Can I use X.509 certificates to identify a user with SSSD using "id_provider=files" #19421

buentead · 2023-10-03T11:56:20Z

buentead
Oct 3, 2023

I'd like to avoid user/password on IoT gateways to login to Cockpit for security reasons. Hence, I tried to set up Cockpit for Certificate authentication. I'd like to use the local Linux users, as the IoT gateways are not part of an MS-AD or simlar. The user name is in the CN of the certificate subject. Following a describtion of what I did so far.

The user certificate is signed by a CA, which I included in /etc/sssd/pki/sssd_auth_ca_db.pem.
The /etc/sssd/sssd.conf file content is:

[sssd]
enable_files_domain = true

[pam]
pam_cert_auth = True

[certmap/implicit_files/local_user]
matchrule = <ISSUER>.*CN=myIssuerCN.*
maprule = LDAPU1:(user={subject_dn_component.CN})

The /etc/cockpit/cockpit.conf contains:

[WebService]
ClientCertAuthentication = true

So when I call https://<gateway-ip>:9090 the web-browser prompts me to select the certificate. Unfortunately, the cockpit-ws returns:
cockpit-session: No matching user for certificate

I couldn't find any helpful information how I could fix this issue. Hence my question here:
Is it possible to use X.509 certificates with SSSD id_provider=files (using local users) for Cockpit?

Answered by buentead

Oct 4, 2023

Yes, certificate authentication with just the local Linux users is possible. There is no central Identity Management System such as MS-AD required. The /etc/sssd/sssd.conf file, however, need to be different according to the design page Certificate mapping and matching rules for all providers. The following example works for me as the required user 'admin' is in the CN of the subject:

[SSSD]
enable_files_domain = true

[domain/implicit_files]
id_provider=files

[certmap/implicit_files/admin]
matchrule = <SUBJECT>^.*CN=admin.*$

Important is the rule name within the certmap section, which is the Linux user, 'admin' in the example above. The matchrule is used to assign a certificate content…

View full answer

buentead · 2023-10-04T11:46:49Z

buentead
Oct 4, 2023
Author

Yes, certificate authentication with just the local Linux users is possible. There is no central Identity Management System such as MS-AD required. The /etc/sssd/sssd.conf file, however, need to be different according to the design page Certificate mapping and matching rules for all providers. The following example works for me as the required user 'admin' is in the CN of the subject:

[SSSD]
enable_files_domain = true

[domain/implicit_files]
id_provider=files

[certmap/implicit_files/admin]
matchrule = <SUBJECT>^.*CN=admin.*$

Important is the rule name within the certmap section, which is the Linux user, 'admin' in the example above. The matchrule is used to assign a certificate content to this user. Whereas the validity of the signed certificate is already checked against the /etc/sssd/pki/sssd_auth_ca_db.pem CA chain.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Can I use X.509 certificates to identify a user with SSSD using "id_provider=files" #19421

{{title}}

Replies: 1 comment

{{title}}

Select a reply

Can I use X.509 certificates to identify a user with SSSD using "id_provider=files" #19421

buentead Oct 3, 2023

Replies: 1 comment

buentead Oct 4, 2023 Author

buentead
Oct 3, 2023

buentead
Oct 4, 2023
Author