Bug 1674397

Summary: GDM does not indicate that smartcard is required
Product: Red Hat Enterprise Linux 8
Reporter: tfolinux
Component: authselect
Assignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA
QA Contact: Scott Poore <spoore>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: 8.0
CC: aakkiang, adam.winberg, dpal, hdegoede, pbrezina, rstrode, sbose, spoore
Target Milestone: rc
Target Release: 8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-11-05 22:33:32 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1682278
Bug Blocks: 1701002

Attachments:
  Image of login prompt for smart card (flags: none)

Description tfolinux 2019-02-11 09:26:14 UTC
Description of problem:

Even though dconf is set up to only allow smartcard auth in the login screen, a password prompt appears in GDM if no smartcard is inserted. When a smartcard is inserted, the prompt does not change to a PIN prompt; instead it still asks for 'password', and inputting the PIN at this point fails. After a long while, gdm seems to actually detect the smartcard and changes to prompt for the PIN, and login is then possible.

Configuration is set up with 

$ authselect sssd with-smartcard-required with-smartcard

Version-Release number of selected component (if applicable):
gdm-3.28.3-9.el8.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Setup system to only allow smartcard auth as per 'authselect sssd with-smartcard-required with-smartcard'
2. Boot to GDM without smartcard inserted

Actual results:
GDM prompts for password

Expected results:
GDM should prompt user to insert smartcard

Additional info:
Adding 'require_cert_auth' to pam_sss in /etc/pam.d/smartcard-auth does the trick, but should it really be necessary since gdm is already configured to only allow smartcards via dconf? If so, authselect should add this parameter.

Comment 1 Ray Strode [halfline] 2019-02-11 12:29:05 UTC
Thanks for debugging this. It does indeed sound like an authselect bug.

Comment 2 Pavel Březina 2019-02-12 14:55:32 UTC
I suppose the dconf contains the following settings:

[org/gnome/login-screen]
enable-smartcard-authentication=true
enable-fingerprint-authentication=false
enable-password-authentication=false

AFAIK /etc/pam.d/smartcard-auth does not need the 'require_cert_auth' option because this pam stack only does smartcard authentication. Sumit, is this correct?

I find it strange that gdm parses pam files instead of relying purely on dconf settings.

Comment 3 adam winberg 2019-02-13 09:28:44 UTC
I found this upstream, sounds like the very same issue:
https://pagure.io/SSSD/sssd/issue/3883

Comment 4 Sumit Bose 2019-02-13 10:40:38 UTC
(In reply to Pavel Březina from comment #2)
> I suppose the dconf contains following settings:
> 
> [org/gnome/login-screen]
> enable-smartcard-authentication=true
> enable-fingerprint-authentication=false
> enable-password-authentication=false
> 
> AFAIK /etc/pam.d/smartcard-auth does not need the 'require_cert_auth' option
> because this pam stack only does smartcard authentication. Sumit, is this
> correct?
> 
> I find it strange that gdm parse pam files instead of relying purely on
> dconf settings.

gdm does not parse the files, it uses the dconf information to decide which service name (gdm-password, gdm-fingerprint or gdm-smartcard) is used with pam_start().

Ray, can you explain how gdm works if only enable-smartcard-authentication=true is set? I was under the impression that pam_start with gdm-smartcard as service name is only called if gdm detects that a Smartcard is inserted so that no option for the PAM module to wait for a Smartcard is needed? Or will it be called unconditionally if it is the only authentication configured in dconf?

Thanks.

bye,
Sumit

Comment 5 Ray Strode [halfline] 2019-02-13 10:59:01 UTC
(In reply to Sumit Bose from comment #4)
> will it be called unconditionally if it is the
> only authentication configured in dconf?
Yes. If password authentication is disabled we need require_cert_auth. Pretty sure we had to do an async update once to fix this in authconfig in RHEL 7.

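The thread so far establishes the mismatch behind this bug: GDM chooses the PAM service name (gdm-password, gdm-fingerprint or gdm-smartcard) from the dconf login-screen keys, and when password authentication is disabled it starts gdm-smartcard unconditionally, so the pam_sss line in /etc/pam.d/smartcard-auth has to carry require_cert_auth or the user sees a password prompt with no card present. The following check is an added example, not code from the bug report, from authselect or from gdm. It reads a dconf keyfile and a PAM stack and reports whether they agree. The sample file contents are constructed, deliberately simplified stacks rather than verbatim authselect output, and the keyfile name 01-login-screen under /etc/dconf/db/gdm.d/ in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example: consistency check for the dconf/PAM mismatch discussed in
# this bug. Not part of authselect or gdm.

# check_smartcard_required DCONF_KEYFILE PAM_FILE
#   0: dconf disables passwords and pam_sss carries require_cert_auth
#   1: dconf disables passwords but pam_sss lacks require_cert_auth (this bug)
#   2: dconf policy does not disable passwords, so nothing to enforce
check_smartcard_required() {
    dconf_file=$1
    pam_file=$2

    # Take the [org/gnome/login-screen] group (up to the next group header
    # or end of file) and read the two keys GDM uses to pick the service.
    section=$(sed -n '/^\[org\/gnome\/login-screen\]/,/^\[/p' "$dconf_file")
    password_off=$(printf '%s\n' "$section" \
        | grep -c '^enable-password-authentication=false' || true)
    smartcard_on=$(printf '%s\n' "$section" \
        | grep -c '^enable-smartcard-authentication=true' || true)

    if [ "$password_off" -eq 0 ] || [ "$smartcard_on" -eq 0 ]; then
        return 2
    fi

    # gdm-smartcard is started whether or not a card is present, so the
    # pam_sss auth entry must wait for a certificate instead of falling
    # back to a password prompt.
    if grep -Eq '^auth[[:space:]].*pam_sss\.so.*require_cert_auth' "$pam_file"; then
        return 0
    fi
    return 1
}

# Print a one-line verdict for a dconf keyfile / PAM stack pair.
report() {
    rc=0
    check_smartcard_required "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK:  $2 requires a certificate" ;;
        1) echo "BUG: passwords disabled in $1 but $2 lacks require_cert_auth" ;;
        2) echo "N/A: $1 does not disable password authentication" ;;
    esac
}

# Constructed sample files in a scratch directory (removed on exit).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT

# dconf keyfile matching the settings quoted in comment 2.
DCONF_SMARTCARD_ONLY=$SAMPLE_DIR/01-login-screen
cat > "$DCONF_SMARTCARD_ONLY" <<'EOF'
[org/gnome/login-screen]
enable-smartcard-authentication=true
enable-fingerprint-authentication=false
enable-password-authentication=false
EOF

# dconf keyfile that still allows passwords: no requirement on the stack.
DCONF_PASSWORD_OK=$SAMPLE_DIR/01-login-screen-password
cat > "$DCONF_PASSWORD_OK" <<'EOF'
[org/gnome/login-screen]
enable-smartcard-authentication=true
enable-password-authentication=true
EOF

# Simplified smartcard stack without the option (the shape the reporter hit).
PAM_WITHOUT=$SAMPLE_DIR/smartcard-auth.before
cat > "$PAM_WITHOUT" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_sss.so
auth        required      pam_deny.so
EOF

# Same stack with require_cert_auth on pam_sss, as the reporter added by hand.
PAM_WITH=$SAMPLE_DIR/smartcard-auth.after
cat > "$PAM_WITH" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_sss.so require_cert_auth
auth        required      pam_deny.so
EOF

report "$DCONF_SMARTCARD_ONLY" "$PAM_WITHOUT"
report "$DCONF_SMARTCARD_ONLY" "$PAM_WITH"
report "$DCONF_PASSWORD_OK"    "$PAM_WITHOUT"

# On a RHEL 8 host (assumed keyfile name):
#   check_smartcard_required /etc/dconf/db/gdm.d/01-login-screen /etc/pam.d/smartcard-auth
```

On a real host, run this against the authselect-generated /etc/pam.d/smartcard-auth rather than a hand-edited copy: `authselect current` lists the enabled features, and `authselect check` reports whether the PAM files were modified by hand, in which case authselect stops managing them and the manual require_cert_auth workaround from the report is lost the next time a profile is selected.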
Comment 6 Sumit Bose 2019-02-13 11:44:00 UTC
Ray, thanks for the feedback.

Pavel, can you handle the authselect side with this ticket? I'll try to fix https://pagure.io/SSSD/sssd/issue/3883 / https://bugzilla.redhat.com/show_bug.cgi?id=1645249 so that a proper message is shown as well.

bye,
Sumit

Comment 7 Pavel Březina 2019-02-13 12:16:46 UTC
Sure, does this qualify for 8.0 blocker?

Comment 11 Pavel Březina 2019-02-22 08:48:03 UTC
Authselect part is fixed upstream: https://github.com/pbrezina/authselect/pull/138

Comment 20 Scott Poore 2019-08-02 19:23:04 UTC
Created attachment 1600125 [details]
Image of login prompt for smart card

Verified.

Version ::

sssd-client-2.2.0-5.el8.x86_64
gdm-3.28.3-22.el8.x86_64
authselect-1.1-2.el8.x86_64

Results ::

[root@rhel8-2 ~]# authselect enable-feature with-smartcard-required
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

[root@rhel8-2 ~]# systemctl restart sssd gdm
[root@rhel8-2 ~]# 


Then connecting via virt-viewer and redirecting a USB smart card reader without a card inserted, I see:

Please enter smart card

Comment 22 errata-xmlrpc 2019-11-05 22:33:32 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:3647