From f16d9533c7917a8a57a9148dee61df3b12a5e767 Mon Sep 17 00:00:00 2001
From: Martin Babinsky <mbabinsk@redhat.com>
Date: Fri, 2 Jun 2017 18:36:29 +0200
Subject: [PATCH] Prepare advise plugin for smart card auth configuration
The plugin contains recipes for configuring Smart Card authentication
on FreeIPA server and enrolled client.
https://www.freeipa.org/page/V4/Smartcard_authentication_ipa-advise_recipes
https://pagure.io/freeipa/issue/6982
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
Reviewed-By: Florence Blanc-Renaud <frenaud@redhat.com>
---
ipaserver/advise/plugins/smart_card_auth.py | 266 ++++++++++++++++++++++++++++
1 file changed, 266 insertions(+)
create mode 100644 ipaserver/advise/plugins/smart_card_auth.py
diff --git a/ipaserver/advise/plugins/smart_card_auth.py b/ipaserver/advise/plugins/smart_card_auth.py
new file mode 100644
index 0000000000000000000000000000000000000000..5859e350939fdba0a8b258de5285dd10c7b3bc23
--- /dev/null
+++ b/ipaserver/advise/plugins/smart_card_auth.py
@@ -0,0 +1,266 @@
+#
+# Copyright (C) 2017 FreeIPA Contributors see COPYING for license
+#
+
+from ipalib.plugable import Registry
+from ipaplatform.paths import paths
+from ipaserver.advise.base import Advice
+from ipaserver.install.httpinstance import NSS_OCSP_ENABLED
+
+register = Registry()
+
+
+@register()
+class config_server_for_smart_card_auth(Advice):
+ """
+ Configures smart card authentication via Kerberos (PKINIT) and for WebUI
+ """
+
+ description = ("Instructions for enabling Smart Card authentication on "
+ " a single FreeIPA server. Includes Apache configuration, "
+ "enabling PKINIT on KDC and configuring WebUI to accept "
+ "Smart Card auth requests. To enable the feature in the "
+ "whole topology you have to run the script on each master")
+
+ nss_conf = paths.HTTPD_NSS_CONF
+ nss_ocsp_directive = 'NSSOCSP'
+ nss_nickname_directive = 'NSSNickname'
+
+ def get_info(self):
+ self.log.exit_on_nonroot_euid()
+ self.check_ccache_not_empty()
+ self.check_hostname_is_in_masters()
+ self.resolve_ipaca_records()
+ self.enable_nss_ocsp()
+ self.mark_httpd_cert_as_trusted()
+ self.restart_httpd()
+ self.record_httpd_ocsp_status()
+ self.check_and_enable_pkinit()
+ self.enable_ok_to_auth_as_delegate_on_http_principal()
+
+ def check_ccache_not_empty(self):
+ self.log.comment('Check whether the credential cache is not empty')
+ self.log.exit_on_failed_command(
+ 'klist',
+ [
+ "Credential cache is empty",
+ 'Use kinit as privileged user to obtain Kerberos credentials'
+ ])
+
+ def check_hostname_is_in_masters(self):
+ self.log.comment('Check whether the host is IPA master')
+ self.log.exit_on_failed_command(
+ 'ipa server-find $(hostname -f)',
+ ["This script can be run on IPA master only"])
+
+ def resolve_ipaca_records(self):
+ ipa_domain_name = self.api.env.domain
+
+ self.log.comment('make sure bind-utils are installed so that we can '
+ 'dig for ipa-ca records')
+ self.log.exit_on_failed_command(
+ 'yum install -y bind-utils',
+ ['Failed to install bind-utils'])
+
+ self.log.comment('make sure ipa-ca records are resolvable, '
+ 'otherwise error out and instruct')
+ self.log.comment('the user to update the DNS infrastructure')
+ self.log.command('ipaca_records=$(dig +short '
+ 'ipa-ca.{})'.format(ipa_domain_name))
