Bug 1734012
| Summary: | RHEL6.10 shows gdm-simple-greeter consuming 100% CPU when ssh using smart card | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | amitkuma |
| Component: | gdm | Assignee: | Ray Strode [halfline] <rstrode> |
| Status: | CLOSED WONTFIX | QA Contact: | Desktop QE <desktop-qa-list> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 6.10 | CC: | jwright, pbhoot, toneata |
| Target Milestone: | rc | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2020-02-17 13:43:43 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Hey Ray, thanks for taking up. We have asked for strace for gdm-simple-greeter.
Description of problem:
- RHEL6 shows 100% CPU for gdm-simple-greeter when sshed using smart card. Once smart card is directly plugged into RHEL6.8, gdm-simple-greeter does not consume memory.
- RHEL7 does not show this problem.

Windows (RHEL-6.8 smart card) > Open PuTTY SSH > Pkcs11 -> ssh user@<rhel6.8> > Attempt "PKCS#11 smartcard" > Token Label > login successfully (without password)

```
# top
99.5 gdm-simple-greeter
```

-> Plug smartcard directly here.
- Perform smart card login.

```
# top
gdm-simple-greeter does not consume memory!
```

pam_pkcs11.conf:

```
pam_pkcs11 {
  # Allow empty passwords
  nullok = true;

  # Enable debugging support.
  debug = false;

  # If the smart card is inserted, only use it
  card_only = false;

  # Do not prompt the user for the passwords but take them from the
  # PAM_ items instead.
  use_first_pass = false;

  # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
  # is unset.
  try_first_pass = false;

  # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
  # previously set (intended for stacking password modules only).
  use_authtok = false;

  # Filename of the PKCS #11 module. The default value is "default"
  use_pkcs11_module = opensc;

  screen_savers = gnome-screensaver,xscreensaver,kscreensaver

  pkcs11_module coolkey {
    module = libcoolkeypk11.so;
    description = "Cool Key"

    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_num = 0;

    # Path to the directory where the CA certificates are stored. The
    # directory must contain an openssl hash-link to each certificate.
    # The default value is /etc/pam_pkcs11/cacerts.
    ca_dir = /etc/pam_pkcs11/cacerts;
    nss_dir = /etc/pki/nssdb;

    # Path to the directory where the CRLs are stored. The directory
    # must contain an openssl hash-link to each CRL. The default value
    # is /etc/pam_pkcs11/crls.
    crl_dir = /etc/pam_pkcs11/crls;

    # Sets the Certificate verification policy.
    # "none"        Performs no verification
    # "ca"          Does CA check
    # "crl_online"  Downloads the CRL from the location given by the
    #               CRL distribution point extension of the certificate
    # "crl_offline" Uses the locally stored CRLs
    # "crl_auto"    Is a combination of online and offline; it first
    #               tries to download the CRL from a possibly given CRL
    #               distribution point and if this fails, uses the local
    #               CRLs
    # "ocsp_on"     Turn on OCSP.
    # "signature"   Does also a signature check to ensure that private
    #               and public key matches
    # You can use a combination of ca,crl, and signature flags, or just
    # use "none".
    cert_policy = ca, signature;
  }

  pkcs11_module opensc {
    module = opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";

    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_num = 0;

    # Path to the directory where the CA certificates are stored. The
    # directory must contain an openssl hash-link to each certificate.
    # The default value is /etc/pam_pkcs11/cacerts.
    ca_dir = /etc/pam_pkcs11/cacerts;

    # Path to the directory where the CRLs are stored. The directory
    # must contain an openssl hash-link to each CRL. The default value
    # is /etc/pam_pkcs11/crls.
    crl_dir = /etc/pam_pkcs11/crls;

    # Sets the Certificate Policy, (see above)
    cert_policy=ca, ocsp_on, signature;
  }

  # Default pkcs11 module
  pkcs11_module default {
    module = /usr/$LIB/pam_pkcs11/pkcs11_module.so;
    description = "Default pkcs#11 module";
    slot_num = 0;
    ca_dir = /etc/pam_pkcs11/cacerts;
    crl_dir = /etc/pam_pkcs11/crls;
    cert_policy=ca, signature;
  }

  # Which mappers ( Cert to login ) to use?
  # you can use several mappers:
  #
  # subject - Cert Subject to login file based mapper
  # pwent   - CN to getpwent() login or gecos fields mapper
  # ldap    - LDAP mapper
  # opensc  - Search certificate in ${HOME}/.eid/authorized_certificates
  # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
  # mail    - Compare email fields from certificate
  # ms      - Use Microsoft Universal Principal Name extension
  # krb     - Compare against Kerberos Principal Name
  # cn      - Compare Common Name (CN)
  # uid     - Compare Unique Identifier
  # digest  - Certificate digest to login (mapfile based) mapper
  # generic - User defined certificate contents mapped
  # null    - blind access/deny mapper
  #
  # You can select a comma-separated mapper list.
  # If used null mapper should be the last in the list :-)
  # Also you should select at least one mapper, otherwise
  # certificate will not match :-)
  use_mappers = uid, cn, subject, digest;

