mirror of
https://salsa.debian.org/freeipa-team/freeipa.git
synced 2025-02-25 18:55:28 -06:00
Add PKINIT support to ipa-client-install
The ``ipa-client-install`` command now supports PKINIT for client
enrollment. Existing X.509 client certificates can be used to
authenticate a host.
Also restart KRB5 KDC during ``ipa-certupdate`` so KDC picks up new CA
certificates for PKINIT.
*Requirements*
- The KDC must trust the CA chain of the client certificate.
- The client must be able to verify the KDC's PKINIT cert.
- The host entry must exist. This limitation may be removed in the
future.
- A certmap rule must match the host certificate and map it to a single
host entry.
*Example*
```
ipa-client-install \
--pkinit-identity=FILE:/path/to/cert.pem,/path/to/key.pem \
--pkinit-anchor=/path/to/kdc-ca-bundle.pem
```
Fixes: https://pagure.io/freeipa/issue/9271
Fixes: https://pagure.io/freeipa/issue/9269
Signed-off-by: Christian Heimes <cheimes@redhat.com>
Reviewed-By: Alexander Bokovoy <abokovoy@redhat.com>
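As an added pre-flight check that is not part of this commit or of FreeIPA's own code: the Python below validates ipa-client-install PKINIT options against the rules the commit message and man page state (a FILE:cert[,key] identity, FILE:/DIR: anchors that may be repeated, absolute paths, and no --password/--keytab alongside --pkinit-identity). The sample argument list and the injectable `exists` hook are assumptions so it runs offline; -w and -k are ipa-client-install's short forms of --password and --keytab.

```python
import os

# Constructed sample argv (not from the page); it mirrors the invocation in the commit message.
SAMPLE_ARGS = [
    "--pkinit-identity=FILE:/etc/pki/host/cert.pem,/etc/pki/host/key.pem",
    "--pkinit-anchor=FILE:/etc/pki/host/kdc-ca-bundle.pem",
]
# Enrollment credentials the man page says cannot be combined with --pkinit-identity (-w/-k are short forms).
EXCLUSIVE_WITH_PKINIT = ("--password", "-w", "--keytab", "-k")


def _check_abs_path(label, path, exists):
    """The man page wants absolute paths; also confirm the file or directory is there."""
    if not os.path.isabs(path):
        return [f"{label}: {path!r} is not an absolute path"]
    if not exists(path):
        return [f"{label}: {path!r} does not exist"]
    return []


def validate_pkinit_options(argv, exists=os.path.exists):
    """Pre-flight check of the PKINIT enrollment options; returns the problems found (empty = OK)."""
    problems, identity, anchors, clashing = [], None, [], []
    for arg in argv:
        opt, _, val = arg.partition("=")
        if opt == "--pkinit-identity":
            identity = val
        elif opt == "--pkinit-anchor":
            anchors.append(val)  # may be repeated: one per CA bundle or hash directory
        elif opt in EXCLUSIVE_WITH_PKINIT:
            clashing.append(opt)
    if identity is None:
        return problems  # not a PKINIT enrollment, nothing to check here
    if clashing:
        problems.append("--pkinit-identity is mutually exclusive with " + ", ".join(clashing))
    # Identity form shown on the page: FILE:<cert.pem>[,<key.pem>]; without a key path krb5 looks
    # for the key inside the certificate file. Other locator types from krb5.conf(5) are rejected.
    scheme, _, rest = identity.partition(":")
    parts = rest.split(",") if rest else []
    if scheme != "FILE" or not 1 <= len(parts) <= 2 or not all(parts):
        problems.append(f"identity {identity!r} must look like FILE:/path/cert.pem[,/path/key.pem]")
    else:
        for label, path in zip(("identity cert", "identity key"), parts):
            problems += _check_abs_path(label, path, exists)
    for anchor in anchors:  # FILE:<pem bundle> or DIR:<openssl hash directory>
        scheme, _, path = anchor.partition(":")
        if scheme not in ("FILE", "DIR") or not path:
            problems.append(f"anchor {anchor!r} must be FILE:<pem-bundle> or DIR:<openssl-hash-dir>")
        else:
            problems += _check_abs_path(f"anchor {anchor!r}", path, exists)
    return problems
```

Each returned string names one requirement that a PKINIT join would otherwise fail on, which is easier to act on than a failed pre-authentication exchange.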
committed by Alexander Bokovoy
parent f15da10454
commit dbebed2e3a
@@ -11,7 +11,7 @@ Configures a client machine to use IPA for authentication and identity services.
By default this configures SSSD to connect to an IPA server for authentication and authorization. Optionally one can instead configure PAM and NSS (Name Switching Service) to work with an IPA server over Kerberos and LDAP.
An authorized user is required to join a client machine to IPA. This can take the form of a kerberos principal or a one\-time password associated with the machine.
An authorized account is required to join a client machine to IPA. This can take the form of a kerberos principal, a one\-time password associated with the machine, or PKINIT identity associated with the machine.
This same tool is used to unconfigure IPA and attempts to return the machine to its previous state. Part of this process is to unenroll the host from the IPA server. Unenrollment consists of disabling the principal key on the IPA server so that it may be re\-enrolled. The machine principal in /etc/krb5.keytab (host/<fqdn>@REALM) is used to authenticate to the IPA server to unenroll itself. If this principal does not exist then unenrollment will fail and an administrator will need to disable the host principal (ipa host\-disable <fqdn>).
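Review bot: the rewritten description still leaves out the PKINIT prerequisites that the commit message lists (an existing host entry and a certmap rule that maps the certificate to exactly one host), so a reader of the man page will not learn why a PKINIT join fails for a host that has not been added yet; add a sentence here or point at the PKINIT OPTIONS section. Also, "or PKINIT identity associated with the machine" wants an article ("or a PKINIT identity"), and "kerberos" could take the capital K that "Kerberos KDC server" uses later in the same page.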
@@ -229,6 +229,22 @@ first. When this option is not specified, \fBipa\-client\-install\fR will back
up SSSD config and create new one. The back up version will be restored during
uninstall.
.SS "PKINIT OPTIONS"
.TP
\fB\-\-pkinit\-identity=\fIDENTITY\fR
Identity string for PKINIT authentication to use to join the IPA realm,
for example 'FILE:/path/to/cert.pem,/path/to/key.pem'. See krb5.conf(5)
for more information. The option is mutually exclusive with
\fB\-\-password\fR and \fB\-\-keytab\fR.
.TP
\fB\-\-pkinit\-anchor\fR=\fIFILEDIR\fR
Trust anchors (root and intermediate CA certs) for PKINIT. \fIFILEDIR\fR is
either the absolute path to a PEM bundle (for example
'FILE:/etc/pki/tls/cert.pem') or to an OpenSSL hash directory (for example
'DIR:/etc/ssl/certs/'). The option can be used multiple times. PKINIT
requires the full trust chain of the Kerberos KDC server as well as the full
trust chain of the identity certificate.
.SS "UNINSTALL OPTIONS"
.TP
\fB\-\-uninstall\fR
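Review bot: the font escape on the identity option swallows the first letter of its argument: `\fB\-\-pkinit\-identity=\fIDENTITY\fR` renders as `--pkinit-identity=DENTITY`, because `\fI` consumes the `I`; it should read `\fB\-\-pkinit\-identity=\fIIDENTITY\fR`. The two new options also differ in where the `=` sits (inside the bold span for identity, after `\fR` for the anchor line `\fB\-\-pkinit\-anchor\fR=\fIFILEDIR\fR`); pick one style for both. Finally, the anchor text says FILEDIR is "the absolute path" while both examples carry a `FILE:` or `DIR:` prefix; state whether the prefix is required so users know what to type.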