+
+ self.log.exit_on_predicate(
+ '[ -z "$ipaca_records" ]',
+ [
+ 'Can not resolve ipa-ca records for ${domain_name}',
+ 'Please make sure to update your DNS infrastructure with ',
+ 'ipa-ca record pointing to IP addresses of IPA CA masters'
+ ])
+
+ def enable_nss_ocsp(self):
+ self.log.comment('look for the OCSP directive in nss.conf')
+ self.log.comment(' if it is present, switch it on')
+ self.log.comment(
+ 'if it is absent, append it to the end of VirtualHost section')
+ predicate = self._interpolate_ocsp_directive_file_into_command(
+ "grep -q '{directive} ' {filename}")
+
+ self.log.commands_on_predicate(
+ predicate,
+ [
+ self._interpolate_ocsp_directive_file_into_command(
+ " sed -i.ipabkp -r "
+ "'s/^#*[[:space:]]*{directive}[[:space:]]+(on|off)$"
+ "/{directive} on/' {filename}")
+ ],
+ commands_to_run_when_false=[
+ self._interpolate_ocsp_directive_file_into_command(
+ " sed -i.ipabkp '/<\/VirtualHost>/i {directive} on' "
+ "{filename}")
+ ]
+ )
+
+ def _interpolate_ocsp_directive_file_into_command(self, fmt_line):
+ return self._format_command(
+ fmt_line, self.nss_ocsp_directive, self.nss_conf)
+
+ def _format_command(self, fmt_line, directive, filename):
+ return fmt_line.format(directive=directive, filename=filename)
+
+ def mark_httpd_cert_as_trusted(self):
+ self.log.comment(
+ 'mark the HTTP certificate as trusted peer to avoid '
+ 'chicken-egg startup issue')
+ self.log.command(
+ self._interpolate_nssnickname_directive_file_into_command(
+ "http_cert_nick=$(grep '{directive}' {filename} |"
+ " cut -f 2 -d ' ')"))
+
+ self.log.exit_on_failed_command(
+ 'certutil -M -n $http_cert_nick -d "{}" -t "Pu,u,u"'.format(
+ paths.HTTPD_ALIAS_DIR),
+ ['Can not set trust flags on HTTP certificate'])
+
+ def _interpolate_nssnickname_directive_file_into_command(self, fmt_line):
+ return self._format_command(
+ fmt_line, self.nss_nickname_directive, self.nss_conf)
+
+ def restart_httpd(self):
+ self.log.comment('finally restart apache')
+ self.log.command('systemctl restart httpd')
+
+ def record_httpd_ocsp_status(self):
+ self.log.comment('store the OCSP upgrade state')
+ self.log.command(
+ "python -c 'from ipaserver.install import sysupgrade; "
+ "sysupgrade.set_upgrade_state(\"httpd\", "
+ "\"{}\", True)'".format(NSS_OCSP_ENABLED))
+
+ def check_and_enable_pkinit(self):
+ self.log.comment('check whether PKINIT is configured on the master')
+ self.log.command(
+ "if ipa-pkinit-manage status | grep -q 'enabled'")
+ self.log.command('then')
+ self.log.command(' echo "PKINIT already enabled"')
+ self.log.command('else')
+ self.log.exit_on_failed_command(
+ 'ipa-pkinit-manage enable',
+ ['Failed to issue PKINIT certificates to local KDC'],
+ indent_spaces=2)
+ self.log.command('fi')
+
+ def enable_ok_to_auth_as_delegate_on_http_principal(self):
+ self.log.comment('Enable OK-AS-DELEGATE flag on the HTTP principal')
+ self.log.comment('This enables smart card login to WebUI')
+ self.log.command(
+ 'output=$(ipa service-mod HTTP/$(hostname -f) '
+ '--ok-to-auth-as-delegate=True 2>&1)')
+ self.log.exit_on_predicate(
+ '[ "$?" -ne "0" -a '
+ '-z "$(echo $output | grep \'no modifications\')" ]',
+ ["Failed to set OK_AS_AUTH_AS_DELEGATE flag on HTTP principal"]
+ )
+
+
+@register()
