It wasn't possible safely when we first published that feature, but since then, sssd 2.6.1 learned how to validate certs against a CA on its own -- so you actually can do this with sssd certificate mapping rules. It's not currently documented in https://cockpit-project.org/guide/latest/cert-authentication. But we have an integration test which illustrates how to do it. You need to create certificates which contain the user name in CN (or another field, but CN feels most natural). Then put the CA cert which signs the user certificates into /etc/sssd/pki/sssd_auth_ca_db.pem (like in the docs). Then write a /etc/sssd/sssd.conf with something like
Then sssd should map the certificate which matches the Note that you still need to explicitly enable cert auth in the cockpit config.
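A sketch of the configuration the reply above describes, added here as an example; it is not taken from the reply or from the Cockpit integration test. It assumes a local account named `alice`, a user certificate whose subject is exactly `CN=alice`, an sssd build that still includes the `files` id provider, and an arbitrary domain label `shadowutils`.

```ini
# /etc/sssd/sssd.conf  (keep this file root-owned with mode 0600)
[sssd]
# "shadowutils" is an arbitrary domain label chosen for this example
domains = shadowutils

[pam]
# enable certificate authentication in sssd's PAM responder
pam_cert_auth = True

[domain/shadowutils]
# local accounts only; no IdM or AD involved
id_provider = files

# For local users the rule name (last component of the section name) is the
# account the certificate maps to: here the constructed local user "alice".
[certmap/shadowutils/alice]
# Anchor the pattern at both ends so that a subject such as CN=alice2
# cannot match alice's rule. sssd validates the certificate against the CA
# in /etc/sssd/pki/sssd_auth_ca_db.pem before the rule is evaluated.
matchrule = <SUBJECT>^CN=alice$

# /etc/cockpit/cockpit.conf  (separate file: enables cert auth in Cockpit)
[WebService]
ClientCertAuthentication = yes
```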
First time here, and I assume I already know the answer to this, but thought I'd ask.
I have a team of users who are all on Windows systems but log in to RHEL VMs for the day-to-day work. They also utilize cockpit so they're unfamiliar with Linux CLI and it provides an easier way for them to manage their workflow.
We are smartcard only and utilizing username and password is a no go. Now since these RHEL systems are few, they are standalone and do not connect to the domain or AD.
I saw the steps to get cockpit working for smartcard authentication, but it states it requires an IdM or AD. When I set it all up, the browser will prompt for the smartcard PIN, but then just opens to the username and password screen. Is it possible to get this working without the IdM and AD piece, or do I need to consider a different approach? Thanks all.