[Freeipa-devel] [RFC] Smartcard authentication with PKINIT and local authentication

Alexander Bokovoy abokovoy at redhat.com
Fri Mar 10 12:25:22 UTC 2017


On pe, 10 maalis 2017, Sumit Bose wrote:
>On Fri, Mar 10, 2017 at 01:39:27PM +0200, Alexander Bokovoy wrote:
>> On pe, 10 maalis 2017, Sumit Bose wrote:
>> > On Fri, Mar 10, 2017 at 11:58:25AM +0200, Alexander Bokovoy wrote:
>> > > On pe, 10 maalis 2017, Sumit Bose wrote:
>> > > > Hi,
>> > > >
>> > > > with the recent addition of PKINIT support there is now a second method
>> > > > available to Smartcard authentication besides local authentication.
>> > > >
>> > > > I was about to add some sssd.conf option which can control the fallback
>> > > > to local authentication if PKINIT fails. Currently there is only a
>> > > > fallback to local authentication if the backend is offline or if PKINIT
>> > > > is not available because either the client or the server side does not
>> > > > support it.
>> > > >
>> > > > It came to my mind that it might be more flexible to add the fallback
>> > > > scheme to the certificate matching rules discussed earlier on this list.
>> > > > With this it would be possible e.g. to require PKINIT for a set of
>> > > > certificates and allow local authentication to a different set.
>> > > >
>> > > > Do you think this would make sense, or is an option in sssd.conf
>> > > > which covers all certificates sufficient?
>> > > Interesting idea. If we were to define it as a part of a certificate
>> > > matching rule, would we be able to deny using a matching certificate for
>> > > local authentication in case only PKINIT is allowed?
>> >
>> > Yes, SSSD first checks in the backend if PKINIT is available and tries
>> > it. If this fails the backend can tell the frontend to try local
>> > authentication or fail.
>> Ok. I'd prefer to have this possibility then -- a certificate matching
>> rule including a flag to require PKINIT.
>
>I think it should be a bit more than a single flag.
>
>- PKINIT and newer fall back to local authentication
 s/newer/never/, I'd guess?

>- PKINIT and fall back to local authentication when offline or PKINIT is
>  not available
>- PKINIT and fall back in all errors
>- no PKINIT only local authentication.
Otherwise looks good.
-- 
/ Alexander Bokovoy
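The four fallback modes listed above, modelled as a per-rule attribute on a certificate matching rule, as an added illustration that is not part of the thread and not SSSD's code. The `<ISSUER>`/`<SUBJECT>` rule syntax is a minimal subset in the style of the matching rules discussed on the list; the fallback attribute, the `decide()` logic and the sample rules and DNs are constructed assumptions.

```python
"""Hypothetical model: which auth path a smartcard login takes under each
fallback mode. Constructed example, not SSSD's implementation."""
import re
from dataclasses import dataclass

# The four fallback modes from the thread.
NEVER, OFFLINE, ALWAYS, LOCAL_ONLY = "never", "offline", "always", "local-only"

@dataclass
class Rule:
    match: str       # e.g. "<ISSUER>CN=Corp CA,O=Example<SUBJECT>.*OU=admins.*"
    fallback: str    # one of the modes above (hypothetical rule attribute)

COMPONENT = re.compile(r"<(ISSUER|SUBJECT)>([^<]*)")

def rule_matches(rule, issuer, subject):
    """Every <ISSUER>/<SUBJECT> component is a regex that must fully match."""
    parts = COMPONENT.findall(rule.match)
    dn = {"ISSUER": issuer, "SUBJECT": subject}
    return bool(parts) and all(re.fullmatch(p, dn[k]) for k, p in parts)

def decide(rules, issuer, subject, offline, pkinit_supported, pkinit_ok):
    """Return 'pkinit', 'local' or 'deny' for one login attempt.
    offline/pkinit_supported describe the backend; pkinit_ok is the KDC's
    answer if PKINIT is actually attempted. First matching rule wins."""
    rule = next((r for r in rules if rule_matches(r, issuer, subject)), None)
    if rule is None:
        return "deny"               # assumption: no matching rule, no login
    if rule.fallback == LOCAL_ONLY:
        return "local"              # "no PKINIT, only local authentication"
    if offline or not pkinit_supported:
        # PKINIT was never tried; only the two lenient modes may fall back.
        return "local" if rule.fallback in (OFFLINE, ALWAYS) else "deny"
    if pkinit_ok:
        return "pkinit"
    # PKINIT was tried and failed: only "fall back in all errors" continues.
    return "local" if rule.fallback == ALWAYS else "deny"

# Constructed rules: admin cards must use PKINIT, ordinary Corp CA cards may
# fall back when PKINIT is unavailable, a legacy CA is local-only.
RULES = [
    Rule("<ISSUER>CN=Corp CA,O=Example<SUBJECT>.*,OU=admins,.*", NEVER),
    Rule("<ISSUER>CN=Corp CA,O=Example", OFFLINE),
    Rule("<ISSUER>CN=Legacy CA,O=Example", LOCAL_ONLY),
]

if __name__ == "__main__":
    admin = ("CN=Corp CA,O=Example", "CN=alice,OU=admins,O=Example")
    print(decide(RULES, *admin, offline=True, pkinit_supported=True, pkinit_ok=True))
```

Rule order matters: the admin rule must precede the generic Corp CA rule, otherwise an admin card would silently inherit the more lenient fallback.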