+class config_client_for_smart_card_auth(Advice):
+ """
+ Configures smart card authentication on FreeIPA client
+ """
+ smart_card_ca_cert_variable_name = "SC_CA_CERT"
+
+ description = ("Instructions for enabling Smart Card authentication on "
+ " a single FreeIPA client. Configures Smart Card daemon, "
+ "set the system-wide trust store and configures SSSD to "
+ "allow smart card logins to desktop")
+
+ opensc_module_name = "OpenSC"
+ pkcs11_shared_lib = '/usr/lib64/opensc-pkcs11.so'
+ smart_card_service_file = 'pcscd.service'
+ smart_card_socket = 'pcscd.socket'
+ systemwide_nssdb = paths.NSS_DB_DIR
+
+ def get_info(self):
+ self.log.exit_on_nonroot_euid()
+ self.check_and_set_ca_cert_path()
+ self.check_and_remove_pam_pkcs11()
+ self.install_opensc_and_dconf_packages()
+ self.start_enable_smartcard_daemon()
+ self.add_pkcs11_module_to_systemwide_db()
+ self.upload_smartcard_ca_certificate_to_systemwide_db()
+ self.run_authconfig_to_configure_smart_card_auth()
+ self.restart_sssd()
+
+ def check_and_set_ca_cert_path(self):
+ ca_path_variable = self.smart_card_ca_cert_variable_name
+ self.log.command("{}=$1".format(ca_path_variable))
+ self.log.exit_on_predicate(
+ '[ -z "${}" ]'.format(ca_path_variable),
+ ['You need to provide the path to the PEM file containing CA '
+ 'signing the Smart Cards']
+ )
+ self.log.exit_on_predicate(
+ '[ ! -f "${}" ]'.format(ca_path_variable),
+ ['Invalid CA certificate filename: ${}'.format(ca_path_variable),
+ 'Please check that the path exists and is a valid file']
+ )
+
+ def check_and_remove_pam_pkcs11(self):
+ self.log.command('rpm -qi pam_pkcs11 > /dev/null')
+ self.log.commands_on_predicate(
+ '[ "$?" -eq "0" ]',
+ [
+ 'yum remove -y pam_pkcs11'
+ ]
+ )
+
+ def install_opensc_and_dconf_packages(self):
+ self.log.comment(
+ 'authconfig often complains about missing dconf, '
+ 'install it explicitly')
+ self.log.exit_on_failed_command(
+ 'yum install -y {} dconf'.format(self.opensc_module_name.lower()),
+ ['Could not install OpenSC package']
+ )
+
+ def start_enable_smartcard_daemon(self):
+ self.log.command(
+ 'systemctl start {service} {socket} '
+ '&& systemctl enable {service} {socket}'.format(
+ service=self.smart_card_service_file,
+ socket=self.smart_card_socket))
+
+ def add_pkcs11_module_to_systemwide_db(self):
+ module_name = self.opensc_module_name
+ nssdb = self.systemwide_nssdb
+ shared_lib = self.pkcs11_shared_lib
+
+ self.log.commands_on_predicate(
+ 'modutil -dbdir {} -list | grep -q {}'.format(
+ nssdb, module_name),
+ [
+ 'echo "{} PKCS#11 module already configured"'.format(
+ module_name)
+ ],
+ commands_to_run_when_false=[
+ 'echo "" | modutil -dbdir {} -add "{}" -libfile {}'.format(
+ nssdb, module_name, shared_lib),
+ ]
+ )
+
+ def upload_smartcard_ca_certificate_to_systemwide_db(self):
+ self.log.command(
+ 'certutil -d {} -A -i ${} -n "Smart Card CA" -t CT,C,C'.format(
+ self.systemwide_nssdb, self.smart_card_ca_cert_variable_name
+ )
+ )
+
+ def run_authconfig_to_configure_smart_card_auth(self):
+ self.log.exit_on_failed_command(
+ 'authconfig --enablesmartcard --smartcardmodule=sssd --updateall',
+ [
+ 'Failed to configure Smart Card authentication in SSSD'
+ ]
+ )
+
+ def restart_sssd(self):
+ self.log.command('systemctl restart sssd.service')
--
2.9.4