AD Smartcard Authentication for web GUI

cwoelkers
Aug 17, 2017
This seems more a feature request than anything but I thought this would be a good place to start.
My office uses smartcards for authentication of just about everything. Computer logins, web sites, email, etc., and all authentication is verified via Active Directory. It has been requested by our IT security team that all remaining services, basically the servers, make use of smartcards for administrative authentication. This is easy enough with SSH, especially for those servers that can already authenticate via AD, but the Proxmox GUI looks to be an issue.
Now I have been able to get Proxmox to authenticate against AD. It would be nice if the AD groups were used, but there are only a few administrators so it wasn't too hard to add them all in. The question becomes, though, will it be possible to use a smartcard to authenticate with? Perhaps adding it into the TFA portion of the AD authentication setup dialog?
 
AFAIK there is still no generic browser interface to smart cards (correct me if I am wrong).
 
To my knowledge you are correct; every implementation I've seen has been OS specific, with either the OS or a middleware making the request via the browser for a certificate/PIN selection, then passing it on to the authentication mechanism. In this case Proxmox would probably request a certificate, and then the user would choose it and enter the PIN. Proxmox would then validate the cert via either AD, Apache (like an SSL client cert) or a separate validation server.
A generic browser interface may be forthcoming. I have heard of a WebUSB API which would allow the browser direct access to the USB bus, including smartcard readers. Also there are ways to configure Apache and Tomcat to use client certificates, which is essentially what a smartcard would pass on.
So basically at this time it is a matter of the website prompting for a certificate, à la SSL client cert, and letting the OS take care of the prompting for a smartcard.
 
Sorry to revive this old thread but just in case anyone stumbles across this on Google, I wanted to let you know it can be done with some modifications to PVE.

I don’t want to post code unless there’s interest because I’m not entirely sure it’s airtight, but the gist of it is:
  1. Modify the server’s SSL config in PVE/Services/pveproxy.pm to verify the client cert if present, and put the x509 certificate’s CN in the request handle. You’ll need a CA bundle file of course, load it from /etc/pve so it’s clustered.
  2. Write a script that borrows code from Auth/PVE.pm to take a username and CN, do hash(shared_secret+CN) and crypt that into priv/shadow.cfg for the user.
  3. Modify PVE/APIServer/AnyEvent.pm’s proxy_request function so if the uri is /api2/extjs/access/ticket, the realm is pve, and the client cert CN is in reqstate->hdl, do a hash(shared_secret+CN) and send that as the password parameter.
And it just works. It's basically reusing the PVE realm to map certificate names to users and log them in. The point of the shared_secret is so the password isn't just a hash of the CN; shared_secret should be read from a file in /etc/pve that shell users can't access.

Oh yeah and you’ll want to modify the JavaScript (I forget what file it was) to allowblank on the password field. Users will insert their smart card, etc… enter the PIN when loading the UI, enter their username and select realm PVE if not saved, leave password blank and hit login.
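The scheme in the post above, written out as an added example. This is not the poster's code and not Proxmox VE code; it models the three steps in plain Python with constructed values: the CA-verified client certificate's subject string, the per-cluster shared secret (which the post keeps in /etc/pve), a CN-to-password derivation, a provisioning step that stores the derived password hashed (a dict with PBKDF2 stands in for the crypt entry in priv/shadow.cfg), and the login check the proxy would perform for /api2/extjs/access/ticket. Two assumptions differ from the post and are labelled in the code: the derivation uses HMAC-SHA256 keyed with the shared secret rather than a bare hash(shared_secret+CN), which avoids the length-extension weakness of hashing secret||CN, and the login path refuses to inject a password unless the proxy actually verified the client certificate.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed sample secret. In the post this value lives in a file under /etc/pve
# that the daemon can read but shell users cannot; never hard-code a real one.
SHARED_SECRET = b"constructed-example-secret-not-for-real-use"

PBKDF2_ROUNDS = 100_000  # stand-in for the crypt() hash in priv/shadow.cfg


def derive_password(shared_secret: bytes, cn: str) -> str:
    """Derive the per-certificate password from the shared secret and the CN.

    Assumption: HMAC-SHA256 keyed with the secret instead of the post's
    hash(shared_secret+CN). Same property (knowing the CN alone is useless
    without the secret) without the length-extension issue of secret||CN.
    """
    return hmac.new(shared_secret, cn.encode("utf-8"), hashlib.sha256).hexdigest()


def split_rdns(subject: str) -> list:
    """Split an RFC 4514 style subject on unescaped commas, unescaping '\\,'."""
    parts, buf, escaped = [], [], False
    for ch in subject:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return parts


def parse_cn(subject: str) -> Optional[str]:
    """Return the CN attribute of a subject string, or None if absent."""
    for part in split_rdns(subject):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN" and value:
            return value
    return None


def provision_user(shadow: Dict[str, Tuple[bytes, bytes]], username: str, cn: str) -> None:
    """Step 2 of the post: bind a username to a certificate CN by storing the
    hashed derived password for that user (salted PBKDF2 in place of crypt)."""
    password = derive_password(SHARED_SECRET, cn)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    shadow[username] = (salt, digest)


def login(shadow: Dict[str, Tuple[bytes, bytes]], username: str, realm: str,
          client_subject: str, cert_verified: bool) -> bool:
    """Step 3 of the post, plus the realm-side check: succeed only when the realm
    is pve, the proxy verified the client cert against the CA bundle, the cert
    carries a CN, and the password derived from that CN matches the stored entry
    for the requested username (so Bob's card cannot log in as Alice)."""
    if realm != "pve" or not cert_verified:
        return False
    cn = parse_cn(client_subject)
    if cn is None or username not in shadow:
        return False
    candidate = derive_password(SHARED_SECRET, cn)
    salt, stored = shadow[username]
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(digest, stored)


if __name__ == "__main__":
    # Constructed walk-through: provision two users, then try a few logins.
    shadow: Dict[str, Tuple[bytes, bytes]] = {}
    provision_user(shadow, "alice", "Alice Example")
    provision_user(shadow, "bob", "Bob Example")
    print(login(shadow, "alice", "pve", "CN=Alice Example,OU=Staff,O=Example", True))
    print(login(shadow, "alice", "pve", "CN=Bob Example,O=Example", True))
    print(login(shadow, "alice", "pve", "CN=Alice Example,O=Example", False))
```

The binding between card and account is the shadow entry written at provisioning time, not anything the user types, which is why the password field can be left blank. Everything still rests on the proxy verifying the presented certificate against the clustered CA bundle before the CN is trusted, and on the shared secret staying unreadable to shell users; anyone holding the secret can mint a valid password for any provisioned CN.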
 