Comment 17 for bug 1919563

Karl Grindley (karlg100) wrote : Re: [Bug 1919563] updated sssd with smart cards now brick systems without full cert chain

Marco,

Great! This should be easy for me to test, and I’d be happy to do so.

I may be able to do a regression test to make sure the automated NSSDB -> openssl upgrade works as well. This would mean, however, that the upgrade would need to drop the appropriate sssd.conf.d to configure the partial_chain config option on upgrade.

I assume partial_chain will work even if the full chain is present?

Karl

> On Mar 28, 2021, at 4:15 PM, Marco Trevisan (Treviño) <email address hidden> wrote:
>
> So, I've done some work on SSSD upstream to make this happen:
> https://github.com/SSSD/sssd/pull/5558
>
> With that we'll just be able to set on upgrades the option
> `certification_verification = partial_chain`, and this will just make
> SSSD's PEM ring work as the NSS db used to work: that is, verify a
> certificate if only its issuer is in SSSD's CA certificates DB.
>
> This comes with unit tests covering the case with generated
> certificates, not sure if I can personally test this with real hardware
> (for SRU purposes) though... We may still need to simulate it.
>
> In the end, it's the same as doing:
> openssl verify -partial_chain -CAfile intermediate_CA.pem intermediate_CA_issued_cert.pem
>
> Karl, will this be enough for you?
>
> https://bugs.launchpad.net/bugs/1919563
>
> Title:
> updated sssd with smart cards now brick systems without full cert
> chain
>
> Status in sssd package in Ubuntu:
> New
>
> Bug description:
> With the latest sssd release supporting OpenSSL PKI authentication for
> Ubuntu 20.04, the difference in behavior between nssdb and OpenSSL has
> adversely affected many systems which are configured for PKI only
> authentication.
>
> The NSSDB implementation of sssd/p11_child ONLY requires the issuing
> certificate to be populated to the nssdb and marked as trusted. While
> this may be considered a poorly configured system, it is still
> technically valid.
>
> The OpenSSL implementation of the sssd/p11_child requires the FULL
> cert chain to the root cert (which is then also trusted by the system
> root chain) in order to allow a certificate to authenticate.
>
> By upgrading to the latest packages, the conversion process from nssdb
> to the OpenSSL pam file fails to check the chain of trust, thereby
> creating a denial of service for some systems configured to require
> smart card/PKI authentication in the pam stack via pam_sss and
> require_cert_auth flag.
>
> Note that this is a popular configuration because many organizations
> are required to follow NIST 800-171 (and other) security derived
> policy. Often policy requires PKI based authentication to be enforced
> and all other authentication methods disabled.
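Added example (not code from the bug report, from SSSD, or from the pull request quoted above): a shell script that builds a constructed root -> intermediate -> user certificate chain with the openssl CLI and then runs `openssl verify` in the modes discussed in the thread, so the difference between OpenSSL's default "chain must reach a self-signed root" check and `-partial_chain` can be seen directly, including the case where the full chain is present in the CA file. The subject names, file names and the temporary working directory are assumptions made for this demo.

```shell
#!/bin/sh
# Added example (not from the bug report or SSSD): reproduce the two
# verification policies at the centre of bug 1919563 with the openssl CLI.
# Everything below (names, paths, key type) is constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build three certificates: a self-signed root CA, an intermediate CA issued
# by the root, and a user ("smart card") certificate issued by the
# intermediate. Extensions come only from the small ext files written here,
# so the result does not depend on the system openssl.cnf.
make_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' \
    > "$WORK/leaf.ext"

  # Root CA (self-signed)
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/root.key"
  openssl req -new -key "$WORK/root.key" -subj "/CN=Example Root CA" \
    -out "$WORK/root.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 30 \
    -extfile "$WORK/ca.ext" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA, issued by the root
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/intermediate.key"
  openssl req -new -key "$WORK/intermediate.key" -subj "/CN=Example Intermediate CA" \
    -out "$WORK/intermediate.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/intermediate.csr" -CA "$WORK/root.pem" \
    -CAkey "$WORK/root.key" -CAcreateserial -days 30 -extfile "$WORK/ca.ext" \
    -out "$WORK/intermediate.pem" 2>/dev/null

  # User certificate, issued by the intermediate (what the smart card holds)
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/leaf.key"
  openssl req -new -key "$WORK/leaf.key" -subj "/CN=smartcard-user" \
    -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/intermediate.pem" \
    -CAkey "$WORK/intermediate.key" -CAcreateserial -days 30 \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null

  # CA file an administrator ends up with after a "full chain" conversion:
  # root plus intermediate.
  cat "$WORK/root.pem" "$WORK/intermediate.pem" > "$WORK/fullchain.pem"
}

# verify_leaf CAFILE [extra openssl verify flags]
# Verifies the user certificate against CAFILE alone (the system trust store
# is disabled) and returns openssl's exit status: 0 accepted, non-zero rejected.
verify_leaf() {
  cafile=$1; shift
  openssl verify -no-CAfile -no-CApath "$@" -CAfile "$cafile" "$WORK/leaf.pem"
}

# show LABEL CAFILE [flags]: print the verdict without aborting on rejection.
show() {
  label=$1; shift
  if verify_leaf "$@" >/dev/null 2>&1; then
    echo "$label: accepted"
  else
    echo "$label: rejected"
  fi
}

make_chain
show "issuer only, default"        "$WORK/intermediate.pem"
show "issuer only, -partial_chain" "$WORK/intermediate.pem" -partial_chain
show "full chain, default"         "$WORK/fullchain.pem"
show "full chain, -partial_chain"  "$WORK/fullchain.pem" -partial_chain
show "root only, -partial_chain"   "$WORK/root.pem" -partial_chain
```

Run it as-is; it prints one verdict per case. "issuer only, default" is the rejection that became a lock-out after the nssdb to OpenSSL conversion, "issuer only, -partial_chain" is the NSS-style behaviour the new option restores, "full chain, -partial_chain" shows that the flag does no harm when the root is present as well, and "root only, -partial_chain" shows that the flag still requires the leaf's direct issuer to be in the CA file. In the sssd.conf(5) manual the [sssd] section option is spelled `certificate_verification`, so a drop-in under sssd.conf.d would carry `certificate_verification = partial_chain`.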