Can I use X.509 certificates to identify a user with SSSD using "id_provider=files"

[buentead]

I'd like to avoid user/password on IoT gateways to login to Cockpit for security reasons. Hence, I tried to set up Cockpit for Certificate authentication. I'd like to use the local Linux users, as the IoT gateways are not part of an MS-AD or simlar. The user name is in the CN of the certificate subject. Following a describtion of what I did so far.

The user certificate is signed by a CA, which I included in /etc/sssd/pki/sssd_auth_ca_db.pem.
The /etc/sssd/sssd.conf file content is:

[sssd]
enable_files_domain = true

[pam]
pam_cert_auth = True

[certmap/implicit_files/local_user]
matchrule = <ISSUER>.*CN=myIssuerCN.*
maprule = LDAPU1:(user={subject_dn_component.CN})

The /etc/cockpit/cockpit.conf contains:

[WebService]
ClientCertAuthentication = true

So when I call https://<gateway-ip>:9090 the web-browser prompts me to select the certificate. Unfortunately, the cockpit-ws returns:
cockpit-session: No matching user for certificate

I couldn't find any helpful information how I could fix this issue. Hence my question here:
Is it possible to use X.509 certificates with SSSD id_provider=files (using local users) for Cockpit?

[buentead]

Yes, certificate authentication with just the local Linux users is possible. There is no central Identity Management System such as MS-AD required. The /etc/sssd/sssd.conf file, however, need to be different according to the design page Certificate mapping and matching rules for all providers. The following example works for me as the required user 'admin' is in the CN of the subject:

[SSSD]
enable_files_domain = true

[domain/implicit_files]
id_provider=files

[certmap/implicit_files/admin]
matchrule = <SUBJECT>^.*CN=admin.*$

Important is the rule name within the certmap section, which is the Linux user, 'admin' in the example above. The matchrule is used to assign a certificate content to this user. Whereas the validity of the signed certificate is already checked against the /etc/sssd/pki/sssd_auth_ca_db.pem CA chain.

[martinpitt]

@saner20 You are most probably missing the sssd-dbus package -- at least that's the name in Fedora/RHEL/Debian.

[saner20]

@martinpitt yes, after running rpm -qa | grep ssd that package is not on my system. Is that all I need to install to successfully map certificates?

[martinpitt]

@saner20 Package wise that should be all. Config-wise I don't know, but should be.

[saner20]

Adding sssd-dbus package was an issue and it has helped with logging, but now I am getting an error from the p11_child.log and the sssd_ifp.log. I am not positive if it's because my pem isn't formatted properly or because my certmap configuration in the sssd.conf is incorrect.
(0x0040): X509_LOOKUP_load_file [/etc/sssd/pki/sssd_auth_ca_db.pem] failed [33558541][error:0200100D:system library:fopen:Permission denied].
` [ifp] [ifp_users_find_by_valid_cert_step] (0x0040): /usr/libexec/sssd/p11_child failed with status [1]. Check p11_child logs for more information.

• (2024-08-14 15:43:40): [ifp] [sbus_issue_request_done] (0x0040): org.freedesktop.sssd.infopipe.Users.FindByValidCertificate: Error [1432158298]: Invalid certificate provided`

[saner20]

My issues was selinux related. SELinux was preventing access to sssd_auth_ca_db.pem.
SELinux is preventing /usr/libexec/sssd/p11_child from read access on the file /etc/sssd/pki/sssd_auth_ca_db.pem