SSSD / sssd

A daemon to manage identity, authentication and authorization for centrally-managed systems.
https://sssd.io
GNU General Public License v3.0

smartcard login fails when network disconnected #6601

Open walterrowe opened 1 year ago

walterrowe commented 1 year ago

Here is our configuration.

Here is what we experience:

Here is our sssd.conf (in ansible jinja2 template format to hide our actual AD domain name):

[sssd]
config_file_version = 2
default_domain_suffix = {{ realm_dom }}
domains = {{ realm_dom }}
full_name_format = %1$s
services = nss, pam, ssh

[domain/{{ realm_dom }}]
access_provider = ad
ad_domain = {{ realm_dom }}
ad_enabled_domains = {{ realm_dom }}
ad_gpo_access_control = permissive
cache_credentials = True
default_shell = /bin/bash
fallback_homedir = /home/%uid
id_provider = ad
krb5_realm = {{ realm_dom }}
krb5_store_password_if_offline = True
ldap_id_mapping = False
ldap_sasl_authid = {{ inventory_hostname_short }}$
realmd_tags = manages-system joined-with-samba
override_homedir = /home/%u
use_fully_qualified_names = True

[certmap/{{ realm_dom }}/rule_name]
matchrule = <SAN:ntPrincipalName>.*@XXX\.XXX
maprule = (ourADAttribute={subject_nt_principal})

[pam]
pam_cert_auth = True

alexey-tikhonov commented 1 year ago

id_provider = ad

In this case smart card auth (PKInit) is performed by AD, not by SSSD.

Smartcard login fails when network is disconnected.

So SSSD cache won't help here and offline auth doesn't work. This is different as compared with password based auth, where SSSD caches hash of a password from successful attempt and later can compare hashes.

walterrowe commented 1 year ago

With attribute mapping (certmap) enabled shouldn't it be able to map the smartcard to a cached AD user object?

We are mapping from a smartcard attribute to a custom AD user object attribute. Does the cache include the entire user Object or only the core AD user object attributes?

macOS and Windows can do this. Linux should be able to do this.

alexey-tikhonov commented 1 year ago

That's not a matter of mapping (user object is cached). That's a question who performs verification that smart card really holds a private key for a certificate it presents. For a case "smart card auth of local users" this is done by SSSD itself, for IPA/AD users this is done by KDC, using PKINIT, to obtain TGT as well.

sumit-bose commented 1 year ago

Hi,

@alexey-tikhonov, if offline SSSD should fall back to local Smartcard authentication, even for remote users.

@walterrowe, was the Smartcard used once for successful online authentication before trying offline authentication?

bye, Sumit

sumit-bose commented 1 year ago

Hi,

@walterrowe, do your certificates have OCSP information? If yes, OCSP most probably won't work when offline and you have to use no_ocsp or soft_ocsp with the certificate_verification option, see man sssd.conf for details.

bye, Sumit

alexey-tikhonov commented 1 year ago

@alexey-tikhonov, if offline SSSD should fall back to local Smartcard authentication, even for remote users.

How would SSSD be able to obtain TGT automatically when back online in this case?

sumit-bose commented 1 year ago

@alexey-tikhonov, if offline SSSD should fall back to local Smartcard authentication, even for remote users.

How would SSSD be able to obtain TGT automatically when back online in this case?

Hi,

this of course won't work. But this is not enabled by default even for password and the option name krb5_store_password_if_offline indicates that this would only work for passwords.

bye, Sumit

jimmyg20794 commented 1 year ago

I work with Walter and we do have OCSP URLs built into our certificates which are provided by a 3rd-party. They are linked to a private entity via a Federal PKI.

I tested the soft_ocsp setting and could not get the system to authenticate via smartcard until either no_ocsp or no_verification was used for certificate verification. This clearly isn't optimal when using a laptop or not being connected to any network upon boot.

Sumit - To your point, the system wasn't 'on-line' (ie: connected to our corporate network) upon configuration and implementation.

Jim Graham

alexey-tikhonov commented 1 year ago

I tested the soft_ocsp setting and could not get the system to authenticate via smartcard until either no_ocsp or no_verification was used for certificate verification.

You might hit https://bugzilla.redhat.com/show_bug.cgi?id=2053153

You can check if increase of p11_child_timeout helps ([pam] section of sssd.conf)
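
The thread touches several sssd.conf settings that decide whether smart-card login can succeed with no network (pam_cert_auth, certificate_verification with soft_ocsp/no_ocsp, p11_child_timeout, cache_credentials and a certmap rule for the domain). The following script is an added example, not SSSD project code: it parses an sssd.conf with Python's configparser and reports which of those settings would block an offline attempt. The sample config and the hardened variant are constructed, `example.test` stands in for the real AD domain, and the function names are my own. It reads certificate_verification from the [sssd] section first (where man sssd.conf documents it) and falls back to [pam].

```python
"""Audit an sssd.conf for options that affect offline smart-card login.

Added example (not from the SSSD project). Constructed sample config below
mirrors the one in the issue with a placeholder domain.
"""
import configparser
from typing import Dict, List

# Constructed sample config; 'example.test' is a placeholder domain name.
SAMPLE_CONF = """
[sssd]
config_file_version = 2
domains = example.test
services = nss, pam, ssh
full_name_format = %1$s

[domain/example.test]
id_provider = ad
access_provider = ad
cache_credentials = True
krb5_store_password_if_offline = True

[certmap/example.test/rule_name]
matchrule = <SAN:ntPrincipalName>.*@EXAMPLE\\.TEST
maprule = (ourADAttribute={subject_nt_principal})

[pam]
pam_cert_auth = True
"""

# Same config with the two changes the thread suggests for the offline case.
HARDENED_CONF = SAMPLE_CONF.replace(
    "[pam]\npam_cert_auth = True",
    "[pam]\npam_cert_auth = True\np11_child_timeout = 60\n"
    "certificate_verification = soft_ocsp",
)


def parse_sssd_conf(text: str) -> configparser.ConfigParser:
    # sssd.conf is INI-like; interpolation is off so values such as
    # '%1$s' and '{subject_nt_principal}' are kept verbatim.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("true", "yes", "1")


def audit_offline_smartcard(cp: configparser.ConfigParser) -> Dict[str, object]:
    """Return {'ok': bool, 'findings': [...]} for offline smart-card readiness."""
    findings: List[str] = []
    pam = cp["pam"] if cp.has_section("pam") else {}

    if not _is_true(pam.get("pam_cert_auth", "false")):
        findings.append("pam_cert_auth is not enabled; PAM smart-card auth is off")

    # certificate_verification: [sssd] is the documented place, [pam] as fallback.
    verification = ""
    for sec in ("sssd", "pam"):
        if cp.has_option(sec, "certificate_verification"):
            verification = cp.get(sec, "certificate_verification")
            break
    tokens = {t.strip() for t in verification.split(",") if t.strip()}
    if not tokens & {"no_ocsp", "soft_ocsp", "no_verification"}:
        findings.append("certificate_verification does not relax OCSP; "
                        "offline OCSP lookups will fail (soft_ocsp or no_ocsp)")
    if "no_verification" in tokens:
        findings.append("no_verification disables certificate checks entirely")

    if pam.get("p11_child_timeout") is None:
        findings.append("p11_child_timeout not set; raise it if slow OCSP "
                        "lookups make p11_child time out")

    for dom in (s for s in cp.sections() if s.startswith("domain/")):
        if not _is_true(cp[dom].get("cache_credentials", "false")):
            findings.append(f"{dom}: cache_credentials is off; no offline auth")
        name = dom.split("/", 1)[1]
        if not any(s.startswith(f"certmap/{name}/") for s in cp.sections()):
            findings.append(f"{dom}: no certmap rule; cert cannot map to a user")

    return {"ok": not findings, "findings": findings}


if __name__ == "__main__":
    for label, conf in (("sample", SAMPLE_CONF), ("hardened", HARDENED_CONF)):
        result = audit_offline_smartcard(parse_sssd_conf(conf))
        print(label, "ok" if result["ok"] else "issues:")
        for line in result["findings"]:
            print("  -", line)
```

The script flags the thread's config for the missing certificate_verification relaxation and the unset p11_child_timeout, and passes the hardened variant. It reports no_verification as a finding because it switches off certificate checking entirely, which the thread only reached as a last resort.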

walterrowe commented 1 year ago

@sumit-bose .. is there a solution for "offline" smartcard login? must we fail back to username / password?

US Government agencies require multi-factor login. See HSPD 12. Windows and macOS afford us smartcard login even when offline.

sumit-bose commented 1 year ago

Hi,

in general I would say offline Smartcard authentication is working fine and I have to better understand your setup to see why it is not working. Having debug logs with 'debug_level = 9' in the [pam] and [domain/...] sections would help.

soft_ocsp was added for the offline case, but maybe it takes too much time as Alexey already assumed? Logs would help here as well.

@jimmyg20794, about "the system wasn't 'on-line' (ie: connected to our corporate network) upon configuration and implementation." but at some point the system must have been online to load the data of the user or how did you add those to the system?

bye, Sumit

alexey-tikhonov commented 1 year ago

Proper handling of timeout while connecting to OCSP responder is being tracked here: https://issues.redhat.com/browse/RHEL-4981