Sumit Bose

Smartcard authentication

Smartcard authentication (local)

Component stack on the local Workstation, from the card up to the login application:

  • Smartcard
  • Smartcard Reader
  • PCSCD
  • PKCS#11 module (OpenSC, Coolkey, ....)
  • PAM module (pam_pkcs11, pam_sss/p11_child)
  • local login application (login, gdm, sudo, ...)

Tools: certutil, pkcs11-tool, p11tool, ...

Smartcard

  • public/private key pairs

  • access to private key protected with a PIN

  • private key cannot be read (hopefully)

  • can do crypto operations

Smartcard authentication - PKCS#11

  • Crypto API to talk to Smartcards
  • implemented as modules
    • coolkey
    • OpenSC
    • vendor specific e.g. Gemalto
  • Smartcard support in RHEL 7.4+ https://access.redhat.com/articles/3034441
  • managed by:
    • NSS
      • modutil
    • p11-kit
      • config files
    • direct access

Reading data from Smartcards (NSS)

[sbose@p50 ~]$ certutil -d /etc/pki/nssdb -L -h all

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "Sumit Bose (OpenSC Card)":
rh1                                                          CT,C,C
rh3                                                          CT,C,C
rh2                                                          CT,C,C
Sumit Bose (OpenSC Card):Certificate                         u,u,u
[sbose@p50 ~]$ certutil -d /etc/pki/nssdb -L -n 'Sumit Bose (OpenSC Card):Certificate'
Enter Password or Pin for "Sumit Bose (OpenSC Card)":
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 488 (0x1e8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,OU=prod,O=Red Hat"
        Validity:
            Not Before: Wed Mar 23 11:26:32 2016
            Not After : Fri Mar 23 11:26:32 2018
        Subject: "CN=Sumit Bose Sumit Bose,E=sbose@redhat.com,UID=sbose,OU=us
            ers,DC=redhat,DC=com"

Reading data from Smartcards (OpenSC)

[sbose@p50 ~]$ pkcs11-tool --list-objects
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         de9b7642e1f4a36f71358dc5514d771e5e6bd9d5
  Usage:      verify
Certificate Object; type = X.509 cert
  label:      Certificate
  ID:         de9b7642e1f4a36f71358dc5514d771e5e6bd9d5
[sbose@p50 ~]$ pkcs11-tool --list-objects --login
Using slot 0 with a present token (0x0)
Logging in to "Sumit Bose (OpenSC Card)".
Please enter User PIN: 
Private Key Object; RSA 
  label:      Certificate
  ID:         de9b7642e1f4a36f71358dc5514d771e5e6bd9d5
  Usage:      sign
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         de9b7642e1f4a36f71358dc5514d771e5e6bd9d5
  Usage:      verify
Certificate Object; type = X.509 cert
  label:      Certificate
  ID:         de9b7642e1f4a36f71358dc5514d771e5e6bd9d5

Reading data from Smartcards (OpenSC)

[sbose@p50 ~]$ pkcs11-tool --read-object --type cert \
                   --id de9b7642e1f4a36f71358dc5514d771e5e6bd9d5 \
                   --output-file /tmp/bla.der
Using slot 0 with a present token (0x0)

[sbose@p50 ~]$ file /tmp/bla.der
/tmp/bla.der: data

[sbose@p50 ~]$ openssl x509 -in /tmp/bla.der -inform der -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 488 (0x1e8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Red Hat, OU = prod, CN = Certificate Authority
        Validity
            Not Before: Mar 23 11:26:32 2016 GMT
            Not After : Mar 23 11:26:32 2018 GMT
        Subject: DC = com, DC = redhat, OU = users, UID = sbose,
                         emailAddress = sbose@redhat.com, CN = Sumit Bose Sumit Bose

Reading data from Smartcards (GNUTLS)

[sbose@p50 ~]$ p11tool --list-all
warning: no token URL was provided for this operation; the available tokens are:

pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aSSH%3aHOME;token=SSH%20Keys
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aSECRET%3aMAIN;token=Secret%20Store
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aUSER%3aDEFAULT;token=Gnome2%20Key%20Storage
pkcs11:model=1.0;manufacturer=Gnome%20Keyring;serial=1%3aXDG%3aDEFAULT;token=User%20Key%20Storage
pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=56561A120E35;token=Sumit%20Bose%20%28OpenSC%20Card%29
[sbose@p50 ~]$ p11tool --list-all 'pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=56561A120E35;token=Sumit%20Bose%20%28OpenSC%20Card%29'
Object 0:
        URL: pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=56561A120E35;token=Sumit%20Bose%20%28OpenSC%20Card%29;id=%de%9b%76%42%e1%f4%a3%6f%71%35%8d%c5%51%4d%77%1e%5e%6b%d9%d5;object=Private%20Key;type=public
        Type: Public key
        Label: Private Key
        ID: de:9b:76:42:e1:f4:a3:6f:71:35:8d:c5:51:4d:77:1e:5e:6b:d9:d5

Object 1:
        URL: pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=56561A120E35;token=Sumit%20Bose%20%28OpenSC%20Card%29;id=%de%9b%76%42%e1%f4%a3%6f%71%35%8d%c5%51%4d%77%1e%5e%6b%d9%d5;object=Certificate;type=cert
        Type: X.509 Certificate
        Label: Certificate
        ID: de:9b:76:42:e1:f4:a3:6f:71:35:8d:c5:51:4d:77:1e:5e:6b:d9:d5

[sbose@p50 ~]$ p11tool --list-all --provider=/usr/lib64/pkcs11/opensc-pkcs11.so 
Object 0:
        URL: pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=56561A120E35;token=Sumit%20Bose%20%28OpenSC%20Card%29;id=%de%9b%76%42%e1%f4%a3%6f%71%35%8d%c5%51%4d%77%1e%5e%6b%d9%d5;object=Private%20Key;type=public
        Type: Public key
        Label: Private Key
        ID: de:9b:76:42:e1:f4:a3:6f:71:35:8d:c5:51:4d:77:1e:5e:6b:d9:d5

Object 1:
        URL: pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=56561A120E35;token=Sumit%20Bose%20%28OpenSC%20Card%29;id=%de%9b%76%42%e1%f4%a3%6f%71%35%8d%c5%51%4d%77%1e%5e%6b%d9%d5;object=Certificate;type=cert
        Type: X.509 Certificate
        Label: Certificate
        ID: de:9b:76:42:e1:f4:a3:6f:71:35:8d:c5:51:4d:77:1e:5e:6b:d9:d5

Reading data from Smartcards (GNUTLS)

[sbose@p50 ~]$ p11tool --export 'pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;'\
'serial=56561A120E35;token=Sumit%20Bose%20%28OpenSC%20Card%29;'\
'id=%de%9b%76%42%e1%f4%a3%6f%71%35%8d%c5%51%4d%77%1e%5e%6b%d9%d5;'\
'object=Certificate;type=cert'
-----BEGIN CERTIFICATE-----                                
MIIEAzCCAuugAwIBAgICAegwDQYJKoZIhvcNAQELBQAwQTEQMA4GA1UECgwHUmVk    
IEhhdDENMAsGA1UECwwEcHJvZDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9y                   
aXR5MB4XDTE2MDMyMzExMjYzMloXDTE4MDMyMzExMjYzMlowgZUxEzARBgoJkiaJ                    
k/IsZAEZFgNjb20xFjAUBgoJkiaJk/IsZAEZFgZyZWRoYXQxDjAMBgNVBAsMBXVz                   
....                                                      
YS9vY3NwLzAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG                   
AQUFBwMEMBsGA1UdEQQUMBKBEHNib3NlQHJlZGhhdC5jb20wDQYJKoZIhvcNAQEL                    
BQADggEBAFAtYR+/u3bKBePL9M+iixG0j8GY9M15SmK1zxn4drUJYgyqAe6LLxZ7                  
otFCiP4ZfMqt7iuaYP3puvCumo9DQ+5uaqk+NbsjeiUbWjvPa5zPvAFNktHK+inl         
uM8IL8JuXng2fW1iE9E8dVmOrEVUH93F4tArcjwZ4cMiTDtkT9jStaM5QgPLW5o9         
oBM9mwAme+SMdsFPDXPqJwk3NyZFjAJvdJ+SFZg9LHP0IVqbKQFFu6/bIg4Ve73j                   
jAQwnxCxTHN5PYVON3EIOmWX9G4CL6D3P0paYPcCw6Qe1KlPtepp8ihUhyJwilFU                  
9Vb+RH/nbgCyUyO7TqSBX4UdL/d+5vQ=                           
-----END CERTIFICATE-----       

Reading data from Smartcards (SSSD)

[sbose@p50 ~]$ /usr/libexec/sssd/p11_child --nssdb=/etc/pki/nssdb --pre --verify=no_verification
Sumit Bose (OpenSC Card)
opensc-pkcs11.so
DE9B7642E1F4A36F71358DC5514D771E5E6BD9D5
Certificate
MIIEAzCCAuugAwIBAgICAegwDQYJKoZIhvcNAQELBQAwQTEQMA4GA1UECgwHUmVkIEhhdDENMAsGA1UECwwEcHJvZDEeMBwGA
1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDMyMzExMjYzMloXDTE4MDMyMzExMjYzMlowgZUxEzARBgoJkiaJk/
IsZAEZFgNjb20xFjAUBgoJkiaJk/IsZAEZFgZyZWRoYXQxDjAMBgNVBAsMBXVzZXJzMRUwEwYKCZImiZPyLGQBAQwFc2Jvc2U
xHzAdBgkqhkiG9w0BCQEWEHNib3NlQHJlZGhhdC5jb20xHjAcBgNVBAMMFVN1bWl0IEJvc2UgU3VtaXQgQm9zZTCCASQwDQYJ
KoZIhvcNAQEBBQADggERADCCAQwCggEBAIPffGsi5hyTELB+02Q1063F8fLUvGZwXtBlOf79hocoIJOTf7iazCUg7v6YnZUOK
5gFrUskoxrTLwdBRKHy++PpQWZk0tZxEBh38or9xWuvvfgB+Eg1lld+Na3K1SorNWTJURUVSIbLnZnIAtnuvTu6kifprOdqBR
i9LGnGPXfVClfzSoFQ/3ZF2+39NzQo+3VWVR2rmcQZj79haRSmueT5EqYUAeHS2q47oeweRJvi4OPrUVGaKeJDaKHq1rFjTXn
2Vo6cDkNSJJSpx4XRgTyBOWuTUEKF3mnMhrcmzfTPUgSQnSAVuAgG0AWuVTSN5o7P65cUxztnQ2kpnB0CBQCxLDMno4GtMIGq
MB8GA1UdIwQYMBaAFHvaCfVJXdnXXMk2+FXSG5eeES9+MDsGCCsGAQUFBwEBBC8wLTArBggrBgEFBQcwAYYfaHR0cDovL29jc
3AucmVkaGF0LmNvbS9jYS9vY3NwLzAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsGAQUFBwMEMBsGA1
UdEQQUMBKBEHNib3NlQHJlZGhhdC5jb20wDQYJKoZIhvcNAQELBQADggEBAFAtYR+/u3bKBePL9M+iixG0j8GY9M15SmK1zxn
4drUJYgyqAe6LLxZ7otFCiP4ZfMqt7iuaYP3puvCumo9DQ+5uaqk+NbsjeiUbWjvPa5zPvAFNktHK+inluM8IL8JuXng2fW1i
E9E8dVmOrEVUH93F4tArcjwZ4cMiTDtkT9jStaM5QgPLW5o9oBM9mwAme+SMdsFPDXPqJwk3NyZFjAJvdJ+SFZg9LHP0IVqbK
QFFu6/bIg4Ve73jjAQwnxCxTHN5PYVON3EIOmWX9G4CL6D3P0paYPcCw6Qe1KlPtepp8ihUhyJwilFU9Vb+RH/nbgCyUyO7Tq
SBX4UdL/d+5vQ=

Reading data from Smartcards (SSSD)

[sbose@p50 ~]$ /usr/libexec/sssd/p11_child --nssdb=/etc/pki/nssdb --pre -d 10 --debug-fd=1
(Tue Apr 24 12:27:14:251525 2018) [[sssd[p11_child[24771]]]] [main] (0x0400): p11_child started.
(Tue Apr 24 12:27:14:251651 2018) [[sssd[p11_child[24771]]]] [main] (0x2000): Running in [pre-auth] mode.
(Tue Apr 24 12:27:14:251678 2018) [[sssd[p11_child[24771]]]] [main] (0x2000): Running with effective IDs: [13481][13481].
(Tue Apr 24 12:27:14:251708 2018) [[sssd[p11_child[24771]]]] [main] (0x2000): Running with real IDs [13481][13481].
(Tue Apr 24 12:27:15:533919 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): Default Module List:
(Tue Apr 24 12:27:15:533986 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Tue Apr 24 12:27:15:534017 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): dll name: [(null)].
(Tue Apr 24 12:27:15:534065 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
(Tue Apr 24 12:27:15:534099 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): dll name: [opensc-pkcs11.so].
(Tue Apr 24 12:27:15:534127 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): Dead Module List:
(Tue Apr 24 12:27:15:534172 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): common name: [SoftHSM PKCS #11 Module].
(Tue Apr 24 12:27:15:534198 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): dll name: [libsofthsm2.so].
(Tue Apr 24 12:27:15:534216 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): DB Module List:
(Tue Apr 24 12:27:15:534233 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): common name: [NSS Internal Module].
(Tue Apr 24 12:27:15:534250 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): dll name: [(null)].
(Tue Apr 24 12:27:15:534276 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): common name: [Policy File].
(Tue Apr 24 12:27:15:534320 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): dll name: [(null)].
(Tue Apr 24 12:27:15:550599 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services                   Mozilla Foundation              ] Manufacturer [Mozilla Foundation              ] flags [1].
(Tue Apr 24 12:27:15:550694 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services                             Mozilla Foundation                ] Manufacturer [Mozilla Foundation                    ] flags [9].
(Tue Apr 24 12:27:15:551038 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): Description [Gemalto PC Twin Reader (CB6D4E02) 00 00                         Gemalto                         ] Manufacturer [Gemalto                         ] flags [7].
(Tue Apr 24 12:27:15:551101 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): Found [Sumit Bose (OpenSC Card)] in slot [Gemalto PC Twin Reader (CB6D4E02) 00 00][0] of module [2][opensc-pkcs11.so].
(Tue Apr 24 12:27:15:551143 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): Token is NOT friendly.
(Tue Apr 24 12:27:15:551172 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): Trying to switch to friendly to read certificate.
(Tue Apr 24 12:27:15:551205 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): Login required.
(Tue Apr 24 12:27:15:551237 2018) [[sssd[p11_child[24771]]]] [do_work] (0x0020): Login required but no PIN available, continue.
(Tue Apr 24 12:27:15:551941 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): found cert[Sumit Bose (OpenSC Card):Certificate]
                            [CN=Sumit Bose Sumit Bose,E=sbose@redhat.com,UID=sbose,OU=users,DC=redhat,DC=com]
(Tue Apr 24 12:27:15:552007 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): Filtered certificates:
(Tue Apr 24 12:27:15:552042 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): found cert[Sumit Bose (OpenSC Card):Certificate]
                            [CN=Sumit Bose Sumit Bose,E=sbose@redhat.com,UID=sbose,OU=users,DC=redhat,DC=com]
(Tue Apr 24 12:27:15:552097 2018) [[sssd[p11_child[24771]]]] [do_work] (0x0040): Certificate [Sumit Bose (OpenSC Card):Certificate]
                            [CN=Sumit Bose Sumit Bose,E=sbose@redhat.com,UID=sbose,OU=users,DC=redhat,DC=com] not valid 
                            [-8181][Peer's Certificate has expired.], skipping.
(Tue Apr 24 12:27:15:552133 2018) [[sssd[p11_child[24771]]]] [do_work] (0x4000): No certificate found.

Certificate Content

Certificate Content (NSS)

[sbose@p50 ~]$ /usr/lib64/nss/unsupported-tools/pp -t c -i /tmp/bla.der
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 488 (0x1e8)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,OU=prod,O=Red Hat"
        Validity:
            Not Before: Wed Mar 23 11:26:32 2016
            Not After : Fri Mar 23 11:26:32 2018
        Subject: "CN=Sumit Bose Sumit Bose,E=sbose@redhat.com,UID=sbose,OU=us
            ers,DC=redhat,DC=com"
        Subject Public Key Info:
            Public Key Algorithm: PKCS #1 RSA Encryption
            RSA Public Key:
                Modulus:
                    83:df:7c:6b:22:e6:1c:93:10:b0:7e:d3:64:35:d3:ad:
                    c5:f1:f2:d4:bc:66:70:5e:d0:65:39:fe:fd:86:87:28:
                    20:93:93:7f:b8:9a:cc:25:20:ee:fe:98:9d:95:0e:2b:

Certificate Content (OpenSSL)

[sbose@p50 ~]$ openssl x509 -in /tmp/bla.der -inform DER -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 488 (0x1e8)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = Red Hat, OU = prod, CN = Certificate Authority
        Validity
            Not Before: Mar 23 11:26:32 2016 GMT
            Not After : Mar 23 11:26:32 2018 GMT
        Subject: DC = com, DC = redhat, OU = users, UID = sbose,
                   emailAddress = sbose@redhat.com, CN = Sumit Bose Sumit Bose
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:83:df:7c:6b:22:e6:1c:93:10:b0:7e:d3:64:35:
                    d3:ad:c5:f1:f2:d4:bc:66:70:5e:d0:65:39:fe:fd:
                    86:87:28:20:93:93:7f:b8:9a:cc:25:20:ee:fe:98:
                    9d:95:0e:2b:98:05:ad:4b:24:a3:1a:d3:2f:07:41:

Certificate Content (GNUTLS)

[sbose@p50 ~]$ certtool --infile /tmp/bla.der --inder --certificate-info
X.509 Certificate Information:
        Version: 3
        Serial Number (hex): 01e8
        Issuer: CN=Certificate Authority,OU=prod,O=Red Hat
        Validity:
                Not Before: Wed Mar 23 11:26:32 UTC 2016
                Not After: Fri Mar 23 11:26:32 UTC 2018
        Subject: CN=Sumit Bose Sumit Bose,EMAIL=sbose@redhat.com,UID=sbose,
                         OU=users,DC=redhat,DC=com
        Subject Public Key Algorithm: RSA
        Algorithm Security Level: Medium (2048 bits)
                Modulus (bits 2048):
                        00:83:df:7c:6b:22:e6:1c:93:10:b0:7e:d3:64:35:d3
                        ad:c5:f1:f2:d4:bc:66:70:5e:d0:65:39:fe:fd:86:87
                        28:20:93:93:7f:b8:9a:cc:25:20:ee:fe:98:9d:95:0e
                        2b:98:05:ad:4b:24:a3:1a:d3:2f:07:41:44:a1:f2:fb

Certificate Validation

  • Certificate lifetime
  • signature check with CA certificates
  • OCSP
  • openssl
    • openssl verify
    • openssl ocsp
  • GNUTLS
    • certtool
    • ocsptool
  • NSS
    • certutil
    • /usr/lib/nss/unsupported-tools/vfychain
    • /usr/lib/nss/unsupported-tools/ocspclnt

Smartcard authentication

  • certificate must be valid
  • certificate must be signed by a trusted CA
  • verifying the PIN is not enough
    • everybody can create a Smartcard with the (public) certificate and a known PIN
  • private key must sign some random data
    • public key from the certificate must verify the signed data
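The checks on this slide and on the Certificate Validation slide, worked through as an added example (not code from the deck or from SSSD): Go's crypto/x509 stands in for the NSS, OpenSSL and GnuTLS tools, a constructed CA and user certificate stand in for the card, and an ECDSA P-256 key is used instead of the card's RSA key. It runs four login attempts: a genuine card, a cloned card that has the public certificate and a known PIN but not the private key, an expired certificate, and a certificate issued by a CA of the same name that is not trusted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// authenticate applies the deck's checks: certificate lifetime and chain to a
// trusted CA (Verify), then proof of possession over fresh random data. sign
// stands in for the card: it signs the challenge but never hands out the key.
func authenticate(roots *x509.CertPool, cert *x509.Certificate, sign func([]byte) ([]byte, error), now time.Time) error {
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return fmt.Errorf("certificate check: %w", err)
	}
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, err := sign(challenge)
	if err != nil {
		return err
	}
	// Verified with the public key inside the certificate, so a card that only
	// carries a copy of the certificate plus a known PIN fails here.
	return cert.CheckSignature(x509.ECDSAWithSHA256, challenge, sig)
}

// issue signs tmpl for pub with key (self-signed when parent == tmpl); constructed test PKI only.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER we just produced, always parses
	return cert
}

// scenarios uses a constructed CA and user certificate (sample data, not a real card) and reports which cases pass.
func scenarios() map[string]bool {
	now := time.Date(2018, 4, 24, 12, 0, 0, 0, time.UTC)
	newKey := func() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
	caKey, rogueKey, userKey, cloneKey := newKey(), newKey(), newKey(), newKey()
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign, Subject: pkix.Name{CommonName: "Certificate Authority"},
		NotBefore: now.AddDate(-1, 0, 0), NotAfter: now.AddDate(10, 0, 0)}
	ca := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	rogue := issue(caTmpl, caTmpl, &rogueKey.PublicKey, rogueKey) // same name as ca, but not in roots
	userTmpl := &x509.Certificate{SerialNumber: big.NewInt(488), Subject: pkix.Name{CommonName: "Sumit Bose"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		NotBefore: now.AddDate(-2, 0, 0), NotAfter: now.AddDate(0, 1, 0)}
	user := issue(userTmpl, ca, &userKey.PublicKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	// ok models one login attempt with card key k; a real token would demand the PIN before signing.
	ok := func(c *x509.Certificate, k *ecdsa.PrivateKey, at time.Time) bool {
		sign := func(d []byte) ([]byte, error) { h := sha256.Sum256(d); return ecdsa.SignASN1(rand.Reader, k, h[:]) }
		return authenticate(roots, c, sign, at) == nil
	}
	return map[string]bool{
		"genuine":      ok(user, userKey, now),
		"cloned card":  ok(user, cloneKey, now), // has the public certificate (and the PIN), not the key
		"expired":      ok(user, userKey, now.AddDate(0, 2, 0)),
		"untrusted ca": ok(issue(userTmpl, rogue, &userKey.PublicKey, rogueKey), userKey, now),
	}
}

func main() { fmt.Println(scenarios()) }
```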

Smartcard authentication PAM_PKCS11

  • no upstream anymore
  • not ported to OpenSSL-1.1
  • currently still needed for Smartcard authentication for local users
    • SSSD support limited, will be improved

SSSD workflow

Components: pam_sss, sssd_pam, p11_child, sssd_be, krb5_child

Pre-authentication (pam_sss only sends it if /var/lib/sss/pubconf/pam_preauth_available exists):

  • pam_sss → sssd_pam: SSS_PAM_PREAUTH
  • sssd_pam → p11_child: checks for Smartcard and gets certificates
  • sssd_pam: checks if certificate and user matches
  • sssd_pam → sssd_be: SSS_PAM_PREAUTH
  • sssd_be → krb5_child: checks for available authentication methods
  • krb5_child → sssd_be: returns authentication methods
  • sssd_be → sssd_pam → pam_sss: returns authentication methods
  • pam_sss: asks for creds

Authentication:

  • pam_sss → sssd_pam: SSS_PAM_AUTHENTICATE
  • sssd_pam → sssd_be: SSS_PAM_AUTHENTICATE
  • sssd_be → krb5_child: tries to get TGT with given creds
  • krb5_child → sssd_be: returns authentication result
  • sssd_be → sssd_pam → pam_sss: returns authentication result

Smartcard authentication - PKINIT

  • Public Key Cryptography for Initial Authentication in Kerberos
    • RFC 4556, RFC 8062
  • Mutual authentication
    • client certificate and private key from the Smartcard
    • KDC certificate with private key stored on the KDC
  • both certificates might be signed by different CAs,
    both must be trusted

kinit -X 'X509_user_identity=PKCS11:module_name=opensc-pkcs11.so:'\
'token=OpenSC Card (AD.DEVEL Admin):'\
'certid=38DF81B7159F9CC31B5B4CA0B1C4131DE5E93315' user@REALM

To debug use KRB5_TRACE or krb5-pkinit debug build.
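An added example (not from the deck or from MIT krb5) that derives the certid for a kinit line like the one above from the pkcs11: URIs that p11tool printed earlier: the id attribute is the percent-encoded CKA_ID, which pkcs11-tool shows as hex and p11_child as upper-case hex. That kinit's certid is that same upper-case hex string, and that the token label goes into token=, is an assumption taken from the deck's own kinit example. The URI in main is copied from the p11tool output above.

```go
package main

import (
	"encoding/hex"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// parsePKCS11URI splits a pkcs11: URI (RFC 7512) into its path attributes and
// percent-decodes the values; the optional "?query" part is not needed here.
func parsePKCS11URI(uri string) (map[string]string, error) {
	if !strings.HasPrefix(uri, "pkcs11:") {
		return nil, fmt.Errorf("not a pkcs11: URI: %q", uri)
	}
	rest := strings.TrimPrefix(uri, "pkcs11:")
	if i := strings.IndexByte(rest, '?'); i >= 0 {
		rest = rest[:i]
	}
	attrs := map[string]string{}
	for _, kv := range strings.Split(rest, ";") {
		parts := strings.SplitN(kv, "=", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed attribute %q", kv)
		}
		val, err := url.PathUnescape(parts[1]) // %xx decoding only; '+' stays literal
		if err != nil {
			return nil, err
		}
		attrs[parts[0]] = val
	}
	return attrs, nil
}

// certID returns the object's CKA_ID (the id attribute) as upper-case hex, the
// form p11_child prints and that the deck's kinit example passes as certid=.
func certID(uri string) (string, error) {
	attrs, err := parsePKCS11URI(uri)
	if err != nil {
		return "", err
	}
	id, ok := attrs["id"]
	if !ok {
		return "", errors.New("URI has no id attribute")
	}
	return strings.ToUpper(hex.EncodeToString([]byte(id))), nil
}

// kinitIdentity builds the X509_user_identity value in the shape used on the
// PKINIT slide (assumption: token label and certid are taken from the URI).
func kinitIdentity(module, uri string) (string, error) {
	attrs, err := parsePKCS11URI(uri)
	if err != nil {
		return "", err
	}
	id, err := certID(uri)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("PKCS11:module_name=%s:token=%s:certid=%s", module, attrs["token"], id), nil
}

func main() {
	// Copied from the p11tool output earlier in the deck (Object 1, the certificate).
	uri := "pkcs11:model=PKCS%2315;manufacturer=OpenSC%20Project;serial=56561A120E35;" +
		"token=Sumit%20Bose%20%28OpenSC%20Card%29;" +
		"id=%de%9b%76%42%e1%f4%a3%6f%71%35%8d%c5%51%4d%77%1e%5e%6b%d9%d5;object=Certificate;type=cert"
	fmt.Println(kinitIdentity("opensc-pkcs11.so", uri))
}
```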

PKINIT and IPA

PKINIT and krb5.conf

...
[realms]
  IPA.DEVEL = {
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
  }
...

...
[realms]
  AD.DEVEL = {
    # one of the CA bundles must contain the CA
    # which signed the AD DC certificate
    pkinit_anchors = FILE:/var/lib/ipa-client/pki/kdc-ca-bundle.pem
    pkinit_pool = FILE:/var/lib/ipa-client/pki/ca-bundle.pem
    pkinit_kdc_hostname = ad-server.ad.devel
    pkinit_eku_checking = none
  }
...

IPA and certificate mapping

$ ipa certmaprule-add ipa_cert_for_ad_users \
  --maprule='(|(userCertificate;binary={cert!bin})'\
'(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})'\
'(altSecurityIdentities=X509:<I>{issuer_dn!ad_x500}<S>{subject_dn!ad_x500}))' \
  --matchrule='<ISSUER>CN=Certificate Authority,O=REALM.EXAMPLE.COM' \
  --domain=idm.example.com --domain=ad.example.com

IPA and certificate mapping

[root@ipaserver ~]# ipa certmap-match --certificate=MIIHHDCCBVSgAwIB...
--------------
1 user matched
--------------
  Domain: RHEL74.DEVEL
  User logins: ctest
-------------------------------------
Anzahl der zurückgegebenen Einträge 1

IPA and certificate mapping

Anyone can create a certificate which satisfies mapping and matching rules

Make sure you only trust really trusted CAs

Smartcard authentication - gdm

  • gdm has a special Smartcard mode
    • if Smartcard is inserted gdm only asks for a PIN
  • will be enabled with 'authconfig --enable-smartcard ....'
[root@rhel74 ~]# cat /etc/dconf/db/distro.d/10-authconfig 
# Generated by authconfig on 2017/11/03 08:54:23

[org/gnome/login-screen]
enable-fingerprint-authentication=false

[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'

Smartcard authentication (SSH)

Component stack on the local Workstation:

  • Smartcard
  • Smartcard Reader
  • PCSCD
  • PKCS#11 module (OpenSC, Coolkey, ....)
  • ssh client (ssh -I ...., putty-cac)

ssh client → sshd: ssh public key authentication

Remote Server (no access to the Smartcard):

  • sshd
  • allowed public key (~/.ssh/authorized_keys, sss_ssh_authorizedkeys)