|
 |
483b06 |
From 7bbf7dbc27d1bcde8bf3e4d0bb8fec65de2660c8 Mon Sep 17 00:00:00 2001
|
|
|
483b06 |
From: Martin Babinsky <mbabinsk@redhat.com>
|
|
|
483b06 |
Date: Wed, 21 Jun 2017 18:52:57 +0200
|
|
|
483b06 |
Subject: [PATCH] smart-card advises: add steps to store smart card signing CA
|
|
|
483b06 |
cert
|
|
|
483b06 |
|
|
|
483b06 |
On master, upload the CA certificate to IPA LDAP and NSS databases. On
|
|
|
483b06 |
both master and client run ipa-certupdate to update client-side CA
|
|
|
483b06 |
certificate bundles used as PKINIT anchors.
|
|
|
483b06 |
|
|
|
483b06 |
https://pagure.io/freeipa/issue/7036
|
|
|
483b06 |
|
|
|
483b06 |
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
|
|
|
483b06 |
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
|
|
|
483b06 |
---
|
|
|
483b06 |
ipaserver/advise/plugins/smart_card_auth.py | 46 +++++++++++++++++++++++------
|
|
|
483b06 |
1 file changed, 37 insertions(+), 9 deletions(-)
|
|
|
483b06 |
|
|
|
483b06 |
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
|
|
|
483b06 |
index 0ee4808d47aa87a4b1b838d427e9958d98075a4a..0217bd190778f1235981a49e7b0764b8b9cdf582 100644
|
|
|
483b06 |
--- a/ipaserver/advise/plugins/smart_card_auth.py
|
|
|
483b06 |
+++ b/ipaserver/advise/plugins/smart_card_auth.py
|
|
|
483b06 |
@@ -3,6 +3,7 @@
|
|
|
483b06 |
#
|
|
|
483b06 |
|
|
|
483b06 |
from ipalib.plugable import Registry
|
|
|
483b06 |
+from ipaplatform import services
|
|
|
483b06 |
from ipaplatform.paths import paths
|
|
|
483b06 |
from ipaserver.advise.base import Advice
|
|
|
483b06 |
from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
|
|
|
483b06 |
@@ -19,6 +20,16 @@ class common_smart_card_auth_config(Advice):
|
|
|
483b06 |
systemwide_nssdb = paths.NSS_DB_DIR
|
|
|
483b06 |
smart_card_ca_cert_variable_name = "SC_CA_CERT"
|
|
|
483b06 |
|
|
|
483b06 |
+ def check_ccache_not_empty(self):
|
|
|
483b06 |
+ self.log.comment('Check whether the credential cache is not empty')
|
|
|
483b06 |
+ self.log.exit_on_failed_command(
|
|
|
483b06 |
+ 'klist',
|
|
|
483b06 |
+ [
|
|
|
483b06 |
+ "Credential cache is empty",
|
|
|
483b06 |
+ 'Use kinit as privileged user to obtain Kerberos credentials'
|
|
|
483b06 |
+ ])
|
|
|
483b06 |
+
|
|
|
483b06 |
+
|
|
|
483b06 |
def check_and_set_ca_cert_path(self):
|
|
|
483b06 |
ca_path_variable = self.smart_card_ca_cert_variable_name
|
|
|
483b06 |
self.log.command("{}=$1".format(ca_path_variable))
|
|
|
483b06 |
@@ -40,6 +51,20 @@ class common_smart_card_auth_config(Advice):
|
|
|
483b06 |
)
|
|
|
483b06 |
)
|
|
|
483b06 |
|
|
|
483b06 |
+ def install_smart_card_signing_ca_cert(self):
|
|
|
483b06 |
+ self.log.exit_on_failed_command(
|
|
|
483b06 |
+ 'ipa-cacert-manage install ${} -t CT,C,C'.format(
|
|
|
483b06 |
+ self.smart_card_ca_cert_variable_name
|
|
|
483b06 |
+ ),
|
|
|
483b06 |
+ ['Failed to install external CA certificate to IPA']
|
|
|
483b06 |
+ )
|
|
|
483b06 |
+
|
|
|
483b06 |
+ def update_ipa_ca_certificate_store(self):
|
|
|
483b06 |
+ self.log.exit_on_failed_command(
|
|
|
483b06 |
