Great! This should be easy for me to test, and I’d be happy to do so.
I may be able to do a regression test to make sure the automated NSSDB -> openssl upgrade works as well. This would mean however that the upgrade would need to drop the appropriate sssd.conf.d to configure the partial_chain config option on upgrade.
I assume partial_chain will work even if the full chain is present?
Karl
> On Mar 28, 2021, at 4:15 PM, Marco Trevisan (Treviño) <email address hidden> wrote:
>
> So, I've done some work on SSSD upstream to make this to happen:
> https://github.com/SSSD/sssd/pull/5558
>
> With that we'll just be able to set on upgraders the option
> `certification_verification = partial_chain`, and this will just make
> the SSSD's PEM ring to work as the NSS db used to work: and so verify a
> certificate if its only its issuer is in the SSSD's CA certificates DB.
>
> This comes with unit tests covering the case with generated
> certificates, not sure if I can personally test this with real hardware
> (for SRU purposes) though... We may still need to simulate it.
>
> At the end, it's just as doing:
> openssl verify -partial_chain -CAfile intermediate_CA.pem intermediate_CA_issued_cert.pem
>
> Karl, will this be enough for you?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1919563
>
> Title:
> updated sssd with smart cards now brick systems without full cert
> chain
>
> Status in sssd package in Ubuntu:
> New
>
> Bug description:
> With the latest sssd release supporting OpenSSL PKI authentication for
> Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely
> affected many systems which are configured for PKI only
> authentication.
>
> The NSSDB implementation of sssd/p11_child ONLY requires the issuing
> certificate to be populated to the nssdb and marked as trusted. While
> this may be considered a poorly configured system, it is still
> technically valid.
>
> The OpenSSL implementation of the sssd/p11_child requires the FULL
> cert chain to the root cert (which is then also trusted by the system
> root chain) in order to allow a certificate to authenticate.
>
> By upgrading to the latest packages, the conversion process from nssdb
> to the OpenSSL pam file fails to check the chain of trust, thereby
> creating a denial of service for some systems configured to require
> smart card/PKI authentication in the pam stack via pam_sss and
> require_cert_auth flag.
>
> Note that this is a popular configuration due to many organizations
> are required to follow NIST 800-171 (and other) security derived
> policy. Often policy requires PKI based authentication to be enforced
> and all other authentication methods disabled.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563/+subscriptions
Marco,
Great! This should be easy for me to test, and I’d be happy to do so.
I may be able to do a regression test to make sure the automated NSSDB -> openssl upgrade works as well. This would mean however that the upgrade would need to drop the appropriate sssd.conf.d to configure the partial_chain config option on upgrade.
I assume partial_chain will work even if the full chain is present?
Karl
> On Mar 28, 2021, at 4:15 PM, Marco Trevisan (Treviño) <email address hidden> wrote: /github. com/SSSD/ sssd/pull/ 5558 verification = partial_chain`, and this will just make CA_issued_ cert.pem /bugs.launchpad .net/bugs/ 1919563 /bugs.launchpad .net/ubuntu/ +source/ sssd/+bug/ 1919563/ +subscriptions
>
> So, I've done some work on SSSD upstream to make this to happen:
> https:/
>
> With that we'll just be able to set on upgraders the option
> `certification_
> the SSSD's PEM ring to work as the NSS db used to work: and so verify a
> certificate if its only its issuer is in the SSSD's CA certificates DB.
>
> This comes with unit tests covering the case with generated
> certificates, not sure if I can personally test this with real hardware
> (for SRU purposes) though... We may still need to simulate it.
>
> At the end, it's just as doing:
> openssl verify -partial_chain -CAfile intermediate_CA.pem intermediate_
>
> Karl, will this be enough for you?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https:/
>
> Title:
> updated sssd with smart cards now brick systems without full cert
> chain
>
> Status in sssd package in Ubuntu:
> New
>
> Bug description:
> With the latest sssd release supporting OpenSSL PKI authentication for
> Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely
> affected many systems which are configured for PKI only
> authentication.
>
> The NSSDB implementation of sssd/p11_child ONLY requires the issuing
> certificate to be populated to the nssdb and marked as trusted. While
> this may be considered a poorly configured system, it is still
> technically valid.
>
> The OpenSSL implementation of the sssd/p11_child requires the FULL
> cert chain to the root cert (which is then also trusted by the system
> root chain) in order to allow a certificate to authenticate.
>
> By upgrading to the latest packages, the conversion process from nssdb
> to the OpenSSL pam file fails to check the chain of trust, thereby
> creating a denial of service for some systems configured to require
> smart card/PKI authentication in the pam stack via pam_sss and
> require_cert_auth flag.
>
> Note that this is a popular configuration due to many organizations
> are required to follow NIST 800-171 (and other) security derived
> policy. Often policy requires PKI based authentication to be enforced
> and all other authentication methods disabled.
>
> To manage notifications about this bug go to:
> https:/