AD Smartcard Authentication for web GUI

[cwoelkers]

This seems more a feature request than anything but I thought this would be a good place to start.
My office uses smartcards for authentication of just about everything. Computer logins, web sites, email, etc and all authentication is verified via Active Directory. It has been requested by our IT security team that all remaining services, basically the servers, make use of smartcards for administrative authentication. This is easy enough with SSH, especially for those servers that can already authenticate via AD, but the Proxmox GUI looks to be an issue.
Now I have been able to get Proxmox to authenticate against AD. It would be nice if the AD groups were used but there are only a few administrators so it wasn't too hard to add them all in. The question becomes though will it be possible to use a smartcard to authenticate with? Perhaps adding it into the TFA portion of the AD authentication setup dialog?

 

[dietmar]

AFAIK there is still no generic browsers interface to smart cards (correct me if I am wrong).

 

[cwoelkers]

To my knowledge you are correct, every implementation I've seen has been OS specific with either the OS or a middleware making the request via the browser for a certificate/PIN selection than passing it on to the authentication mechanism. In this case Proxmox would probably request for a certificate and then the user would choose it and enter the PIN. Proxmox would than validate the cert via either AD, apache like an SSL client cert or a separate validation server.
A generic browser interface may be forthcoming. I have heard of a WebUSB API which would allow the browser direct access to the USB bus including smartcard readers. Also there are ways to configure Apache and Tomcat to use client certificates which is essentially what a smartcard would pass on.
So basically at this time it is a matter of the website prompting for a certificate, ala SSL client cert, and letting the OS take care of the prompting for a smartcard.