> On Mar 17, 2021, at 10:01 PM, Marco Trevisan (Treviño) <email address hidden> wrote:
>
> So, if I didn't get it wrong, if we'd just use /etc/ssl/certs/ca-
> certificates.crt as the SSSD pam certificate in such case would work?
While this would technically work, it would be really bad news. This would allow anyone with any user cert issued by a CA in the system wide cert store (by any CA in the world) to be trusted and pass authorization checks by p11_child. (Albeit, some directory attributes would have to line up, depending on your match rules)
You only want the full chain of the issuing, intermediate and root CA(s) that are authorized to issue certs to users.
Really, going to OpenSSL is a bit of a downgrade. Nssdb, allows one to flag which certs you want to trust, and which certs you don't. There’s no way that I’m aware of to flag a cert in the /etc/sssd/pki/sssd_auth_ca_db.pem to say I trust this cert, but not this other cert.
Perhaps the right fix would be that p11_child is updated upstream to use the system cert store to complete chain of trust, and only the authorized issuing CAs should be put in the /etc/sssd/pki/sssd_auth_ca_db.pem file. Perhaps Summit would be willing to add this config option, for which could be set to default to the system store in Ubuntu in the Ubuntu packages.
This still assumes a user has properly setup the system store to trust corporate root CAs (and intermediate, since there’s no way to differentiate between trusted root vs untrusted supporting certs in the system store in Ubuntu)
> I mean having this in /etc/sssd/sssd.conf
>
> [pam]
> pam_cert_db_path = /etc/ssl/certs/ca-certificates.crt
>
> And then what was into /etc/sssd/pki/sssd_auth_ca_db.pem to be added to
> .crt's under /usr/local/share/ca-certificates/sssd_auth_ca_db/ and
> eventually calling update-ca-certificates maybe?
>
> We could even do the other way around probably, by adding an hook to
> /etc/ca-certificates/update.d/ so that we ensure that /etc/ssl/certs/ca-
> certificates.crt is always in sync with the system ring?
>
>
> As Robie said, we could revert this change but this would not be ideal for various reasons IMHO:
> 1. As you said this is going to be used more and more, and so we'll have to end up to keep supporting
> a growing number of systems with an outdated method that is going to be dropped in future
> (i.e. better to do it now that its usage is limited than having to do it in future when the audience
> is bigger)
> 2. We would like to have a single documented method to have smartcard auth in ubuntu using SSSD that can
> be validated from 20.04 onward and that keep working in future LTSs (and for sure next LTS will have to drop
> NSS anyways, so it's just about delaying a problem making it bigger).
Agreed. We just need something to prevent a user from bricking a system by just applying updates from upstream. This is kind of a high priority issue, given folks I’m sure are upgrading daily. By now this issue is starting to creep into offline synced repos.
> On Mar 17, 2021, at 10:01 PM, Marco Trevisan (Treviño) <email address hidden> wrote:
>
> So, if I didn't get it wrong, if we'd just use /etc/ssl/certs/ca-
> certificates.crt as the SSSD pam certificate in such case would work?
While this would technically work, it would be really bad news. This would allow anyone with any user cert issued by a CA in the system wide cert store (by any CA in the world) to be trusted and pass authorization checks by p11_child. (Albeit, some directory attributes would have to line up, depending on your match rules)
You only want the full chain of the issuing, intermediate and root CA(s) that are authorized to issue certs to users.
Really, going to OpenSSL is a bit of a downgrade. Nssdb, allows one to flag which certs you want to trust, and which certs you don't. There’s no way that I’m aware of to flag a cert in the /etc/sssd/ pki/sssd_ auth_ca_ db.pem to say I trust this cert, but not this other cert.
Perhaps the right fix would be that p11_child is updated upstream to use the system cert store to complete chain of trust, and only the authorized issuing CAs should be put in the /etc/sssd/ pki/sssd_ auth_ca_ db.pem file. Perhaps Summit would be willing to add this config option, for which could be set to default to the system store in Ubuntu in the Ubuntu packages.
This still assumes a user has properly setup the system store to trust corporate root CAs (and intermediate, since there’s no way to differentiate between trusted root vs untrusted supporting certs in the system store in Ubuntu)
> I mean having this in /etc/sssd/sssd.conf certs/ca- certificates. crt pki/sssd_ auth_ca_ db.pem to be added to share/ca- certificates/ sssd_auth_ ca_db/ and ca-certificates maybe? certificates/ update. d/ so that we ensure that /etc/ssl/certs/ca-
>
> [pam]
> pam_cert_db_path = /etc/ssl/
>
> And then what was into /etc/sssd/
> .crt's under /usr/local/
> eventually calling update-
>
> We could even do the other way around probably, by adding an hook to
> /etc/ca-
> certificates.crt is always in sync with the system ring?
>
>
> As Robie said, we could revert this change but this would not be ideal for various reasons IMHO:
> 1. As you said this is going to be used more and more, and so we'll have to end up to keep supporting
> a growing number of systems with an outdated method that is going to be dropped in future
> (i.e. better to do it now that its usage is limited than having to do it in future when the audience
> is bigger)
> 2. We would like to have a single documented method to have smartcard auth in ubuntu using SSSD that can
> be validated from 20.04 onward and that keep working in future LTSs (and for sure next LTS will have to drop
> NSS anyways, so it's just about delaying a problem making it bigger).
Agreed. We just need something to prevent a user from bricking a system by just applying updates from upstream. This is kind of a high priority issue, given folks I’m sure are upgrading daily. By now this issue is starting to creep into offline synced repos.
Karl