Bug 1262999

Summary: Kerberos User removes smart card which locked the screen (Password entered. Enforce smart card: ON.) - Gnome login hangs
Product: Red Hat Enterprise Linux 7 Reporter: Roshni <rpattath>
Component: gnome-shellAssignee: Ray Strode [halfline] <rstrode>
Status: CLOSED ERRATA QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: aakkiang, mdomonko, nkinder, rpattath, rrelyea, rstrode, tlavigne, tpelka
Target Milestone: rc   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: gnome-shell-3.14.4-35.el7 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1269621 (view as bug list) Environment:
Last Closed: 2015-11-19 07:21:05 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1269621    

Description Roshni 2015-09-14 20:52:01 UTC 
Description of problem:
Kerberos User removes smart card which locked the screen (Password entered. Enforce smart card: ON.) - Gnome login hangs

Version-Release number of selected component (if applicable):
pam_pkcs11-0.6.2-24.el7

How reproducible:
always

Steps to Reproduce:
1. Through authconfig:
Enable - Lock screen when smartcard removed
Enable - Smartcard required for login

2. Login using the smartcard with Kerberos user
3. Remove the smartcard which locks the screen
4. Move the mouse

Actual results:
The box to enter the password is enabled even when the smartcard is not inserted. The message appears to insert the smart card.

I type in the kerberos password and login hangs. I see the following message in /var/log/secure

Sep 14 16:44:21 dhcp129-45 gdm-smartcard]: pam_pkcs11(gdm-smartcard:auth): pam_get_pwd() failed: Conversation error

Expected results:
The password box should not be enabled unless smartcard is inserted. If it is enabled it should re-prompt to enter the smartcard when any password is entered.

Additional info:
Comment 5 Roshni 2015-09-15 15:11:20 UTC 
Seeing the same using pam_pkcs11-0.6.2-18.el7.x86_64.rpm. So changing the component to gnome-screensaver (not sure if this is the correct component).
Comment 6 Ray Strode [halfline] 2015-09-15 15:18:38 UTC 
so I think we keep the entry enabled for type ahead reasons.  We'll need to be careful to make sure we don't break type ahead in the non-smartcard case when fixing this.
Comment 8 Ray Strode [halfline] 2015-09-29 21:08:42 UTC 
i have a fix for this locally, but it breaks type ahead... still working on a fix that doesn't break type ahead.
Comment 9 Ray Strode [halfline] 2015-10-05 20:42:06 UTC 
Okay i added a fix to disable the entry after the user's keyboard goes idle.  that change keeps typeahead working, but should also fix this bug.
Comment 20 Roshni 2015-10-07 18:33:10 UTC 
[root@dhcp129-12 ~]# rpm -qi gnome-shell
Name        : gnome-shell
Version     : 3.14.4
Release     : 35.el7
Architecture: x86_64
Install Date: Tue 06 Oct 2015 02:28:27 PM EDT
Group       : User Interface/Desktops
Size        : 9690416
License     : GPLv2+
Signature   : (none)
Source RPM  : gnome-shell-3.14.4-35.el7.src.rpm
Build Date  : Mon 05 Oct 2015 05:31:57 PM EDT
Build Host  : x86-036.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://live.gnome.org/GnomeShell
Summary     : Window management and application launching for GNOME

1. Through authconfig:
Enable - Lock screen when smartcard removed
Enable - Smartcard required for login

2. Login using the smartcard with Kerberos user
3. Remove the smartcard which locks the screen
4. Move the mouse

The password prompt is not enabled and there is a message to insert the smartcard.
Comment 21 errata-xmlrpc 2015-11-19 07:21:05 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2015-2216.html