Warning

This is a design page. It was used to design and discuss the initial implementation of the change. However, the state of this document does not necessarily correspond to the current state of the implementation since we do not keep this document up to date with further changes and bug fixes.

Require Smartcard authentication (for local users)

https://pagure.io/SSSD/sssd/issue/3650

By default SSSD tries to determine which authentication methods are available for a user and prompts accordingly. This is primarily done by figuring out the authentication methods supported on the server. For example, the krb5 provider uses the available pre-authentication methods to determine how the user can authenticate. If a user should only and always use Smartcard authentication, the long-term password can be removed on the server side so that the user can only use PKINIT for authentication. For FreeIPA domains there are authentication indicators to require specific authentication methods for services.

Currently SSSD does not handle the general authentication of local users because this is still done by pam_unix. However, SSSD offers support for Smartcard authentication for local users. To be flexible and offer the user the most suitable prompting during authentication, SSSD currently only prompts for a Smartcard PIN if a Smartcard is inserted with certificates which can be mapped to the user trying to log in. This means that local users cannot easily be forced to use Smartcard authentication, where the user is prompted to insert a Smartcard and SSSD waits until a suitable card is inserted.

Force local users to use Smartcard authentication

Although Active Directory offers the ‘Smart card is required for interactive logon’ option, it might not be suitable for all use cases because it disables password-based authentication, which might still be needed for certain services. Having an option on the client to require Smartcard authentication for specific services would help here as well.

There are two places where an option to enforce Smartcard authentication can be set: the SSSD configuration file sssd.conf or the option list of the pam_sss PAM module.

In general we try to avoid adding options to the PAM module, to keep the PAM module as dumb and simple as possible and to do all processing in SSSD’s PAM responder and the backends. But in the given case, options for the PAM module offer greater flexibility with a less complex configuration. To keep the pam_sss PAM module simple, it will only forward the provided option to SSSD and check the reply to see whether Smartcard authentication is possible, returning an error otherwise.

Besides an option to require Smartcard authentication, an option to only check if Smartcard authentication is available will be added as well, to allow more flexible PAM configurations.

p11_child needs a new option to wait until a card is available if no suitable card is currently present. Since the PAM responder kills p11_child when a timeout expires, an option is needed to let the PAM responder wait longer so that the child can wait longer as well.

If a slot with the CKF_REMOVABLE_DEVICE flag was found, p11_child can check whether the PKCS#11 call C_WaitForSlotEvent is implemented and use it. If the PKCS#11 module does not implement this call, p11_child can call C_GetSlotInfo at a regular interval until a token is present or it is killed by the PAM responder. NSS provides the PK11_WaitForTokenEvent call to handle this.

If there is no slot with the CKF_REMOVABLE_DEVICE flag set, p11_child has to run C_Finalize/C_Initialize cycles to be able to discover new slots. This is e.g. needed for Yubikey USB devices, which from the PKCS#11 perspective are Smartcard (token) and reader (slot) in a single device.
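The three waiting strategies above, as an added example that is not part of this page or of SSSD's p11_child: the PKCS#11 calls are replaced by a constructed mock module so it runs offline, and wait_case is a hypothetical test helper.

```c
/* Added example, not SSSD's p11_child code: the card-waiting strategy from the text,
 * run against a constructed mock module. PKCS#11 subset declared inline (no pkcs11.h). */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV, CK_FLAGS;
#define CKR_OK                     0x00UL
#define CKR_FUNCTION_NOT_SUPPORTED 0x54UL
#define CKF_TOKEN_PRESENT          0x01UL   /* CK_SLOT_INFO.flags bits */
#define CKF_REMOVABLE_DEVICE       0x02UL
enum wait_strategy { WS_PRESENT, WS_SLOT_EVENT, WS_POLL_SLOT_INFO, WS_REINIT_CYCLE };
/* Mock module with one slot; the token shows up after `probes_until_present`
 * C_GetSlotInfo calls, C_Finalize/C_Initialize cycles or slot events. */
struct mock_module { CK_FLAGS slot_flags; int probes_until_present; int supports_wait_event; };
static void mock_probe(struct mock_module *m) {
    if (m->probes_until_present > 0 && --m->probes_until_present == 0)
        m->slot_flags |= CKF_TOKEN_PRESENT;
}
static CK_RV mock_WaitForSlotEvent(struct mock_module *m) {
    if (!m->supports_wait_event) return CKR_FUNCTION_NOT_SUPPORTED;
    m->probes_until_present = 1; mock_probe(m);   /* "blocks" until the insert event */
    return CKR_OK;
}
static CK_RV mock_GetSlotInfo(struct mock_module *m, CK_FLAGS *f) { mock_probe(m); *f = m->slot_flags; return CKR_OK; }
static void mock_Finalize_Initialize(struct mock_module *m) { mock_probe(m); }
/* Sets *found once a token is present; max_probes stands in for the PAM
 * responder timeout (p11_child_timeout + p11_wait_for_card_timeout). */
enum wait_strategy wait_for_card(struct mock_module *m, int max_probes, int *found) {
    CK_FLAGS f = 0; *found = 0;
    if (m->slot_flags & CKF_TOKEN_PRESENT) { *found = 1; return WS_PRESENT; }
    if (!(m->slot_flags & CKF_REMOVABLE_DEVICE)) {
        /* No removable slot: only a C_Finalize/C_Initialize cycle can discover a
         * new slot (a YubiKey is reader and token in one USB device). */
        for (int i = 0; i < max_probes && !*found; i++) {
            mock_Finalize_Initialize(m);
            *found = (m->slot_flags & CKF_TOKEN_PRESENT) != 0;
        }
        return WS_REINIT_CYCLE;
    }
    if (mock_WaitForSlotEvent(m) == CKR_OK) { *found = 1; return WS_SLOT_EVENT; }
    /* C_WaitForSlotEvent not implemented: poll C_GetSlotInfo at a regular interval. */
    for (int i = 0; i < max_probes && !*found; i++)
        *found = mock_GetSlotInfo(m, &f) == CKR_OK && (f & CKF_TOKEN_PRESENT);
    return WS_POLL_SLOT_INFO;
}
/* Hypothetical scenario helper for tests: returns strategy * 10 + found. */
int wait_case(CK_FLAGS slot_flags, int probes, int supports_event, int max_probes) {
    struct mock_module m = { slot_flags, probes, supports_event };
    int found;
    enum wait_strategy s = wait_for_card(&m, max_probes, &found);
    return (int)s * 10 + found;
}
```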

The PAM module pam_sss will get two new flag options:

try_cert_auth

Try to use certificate based authentication, i.e. authentication with a Smartcard or similar devices. If a Smartcard is available and the service is allowed for Smartcard authentication, the user will be prompted for a PIN and the certificate based authentication will continue.

If no Smartcard is available or certificate based authentication is not allowed for the current service, PAM_AUTHINFO_UNAVAIL is returned.

require_cert_auth

Wait until a Smartcard suitable for authentication is available and ask the user to insert a Smartcard.

If no Smartcard is available or certificate based authentication is not allowed for the current service, PAM_AUTHINFO_UNAVAIL is returned.

The PAM module will forward the flags to the PAM responder in a 32-bit integer, and the responder will handle the request accordingly. If the reply of the PAM responder does not contain the information needed to prompt the user for a Smartcard PIN, the PAM module will return PAM_AUTHINFO_UNAVAIL.

The PAM responder will get a new option to increase the waiting time for p11_child if the require_cert_auth flag was received from the client. To receive the flags, the PAM responder must be prepared to handle the 32-bit integer sent by the client containing the flags.

p11_child is mentioned here for completeness; since it is an internal helper, this change is not directly relevant for users.

New p11_child option:

--wait_for_card

Wait until a Smartcard (token) is available in a reader (slot).

New pam_sss options:

try_cert_auth

see above

require_cert_auth

see above

New PAM responder option (sssd.conf):

p11_wait_for_card_timeout

If Smartcard authentication is required, the number of extra seconds, in addition to p11_child_timeout, that the PAM responder should wait for a Smartcard to be inserted.

Default: 60 (seconds)

To test the feature the PAM configuration has to be modified: pam_sss has to be added with the require_cert_auth or try_cert_auth option at a suitable place.

To allow Smartcard authentication for local users but use password authentication as a fallback if no Smartcard is available, the following snippet might be added to the PAM configuration:

....
auth        [default=2 success=ok] pam_localuser.so
auth        sufficient    pam_sss.so try_cert_auth
auth        [success=done ignore=ignore default=die] pam_unix.so try_first_pass
....

To require Smartcard authentication for local users, the following snippet might be added to the PAM configuration:

....
auth        [default=2 success=ok] pam_localuser.so
auth        required    pam_sss.so require_cert_auth
auth        required    pam_deny.so
....
Authors:

  • Sumit Bose <sbose@redhat.com>