or fail.
> Ok. I'd prefer to have this possibility then -- a certificate matching
> rule including a flag to require PKINIT.

I think it should be a bit more than a single flag.

- PKINIT and never fall back to local authentication
- PKINIT and fall back to local authentication when offline or PKINIT is
  not available
- PKINIT and fall back on all errors
- no PKINIT, only local authentication.

bye,
Sumit

> 
> -- 
> / Alexander Bokovoy
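The four fallback schemes above, and the answer to the question of whether a matching rule can deny local authentication when only PKINIT is allowed, can be modelled as a small decision function. The following is an added illustration written for this page; it is not SSSD code and does not use SSSD's real sssd.conf option names or certmap rule syntax. The policy names, the (prefix, policy) rule shape, the outcome strings and the sample rules are all constructed for the example.

```python
"""Toy model of the PKINIT / local-authentication fallback policies.

Added illustration, not SSSD code. Policy names, rule structure and the
backend result strings are assumptions made for this example only.
"""
from enum import Enum


class Fallback(Enum):
    # The four schemes from the thread, as hypothetical policy values.
    PKINIT_ONLY = "pkinit_only"                      # never fall back to local auth
    PKINIT_OR_LOCAL_IF_UNAVAILABLE = "pkinit_or_local_if_unavailable"
    PKINIT_OR_LOCAL_ON_ANY_ERROR = "pkinit_or_local_on_any_error"
    LOCAL_ONLY = "local_only"                        # no PKINIT at all


# Constructed results the simulated backend reports for a PKINIT attempt.
PKINIT_OK = "ok"
PKINIT_OFFLINE = "offline"          # KDC not reachable
PKINIT_UNSUPPORTED = "unsupported"  # client or server side lacks PKINIT
PKINIT_FAILED = "failed"            # KDC rejected the pre-authentication

# Constructed sample rules: first match wins. Administrators' certificates
# must use PKINIT; every other certificate may fall back only when PKINIT
# is offline or unsupported.
EXAMPLE_RULES = [
    ("CN=admin", Fallback.PKINIT_ONLY),
    ("CN=", Fallback.PKINIT_OR_LOCAL_IF_UNAVAILABLE),
]


def match_rule(cert_subject: str, rules) -> Fallback:
    """Return the policy of the first rule whose subject prefix matches.

    Deliberately simplified: real SSSD matching rules use a richer syntax.
    Unmatched certificates get local authentication only (constructed default).
    """
    for prefix, policy in rules:
        if cert_subject.startswith(prefix):
            return policy
    return Fallback.LOCAL_ONLY


def authenticate(cert_subject: str, rules, pkinit_result: str, local_auth_ok: bool):
    """Simulate the frontend/backend flow described in the thread.

    The backend tries PKINIT first (unless the policy forbids it) and then
    tells the frontend either to try local authentication or to fail.
    Returns (method that decided the outcome, success flag).
    """
    policy = match_rule(cert_subject, rules)
    if policy is Fallback.LOCAL_ONLY:
        return ("local", local_auth_ok)
    if pkinit_result == PKINIT_OK:
        return ("pkinit", True)
    # PKINIT did not succeed; the policy decides whether local auth may run.
    if policy is Fallback.PKINIT_ONLY:
        return ("pkinit", False)
    if policy is Fallback.PKINIT_OR_LOCAL_IF_UNAVAILABLE:
        if pkinit_result in (PKINIT_OFFLINE, PKINIT_UNSUPPORTED):
            return ("local", local_auth_ok)
        return ("pkinit", False)  # a real PKINIT rejection is final
    # PKINIT_OR_LOCAL_ON_ANY_ERROR
    return ("local", local_auth_ok)


if __name__ == "__main__":
    for subject, result in [("CN=admin,O=Example", PKINIT_FAILED),
                            ("CN=user,O=Example", PKINIT_OFFLINE),
                            ("CN=user,O=Example", PKINIT_FAILED)]:
        print(subject, result, "->", authenticate(subject, EXAMPLE_RULES, result, True))
```

The point worth noticing is the difference between the second and third policy: with "fall back when offline or not available" a KDC that actively rejects the certificate ends the attempt, whereas "fall back on all errors" would let a rejected certificate still be tried against the locally cached credentials, which is the weaker of the two.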