Comment 0 for bug 1919563

Karl Grindley (karlg100) wrote:

With the latest sssd release supporting OpenSSL PKI authentication for Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely affected many systems that are configured for PKI-only authentication.

The NSSDB implementation of sssd/p11_child ONLY requires the issuing certificate to be populated to the nssdb and marked as trusted. While this may be considered a poorly configured system, it is still technically valid.

The OpenSSL implementation of the sssd/p11_child requires the FULL cert chain to the root cert (which is then also trusted by the system root chain) in order to allow a certificate to authenticate.

When upgrading to the latest packages, the conversion process from nssdb to the OpenSSL pam file fails to check the chain of trust, thereby creating a denial of service for some systems configured to require smart card/PKI authentication in the pam stack via pam_sss and the require_cert_auth flag.

Note that this is a popular configuration because many organizations are required to follow NIST 800-171 (and other) security-derived policy. Often policy requires PKI-based authentication to be enforced and all other authentication methods disabled.
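As an added example (not from the bug report or the sssd project), a pre-upgrade check for the condition described above: it verifies that a PEM CA bundle of the kind the OpenSSL p11_child reads contains the full chain (every issuer present, ending in a self-signed root) and demonstrates it on a constructed two-level demo PKI. The bundle paths, the demo CA names, and the availability of the `openssl` CLI are assumptions.

```shell
# Added example (not from the bug report): check that a PEM CA bundle for
# sssd's p11_child carries the FULL chain: every issuer present as a subject,
# ending in a self-signed root. Demo CA names and paths are constructed.
set -eu

# Split a PEM bundle into one file per certificate inside directory $2.
split_bundle() {
  awk -v dir="$2" '/-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert" n ".pem" }
                   f != "" { print > f }' "$1"
}

# Print a certificate's subject or issuer ($1) in RFC 2253 form, label stripped.
name_of() {
  openssl x509 -in "$2" -noout "-$1" -nameopt RFC2253 | sed "s/^$1= *//"
}

# Return 0 when every issuer in the bundle is also a subject in it (a self-signed
# root satisfies itself); otherwise print each gap and return 1.
chain_complete() {
  dir=$(mktemp -d)
  split_bundle "$1" "$dir"
  subjects=$(for c in "$dir"/cert*.pem; do name_of subject "$c"; done)
  rc=0
  for c in "$dir"/cert*.pem; do
    issuer=$(name_of issuer "$c")
    if ! printf '%s\n' "$subjects" | grep -qxF -- "$issuer"; then
      echo "gap: '$(name_of subject "$c")' is issued by '$issuer', not in bundle"
      rc=1
    fi
  done
  rm -rf "$dir"
  return $rc
}

# Build a constructed two-level demo PKI (root -> issuing CA) in directory $1.
make_demo_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=Demo Issuing CA" \
    -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null
  openssl x509 -req -days 1 -in "$1/int.csr" -CA "$1/root.pem" \
    -CAkey "$1/root.key" -CAcreateserial -out "$1/int.pem" 2>/dev/null
}

# Demo: issuer-only bundle (what the nssdb setup accepted) vs the full chain.
tmp=$(mktemp -d); make_demo_pki "$tmp"
cat "$tmp/root.pem" "$tmp/int.pem" > "$tmp/full_chain.pem"
chain_complete "$tmp/int.pem" || echo "issuer-only bundle: INCOMPLETE"
chain_complete "$tmp/full_chain.pem" && echo "full-chain bundle: complete"
rm -rf "$tmp"
```

Run it against your real bundle with `chain_complete /path/to/sssd_ca_bundle.pem` (path is an assumption); any reported gap is a chain the OpenSSL backend will refuse to build.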