** Description changed:

  [Impact]

  Hello

  One of our customers attempted to use a smartcard for authentication in an sssd & Windows AD environment, but encountered AppArmor denials that prevented it from working properly. They use enforce mode for AppArmor.

  In the beginning they only mentioned /etc/sssd/pki/ r and /etc/sssd/pki/** r, and doc [1] also mentions this guide, so I only mentioned that here. After that, the customer added more entries as they faced more AppArmor DENIED messages.

  Then I thought I needed a reproducer for this, so I ordered a YubiKey 5 NFC, which supports PIV smart card, and tried to reproduce this with Fabio's reproducer. Then I could reproduce this. But the symptoms the customer encountered and the ones I saw are a little bit different, so I would like to discuss this further. Please refer to the Test Case section.

  [1] https://manpages.ubuntu.com/manpages/noble/man5/sssd.conf.5.html

  [Test Case]

  * Windows
  1. Deploy Windows Server and enable AD & CA
  2. Create User Seyeong

  * Ubuntu
  0. You need a PIV auth support smartcard
- 1. sudo add-apt-repository ppa:yubico/stable && sudo apt-get update
- sudo apt install libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools sssd-ad realmd adcli libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools yubico-piv-tool libengine-pkcs11-openssl libp11-3 opensc libssl-dev yubikey-manager ykcs11 -y
+ 1. sudo apt install libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools sssd-ad realmd adcli libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools yubico-piv-tool libengine-pkcs11-openssl libp11-3 opensc libssl-dev yubikey-manager ykcs11 yubico-piv-tools -y
  2. # later than Oracular
     sudo apt install krb5-pkinit -y
  3. make sure DNS is working
  4. check realm
     - sudo realm -v discover WIN-E7RF5O29H6J.seyeong.kim
     - sudo realm -v join WIN-E7RF5O29H6J.seyeong.kim
  5. create CSR with smartcard
     ( create openssl.cnf with keyUsage, extendedKeyUsage, subjectAltName with UPN )
     ykman piv reset -f
     yubico-piv-tool -a generate -s 9a -A RSA2048
     export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so
     openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:object=Private key for PIV Authentication;type=private;pin-value=123456" -config openssl.cnf -reqexts v3_req -out seyeongkim.csr -multivalue-rdn
     cat seyeongkim.csr

  * Windows
  1. copy the CSR to Windows and approve it, then download it

  * Ubuntu
  1. convert DER to PEM
     - openssl x509 -in seyeongkim.der -out seyeongkimissued.pem -outform pem
  2. import cert to smartcard
     yubico-piv-tool -a import-certificate -s 9a -i seyeongkimissued.pem
  3. check if it is the same
     pkcs15-tool --read-certificate 1 > card-cert.pem
     openssl x509 -text -noout -in card-cert.pem
  4. convert CA cert DER to PEM
     openssl x509 -in certnew.der -out cacert.crt -outform pem
  5. setup CA cert in Ubuntu
     sudo rm /usr/local/share/ca-certificates/cacert.crt
     sudo rm /etc/ssl/certs/cacert.pem
     sudo cp cacert.crt /usr/local/share/ca-certificates/
     sudo update-ca-certificates
  6. setup cert for sssd
     mkdir -p /etc/sssd/pki/
     sudo rm /etc/sssd/pki/sssd_auth_ca_db.pem
     sudo touch /etc/sssd/pki/sssd_auth_ca_db.pem
     cat cacert.crt | sudo tee -a /etc/sssd/pki/sssd_auth_ca_db.pem
  7. verification for setup
     openssl verify -verbose card-cert.pem
     openssl verify -verbose -CAfile /etc/sssd/pki/sssd_auth_ca_db.pem card-cert.pem
     systemctl restart sssd
     sudo dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat card-cert.pem)" uint32:10
  8. use enforce mode for AppArmor
  9. setup sssd, krb5, pam
     - for sssd, set it up to support smartcard, matching by cert CN
     - for krb5, add AD info
     - for pam, add "auth ... pam_sss.so try_cert_auth" for sssd checking
  10. check the syslog

  First, I got DENIED like below (/etc/sssd/pki/ r and /etc/sssd/pki/** r not included, but it affects):

  Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
  Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:17 seyeongkim sssd[12856]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
  Jun 1 23:28:17 seyeongkim kernel: [ 449.783639] audit: type=1400 audit(1748820497.148:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:17 seyeongkim kernel: [ 449.784694] audit: type=1400 audit(1748820497.148:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Then I added them to the AppArmor profile:

  /etc/sssd/pki/ r,
  /etc/sssd/pki/** r,
  @{PROC}/[0-9]*/cmdline r,
  /usr/share/p11-kit/modules/ r,
  /usr/share/p11-kit/modules/** r,
  /etc/ssl/openssl.cnf r,

  But I encountered other DENIEDs (I could use auth with smartcard at this point):

  Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.359017] audit: type=1400 audit(1748822262.770:190): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  /run/pcscd/* wr,
  /etc/machine-id r,
  /etc/opensc/opensc.conf r,

  With a recent test, I collected the net_admin DENIED which the customer reported as well.

  Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"

  For me, the above was the reproducer, but the customer mentioned that they needed to add the below by testing:

  capability net_admin, // removed in code
  /etc/sssd/pki/ r,
  /etc/sssd/pki/** r,
  /usr/share/p11-kit/modules/ r,
  /usr/share/p11-kit/modules/* r,
  /run/pcscd/* wr, // /{,var/}run/pcscd/pcscd.comm rw, changed
  /etc/machine-id r,
  /etc/opensc/opensc.conf r,

  [Where problems could occur]

  This change grants additional read and write access to files required for smartcard-based authentication, such as /etc/sssd/pki/, /etc/machine-id, and /{,var/}run/pcscd/pcscd.comm. These files are essential for establishing trust chains, retrieving system identity, and enabling communication with the pcscd daemon. While these permissions are necessary for correct functionality, especially when using hardware-backed PIV smartcards with sssd, they may broaden the attack surface if misused. Therefore, these additions should be reviewed under strict confinement principles, ensuring they are only granted to trusted components such as sssd and its helper processes.

  [Others]
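The profile rules in the report were derived by reading the audit lines by hand. The script below is an added example, not part of the bug report or of the sssd package: it turns AppArmor "DENIED" audit lines for the /usr/sbin/sssd profile into candidate profile rules, so the hand-written list can be checked against what the kernel actually logged. The sample input is constructed from the lines quoted above. Two generalisations are assumptions about how an Ubuntu profile would normally be written rather than anything the report states: a pid-specific /proc/<pid>/ path becomes @{PROC}/[0-9]*/, and /run/ becomes /{,var/}run/. Note that the tool emits exactly the socket path that was denied (/{,var/}run/pcscd/pcscd.comm rw,), which is narrower than the /run/pcscd/* wr, rule in the customer's list, and that it emits capability net_admin, verbatim from the log; whether that capability belongs in the shipped profile is still a reviewer's decision (the report marks it "removed in code").

```shell
#!/bin/sh
# denials_to_rules: AppArmor DENIED audit lines -> candidate profile rules.
# Added example for this bug; not sssd's or Ubuntu's own tooling.

denials_to_rules() {
    # $1: profile to select; defaults to the one in the report.
    profile="${1:-/usr/sbin/sssd}"
    grep -F 'apparmor="DENIED"' | grep -F "profile=\"$profile\"" |
    while IFS= read -r line; do
        op=$(printf '%s\n' "$line" | sed -n 's/.*operation="\([^"]*\)".*/\1/p')
        case "$op" in
        capable)
            # capability denials carry capname=, not a path
            cap=$(printf '%s\n' "$line" | sed -n 's/.*capname="\([^"]*\)".*/\1/p')
            printf 'capability %s,\n' "$cap"
            ;;
        *)
            name=$(printf '%s\n' "$line" | sed -n 's/.*name="\([^"]*\)".*/\1/p')
            mask=$(printf '%s\n' "$line" | sed -n 's/.*denied_mask="\([^"]*\)".*/\1/p')
            [ -n "$name" ] || continue
            # Assumed generalisations: per-pid /proc paths and /run vs /var/run.
            name=$(printf '%s\n' "$name" |
                sed -e 's#^/proc/[0-9][0-9]*/#@{PROC}/[0-9]*/#' \
                    -e 's#^/run/#/{,var/}run/#')
            # Normalise "wr" to the conventional "rw" by sorting the mode letters.
            mask=$(printf '%s' "$mask" | fold -w1 | sort | tr -d '\n')
            # A "connect" on a unix socket is expressed as a plain file rule.
            printf '%s %s,\n' "$name" "$mask"
            ;;
        esac
    done | sort -u
}

sample_denials() {
    # Constructed sample: lines quoted in the report (duplicates kept on
    # purpose) plus one non-AppArmor p11-kit line that must be ignored.
    cat <<'EOF'
Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"
EOF
}

# Stand-alone usage: print the deduplicated candidate rules for the sample.
# On a real host, feed it the live log instead, e.g.
#   journalctl -k | denials_to_rules /usr/sbin/sssd
sample_denials | denials_to_rules
```

The output is a starting point for a profile change, not the change itself: each emitted path still has to be judged on whether the helper really needs it (p11_child reading /etc/machine-id, krb5_child asking for net_admin), and a broader glob such as /run/pcscd/* should only replace the logged socket path when there is a reason for it.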
** Description changed:

  [Impact]

  Hello

  One of our customers attempted to use a smartcard for authentication in an sssd & Windows AD environment, but encountered AppArmor denials that prevented it from working properly. They use enforce mode for AppArmor.

  In the beginning they only mentioned /etc/sssd/pki/ r and /etc/sssd/pki/** r, and doc [1] also mentions this guide, so I only mentioned that here. After that, the customer added more entries as they faced more AppArmor DENIED messages.

  Then I thought I needed a reproducer for this, so I ordered a YubiKey 5 NFC, which supports PIV smart card, and tried to reproduce this with Fabio's reproducer. Then I could reproduce this. But the symptoms the customer encountered and the ones I saw are a little bit different, so I would like to discuss this further. Please refer to the Test Case section.

  [1] https://manpages.ubuntu.com/manpages/noble/man5/sssd.conf.5.html

  [Test Case]

  * Windows
  1. Deploy Windows Server and enable AD & CA
  2. Create User Seyeong

  * Ubuntu
  0. You need a PIV auth support smartcard
  1. sudo apt install libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools sssd-ad realmd adcli libpam-sss opensc-pkcs11 pcscd libpam-pkcs11 sssd opensc sssd-dbus sssd-tools yubico-piv-tool libengine-pkcs11-openssl libp11-3 opensc libssl-dev yubikey-manager ykcs11 yubico-piv-tools -y
  2. # later than Oracular
     sudo apt install krb5-pkinit -y
  3. make sure DNS is working
  4. check realm
     - sudo realm -v discover WIN-E7RF5O29H6J.seyeong.kim
     - sudo realm -v join WIN-E7RF5O29H6J.seyeong.kim
  5. create CSR with smartcard
     ( create openssl.cnf with keyUsage, extendedKeyUsage, subjectAltName with UPN )
     ykman piv reset -f
     yubico-piv-tool -a generate -s 9a -A RSA2048
     export PKCS11_MODULE_PATH=/usr/lib/x86_64-linux-gnu/libykcs11.so
     openssl req -engine pkcs11 -keyform engine -new -key "pkcs11:object=Private key for PIV Authentication;type=private;pin-value=123456" -config openssl.cnf -reqexts v3_req -out seyeongkim.csr -multivalue-rdn
     cat seyeongkim.csr
+ 
+ > openssl.cnf
+ [ req ]
+ default_bits = 2048
+ prompt = no
+ default_md = sha256
+ req_extensions = v3_req
+ distinguished_name = req_distinguished_name
+ 
+ [ req_distinguished_name ]
+ CN = Seyeong Kim
+ OU = Users
+ 0.DC = kim
+ 1.DC = seyeong
+ 
+ [ v3_req ]
+ keyUsage = digitalSignature
+ extendedKeyUsage = clientAuth
+ subjectAltName = @alt_names
+ 
+ [ alt_names ]
+ otherName = 1.3.6.1.4.1.311.20.2.3;UTF8:[email protected]

  * Windows
  1. copy the CSR to Windows and approve it, then download it

  * Ubuntu
  1. convert DER to PEM
     - openssl x509 -in seyeongkim.der -out seyeongkimissued.pem -outform pem
  2. import cert to smartcard
     yubico-piv-tool -a import-certificate -s 9a -i seyeongkimissued.pem
  3. check if it is the same
     pkcs15-tool --read-certificate 1 > card-cert.pem
     openssl x509 -text -noout -in card-cert.pem
  4. convert CA cert DER to PEM
     openssl x509 -in certnew.der -out cacert.crt -outform pem
  5. setup CA cert in Ubuntu
     sudo rm /usr/local/share/ca-certificates/cacert.crt
     sudo rm /etc/ssl/certs/cacert.pem
     sudo cp cacert.crt /usr/local/share/ca-certificates/
     sudo update-ca-certificates
  6. setup cert for sssd
     mkdir -p /etc/sssd/pki/
     sudo rm /etc/sssd/pki/sssd_auth_ca_db.pem
     sudo touch /etc/sssd/pki/sssd_auth_ca_db.pem
     cat cacert.crt | sudo tee -a /etc/sssd/pki/sssd_auth_ca_db.pem
  7. verification for setup
     openssl verify -verbose card-cert.pem
     openssl verify -verbose -CAfile /etc/sssd/pki/sssd_auth_ca_db.pem card-cert.pem
     systemctl restart sssd
     sudo dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat card-cert.pem)" uint32:10
  8. use enforce mode for AppArmor
  9. setup sssd, krb5, pam
     - for sssd, set it up to support smartcard, matching by cert CN
     - for krb5, add AD info
     - for pam, add "auth ... pam_sss.so try_cert_auth" for sssd checking
  10. check the syslog

  First, I got DENIED like below (/etc/sssd/pki/ r and /etc/sssd/pki/** r not included, but it affects):

  Jun 1 23:27:52 seyeongkim kernel: [ 424.733567] audit: type=1400 audit(1748820472.096:99): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/proc/12852/cmdline" pid=858 comm="sssd_nss" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:04 seyeongkim kernel: [ 437.104690] audit: type=1400 audit(1748820484.468:100): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:04 seyeongkim sssd[12855]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
  Jun 1 23:28:04 seyeongkim kernel: [ 437.106850] audit: type=1400 audit(1748820484.472:101): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12855 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:17 seyeongkim sssd[12856]: p11-kit: 'modules != NULL' not true at p11_kit_modules_finalize_and_release
  Jun 1 23:28:17 seyeongkim kernel: [ 449.783639] audit: type=1400 audit(1748820497.148:102): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/ssl/openssl.cnf" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:28:17 seyeongkim kernel: [ 449.784694] audit: type=1400 audit(1748820497.148:103): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/usr/share/p11-kit/modules/" pid=12856 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0

  Then I added them to the AppArmor profile:

  /etc/sssd/pki/ r,
  /etc/sssd/pki/** r,
  @{PROC}/[0-9]*/cmdline r,
  /usr/share/p11-kit/modules/ r,
  /usr/share/p11-kit/modules/** r,
  /etc/ssl/openssl.cnf r,

  But I encountered other DENIEDs (I could use auth with smartcard at this point):

  Jun 1 23:57:42 seyeongkim kernel: [ 2215.357322] audit: type=1400 audit(1748822262.770:188): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.357860] audit: type=1400 audit(1748822262.770:189): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/machine-id" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.359017] audit: type=1400 audit(1748822262.770:190): apparmor="DENIED" operation="open" profile="/usr/sbin/sssd" name="/etc/opensc/opensc.conf" pid=13192 comm="p11_child" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.363484] audit: type=1400 audit(1748822262.774:191): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0
  Jun 1 23:57:42 seyeongkim kernel: [ 2215.363606] audit: type=1400 audit(1748822262.774:192): apparmor="DENIED" operation="connect" profile="/usr/sbin/sssd" name="/run/pcscd/pcscd.comm" pid=13192 comm="p11_child" requested_mask="wr" denied_mask="wr" fsuid=0 ouid=0

  /run/pcscd/* wr,
  /etc/machine-id r,
  /etc/opensc/opensc.conf r,

  With a recent test, I collected the net_admin DENIED which the customer reported as well.

  Jun 23 04:02:18 jammy kernel: [ 5192.259462] audit: type=1400 audit(1750651338.792:71): apparmor="DENIED" operation="capable" profile="/usr/sbin/sssd" pid=1780 comm="krb5_child" capability=12 capname="net_admin"

  For me, the above was the reproducer, but the customer mentioned that they needed to add the below by testing:

  capability net_admin, // removed in code
  /etc/sssd/pki/ r,
  /etc/sssd/pki/** r,
  /usr/share/p11-kit/modules/ r,
  /usr/share/p11-kit/modules/* r,
  /run/pcscd/* wr, // /{,var/}run/pcscd/pcscd.comm rw, changed
  /etc/machine-id r,
  /etc/opensc/opensc.conf r,

  [Where problems could occur]

  This change grants additional read and write access to files required for smartcard-based authentication, such as /etc/sssd/pki/, /etc/machine-id, and /{,var/}run/pcscd/pcscd.comm. These files are essential for establishing trust chains, retrieving system identity, and enabling communication with the pcscd daemon. While these permissions are necessary for correct functionality, especially when using hardware-backed PIV smartcards with sssd, they may broaden the attack surface if misused. Therefore, these additions should be reviewed under strict confinement principles, ensuring they are only granted to trusted components such as sssd and its helper processes.

  [Others]

-- 
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2109673

Title:
  Authentication with smartcard is not working with apparmor DENIED

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2109673/+subscriptions

-- 
ubuntu-bugs mailing list
[email protected]
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
