Thanks Valters for your verification!

It's always better when someone who didn't commit the fix can help with
it.

I've also done further verification to ensure that the migration happens
as expected, so my sssd.conf was:

[sssd]
enable_files_domain = True
services = pam
certificate_verification = no_ocsp

[certmap/implicit_files/marco]
matchrule = <SUBJECT>.*TRVMRC[A-Z0-9]+/6090010669298009\.YOrY0zOk5CdMby2Z2O/HnVRA8Ao.*

[pam]
pam_cert_auth = True
pam_verbosity = 10
debug_level = 10
#pam_cert_db_path = /etc/ssl/certs/ca-certificates.crt
# pam_cert_db_path = /etc/pki/nssdb
pam_cert_db_path = /etc/pki/nssdb2
ca_db = /etc/pki/nssdb2
#ca_db = /etc/pki/nssdb

With /etc/pki/nssdb2 configured so that it was able to read my reader
and containing the corresponding CA certificate:

$ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
    --nssdb=/etc/pki/nssdb2
(Mon Mar  1 15:16:29:470908 2021) [[sssd[p11_child[70818]]]] [main] (0x0400): p11_child started.
(Mon Mar  1 15:16:29:470980 2021) [[sssd[p11_child[70818]]]] [main] (0x2000): Running in [pre-auth] mode.
(Mon Mar  1 15:16:29:470991 2021) [[sssd[p11_child[70818]]]] [main] (0x2000): Running with effective IDs: [0][0].
(Mon Mar  1 15:16:29:470998 2021) [[sssd[p11_child[70818]]]] [main] (0x2000): Running with real IDs [0][0].
(Mon Mar  1 15:16:31:152580 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Default Module List:
(Mon Mar  1 15:16:31:152668 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Mon Mar  1 15:16:31:152697 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): dll name: [(null)].
(Mon Mar  1 15:16:31:152706 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): common name: [PKCS#11 Kit modules proxy].
(Mon Mar  1 15:16:31:152715 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/p11-kit-proxy.so].
(Mon Mar  1 15:16:31:152724 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Dead Module List:
(Mon Mar  1 15:16:31:152732 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): DB Module List:
(Mon Mar  1 15:16:31:152750 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): common name: [NSS Internal Module].
(Mon Mar  1 15:16:31:152759 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): dll name: [(null)].
(Mon Mar  1 15:16:31:152769 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Description [NSS Internal Cryptographic Services Mozilla Foundation] Manufacturer [Mozilla Foundation] flags [9] removable [false] token present [true].
(Mon Mar  1 15:16:31:152818 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Description [NSS User Private Key and Certificate Services Mozilla Foundation] Manufacturer [Mozilla Foundation] flags [1] removable [false] token present [true].
(Mon Mar  1 15:16:31:153898 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Description [VMware Virtual USB CCID 00 00 VMware] Manufacturer [VMware] flags [7] removable [true] token present [true].
(Mon Mar  1 15:16:31:153949 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Found [MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 00][16] of module [2][/usr/lib/x86_64-linux-gnu/p11-kit-proxy.so].
(Mon Mar  1 15:16:31:153976 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Token is NOT friendly.
(Mon Mar  1 15:16:31:153995 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Trying to switch to friendly to read certificate.
(Mon Mar  1 15:16:31:154029 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Login required.
(Mon Mar  1 15:16:31:154041 2021) [[sssd[p11_child[70818]]]] [do_card] (0x0020): Login required but no PIN available, continue.
(Mon Mar  1 15:16:31:170652 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): found cert[MARCO TREVISAN (PIN CNS0):CNS0][SN=TREVISAN,givenName=MARCO,CN="TRVMRC85T31A851Y/6090010669298009.YOrY0zOk5CdMby2Z2O/HnVRA8Ao=",OU=REGIONE TOSCANA,O=Actalis S.p.A.,C=IT]
(Mon Mar  1 15:16:31:170710 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Filtered certificates:
(Mon Mar  1 15:16:31:170725 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): found cert[MARCO TREVISAN (PIN CNS0):CNS0][SN=TREVISAN,givenName=MARCO,CN="TRVMRC85T31A851Y/6090010669298009.YOrY0zOk5CdMby2Z2O/HnVRA8Ao=",OU=REGIONE TOSCANA,O=Actalis S.p.A.,C=IT]
(Mon Mar  1 15:16:31:170776 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): module uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1.
(Mon Mar  1 15:16:31:170847 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): token uri: pkcs11:token=MARCO%20TREVISAN%20(PIN%20CNS0);manufacturer=IC:%20STMicroelectronics%3B%20mask:...;serial=6090010669298009;model=PKCS%2315%20emulated.
(Mon Mar  1 15:16:31:287477 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so (null) MARCO TREVISAN (PIN CNS0) (null) (null).
(Mon Mar  1 15:16:31:678018 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): Found certificate has key id [01].
(Mon Mar  1 15:16:31:684142 2021) [[sssd[p11_child[70818]]]] [do_card] (0x4000): uri: pkcs11:token=MARCO%20TREVISAN%20(PIN%20CNS0);manufacturer=IC:%20STMicroelectronics%3B%20mask:...;serial=6090010669298009;model=PKCS%2315%20emulated;library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1;object=CNS0;type=cert;slot-manufacturer=VMware;slot-description=VMware%20Virtual%20USB%20CCID%2000%2000;slot-id=16;id=%01.
MARCO TREVISAN (PIN CNS0)
/usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
01
CNS0
MIIFrDCCBJSgAwIBAgIDNDXMMA0GCSqGSIb3DQEBBQUAMHMx
[...CERTIFICATE...]
f2vVnVMaAJXrmJWvreJrFPb+bCuEDqaubg7kpr+21TbMLQDOusKm66LAhOV4cIrLf5zlCTk7aP3/GszTXcFQ==


So dist-upgrading...

Configurazione di sssd-common (2.2.3-3ubuntu0.4)...
Installazione della nuova versione del file di configurazione /etc/apparmor.d/usr.sbin.sssd...
Importing /etc/pki/nssdb2 CA certificates to /etc/sssd/pki/sssd_auth_ca_db.pem
Found CA certificate Certificate WITH TRAILING spacesss    
Found CA certificate Certificate with lots o    of spacesss and invalid value
Certificate Certificate with lots o    of spacesss and invalid value is not a trusted CA certificate, ignoring
Found CA certificate Certificate with lots o    of spacesss
Found CA certificate Regione_Toscana_-_CA_Cittadini__Servizi_di_Certificazione_Actalis_S.p.A._IT
Found CA certificate Regione_Siciliana_Certification_Authority_Cittadini_Virtuale__Servizi_di_certificazione_Actalis_S.p.A._IT
[ ... more imported ... ]
Disabling sssd.conf setting using invalid value: 'ca_db'
Disabling sssd.conf setting using invalid value: 'pam_cert_db_path'

Once installation was done, my sssd.conf file was:

[sssd]
enable_files_domain = True
services = pam
certificate_verification = no_ocsp

[certmap/implicit_files/marco]
matchrule = <SUBJECT>.*TRVMRC[A-Z0-9]+/6090010669298009\.YOrY0zOk5CdMby2Z2O/HnVRA8Ao.*

[pam]
pam_cert_auth = True
pam_verbosity = 10
debug_level = 10
#pam_cert_db_path = /etc/ssl/certs/ca-certificates.crt
# pam_cert_db_path = /etc/pki/nssdb
#pam_cert_db_path = /etc/pki/nssdb2
#ca_db = /etc/pki/nssdb2
#ca_db = /etc/pki/nssdb


And launching the p11_child completes with:

$ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
    --nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem
(Mon Mar  1 15:19:57:675490 2021) [p11_child[71877]] [main] (0x0400): p11_child started.
(Mon Mar  1 15:19:57:675598 2021) [p11_child[71877]] [main] (0x2000): Running in [pre-auth] mode.
(Mon Mar  1 15:19:57:675610 2021) [p11_child[71877]] [main] (0x2000): Running with effective IDs: [0][0].
(Mon Mar  1 15:19:57:675630 2021) [p11_child[71877]] [main] (0x2000): Running with real IDs [0][0].
(Mon Mar  1 15:19:59:671859 2021) [p11_child[71877]] [do_card] (0x4000): Module List:
(Mon Mar  1 15:19:59:671916 2021) [p11_child[71877]] [do_card] (0x4000): common name: [p11-kit-trust].
(Mon Mar  1 15:19:59:671930 2021) [p11_child[71877]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(Mon Mar  1 15:19:59:671969 2021) [p11_child[71877]] [do_card] (0x4000): Description [/etc/ssl/certs/ca-certificates.crt PKCS#11 Kit] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
(Mon Mar  1 15:19:59:672005 2021) [p11_child[71877]] [do_card] (0x4000): common name: [opensc-pkcs11].
(Mon Mar  1 15:19:59:672018 2021) [p11_child[71877]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
(Mon Mar  1 15:19:59:675925 2021) [p11_child[71877]] [do_card] (0x4000): Description [VMware Virtual USB CCID 00 00 VMware] Manufacturer [VMware] flags [7] removable [true] token present [true].
(Mon Mar  1 15:19:59:679220 2021) [p11_child[71877]] [do_card] (0x4000): Found [MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 00][0] of module [1][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
(Mon Mar  1 15:19:59:679258 2021) [p11_child[71877]] [do_card] (0x4000): Login NOT required.
(Mon Mar  1 15:19:59:679448 2021) [p11_child[71877]] [read_certs] (0x4000): found cert[CNS0][/C=IT/O=Actalis S.p.A./OU=REGIONE TOSCANA/CN=TRVMRC85T31A851Y/6090010669298009.YOrY0zOk5CdMby2Z2O/HnVRA8Ao=/GN=MARCO/SN=TREVISAN]
(Mon Mar  1 15:19:59:679733 2021) [p11_child[71877]] [do_ocsp] (0x4000): Using OCSP URL [http://ocsp02.actalis.it/VA/CNS_RTO].
(Mon Mar  1 15:19:59:813955 2021) [p11_child[71877]] [do_ocsp] (0x4000): Nonce in OCSP response is the same as the one used in the request.
(Mon Mar  1 15:19:59:814198 2021) [p11_child[71877]] [do_ocsp] (0x4000): OCSP check was successful.
(Mon Mar  1 15:19:59:814247 2021) [p11_child[71877]] [do_card] (0x4000): (null) /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so (null) MARCO TREVISAN (PIN CNS0) (null) 01.
(Mon Mar  1 15:19:59:814305 2021) [p11_child[71877]] [do_card] (0x4000): uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.20;slot-description=VMware%20Virtual%20USB%20CCID%2000%2000;slot-manufacturer=VMware;slot-id=0;model=PKCS%2315%20emulated;manufacturer=IC%3A%20STMicroelectronics%3B%20mask%3A...;serial=6090010669298009;token=MARCO%20TREVISAN%20%28PIN%20CNS0%29%00%00%00%00%00%00%00;id=%01;object=CNS0;type=cert.
(Mon Mar  1 15:19:59:814324 2021) [p11_child[71877]] [do_card] (0x4000): Found certificate has key id [01].
MARCO TREVISAN (PIN CNS0)
/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
01
CNS0
MIIFrDCCBJ
[ ...CERTIFICATE... ]
66LAhOV4cIrLf5zlCTk7aP3/GszTXcFQ==

So, all green!
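The migration output above shows the post-install step walking the old NSS database, keeping the entries it considers trusted CAs and ignoring the rest, with nicknames that carry trailing or repeated spaces. The following is an added Python model of that step, not the sssd package's own postinst script: it parses a `certutil -L` listing (the listing below is constructed, its nicknames mirror the odd ones in the log), applies a trust-flag criterion stated as an assumption in the code, and builds the `certutil -L -n <nick> -a` commands that print each kept certificate in PEM form. All function names (`parse_certutil_listing`, `select_trusted_cas`, `export_trusted_cas`, ...) are hypothetical.

```python
import re
import subprocess

# Constructed `certutil -L -d sql:/etc/pki/nssdb2` listing, not real output from
# the bug; the nicknames mirror the odd ones the migration log reports
# (trailing spaces, runs of inner spaces, a non-CA entry that must be ignored).
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Certificate WITH TRAILING spacesss                           CT,C,C
Certificate with lots o    of spacesss and invalid value     ,,
Certificate with lots o    of spacesss                       C,,
Regione_Toscana_-_CA_Cittadini__Servizi_di_Certificazione_Actalis_S.p.A._IT CT,C,C
MARCO TREVISAN (PIN CNS0):CNS0                               u,u,u
"""

# One certutil trust field: any combination of the documented flag letters.
_TRUST_FIELD = r"[CTcpPuw]*"
TRUST_RE = re.compile(r"^(%s),(%s),(%s)$" % ((_TRUST_FIELD,) * 3))


def parse_certutil_listing(text):
    """Return [(nickname, trust_flags)] from a `certutil -L` listing.

    certutil pads the nickname column with spaces, so the only safe split is
    at the last space before the trust-flags token; everything before it
    (inner spaces included) is the nickname. Trailing spaces that are really
    part of the nickname are indistinguishable from the padding and are lost
    here, which is exactly the edge case the migration log exercised.
    """
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if (not stripped or stripped.startswith("Certificate Nickname")
                or stripped == "SSL,S/MIME,JAR/XPI"):
            continue
        nickname, _, flags = line.rstrip().rpartition(" ")
        if not nickname or not TRUST_RE.match(flags):
            continue  # not a nickname/trust-flags row; skip rather than guess
        entries.append((nickname.rstrip(), flags))
    return entries


def is_trusted_ca(flags):
    """Assumption used in this example: a cert is a trusted CA when its SSL
    trust field (the first of the three) carries C (trusted CA) or T (trusted
    CA for client auth) and is not marked p (prohibited)."""
    ssl_trust = flags.split(",")[0]
    return ("C" in ssl_trust or "T" in ssl_trust) and "p" not in ssl_trust


def select_trusted_cas(entries):
    """Split entries into (kept, ignored) nicknames, the distinction the
    migration output makes between 'Found CA certificate ...' and
    '... is not a trusted CA certificate, ignoring'."""
    kept, ignored = [], []
    for nickname, flags in entries:
        (kept if is_trusted_ca(flags) else ignored).append(nickname)
    return kept, ignored


def export_command(nssdb_dir, nickname):
    """argv that prints one certificate from the NSS DB in PEM form."""
    return ["certutil", "-L", "-d", "sql:" + nssdb_dir, "-n", nickname, "-a"]


def export_trusted_cas(nssdb_dir, out_path):
    """Run certutil for real: list the DB, keep trusted CAs, append their PEM
    to out_path. Only called from the __main__ block, so the parsing above
    stays testable without an NSS database on the machine."""
    listing = subprocess.run(["certutil", "-L", "-d", "sql:" + nssdb_dir],
                             check=True, capture_output=True, text=True).stdout
    kept, ignored = select_trusted_cas(parse_certutil_listing(listing))
    for nickname in ignored:
        print("Certificate %s is not a trusted CA certificate, ignoring" % nickname)
    with open(out_path, "a") as out:
        for nickname in kept:
            print("Found CA certificate %s" % nickname)
            pem = subprocess.run(export_command(nssdb_dir, nickname),
                                 check=True, capture_output=True, text=True).stdout
            out.write(pem)
    return kept


if __name__ == "__main__":
    # Paths taken from the migration log above; needs root and certutil.
    export_trusted_cas("/etc/pki/nssdb2", "/etc/sssd/pki/sssd_auth_ca_db.pem")
```

The parser deliberately refuses rows whose trailing token does not look like a trust-flags triple instead of guessing a nickname; a nickname that genuinely ends in spaces cannot be recovered from the padded listing, so such an entry has to be re-exported by hand after the migration.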

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to ca-certificates in Ubuntu.
https://bugs.launchpad.net/bugs/1905790

Title:
  Make SSSD in 20.04 using OpenSSL and p11-kit (instead of NSS) for
  p11_child

Status in ca-certificates package in Ubuntu:
  New
Status in sssd package in Ubuntu:
  Fix Released
Status in ca-certificates source package in Focal:
  New
Status in sssd source package in Focal:
  Fix Released

Bug description:
  [ Impact ]

  In 20.04, SSSD supports two security backends: NSS and OpenSSL
  (speaking in the past tense, as upstream dropped NSS support completely).

  Those two backends are used for various generic crypto features (so
  they are interchangeable), but also for the management of the PKCS#11
  modules for smart cards.

  In this case, the main problem is that by using NSS it also relies on
  the presence of a "system NSS" database [1], which is something present
  in Fedora and RHEL, but not in Ubuntu or generic Linux distributions.

  In order to make SSSD find a smart card module, we would then need to
  create such a database that mentions a p11-kit proxy, which will
  eventually load the p11-kit module, and then add the card CA certificate
  to the same DB (see more details in [2]).
  And even in such a case... it will not work at login phase.

  This is making support for Smart-card based authentication in 20.04
  quite complicated, and hard to implement in professional environments
  (see bug #1865226).

  As per this, recompiling SSSD's p11_child to use OpenSSL (as already
  happens starting from 20.10) would be enough to make this tool (the one
  in charge of smartcard authentication and certificate matching) able to
  get the smartcard devices from the p11-kit allowed modules and to check
  their certificates using the CA certificates in the Ubuntu system CA
  certificate file (or another configured file).

  One more major reason to do this is that if we fix 20.04 now to use the
  "proper" method, people who will configure smartcard access there via
  SSSD (not easily possible right now) won't be affected by future
  migrations.

  
  [ Proposed Implementations ]

  1) Use p11-kit and openssl for p11_child, by changing the build/test
     system (preferred)
     https://salsa.debian.org/3v1n0-guest/sssd/-/commits/p11-kit-p11_child

  2) Build both versions and package things accordingly (hackish)
     https://salsa.debian.org/3v1n0-guest/sssd/-/commits/p11-kit-p11_child-v1

  3) Recompile SSSD completely to use libcrypto as backend

  Option 3) has finally been chosen, but we also require migration
  scripts on upgrade.

  
  [ Test case ]

  With a smartcard reader available (and with a card in its slot) as
  reported by:
   $ p11-kit list-modules

  launch:
   $ sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
     --nssdb=/etc/ssl/certs/ca-certificates.crt

  The tool should find your card:

  (2020-11-26 21:34:22:020395): [p11_child[100729]] [do_card] (0x4000): Module List:
  (2020-11-26 21:34:22:020481): [p11_child[100729]] [do_card] (0x4000): common name: [p11-kit-trust].
  (2020-11-26 21:34:22:020497): [p11_child[100729]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
  (2020-11-26 21:34:22:020569): [p11_child[100729]] [do_card] (0x4000): Description [/etc/ssl/certs/ca-certificates.crt PKCS#11 Kit] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
  (2020-11-26 21:34:22:020611): [p11_child[100729]] [do_card] (0x4000): common name: [opensc-pkcs11].
  (2020-11-26 21:34:22:020646): [p11_child[100729]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
  (2020-11-26 21:34:22:025443): [p11_child[100729]] [do_card] (0x4000): Description [VMware Virtual USB CCID 00 00 VMware] Manufacturer [VMware] flags [7] removable [true] token present [true].
  (2020-11-26 21:34:22:025725): [p11_child[100729]] [do_card] (0x4000): Found [MARCO TREVISAN (PIN CNS0)] in slot [VMware Virtual USB CCID 00 00][0] of module [1][/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].

  Then:
   1) If you previously configured SSSD match rules and/or CA certificates:
      - You should still get your certificate public key printed as output
      - Configured login with smartcard should continue working

   2) If SSSD was not configured to do smartcard authentication:
      - p11_child may fail if the card certificate was not previously added to
        the trusted DB, but this is outside of this test case.
      - What matters is that the card is found.

  [ Regression potential ]

  While the change may involve quite different code paths when it comes
  to security features, I think we trust OpenSSL enough to be an
  acceptable crypto backend for PKCS#11 operations. Behavior should not
  change, also assuming that upstream dropped NSS support completely in
  the latest release [3], keeping the same functionalities.

  As per a further review of this by xnox [4], we can safely assume that
  SSSD does not use libcrypto for operations where its behavior should
  differ from NSS, as it's needed only for certificate handling.

  The only binary that is really affected in its behavior is p11_child
  (as per p11-kit usage instead of NSS for getting PKCS#11 modules).

  So this change will break only those setups (if there are any, given
  that smartcard access is currently not supported by Ubuntu) that have
  been manually configured using an unsupported system NSS db.

  While we're providing a post-install script that migrates the possibly
  configured NSS CA certificates, there could still be possible
  regressions:

  1) certificates not being handled (referenced) in the same way, for
     example in the SSSD certmap: the mapping between users and their
     certificate could change, so that a user is no longer able to access
     the system because they are not correctly associated with a
     certificate.

     -> This can be fixed by adapting the [certmap/*/*] options in
        sssd.conf

  2) custom p11-kit modules configured as allowed in the NSS database and
     not recognized by p11-kit won't be accepted anymore, so again login
     won't work as p11_child won't find a module.

     -> Modules can be added by creating .module files in
        /usr/share/p11-kit/modules/

  So 1) can be the major concern here, even though I assume the few
  custom installations that there might be around can be adapted to
  this; in case this proves to be an important regression we can go back
  to using NSS as backend for libsss_certs, but still using p11-kit +
  openssl for p11_child.

  Instead, 2) is a lesser problem to handle: in case of a regression we
  can think of listing all the modules added to the NSS database and, if
  any, generate a module file for each, but I'd prefer to avoid this
  unless needed as we should trust them.

  Having said this, given the fact that there are probably no known
  implementations using this system for authentication in Ubuntu, I'm
  confident that we can accept those two regressions as they are, while
  being prepared to handle them (as described) if they end up being real
  concerns.

  [1] https://github.com/SSSD/sssd/blob/sssd-2_3_1/src/responder/pam/pamsrv.c#L53
  [2] https://hackmd.io/@3v1n0/ubuntu-smartcard-login#NSS-Database-to-be-deprecated-post-2004
  [3] https://github.com/SSSD/sssd/issues/1041
  [4] https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1905790/comments/10
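Regression 1) in the description concerns certmap rules that depend on how the subject DN is rendered, and the two p11_child runs in the comment above show the same certificate's subject in two forms: `SN=TREVISAN,givenName=MARCO,CN=...,C=IT` under the NSS build and `/C=IT/O=.../CN=.../GN=MARCO/SN=TREVISAN` under the OpenSSL build. The following added Python example, not part of the bug report or of SSSD, evaluates a `<SUBJECT>` matchrule against both renderings, using Python's `re` as a stand-in for libsss_certmap (which uses POSIX extended regexes and its own DN normalisation, so this is a model of the check, not the library). The two subject strings and `RULE_FROM_BUG` are taken from the logs above; `RULE_ORDER_DEPENDENT` and all function names are constructed for illustration.

```python
import re

# Subject strings as the two p11_child builds printed them in the bug's
# logs: the NSS build rendered the DN comma-separated with the most specific
# RDN first, the OpenSSL build slash-separated with the country first.
SUBJECT_NSS = (
    "SN=TREVISAN,givenName=MARCO,"
    'CN="TRVMRC85T31A851Y/6090010669298009.YOrY0zOk5CdMby2Z2O/HnVRA8Ao=",'
    "OU=REGIONE TOSCANA,O=Actalis S.p.A.,C=IT"
)
SUBJECT_OPENSSL = (
    "/C=IT/O=Actalis S.p.A./OU=REGIONE TOSCANA"
    "/CN=TRVMRC85T31A851Y/6090010669298009.YOrY0zOk5CdMby2Z2O/HnVRA8Ao="
    "/GN=MARCO/SN=TREVISAN"
)

# The matchrule from the sssd.conf shown in the bug comment: it pins the
# value that identifies the card holder, not the attribute order.
RULE_FROM_BUG = (r"<SUBJECT>.*TRVMRC[A-Z0-9]+/6090010669298009"
                 r"\.YOrY0zOk5CdMby2Z2O/HnVRA8Ao.*")
# A hypothetical rule (constructed, not from the bug) that instead anchors
# on the NSS ordering and attribute spelling.
RULE_ORDER_DEPENDENT = r"<SUBJECT>^SN=TREVISAN,givenName=MARCO,.*"


def parse_matchrule(rule):
    """Split '<SUBJECT>regex' or '<ISSUER>regex' into (component, regex)."""
    m = re.match(r"<(SUBJECT|ISSUER)>(.*)$", rule, re.DOTALL)
    if m is None:
        raise ValueError("unsupported matchrule syntax: %r" % rule)
    return m.group(1), m.group(2)


def subject_matches(rule, subject):
    """Model of the certmap check: the rule's regex is searched in the
    rendered subject string (Python re here, POSIX ERE in libsss_certmap)."""
    component, regex = parse_matchrule(rule)
    if component != "SUBJECT":
        raise ValueError("this example only evaluates <SUBJECT> rules")
    return re.search(regex, subject) is not None


def check_rule_portability(rule):
    """Evaluate one rule against both renderings of the same subject."""
    return {
        "nss": subject_matches(rule, SUBJECT_NSS),
        "openssl": subject_matches(rule, SUBJECT_OPENSSL),
    }


def audit_certmap(rules):
    """Return the rules that match under one backend but not the other:
    the ones that would silently stop mapping a user after the upgrade."""
    return [r for r in rules
            if len(set(check_rule_portability(r).values())) > 1]


if __name__ == "__main__":
    rules = [RULE_FROM_BUG, RULE_ORDER_DEPENDENT]
    for rule in rules:
        print(rule, check_rule_portability(rule))
    print("rules needing attention:", audit_certmap(rules))
```

The point of the two rules is the mitigation for regression 1): a rule that matches on the identifying value inside the CN survives the change of DN rendering, while one that encodes the attribute order or the `givenName` spelling matches only under the NSS build and would need the `[certmap/*/*]` adjustment the description mentions.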


-- 
Mailing list: https://launchpad.net/~touch-packages