+ 'ipa-certupdate',
|
|
|
483b06 |
+ ['Failed to update IPA CA certificate database']
|
|
|
483b06 |
+ )
|
|
|
483b06 |
+
|
|
|
483b06 |
|
|
|
483b06 |
@register()
|
|
|
483b06 |
class config_server_for_smart_card_auth(common_smart_card_auth_config):
|
|
|
483b06 |
@@ -56,6 +81,7 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
|
|
|
483b06 |
nss_conf = paths.HTTPD_NSS_CONF
|
|
|
483b06 |
nss_ocsp_directive = 'NSSOCSP'
|
|
|
483b06 |
nss_nickname_directive = 'NSSNickname'
|
|
|
483b06 |
+ kdc_service_name = services.knownservices.krb5kdc.systemd_name
|
|
|
483b06 |
|
|
|
483b06 |
def get_info(self):
|
|
|
483b06 |
self.log.exit_on_nonroot_euid()
|
|
|
483b06 |
@@ -70,15 +96,8 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
|
|
|
483b06 |
self.check_and_enable_pkinit()
|
|
|
483b06 |
self.enable_ok_to_auth_as_delegate_on_http_principal()
|
|
|
483b06 |
self.upload_smartcard_ca_certificate_to_systemwide_db()
|
|
|
483b06 |
-
|
|
|
483b06 |
- def check_ccache_not_empty(self):
|
|
|
483b06 |
- self.log.comment('Check whether the credential cache is not empty')
|
|
|
483b06 |
- self.log.exit_on_failed_command(
|
|
|
483b06 |
- 'klist',
|
|
|
483b06 |
- [
|
|
|
483b06 |
- "Credential cache is empty",
|
|
|
483b06 |
- 'Use kinit as privileged user to obtain Kerberos credentials'
|
|
|
483b06 |
- ])
|
|
|
483b06 |
+ self.update_ipa_ca_certificate_store()
|
|
|
483b06 |
+ self.restart_kdc()
|
|
|
483b06 |
|
|
|
483b06 |
def check_hostname_is_in_masters(self):
|
|
|
483b06 |
self.log.comment('Check whether the host is IPA master')
|
|
|
483b06 |
@@ -193,6 +212,12 @@ class config_server_for_smart_card_auth(common_smart_card_auth_config):
|
|
|
483b06 |
["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"]
|
|
|
483b06 |
)
|
|
|
483b06 |
|
|
|
483b06 |
+ def restart_kdc(self):
|
|
|
483b06 |
+ self.log.exit_on_failed_command(
|
|
|
483b06 |
+ 'systemctl restart {}'.format(self.kdc_service_name),
|
|
|
483b06 |
+ ['Failed to restart KDC. Please restart the service manually.']
|
|
|
483b06 |
+ )
|
|
|
483b06 |
+
|
|
|
483b06 |
|
|
|
483b06 |
@register()
|
|
|
483b06 |
class config_client_for_smart_card_auth(common_smart_card_auth_config):
|
|
|
483b06 |
@@ -214,11 +239,14 @@ class config_client_for_smart_card_auth(common_smart_card_auth_config):
|
|
|
483b06 |
def get_info(self):
|
|
|
483b06 |
self.log.exit_on_nonroot_euid()
|
|
|
483b06 |
self.check_and_set_ca_cert_path()
|
|
|
483b06 |
+ self.check_ccache_not_empty()
|
|
|
483b06 |
self.check_and_remove_pam_pkcs11()
|
|
|
483b06 |
self.install_opensc_and_dconf_packages()
|
|
|
483b06 |
self.start_enable_smartcard_daemon()
|
|
|
483b06 |
self.add_pkcs11_module_to_systemwide_db()
|
|
|
483b06 |
self.upload_smartcard_ca_certificate_to_systemwide_db()
|
|
|
483b06 |
+ self.install_smart_card_signing_ca_cert()
|
|
|
483b06 |
+ self.update_ipa_ca_certificate_store()
|
|
|
483b06 |
self.run_authconfig_to_configure_smart_card_auth()
|
|
|
483b06 |
self.restart_sssd()
|
|
|
483b06 |
|
|
|
483b06 |
--
|
|
|
483b06 |
2.9.4
|
|
|
483b06 |
|