Bug 1035017

Summary: Trying to login to desktop without a smart card shows blank screen when configured with smart card only option.
Product: Red Hat Enterprise Linux 7 Reporter: Asha Akkiangady <aakkiang>
Component: pam_pkcs11Assignee: Bob Relyea <rrelyea>
Status: CLOSED CURRENTRELEASE QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified Docs Contact:
Priority: medium    
Version: 7.0CC: jgalipea, jmagne, rpattath, rstrode
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: pam_pkcs11-0.6.2-13.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-06-13 09:49:14 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Asha Akkiangady 2013-11-26 20:58:35 UTC 
Description of problem:
Trying to login to desktop without a smart card shows blank screen when configured with smart card only option. 

Version-Release number of selected component (if applicable):
pam_pkcs11-0.6.2-10.el7.x86_64

How reproducible:


Steps to Reproduce:
1. System authentication on this machine is
configured with userDatabase to LDAP server, kerberos support enabled, the
KDC information is provided and smart card support is enabled.


Use smart card: ON

Enforce smart card: ON

Log out behavior configured to: Ignore smart card removal

Login with smart card is successful.

# cat /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card card_only
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

2. Try to login as a user without a smart card.

Actual results:
Upon entering user name a blank screen is shown. 

/var/log/messages has this:
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: argument card_only is not supported by this module
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: no suitable token available
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: argument card_only is not supported by this module
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: no suitable token available
Nov 26 12:47:16 dhcp129-98 kernel: [  376.483820] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

Note: Inserting a smartcard on the blank screen does ask for pin and able to login.

Expected results:
A message to enter smart card for the user.

Swapping the arguments "wait_for_card card_only" to "card_only wait_for_card" does request to insert a smart card when user name is entered.

# cat /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=ok ignore=2 default=die] pam_pkcs11.so card_only wait_for_card
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so

password    required      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Additional info:

<halfline_laptop> 1) pam_pkcs11 needs the patches that were in rhel6 moved to rhel7
<halfline_laptop> (or get rebased assuming the patches have been upstreamed)
Comment 2 Ray Strode [halfline] 2013-11-26 22:07:07 UTC 
right, there are two issues

1) card_only isn't a valid option to pass to pam_pkcs11 (should be fixed in authconfig)
2) pam_pkcs11 currently ignores the first argument
Comment 3 Ray Strode [halfline] 2013-11-27 03:12:11 UTC 
should we just rebase to the latest upstream version or move the rhel6 patches forward?
Comment 5 Roshni 2014-02-07 17:54:43 UTC 
On pam_pkcs11-0.6.2-15.el7.x86_64 

1. "Require smartcard for login" is enable in Sundry -> authentication -> Advanced options
2. in the login screen, if the card is removed it shows the list of users
3. Choose a local user
4. Prompts to insert the smart card
5. Smartcard is inserted
6. prompts for pin
7. pin is entered
8. Login fails twice and succeeds the third time

On RHEL 6, if "Require smartcard for login" was enabled, irrespective of the smartcard is inserted or removed, the list of users are never listed on the login screen. It keeps prompting to insert the smartcard.
Comment 6 Ray Strode [halfline] 2014-02-07 22:03:15 UTC 
honestly that sounds like a gnome-shell login screen bug.  In theory you could have a user in the list that was associated with the smartcard, so asking for the pin isn't wrong. but what happens next is after a couple retries, it resets itself, notices the smartcard is inserted and then asks for the pin for the "right" user.  that bug should probably be filed separately rather than failing qa for this bug
Comment 7 Roshni 2014-02-10 15:53:18 UTC 
filed a new bug based on comment 6 - https://bugzilla.redhat.com/show_bug.cgi?id=1063390

Verified this bug on pam_pkcs11-0.6.2-15.el7.x86_64
Comment 8 Ludek Smid 2014-06-13 09:49:14 UTC 
This request was resolved in Red Hat Enterprise Linux 7.0.

Contact your manager or support representative in case you have further questions about the request.