Name: SSS optional smart card authentication
Default: no
Priority: 264
Conflicts: sss-smart-card-required
Auth-Type: Primary
Auth:
[success=end default=ignore] pam_sss.so allow_missing_name try_cert_auth
Name: SSS required smart card authentication
Default: no
Priority: 264
Conflicts: sss-smart-card-optional
Auth-Type: Primary
Auth:
[success=end ignore=ignore default=die] pam_sss.so allow_missing_name require_cert_auth
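Review bot: The `default=die` control on this profile ends the auth stack with a failure for any non-success, non-ignore result from pam_sss, so once `sss-smart-card-required` is enabled an account that cannot be certificate-authenticated — including root, which the accompanying test deliberately expects to be refused — gets no password fallback, and presumably every login fails while sssd itself is unreachable. That is what "required" means, but nothing in the package tells an administrator this before they tick the option in `pam-auth-update`; a debian/NEWS or README.Debian entry describing the lockout risk and a recovery path (keep a root shell open while enabling it, or boot with `init=/bin/sh`) would be appropriate. Keeping `Default: no` so the profile is strictly opt-in is the right call.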
......@@ -2,7 +2,10 @@
if [ "$1" = remove ] && [ "${DPKG_MAINTSCRIPT_PACKAGE_REFCOUNT:-1}" = 1 ]; then
pam-auth-update --package --remove sss
pam-auth-update --package --remove \
sss \
sss-smart-card-optional \
sss-smart-card-required
fi
#DEBHELPER#
......@@ -70,6 +70,10 @@ override_dh_install:
mkdir -p $(CURDIR)/debian/libpam-sss/usr/share/pam-configs
install -m644 debian/libpam-sss.pam-auth-update \
$(CURDIR)/debian/libpam-sss/usr/share/pam-configs/sss
install -m644 debian/libpam-sss-smart-card-optional.pam-auth-update \
$(CURDIR)/debian/libpam-sss/usr/share/pam-configs/sss-smart-card-optional
install -m644 debian/libpam-sss-smart-card-required.pam-auth-update \
$(CURDIR)/debian/libpam-sss/usr/share/pam-configs/sss-smart-card-required
install -m644 -D $(CURDIR)/debian/apparmor-profile \
$(CURDIR)/debian/sssd-common/etc/apparmor.d/usr.sbin.sssd
......
......@@ -5,3 +5,35 @@ Restrictions: isolation-container, needs-root, allow-stderr
Tests: ldap-user-group-krb5-auth
Depends: @, slapd, ldap-utils, openssl, expect, lsb-release, krb5-user, krb5-admin-server, krb5-kdc
Restrictions: isolation-container, needs-root, allow-stderr
Test-Command: sudo
bash debian/tests/sssd-softhism2-certificates-tests.sh
Features: test-name=sssd-softhism2-certificates-tests
Depends: bash,
gnutls-bin,
openssl,
passwd,
softhsm2,
sssd,
util-linux
Restrictions: needs-sudo,
allow-stderr
Test-Command: sudo env
OFFLINE_MODE=1
bash debian/tests/sssd-smart-card-pam-auth-configs-tester.sh
Features: test-name=sssd-smart-card-pam-auth-configs
Depends: bash,
gnutls-bin,
libpam-sss,
openssl,
pamtester,
passwd,
softhsm2,
sssd,
util-linux
Restrictions: breaks-testbed,
isolation-container,
needs-sudo,
allow-stderr
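Review bot: The first new stanza, `sssd-softhism2-certificates-tests`, carries only `needs-sudo, allow-stderr` even though it runs as root and, judging by the second test invoking the same script with `GENERATE_SMART_CARDS=1`, generates CA and token material; that script is not in this diff, so whether it ever writes outside its temp dir should be checked and, if it does, `breaks-testbed` and `isolation-container` added as the second stanza already does. The second stanza's restrictions look right for a test that rewrites /etc/sssd/sssd.conf, both softhsm2 configs and the PAM stack. Note also that the script name `sssd-softhism2-certificates-tests.sh` misspells softhsm2 while its own header says "softhsm2"; it is harmless but worth renaming before other tests depend on the path.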
#!/usr/bin/env bash
# Copyright 2023 - Marco Trevisan
# Released under the GPLv3 terms
#
# A simple tool to simulate PAM authentication using SSSD smartcard settings.
#
# To be used with softhsm2 smart cards generators from
# https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
#
# Origin: https://gist.github.com/3v1n0/d7bc0f10cf44a11288648ae9d228430d
set -xe
export DEBIAN_FRONTEND=noninteractive
required_tools=(
pamtester # debian package: pamtester
softhsm2-util # debian package: softhsm2
sssd # debian package: sssd
)
if [[ ! -v OFFLINE_MODE ]]; then
required_tools+=(
wget # debian package: wget
)
fi
if [ "$(id -u)" != 0 ] || [ -z "$SUDO_USER" ]; then
echo "This tool requires sudo!"
exit 2
fi
for cmd in "${required_tools[@]}"; do
if ! command -v "$cmd" > /dev/null; then
echo "Tool $cmd missing"
exit 1
fi
done
PIN=${PIN:-123456}
tmpdir=${TEST_TMPDIR:-$(mktemp -d -t "sssd-softhsm2-certs-XXXXXX")}
backupsdir=
alternative_pam_configs=(
sss-smart-card-optional
sss-smart-card-required
)
declare -a restore_paths
declare -a delete_paths
function restore_changes() {
for path in "${restore_paths[@]}"; do
local original_path
original_path="/$(realpath --strip --relative-base="$backupsdir" "$path")"
rm "$original_path" && mv "$path" "$original_path" || true
done
for path in "${delete_paths[@]}"; do
rm -f "$path"
#find "$(dirname "$path")" -empty -delete || true
done
pam-auth-update --disable "${alternative_pam_configs[@]}" || return 2
if [ -e /etc/sssd/sssd.conf ]; then
chmod 600 /etc/sssd/sssd.conf || return 1
systemctl restart sssd || true
else
systemctl stop sssd || true
fi
if [ -e /etc/softhsm/softhsm2.conf ]; then
chmod 600 /etc/softhsm/softhsm2.conf || return 1
fi
rm -rf "$tmpdir"
}
function backup_file() {
if [ -z "$backupsdir" ]; then
backupsdir=$(mktemp -d -t "sssd-softhsm2-backups-XXXXXX")
fi
if [ -e "$1" ]; then
local back_dir="$backupsdir/$(dirname "$1")"
local back_path="$back_dir/$(basename "$1")"
[ ! -e "$back_path" ] || return 1
mkdir -p "$back_dir" || return 1
cp -a "$1" "$back_path" || return 1
restore_paths+=("$back_path")
else
delete_paths+=("$1")
fi
}
function handle_exit() {
exit_code=$?
restore_changes || return 1
if [ $exit_code = 0 ]; then
rm -rf "$backupsdir"
set +x
echo "Script completed successfully!"
else
set +x
echo "Script failed, check the log!"
echo " Backup preserved at $backupsdir"
echo " PAM Log: /var/log/auth.log"
echo " SSSD PAM Log: /var/log/sssd/sssd_pam.log"
echo " SSSD p11_child Log: /var/log/sssd/p11_child.log"
fi
}
trap 'handle_exit' EXIT
tester="$(dirname "$0")"/sssd-softhism2-certificates-tests.sh
if [ ! -e "$tester" ] && [[ ! -v OFFLINE_MODE ]]; then
echo "Required $tester missing, we're downloading it..."
tester="$tmpdir/sssd-softhism2-certificates-tests.sh"
wget -q -c https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-softhism2-certificates-tests.sh \
-O "$tester"
[ -e "$tester" ] || exit 1
elif [ ! -e "$tester" ] && [[ -v OFFLINE_MODE ]]; then
echo "Required $tester missing"
exit 1
fi
export PIN TEST_TMPDIR="$tmpdir" GENERATE_SMART_CARDS=1 KEEP_TEMPORARY_FILES=1 NO_SSSD_TESTS=1
bash "$tester"
find "$tmpdir" -type d -exec chmod 777 {} \;
find "$tmpdir" -type f -exec chmod 666 {} \;
backup_file /etc/sssd/sssd.conf
rm -f /etc/sssd/sssd.conf
user_home="$(runuser -u "$SUDO_USER" -- sh -c 'echo ~')"
mkdir -p "$user_home"
chown "$SUDO_USER:$SUDO_USER" "$user_home"
user_config="$(runuser -u "$SUDO_USER" -- sh -c 'echo ${XDG_CONFIG_HOME:-~/.config}')"
system_config="/etc"
softhsm2_conf_paths=(
"$SUDO_USER:$user_config/softhsm2/softhsm2.conf"
"root:$system_config/softhsm/softhsm2.conf"
)
for path_pair in "${softhsm2_conf_paths[@]}"; do
IFS=":" read -r -a path <<< "${path_pair}"
path="${path[1]}"
backup_file "$path"
rm -f "$path"
done
function test_authentication() {
pam_service="$1"
certificate_config="$2"
ca_db="$3"
verification_options="$4"
mkdir -p -m 700 /etc/sssd
echo "Using CA DB '$ca_db' with verification options: '$verification_options'"
cat <<EOF > /etc/sssd/sssd.conf || return 2
[sssd]
enable_files_domain = True
services = pam
#certificate_verification = $verification_options
[certmap/implicit_files/$SUDO_USER]
matchrule = <SUBJECT>.*Test Organization.*
[pam]
pam_cert_db_path = $ca_db
pam_cert_verification = $verification_options
pam_cert_auth = True
pam_verbosity = 10
debug_level = 10
EOF
chmod 600 /etc/sssd/sssd.conf || return 2
for path_pair in "${softhsm2_conf_paths[@]}"; do
IFS=":" read -r -a path <<< "${path_pair}"
user="${path[0]}"
path="${path[1]}"
runuser -u "$user" -- mkdir -p "$(dirname "$path")" || return 2
runuser -u "$user" -- ln -sf "$certificate_config" "$path" || return 2
runuser -u "$user" -- softhsm2-util --show-slots | grep "Test Organization" \
|| return 2
done
systemctl restart sssd || return 2
pam-auth-update --disable "${alternative_pam_configs[@]}" || return 2
for alternative in "${alternative_pam_configs[@]}"; do
pam-auth-update --enable "$alternative" || return 2
cat /etc/pam.d/common-auth
echo -n -e "$PIN" | runuser -u "$SUDO_USER" -- \
pamtester -v "$pam_service" "$SUDO_USER" authenticate || return 2
echo -n -e "$PIN" | runuser -u "$SUDO_USER" -- \
pamtester -v "$pam_service" "" authenticate || return 2
if echo -n -e "wrong${PIN}" | runuser -u "$SUDO_USER" -- \
pamtester -v "$pam_service" "$SUDO_USER" authenticate; then
echo "Unexpected pass!"
return 2
fi
if echo -n -e "wrong${PIN}" | runuser -u "$SUDO_USER" -- \
pamtester -v "$pam_service" "" authenticate; then
echo "Unexpected pass!"
return 2
fi
if echo -n -e "$PIN" | pamtester -v "$pam_service" root authenticate; then
echo "Unexpected pass!"
return 2
fi
done
}
test_authentication \
login \
"$tmpdir/softhsm2-test-root-CA-trusted-certificate-0001.conf" \
"$tmpdir/test-full-chain-CA.pem"
test_authentication \
login \
"$tmpdir/softhsm2-test-sub-intermediate-CA-trusted-certificate-0001.conf" \
"$tmpdir/test-full-chain-CA.pem"
test_authentication \
login \
"$tmpdir/softhsm2-test-sub-intermediate-CA-trusted-certificate-0001.conf" \
"$tmpdir/test-sub-intermediate-CA.pem" \
"partial_chain"
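Review bot: The restore loop in `restore_changes` skips a backup whenever the original file is already gone: `rm "$original_path" && mv "$path" "$original_path" || true` only runs the `mv` if the `rm` succeeded, and `/etc/sssd/sssd.conf` is deleted right after being backed up and only recreated inside `test_authentication`, so a failure before that point leaves the host's real sssd.conf sitting in the backup directory instead of in /etc. Use `rm -f -- "$original_path"; mv -- "$path" "$original_path" || true` so the restore does not depend on the current file existing. Separately, the `chmod 777` / `chmod 666` sweep over `$tmpdir` makes the generated CA, the token directories and the softhsm2 configs that both the user's and root's `softhsm2.conf` are symlinked to world-writable, so any other local account could alter the trust material under test. Ownership by `$SUDO_USER` with 755/644 should cover the reads that happen here; if sssd's p11_child genuinely needs write access to the token directory, grant it there alone rather than to the whole tree. The EXIT trap also only `return`s when `restore_changes` fails, so a run that passed but could not put the system back still reports success with exit status 0 — an `exit 1` there would surface it.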