Marco, Great! This should be easy for me to test, and I'd be happy to do so.

I may be able to do a regression test to make sure the automated NSSDB -> openssl upgrade works as well. This would mean however that the upgrade would need to drop the appropriate sssd.conf.d to configure the partial_chain config option on upgrade. I assume partial_chain will work even if the full chain is present?

Karl

> On Mar 28, 2021, at 4:15 PM, Marco Trevisan (Treviño)
> <1919...@bugs.launchpad.net> wrote:
>
> So, I've done some work on SSSD upstream to make this happen:
> https://github.com/SSSD/sssd/pull/5558
>
> With that we'll just be able to set on upgraders the option
> `certification_verification = partial_chain`, and this will just make
> the SSSD's PEM ring work as the NSS db used to work: and so verify a
> certificate if only its issuer is in the SSSD's CA certificates DB.
>
> This comes with unit tests covering the case with generated
> certificates, not sure if I can personally test this with real hardware
> (for SRU purposes) though... We may still need to simulate it.
>
> At the end, it's just like doing:
> openssl verify -partial_chain -CAfile intermediate_CA.pem intermediate_CA_issued_cert.pem
>
> Karl, will this be enough for you?
>
> --
> You received this bug notification because you are subscribed to the bug
> report.
> https://bugs.launchpad.net/bugs/1919563
>
> Title:
> updated sssd with smart cards now brick systems without full cert
> chain
>
> Status in sssd package in Ubuntu:
> New
>
> Bug description:
> With the latest sssd release supporting OpenSSL PKI authentication for
> Ubuntu 20.04, the behavior between nssdb and OpenSSL has adversely
> affected many systems which are configured for PKI only
> authentication.
>
> The NSSDB implementation of sssd/p11_child ONLY requires the issuing
> certificate to be populated to the nssdb and marked as trusted. While
> this may be considered a poorly configured system, it is still
> technically valid.
>
> The OpenSSL implementation of the sssd/p11_child requires the FULL
> cert chain to the root cert (which is then also trusted by the system
> root chain) in order to allow a certificate to authenticate.
>
> By upgrading to the latest packages, the conversion process from nssdb
> to the OpenSSL pam file fails to check the chain of trust, thereby
> creating a denial of service for some systems configured to require
> smart card/PKI authentication in the pam stack via pam_sss and the
> require_cert_auth flag.
>
> Note that this is a popular configuration because many organizations
> are required to follow NIST 800-171 (and other) security derived
> policy. Often policy requires PKI based authentication to be enforced
> and all other authentication methods disabled.
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1919563/+subscriptions

--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
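The following shell script is an added, stand-alone demonstration of the `openssl verify` behaviour the thread is about; it is not code from the bug report, from SSSD or from Ubuntu. It builds a throwaway root -> intermediate -> leaf PKI (all subject names, lifetimes and file names are constructed for the demo) and verifies the leaf three ways: with only the intermediate trusted and strict chain building (rejected, which is what p11_child's OpenSSL path does after the upgrade), with only the intermediate trusted plus `-partial_chain` (accepted, which is what the old NSS DB did and what the new SSSD option restores), and with the full chain trusted plus `-partial_chain` (still accepted). In sssd.conf(5) the corresponding option is spelled `certificate_verification = partial_chain` in the `[sssd]` section; the Launchpad address and PR number in the thread are left as they appear there.

```shell
#!/bin/sh
# Added example for the bug 1919563 discussion (not from the thread, SSSD or Ubuntu).
# Builds root -> intermediate -> leaf and compares `openssl verify` with and without
# -partial_chain. Requires the openssl CLI (1.0.2 or newer for -partial_chain).
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Build the three certificates. Names and validity periods are made up for the demo.
make_pki() {
  # Self-signed root; `req -x509` marks it as a CA through the default config.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
      -subj /CN=demo-root -keyout root.key -out root.pem 2>/dev/null
  # Intermediate CA issued by the root.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj /CN=demo-intermediate -keyout inter.key -out inter.csr 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
  openssl x509 -req -days 1 -sha256 -in inter.csr -CA root.pem -CAkey root.key \
      -CAcreateserial -extfile inter.ext -out inter.pem 2>/dev/null
  # End-entity certificate (the smart card certificate in the bug) issued by the intermediate.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
      -subj /CN=demo-user -keyout leaf.key -out leaf.csr 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext
  openssl x509 -req -days 1 -sha256 -in leaf.csr -CA inter.pem -CAkey inter.key \
      -CAcreateserial -extfile leaf.ext -out leaf.pem 2>/dev/null
  # "Full chain" trust store: root plus intermediate, what the OpenSSL path needs today.
  cat root.pem inter.pem > chain.pem
}

# Verify leaf.pem with the given trust options. Prints the verdict and returns
# openssl's own exit status (0 = chain accepted, 1 = rejected).
verify_leaf() {
  if openssl verify "$@" leaf.pem >/dev/null 2>&1; then
    echo "accepted: openssl verify $* leaf.pem"
    return 0
  else
    echo "rejected: openssl verify $* leaf.pem"
    return 1
  fi
}

make_pki
echo "1) only the intermediate trusted, strict chain building (post-upgrade p11_child behaviour):"
verify_leaf -CAfile inter.pem || true
echo "2) only the intermediate trusted, -partial_chain (old NSS DB behaviour, new SSSD option):"
verify_leaf -partial_chain -CAfile inter.pem
echo "3) full chain trusted, -partial_chain still accepts:"
verify_leaf -partial_chain -CAfile chain.pem
echo "4) full chain trusted, strict chain building also accepts:"
verify_leaf -CAfile chain.pem
```

Case 1 fails with OpenSSL's "unable to get issuer certificate" at depth 1: the intermediate is in the trust store, but without `-partial_chain` the verifier insists on reaching a self-signed anchor. Cases 3 and 4 show that adding `partial_chain` does no harm on a system that already ships the full chain, which is the question Karl raises above; it only relaxes the requirement that the chain terminate in a self-signed certificate.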