URL: https://github.com/freeipa/freeipa/pull/854
Title: #854: server-side and client-side advises for configuring smart card auth
martbab commented:
"""
master:
* 0569c02f17f853d97280f52f4a7fefecc72cf45d Extend the advice printing code by
some useful abstractions
* e418e9a4ca747886c53d05ae8059
flo-renaud commented:
"""
Hi @martbab
Thank you for the fix. Works as expected.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/854#issuecommen
abbra commented:
"""
@martbab, definitely `authconfig` in fc25 is too old for this. On F26 I have
version 7.0.1-1. It does announce support for SSSD smartcard enable
martbab commented:
"""
Also I get the following error when running authconfig:
```console
authconfig: Authentication module /lib64/security/pam_pkcs11.so is missing.
```
abbra commented:
"""
Note that "directly" may actually mean using a virtualized remote smart card
access which is provided via virtualized USB pass-through done by y
abbra commented:
"""
@martbab, this actually makes full sense -- if you want to increase the
security of your IPA masters, you might force using smart cards only to
martbab commented:
"""
@flo regarding enabling Smart Card login (add PKCS#11 module, configure SSSD
and such), do we really need to set this up on the server? I do not e
martbab commented:
"""
@flo ah sorry I missed that. I will incorporate it into advise then.
"""
See the full comment at
https://github.com/freeipa/freeipa/pull/854#
flo-renaud commented:
"""
Hi @martbab
I think @abbra was referring to this
[section](https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/h
martbab commented:
"""
That section[1] only instructs to configure `pam_cert_auth=true` in the SSSD's
`pam` section which is already done on both server and client,
abbra commented:
"""
It is all documented in
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7-Beta/html/Linux_Domain_Identity_Authentication_
martbab commented:
"""
@abbra thanks for review. Is `pam_pkcs11` removal necessary for client? Also
what option does the recipe need to pass to `authconfig` to prope
abbra commented:
"""
Thanks. Comments so far:
* client configuration does not make sure to ask for a removal of `pam_pkcs11`
package
* client configuration does not
martbab commented:
"""
@flo @abbra I have rebased PR and included also a recipe for client
configuration for the sake of completeness.
"""