Smart card authentication



I think we should skip the 18.04 documentation, or move it elsewhere. It is distracting in this guide, and not even the old https://help.ubuntu.com site lists 18.04 anymore.

You need to install sssd-dbus for this to work.

This section is confusing, because the config file that is presented won’t work on its own. It also uses a different file for the CAs, and not the one you created before in the "Configure SSSD Certificate Authorities database" section.
Also in the certmap rule here, you are suddenly talking about domain, and no longer the implicit_files bit, and you are also no longer enabling that domain (enable_files_domain = True). Changing directions mid-document like this I think is confusing. If you are building up to a final config file, and intended to show it here, then it should follow what was described so far.

I suggest instructing the reader to copy the pam-auth config files to /usr/share/pam-configs and then run the pam-auth-update command, conditional on the sssd packages not yet having had the SRU you are planning for. Perhaps with a different name, so they don’t clash with the future SRU. Or show the final common-{auth,password,…} files as they should be. Just showing the pam_sss lines like here will lead to bad configurations.

Then you don’t even need to have a “after 23.10” and “before 23.10” distinction, which also looks odd because neither are LTS releases.

Showing a few simpler examples might help here. That regexp is quite specific (and it has to be: we only want one certificate to match). Perhaps show an example using <SAN:rfc822Name>, which even has a shortname variant which could even map directly to the username. And after one or two examples, link to the sss-certmap manpage (Ubuntu Manpage: sss-certmap - SSSD Certificate Matching and Mapping Rules).

We are also not talking about matching rules here, and I understand it’s because we are limiting this doc to the local user case (implicit_files domain). But maybe it’s worth documenting the default value that matchrule assumes in this case, and which makes this all work.
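An added example (not from the original page or its author) of the simpler rule the reply above asks for: a local-user certmap entry in sssd.conf that matches on the certificate's rfc822Name SAN and maps its short name to the username, shown next to the subject-based form. The implicit_files domain follows the thread; the user name, e-mail domain and section names are assumptions.

```ini
# sssd.conf fragment (added example, assumed names).
# Local users live in the implicit_files domain, so certmap sections
# are named [certmap/implicit_files/<rule-name>].

# Rule 1: match on the rfc822Name SAN and derive the username from it.
# <SAN:rfc822Name> restricts the regexp to that SAN type; anchoring the
# regexp keeps it from matching other users at the same e-mail domain.
[certmap/implicit_files/alice]
matchrule = <SAN:rfc822Name>^alice@example\.com$
# The .short_name modifier strips the @domain part, so this yields "alice".
maprule = {subject_rfc822_name.short_name}

# Rule 2: subject-based form for comparison; the regexp must still single
# out exactly one certificate, hence the explicit CN.
[certmap/implicit_files/bob]
matchrule = <SUBJECT>.*CN=bob,.*
maprule = bob
```

Both rules are only consulted for the implicit_files domain, so a certificate matching neither rule cannot map to any local user.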

Note that pam_pkcs11 will search for “pam_pkcs11.conf” instead of “pkcs11.conf” by default.
I spent hours trying to figure out why the example configuration file wasn’t working. Turns out it couldn’t find the config file, but the debug error wasn’t clear about that.

I think this is missing card-cert.pem from the end of the line