2021-03-17 22:22:28 |
Karl Grindley |
bug |
|
|
added bug |
2021-03-17 23:15:40 |
Seth Arnold |
information type |
Private Security |
Public |
|
2021-03-17 23:16:36 |
Seth Arnold |
tags |
|
regression-update |
|
2021-03-17 23:59:43 |
Marco Trevisan (Treviño) |
bug |
|
|
added subscriber Marco Trevisan (Treviño) |
2021-03-18 00:01:42 |
Marco Trevisan (Treviño) |
bug |
|
|
added subscriber Dimitri John Ledkov |
2021-03-18 00:04:05 |
Robie Basak |
bug |
|
|
added subscriber Robie Basak |
2021-03-18 15:06:06 |
Sergio Durigan Junior |
bug |
|
|
added subscriber Sergio Durigan Junior |
2021-03-28 22:31:17 |
Marco Trevisan (Treviño) |
attachment added |
|
Test CA certificates chain https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563/+attachment/5481720/+files/test_CA.tar.xz |
|
2021-03-28 22:51:53 |
Marco Trevisan (Treviño) |
sssd (Ubuntu): status |
New |
In Progress |
|
2021-03-28 22:51:56 |
Marco Trevisan (Treviño) |
sssd (Ubuntu): assignee |
|
Marco Trevisan (Treviño) (3v1n0) |
|
2021-03-28 22:52:01 |
Marco Trevisan (Treviño) |
sssd (Ubuntu): importance |
Undecided |
High |
|
2023-01-26 02:21:56 |
Marco Trevisan (Treviño) |
sssd (Ubuntu): status |
In Progress |
Fix Released |
|
2023-01-26 02:22:02 |
Marco Trevisan (Treviño) |
nominated for series |
|
Ubuntu Focal |
|
2023-01-26 02:22:02 |
Marco Trevisan (Treviño) |
bug task added |
|
sssd (Ubuntu Focal) |
|
2023-01-26 02:22:10 |
Marco Trevisan (Treviño) |
sssd (Ubuntu Focal): status |
New |
In Progress |
|
2023-01-26 02:22:14 |
Marco Trevisan (Treviño) |
sssd (Ubuntu Focal): importance |
Undecided |
Medium |
|
2023-01-26 02:22:18 |
Marco Trevisan (Treviño) |
sssd (Ubuntu Focal): importance |
Medium |
High |
|
2023-01-26 02:22:21 |
Marco Trevisan (Treviño) |
sssd (Ubuntu Focal): assignee |
|
Marco Trevisan (Treviño) (3v1n0) |
|
2023-01-26 03:37:23 |
Marco Trevisan (Treviño) |
description |
With the latest sssd release supporting OpenSSL PKI authentication for Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely affected many systems which are configured for PKI only authentication.
The NSSDB implementation of sssd/p11_child ONLY requires the issuing certificate to be populated to the nssdb and marked as trusted. While this may be considered a poorly configured system, it is still technically valid.
The OpenSSL implementation of the sssd/p11_child requires the FULL cert chain to the root cert (which is then also trusted by the system root chain) in order to allow a certificate to authenticate.
By upgrading to the latest packages, the conversion process from nssdb to the OpenSSL pam file fails to check the chain of trust, thereby creating a denial of service for some systems configured to require smart card/PKI authentication in the pam stack via pam_sss and require_cert_auth flag.
Note that this is a popular configuration because many organizations are required to follow NIST 800-171 (and other) security-derived policy. Often policy requires PKI-based authentication to be enforced and all other authentication methods disabled. |
[ Impact ]
With the latest sssd release supporting OpenSSL PKI authentication for Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely affected many systems which are configured for PKI only authentication.
The NSSDB implementation of sssd/p11_child ONLY requires the issuing certificate to be populated to the nssdb and marked as trusted. While this may be considered a poorly configured system, it is still technically valid.
The OpenSSL implementation of the sssd/p11_child requires the FULL cert chain to the root cert (which is then also trusted by the system root chain) in order to allow a certificate to authenticate.
By upgrading to the latest packages, the conversion process from nssdb to the OpenSSL pam file fails to check the chain of trust, thereby creating a denial of service for some systems configured to require smart card/PKI authentication in the pam stack via pam_sss and require_cert_auth flag.
Note that this is a popular configuration because many organizations are required to follow NIST 800-171 (and other) security-derived policy. Often policy requires PKI-based authentication to be enforced and all other authentication methods disabled.
[ Test case ]
Testing this fix in any system is complex because it depends on certificates with partial authentication, so ideally we should:
1. Configure SSSD to include an intermediate certificate for the smart card in use in
/etc/sssd/pki/sssd_auth_ca_db.pem
2. Launch:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem
And this should NOT return a certificate, then launch it with:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --verify=partial_chain
And this MUST return the card certificate.
Alternatively, you should try to log in, ensuring that /etc/sssd/sssd.conf contains:
[pam]
pam_cert_verification = partial_chain #or other_option, partial_chain
---
However, given that testing this is complex without specific hardware, I've set up a test case that automates all this, creating keyrings with partially trusted certificates and a software-generated smartcard (using softhsm2) so that this can all be tested easily, see:
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
So, basically you only have to:
1. wget https://gist.githubusercontent.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/2daaaff2bad33c089278d4ea9498e80223e1d730/sssd-softhism2-certificates-tests.sh
2. sudo bash sssd-softhism2-certificates-tests.sh
(sudo can be avoided by copying /usr/libexec/sssd/p11_child to a user path and calling the
script with SSSD_P11_CHILD=/path/to/p11_child env variable)
3. Ensure that "Test completed, Root CA and intermediate issued certificates verified!"
is printed and the script returns properly
This will:
- Generate a test Root Certificate Authority (and will emit a cert from it)
- Generate a test Intermediate Certificate Authority (and will emit a cert)
- Generate a test Sub Intermediate Certificate Authority (and will emit a cert)
- Test the certificates themselves with openssl
- For each certificate will create various fake smartcards
- Will test each smartcard how it behaves when used via p11_child with both
partial and full verification, and doing full p11_child authentication.
Before this SRU, the script fails with this error:
(Thu Jan 26 04:36:16:676491 2023) [p11_child[257107]] [read_certs] (0x4000): found cert[Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001]
(Thu Jan 26 04:36:16:676970 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Thu Jan 26 04:36:16:677197 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [2][unable to get issuer certificate].
(Thu Jan 26 04:36:16:677438 2023) [p11_child[257107]] [read_certs] (0x0040): Certificate [Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001] not valid, skipping.
(Thu Jan 26 04:36:16:677709 2023) [p11_child[257107]] [do_card] (0x4000): No certificate found.
+ grep -qs 00112233445566778899FFAABBCCDDEEFF012345 /tmp/sssd-softhsm2-sGxAXC/SSSD-child-2678.output
+ return 2
+ echo 'Unexpected failure!'
[ Regression potential ]
SSSD p11_child functionalities did not change by default and they're now strictly tested (they were not fully before this SRU).
However, we may set some systems to use a weaker auth mode for PAM authentication with smart cards, but this is still a secure mode. |
|
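The trust-store difference described in the bug description above can be reproduced with plain `openssl verify`, without a smart card or p11_child. This is an added example, not part of the bug report or of the linked test script; file names and certificate subjects are constructed, and it assumes that openssl's `-partial_chain` option corresponds to p11_child's `--verify=partial_chain`.

```shell
#!/bin/sh
# Added example: full-chain vs partial-chain verification with a trust file
# that holds only the issuing (intermediate) CA. All values are constructed.

# Minimal config so the example does not depend on the system openssl.cnf.
write_config() {
    cat > "$1/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
EOF
}

# issue DIR CA_NAME SUBJECT_CN OUT_NAME EXT_SECTION
# Creates DIR/OUT_NAME.key and DIR/OUT_NAME.pem, signed by DIR/CA_NAME.{pem,key}.
issue() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/pki.cnf" \
        -subj "/O=Test Organization/CN=$3" \
        -keyout "$1/$4.key" -out "$1/$4.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$4.csr" -days 2 \
        -CA "$1/$2.pem" -CAkey "$1/$2.key" -CAcreateserial \
        -extfile "$1/pki.cnf" -extensions "$5" -out "$1/$4.pem" 2>/dev/null
}

# build_test_pki DIR: root CA -> intermediate CA -> card (leaf) certificate.
build_test_pki() {
    write_config "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/pki.cnf" \
        -extensions v3_ca -subj "/O=Test Organization/CN=Test Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
    issue "$1" root "Test Intermediate CA" intermediate v3_ca &&
    issue "$1" intermediate "Test Card Certificate" card v3_leaf
}

# verify_card TRUST_FILE CERT [extra 'openssl verify' options]
# -no-CApath keeps the system trust directory out of the decision.
# Prints openssl's output and returns its exit status.
verify_card() {
    vc_trust=$1; vc_cert=$2; shift 2
    openssl verify -no-CApath "$@" -CAfile "$vc_trust" "$vc_cert" 2>&1
}

show() {
    echo "== $1 =="; shift
    if verify_card "$@"; then echo "-> accepted"; else echo "-> rejected"; fi
}

demo() {
    demo_dir=$(mktemp -d) || return 1
    build_test_pki "$demo_dir" || return 1
    cat "$demo_dir/root.pem" "$demo_dir/intermediate.pem" > "$demo_dir/full.pem"

    # Trust file with only the issuing CA: rejected, issuer of the
    # intermediate cannot be found (X509 error 2).
    show "intermediate only, full chain required" \
        "$demo_dir/intermediate.pem" "$demo_dir/card.pem"
    # Same trust file, chain may stop at any trusted certificate.
    show "intermediate only, partial chain allowed" \
        "$demo_dir/intermediate.pem" "$demo_dir/card.pem" -partial_chain
    # Complete chain in the trust file: accepted without any relaxation.
    show "root + intermediate, full chain required" \
        "$demo_dir/full.pem" "$demo_dir/card.pem"
    # Partial chain still needs the card's own issuer: root alone is not enough.
    show "root only, partial chain allowed" \
        "$demo_dir/root.pem" "$demo_dir/card.pem" -partial_chain
    rm -rf "$demo_dir"
}

demo
```

The rejected first case produces the same `unable to get issuer certificate` error as the p11_child log in the description.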
2023-01-26 03:44:23 |
Launchpad Janitor |
merge proposal linked |
|
https://code.launchpad.net/~3v1n0/ubuntu/+source/sssd/+git/sssd/+merge/436361 |
|
2023-01-26 13:45:52 |
Marco Trevisan (Treviño) |
description |
[ Impact ]
With the latest sssd release supporting OpenSSL PKI authentication for Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely affected many systems which are configured for PKI only authentication.
The NSSDB implementation of sssd/p11_child ONLY requires the issuing certificate to be populated to the nssdb and marked as trusted. While this may be considered a poorly configured system, it is still technically valid.
The OpenSSL implementation of the sssd/p11_child requires the FULL cert chain to the root cert (which is then also trusted by the system root chain) in order to allow a certificate to authenticate.
By upgrading to the latest packages, the conversion process from nssdb to the OpenSSL pam file fails to check the chain of trust, thereby creating a denial of service for some systems configured to require smart card/PKI authentication in the pam stack via pam_sss and require_cert_auth flag.
Note that this is a popular configuration because many organizations are required to follow NIST 800-171 (and other) security-derived policy. Often policy requires PKI-based authentication to be enforced and all other authentication methods disabled.
[ Test case ]
Testing this fix in any system is complex because it depends on certificates with partial authentication, so ideally we should:
1. Configure SSSD to include an intermediate certificate for the smart card in use in
/etc/sssd/pki/sssd_auth_ca_db.pem
2. Launch:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem
And this should NOT return a certificate, then launch it with:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --verify=partial_chain
And this MUST return the card certificate.
Alternatively, you should try to log in, ensuring that /etc/sssd/sssd.conf contains:
[pam]
pam_cert_verification = partial_chain #or other_option, partial_chain
---
However, given that testing this is complex without specific hardware, I've set up a test case that automates all this, creating keyrings with partially trusted certificates and a software-generated smartcard (using softhsm2) so that this can all be tested easily, see:
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
So, basically you only have to:
1. wget https://gist.githubusercontent.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/2daaaff2bad33c089278d4ea9498e80223e1d730/sssd-softhism2-certificates-tests.sh
2. sudo bash sssd-softhism2-certificates-tests.sh
(sudo can be avoided by copying /usr/libexec/sssd/p11_child to a user path and calling the
script with SSSD_P11_CHILD=/path/to/p11_child env variable)
3. Ensure that "Test completed, Root CA and intermediate issued certificates verified!"
is printed and the script returns properly
This will:
- Generate a test Root Certificate Authority (and will emit a cert from it)
- Generate a test Intermediate Certificate Authority (and will emit a cert)
- Generate a test Sub Intermediate Certificate Authority (and will emit a cert)
- Test the certificates themselves with openssl
- For each certificate will create various fake smartcards
- Will test each smartcard how it behaves when used via p11_child with both
partial and full verification, and doing full p11_child authentication.
Before this SRU, the script fails with this error:
(Thu Jan 26 04:36:16:676491 2023) [p11_child[257107]] [read_certs] (0x4000): found cert[Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001]
(Thu Jan 26 04:36:16:676970 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Thu Jan 26 04:36:16:677197 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [2][unable to get issuer certificate].
(Thu Jan 26 04:36:16:677438 2023) [p11_child[257107]] [read_certs] (0x0040): Certificate [Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001] not valid, skipping.
(Thu Jan 26 04:36:16:677709 2023) [p11_child[257107]] [do_card] (0x4000): No certificate found.
+ grep -qs 00112233445566778899FFAABBCCDDEEFF012345 /tmp/sssd-softhsm2-sGxAXC/SSSD-child-2678.output
+ return 2
+ echo 'Unexpected failure!'
[ Regression potential ]
SSSD p11_child functionalities did not change by default and they're now strictly tested (they were not fully before this SRU).
However, we may set some systems to use a weaker auth mode for PAM authentication with smart cards, but this is still a secure mode. |
[ Impact ]
With the latest sssd release supporting OpenSSL PKI authentication for Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely affected many systems which are configured for PKI only authentication.
The NSSDB implementation of sssd/p11_child ONLY requires the issuing certificate to be populated to the nssdb and marked as trusted. While this may be considered a poorly configured system, it is still technically valid.
The OpenSSL implementation of the sssd/p11_child requires the FULL cert chain to the root cert (which is then also trusted by the system root chain) in order to allow a certificate to authenticate.
By upgrading to the latest packages, the conversion process from nssdb to the OpenSSL pam file fails to check the chain of trust, thereby creating a denial of service for some systems configured to require smart card/PKI authentication in the pam stack via pam_sss and require_cert_auth flag.
Note that this is a popular configuration because many organizations are required to follow NIST 800-171 (and other) security-derived policy. Often policy requires PKI-based authentication to be enforced and all other authentication methods disabled.
[ Test case ]
Testing this fix in any system is complex because it depends on certificates with partial authentication, so ideally we should:
1. Configure SSSD to include an intermediate certificate for the smart card in use in
/etc/sssd/pki/sssd_auth_ca_db.pem
2. Launch:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem
And this should NOT return a certificate, then launch it with:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --verify=partial_chain
And this MUST return the card certificate.
Alternatively, you should try to log in, ensuring that /etc/sssd/sssd.conf contains:
[pam]
pam_cert_verification = partial_chain #or other_option, partial_chain
---
However, given that testing this is complex without specific hardware, I've set up a test case that automates all this, creating keyrings with partially trusted certificates and a software-generated smartcard (using softhsm2) so that this can all be tested easily, see:
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
So, basically you only have to:
0. sudo apt install gnutls-bin openssl softhsm2 && \
sudo apt-mark auto gnutls-bin openssl softhsm2
1. wget https://gist.githubusercontent.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/2daaaff2bad33c089278d4ea9498e80223e1d730/sssd-softhism2-certificates-tests.sh
2. sudo bash sssd-softhism2-certificates-tests.sh
(sudo can be avoided by copying /usr/libexec/sssd/p11_child to a user path and calling the
script with SSSD_P11_CHILD=/path/to/p11_child env variable)
3. Ensure that "Test completed, Root CA and intermediate issued certificates verified!"
is printed and the script returns properly
This will:
- Generate a test Root Certificate Authority (and will emit a cert from it)
- Generate a test Intermediate Certificate Authority (and will emit a cert)
- Generate a test Sub Intermediate Certificate Authority (and will emit a cert)
- Test the certificates themselves with openssl
- For each certificate will create various fake smartcards
- Will test each smartcard how it behaves when used via p11_child with both
partial and full verification, and doing full p11_child authentication.
Before this SRU, the script fails with this error:
(Thu Jan 26 04:36:16:676491 2023) [p11_child[257107]] [read_certs] (0x4000): found cert[Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001]
(Thu Jan 26 04:36:16:676970 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Thu Jan 26 04:36:16:677197 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [2][unable to get issuer certificate].
(Thu Jan 26 04:36:16:677438 2023) [p11_child[257107]] [read_certs] (0x0040): Certificate [Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001] not valid, skipping.
(Thu Jan 26 04:36:16:677709 2023) [p11_child[257107]] [do_card] (0x4000): No certificate found.
+ grep -qs 00112233445566778899FFAABBCCDDEEFF012345 /tmp/sssd-softhsm2-sGxAXC/SSSD-child-2678.output
+ return 2
+ echo 'Unexpected failure!'
[ Regression potential ]
SSSD p11_child functionalities did not change by default and they're now strictly tested (they were not fully before this SRU).
However, we may set some systems to use a weaker auth mode for PAM authentication with smart cards, but this is still a secure mode. |
|
2023-01-27 15:48:19 |
Marco Trevisan (Treviño) |
description |
[ Impact ]
With the latest sssd release supporting OpenSSL PKI authentication for Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely affected many systems which are configured for PKI only authentication.
The NSSDB implementation of sssd/p11_child ONLY requires the issuing certificate to be populated to the nssdb and marked as trusted. While this may be considered a poorly configured system, it is still technically valid.
The OpenSSL implementation of the sssd/p11_child requires the FULL cert chain to the root cert (which is then also trusted by the system root chain) in order to allow a certificate to authenticate.
By upgrading to the latest packages, the conversion process from nssdb to the OpenSSL pam file fails to check the chain of trust, thereby creating a denial of service for some systems configured to require smart card/PKI authentication in the pam stack via pam_sss and require_cert_auth flag.
Note that this is a popular configuration because many organizations are required to follow NIST 800-171 (and other) security-derived policy. Often policy requires PKI-based authentication to be enforced and all other authentication methods disabled.
[ Test case ]
Testing this fix in any system is complex because it depends on certificates with partial authentication, so ideally we should:
1. Configure SSSD to include an intermediate certificate for the smart card in use in
/etc/sssd/pki/sssd_auth_ca_db.pem
2. Launch:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem
And this should NOT return a certificate, then launch it with:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --verify=partial_chain
And this MUST return the card certificate.
Alternatively, you should try to log in, ensuring that /etc/sssd/sssd.conf contains:
[pam]
pam_cert_verification = partial_chain #or other_option, partial_chain
---
However, given that testing this is complex without specific hardware, I've set up a test case that automates all this, creating keyrings with partially trusted certificates and a software-generated smartcard (using softhsm2) so that this can all be tested easily, see:
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
So, basically you only have to:
0. sudo apt install gnutls-bin openssl softhsm2 && \
sudo apt-mark auto gnutls-bin openssl softhsm2
1. wget https://gist.githubusercontent.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/2daaaff2bad33c089278d4ea9498e80223e1d730/sssd-softhism2-certificates-tests.sh
2. sudo bash sssd-softhism2-certificates-tests.sh
(sudo can be avoided by copying /usr/libexec/sssd/p11_child to a user path and calling the
script with SSSD_P11_CHILD=/path/to/p11_child env variable)
3. Ensure that "Test completed, Root CA and intermediate issued certificates verified!"
is printed and the script returns properly
This will:
- Generate a test Root Certificate Authority (and will emit a cert from it)
- Generate a test Intermediate Certificate Authority (and will emit a cert)
- Generate a test Sub Intermediate Certificate Authority (and will emit a cert)
- Test the certificates themselves with openssl
- For each certificate will create various fake smartcards
- Will test each smartcard how it behaves when used via p11_child with both
partial and full verification, and doing full p11_child authentication.
Before this SRU, the script fails with this error:
(Thu Jan 26 04:36:16:676491 2023) [p11_child[257107]] [read_certs] (0x4000): found cert[Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001]
(Thu Jan 26 04:36:16:676970 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Thu Jan 26 04:36:16:677197 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [2][unable to get issuer certificate].
(Thu Jan 26 04:36:16:677438 2023) [p11_child[257107]] [read_certs] (0x0040): Certificate [Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001] not valid, skipping.
(Thu Jan 26 04:36:16:677709 2023) [p11_child[257107]] [do_card] (0x4000): No certificate found.
+ grep -qs 00112233445566778899FFAABBCCDDEEFF012345 /tmp/sssd-softhsm2-sGxAXC/SSSD-child-2678.output
+ return 2
+ echo 'Unexpected failure!'
[ Regression potential ]
SSSD p11_child functionalities did not change by default and they're now strictly tested (they were not fully before this SRU).
However, we may set some systems to use a weaker auth mode for PAM authentication with smart cards, but this is still a secure mode. |
[ Impact ]
With the latest sssd release supporting OpenSSL PKI authentication for Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely affected many systems which are configured for PKI only authentication.
The NSSDB implementation of sssd/p11_child ONLY requires the issuing certificate to be populated to the nssdb and marked as trusted. While this may be considered a poorly configured system, it is still technically valid.
The OpenSSL implementation of the sssd/p11_child requires the FULL cert chain to the root cert (which is then also trusted by the system root chain) in order to allow a certificate to authenticate.
By upgrading to the latest packages, the conversion process from nssdb to the OpenSSL pam file fails to check the chain of trust, thereby creating a denial of service for some systems configured to require smart card/PKI authentication in the pam stack via pam_sss and require_cert_auth flag.
Note that this is a popular configuration because many organizations are required to follow NIST 800-171 (and other) security-derived policy. Often policy requires PKI-based authentication to be enforced and all other authentication methods disabled.
[ Test case ]
Testing this fix in any system is complex because it depends on certificates with partial authentication, so ideally we should:
1. Configure SSSD to include an intermediate certificate for the smart card in use in
/etc/sssd/pki/sssd_auth_ca_db.pem
2. Launch:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem
And this should NOT return a certificate, then launch it with:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --verify=partial_chain
And this MUST return the card certificate.
Alternatively, you should try to log in, ensuring that /etc/sssd/sssd.conf contains:
[pam]
pam_cert_verification = partial_chain #or other_option, partial_chain
---
However, given that testing this is complex without specific hardware, I've set up a test case that automates all this, creating keyrings with partially trusted certificates and a software-generated smartcard (using softhsm2) so that this can all be tested easily, see:
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
So, basically you only have to:
0. sudo apt install gnutls-bin openssl softhsm2 && \
sudo apt-mark auto gnutls-bin openssl softhsm2
1. wget https://gist.githubusercontent.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-softhism2-certificates-tests.sh
2. sudo bash sssd-softhism2-certificates-tests.sh
(sudo can be avoided by copying /usr/libexec/sssd/p11_child to a user path and calling the
script with SSSD_P11_CHILD=/path/to/p11_child env variable)
3. Ensure that "Test completed, Root CA and intermediate issued certificates verified!"
is printed and the script returns properly
This will:
- Generate a test Root Certificate Authority (and will emit a cert from it)
- Generate a test Intermediate Certificate Authority (and will emit a cert)
- Generate a test Sub Intermediate Certificate Authority (and will emit a cert)
- Test the certificates themselves with openssl
- For each certificate will create various fake smartcards
- Will test each smartcard how it behaves when used via p11_child with both
partial and full verification, and doing full p11_child authentication.
Before this SRU, the script fails with this error:
(Thu Jan 26 04:36:16:676491 2023) [p11_child[257107]] [read_certs] (0x4000): found cert[Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001]
(Thu Jan 26 04:36:16:676970 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Thu Jan 26 04:36:16:677197 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [2][unable to get issuer certificate].
(Thu Jan 26 04:36:16:677438 2023) [p11_child[257107]] [read_certs] (0x0040): Certificate [Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001] not valid, skipping.
(Thu Jan 26 04:36:16:677709 2023) [p11_child[257107]] [do_card] (0x4000): No certificate found.
+ grep -qs 00112233445566778899FFAABBCCDDEEFF012345 /tmp/sssd-softhsm2-sGxAXC/SSSD-child-2678.output
+ return 2
+ echo 'Unexpected failure!'
[ Regression potential ]
SSSD p11_child functionalities did not change by default and they're now strictly tested (they were not fully before this SRU).
However, we may set some systems to use a weaker auth mode for PAM authentication with smart cards, but this is still a secure mode. |
|
2023-09-21 19:13:20 |
Andreas Hasenack |
bug |
|
|
added subscriber Andreas Hasenack |
2023-10-05 17:36:36 |
Andreas Hasenack |
sssd (Ubuntu Focal): status |
In Progress |
Incomplete |
|
2023-10-09 04:34:48 |
Marco Trevisan (Treviño) |
description |
[ Impact ]
With the latest sssd release supporting OpenSSL PKI authentication for Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely affected many systems which are configured for PKI only authentication.
The NSSDB implementation of sssd/p11_child ONLY requires the issuing certificate to be populated to the nssdb and marked as trusted. While this may be considered a poorly configured system, it is still technically valid.
The OpenSSL implementation of the sssd/p11_child requires the FULL cert chain to the root cert (which is then also trusted by the system root chain) in order to allow a certificate to authenticate.
By upgrading to the latest packages, the conversion process from nssdb to the OpenSSL pam file fails to check the chain of trust, thereby creating a denial of service for some systems configured to require smart card/PKI authentication in the pam stack via pam_sss and require_cert_auth flag.
Note that this is a popular configuration because many organizations are required to follow NIST 800-171 (and other) security-derived policy. Often policy requires PKI-based authentication to be enforced and all other authentication methods disabled.
[ Test case ]
Testing this fix in any system is complex because it depends on certificates with partial authentication, so ideally we should:
1. Configure SSSD to include an intermediate certificate for the smart card in use in
/etc/sssd/pki/sssd_auth_ca_db.pem
2. Launch:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem
And this should NOT return a certificate, then launch it with:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --verify=partial_chain
And this MUST return the card certificate.
Alternatively, you should try to log in, ensuring that /etc/sssd/sssd.conf contains:
[pam]
pam_cert_verification = partial_chain #or other_option, partial_chain
---
However, given that testing this is complex without specific hardware, I've set up a test case that automates all this, creating keyrings with partially trusted certificates and a software-generated smartcard (using softhsm2) so that this can all be tested easily, see:
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
So, basically you only have to:
0. sudo apt install gnutls-bin openssl softhsm2 && \
sudo apt-mark auto gnutls-bin openssl softhsm2
1. wget https://gist.githubusercontent.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-softhism2-certificates-tests.sh
2. sudo bash sssd-softhism2-certificates-tests.sh
(sudo can be avoided by copying /usr/libexec/sssd/p11_child to a user path and calling the
script with SSSD_P11_CHILD=/path/to/p11_child env variable)
3. Ensure that "Test completed, Root CA and intermediate issued certificates verified!"
is printed and the script returns properly
This will:
- Generate a test Root Certificate Authority (and will emit a cert from it)
- Generate a test Intermediate Certificate Authority (and will emit a cert)
- Generate a test Sub Intermediate Certificate Authority (and will emit a cert)
- Test the certificates themselves with openssl
- For each certificate will create various fake smartcards
- Will test each smartcard how it behaves when used via p11_child with both
partial and full verification, and doing full p11_child authentication.
Before this SRU, the script fails with this error:
(Thu Jan 26 04:36:16:676491 2023) [p11_child[257107]] [read_certs] (0x4000): found cert[Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001]
(Thu Jan 26 04:36:16:676970 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Thu Jan 26 04:36:16:677197 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [2][unable to get issuer certificate].
(Thu Jan 26 04:36:16:677438 2023) [p11_child[257107]] [read_certs] (0x0040): Certificate [Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001] not valid, skipping.
(Thu Jan 26 04:36:16:677709 2023) [p11_child[257107]] [do_card] (0x4000): No certificate found.
+ grep -qs 00112233445566778899FFAABBCCDDEEFF012345 /tmp/sssd-softhsm2-sGxAXC/SSSD-child-2678.output
+ return 2
+ echo 'Unexpected failure!'
[ Regression potential ]
SSSD p11_child functionalities did not change by default and they're now strictly tested (they were not fully before this SRU).
However, we may set some systems to use a weaker auth mode for PAM authentication with smart cards, but this is still a secure mode. |
[ Impact ]
With the latest sssd release supporting OpenSSL PKI authentication for Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely affected many systems which are configured for PKI only authentication.
The NSSDB implementation of sssd/p11_child ONLY requires the issuing certificate to be populated to the nssdb and marked as trusted. While this may be considered a poorly configured system, it is still technically valid.
The OpenSSL implementation of the sssd/p11_child requires the FULL cert chain to the root cert (which is then also trusted by the system root chain) in order to allow a certificate to authenticate.
By upgrading to the latest packages, the conversion process from nssdb to the OpenSSL pam file fails to check the chain of trust, thereby creating a denial of service for some systems configured to require smart card/PKI authentication in the pam stack via pam_sss and require_cert_auth flag.
Note that this is a popular configuration because many organizations are required to follow NIST 800-171 (and other) security-derived policy. Often policy requires PKI-based authentication to be enforced and all other authentication methods disabled.
[ Test case ]
Testing this fix in any system is complex because it depends on certificates with partial authentication, so ideally we should:
1. Configure SSSD to include an intermediate certificate for the smart card in use in
/etc/sssd/pki/sssd_auth_ca_db.pem
2. Launch:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem
And this should NOT return a certificate, then launch it with:
sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 \
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --verify=partial_chain
And this MUST return the card certificate.
Alternatively, you should try to login. Ensuring that /etc/sssd/sssd.conf contains:
[pam]
pam_cert_verification = partial_chain #or other_option, partial_chain
---
However, given that testing this is complex without specific hardware, I've set up a test case that automates all this, creating keyrings with partially trusted certificates and a software-generated smartcard (using softhsm2) so that this can all be tested easily, see:
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
So, basically you only have to:
0. sudo apt install gnutls-bin openssl softhsm2 && \
sudo apt-mark auto gnutls-bin openssl softhsm2
1. wget https://gist.githubusercontent.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-softhism2-certificates-tests.sh
2. sudo bash sssd-softhism2-certificates-tests.sh
(sudo can be avoided by copying /usr/libexec/sssd/p11_child to a
user-local path and calling the script with the
SSSD_P11_CHILD=$HOME/path/to/p11_child env variable)
3. Ensure that "Test completed, Root CA and intermediate issued certificates verified!"
is printed and the script returns properly
This will:
- Generate a test Root Certificate Authority (and will emit a cert from it)
- Generate a test Intermediate Certificate Authority (and will emit a cert)
- Generate a test Sub Intermediate Certificate Authority (and will emit a cert)
- Test the certificates themselves with openssl
- For each certificate will create various fake smartcards
- Will test how each smartcard behaves when used via p11_child with both
partial and full verification, and doing full p11_child authentication.
Before this SRU, the script fails with this error:
(Thu Jan 26 04:36:16:676491 2023) [p11_child[257107]] [read_certs] (0x4000): found cert[Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001]
(Thu Jan 26 04:36:16:676970 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [0].
(Thu Jan 26 04:36:16:677197 2023) [p11_child[257107]] [do_verification] (0x0040): X509_verify_cert failed [2][unable to get issuer certificate].
(Thu Jan 26 04:36:16:677438 2023) [p11_child[257107]] [read_certs] (0x0040): Certificate [Test Organization Intermediate Trusted Certificate 0001][/O=Test Organization/OU=Test Organization Unit/CN=Test Organization Intermediate Trusted Certificate 0001] not valid, skipping.
(Thu Jan 26 04:36:16:677709 2023) [p11_child[257107]] [do_card] (0x4000): No certificate found.
+ grep -qs 00112233445566778899FFAABBCCDDEEFF012345 /tmp/sssd-softhsm2-sGxAXC/SSSD-child-2678.output
+ return 2
+ echo 'Unexpected failure!'
[ Regression potential ]
SSSD p11_child functionalities did not change by default and they're now strictly tested (they were not fully before this SRU).
However we may set some systems to use a weaker auth mode for PAM authentication with smart cards, but this is still a secure mode. |
|
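The full-chain versus partial-chain behaviour described in the bug description can be reproduced with the openssl CLI alone. This is an added example, not part of the bug report or the linked gist; it uses `openssl verify -partial_chain` as a stand-in for `p11_child --verify=partial_chain` (an assumption, p11_child is not invoked), and all names and paths are constructed.

```bash
#!/usr/bin/env bash
# Constructed throwaway PKI: root CA -> intermediate CA -> leaf (stands in for the
# card certificate). Subject names and file names are invented for this example.
build_pki() {
    local d=$1 n
    printf '%s\n' '[req]' 'distinguished_name=dn' '[dn]' \
        '[ca]' 'basicConstraints=critical,CA:TRUE' > "$d/pki.cnf"
    for n in root int leaf; do
        openssl req -new -newkey rsa:2048 -nodes -config "$d/pki.cnf" \
            -subj "/O=Example Test/CN=Example $n" \
            -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null || return 1
    done
    # Self-signed root; intermediate signed by root; leaf signed by intermediate.
    openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 2 \
        -extfile "$d/pki.cnf" -extensions ca -out "$d/root.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -set_serial 2 -days 2 -extfile "$d/pki.cnf" -extensions ca \
        -out "$d/int.pem" 2>/dev/null &&
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" \
        -set_serial 3 -days 2 -out "$d/leaf.pem" 2>/dev/null &&
    cat "$d/int.pem" "$d/root.pem" > "$d/full_chain.pem"
}

# verify_leaf DIR BUNDLE [extra "openssl verify" flags]
# Exit status 0 means the leaf was accepted against the given trust bundle.
verify_leaf() {
    local d=$1 bundle=$2
    shift 2
    openssl verify "$@" -CAfile "$d/$bundle" "$d/leaf.pem" 2>&1
}

PKI_DIR=$(mktemp -d)
build_pki "$PKI_DIR" || echo "PKI generation failed (is openssl installed?)" >&2

# 1. Only the issuing intermediate is trusted (the nssdb-style setup): rejected with
#    error 2, "unable to get issuer certificate", as in the p11_child log.
# 2. Same bundle with -partial_chain: the trusted intermediate is accepted as anchor.
# 3. Intermediate plus root in the bundle: full verification succeeds.
for args in "int.pem" "int.pem -partial_chain" "full_chain.pem"; do
    echo "== trust bundle and flags: $args"
    # Word splitting of $args is intended: bundle name, then optional flag.
    verify_leaf "$PKI_DIR" $args || echo "   -> leaf rejected"
done
```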