  # When no absolute path or module info is provided, use this
  # value as module search path
  # TODO:
  # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH
  mapper_search_path = /usr/$LIB/pam_pkcs11;

  #
  # Generic certificate contents mapper
  mapper generic {
    debug = true;
    module = /usr/$LIB/pam_pkcs11/generic_mapper.so;
    # ignore letter case on match/compare
    ignorecase = false;
    # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
    cert_item = cn;
    # Define mapfile if needed, else select "none"
    mapfile = file:///etc/pam_pkcs11/generic_mapping
    # Decide if use getpwent() to map login
    use_getpwent = false;
  }

  # Certificate Subject to login based mapper
  # provided file stores one or more "Subject -> login" lines
  mapper subject {
    debug = false;
    # module = /usr/$LIB/pam_pkcs11/subject_mapper.so;
    module = internal;
    ignorecase = false;
    mapfile = file:///etc/pam_pkcs11/subject_mapping;
  }

  # Search public keys from $HOME/.ssh/authorized_keys to match users
  mapper openssh {
    debug = false;
    module = /usr/$LIB/pam_pkcs11/openssh_mapper.so;
  }

  # Search certificates from
  # $HOME/.eid/authorized_certificates to match users
  mapper opensc {
    debug = false;
    module = /usr/$LIB/pam_pkcs11/opensc_mapper.so;
  }

  # Certificate Common Name ( CN ) to getpwent() mapper
  mapper pwent {
    debug = false;
    ignorecase = false;
    module = internal;
    # module = /usr/$LIB/pam_pkcs11/pwent_mapper.so;
  }

  # Null ( no map ) mapper. when user as finder matches to NULL or "nobody"
  mapper null {
    debug = false;
    # module = /usr/$LIB/pam_pkcs11/null_mapper.so;
    module = internal ;
    # select behavior: always match, or always fail
    default_match = false;
    # on match, select returned user
    default_user = nobody ;
  }

  # Directory ( ldap style ) mapper
  mapper ldap {
    debug = false;
    module = /usr/$LIB/pam_pkcs11/ldap_mapper.so;
    # where base directory resides
    basedir = /etc/pam_pkcs11/mapdir;
    # hostname of ldap server
    ldaphost = "localhost";
    # Port on ldap server to connect
    ldapport = 389;
    # Scope of search: 0 = x, 1 = y, 2 = z
    scope = 2;
    # DN to bind with. Must have read-access for user entries under "base"
    binddn = "cn=pam,o=example,c=com";
    # Password for above DN
    passwd = "test";
    # Searchbase for user entries
    base = "ou=People,o=example,c=com";
    # Attribute of user entry which contains the certificate
    attribute = "userCertificate";
    # Searchfilter for user entry. Must only let pass user entry for the login user.
    filter = "(&(objectClass=posixAccount)(uid=%s))"
  }

  # Assume common name (CN) to be the login
  mapper cn {
    debug = false;
    module = internal;
    # module = /usr/$LIB/pam_pkcs11/cn_mapper.so;
    ignorecase = false;
    mapfile = file:///etc/pam_pkcs11/cn_map;
  }

  # mail - Compare email field from certificate
  mapper mail {
    debug = false;
    module = internal;
    # module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
    # Declare mapfile or
    # leave empty "" or "none" to use no map
    mapfile = file:///etc/pam_pkcs11/mail_mapping;
    # Some certs store email in uppercase.
    # take care on this
    ignorecase = true;
    # Also check that host matches mx domain
    # when using mapfile this feature is ignored
    ignoredomain = false;
  }

  # ms - Use Microsoft Universal Principal Name extension
  # UPN is in format login@ADS_Domain. No map is needed, just
  # check domain name.
  mapper ms {
    debug = false;
    module = internal;
    # module = /usr/$LIB/pam_pkcs11/ms_mapper.so;
    ignorecase = false;
    ignoredomain = false;
    domain = "domain.com";
  }

  # krb - Compare against Kerberos Principal Name
  mapper krb {
    debug = false;
    module = internal;
    # module = /usr/$LIB/pam_pkcs11/krb_mapper.so;
    ignorecase = false;
    mapfile = "none";
  }

  # uid - Maps Subject Unique Identifier field (if exist) to login
  mapper uid {
    debug = false;
    module = internal;
    # module = /usr/$LIB/pam_pkcs11/uid_mapper.so;
    ignorecase = false;
    mapfile = "none";
  }

  # digest - elaborate certificate digest and map it into a file
  mapper digest {
    debug = false;
    module = internal;
    # module = /usr/$LIB/pam_pkcs11/digest_mapper.so;
    # algorithm used to evaluate certificate digest
    # Select one of:
    # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
    algorithm = "sha1";
    mapfile = file:///etc/pam_pkcs11/digest_mapping;
    # mapfile = "none";
  }
}
```

- Uninstalled opensc, installed coolkey; still issues.

Version-Release number of selected component (if applicable):

How reproducible:
- All times in customer env
- Not in local reproduction

Steps to Reproduce:
1. Mentioned above

Actual results:
gdm-simple-greeter consumes 100% CPU on smart card login

Expected results:
gdm-simple-greeter should not consume 100% CPU on smart card login

Additional info:
- RHEL 7 is fine, and didn't see the 100% CPU issue
- It doesn't show high CPU for non smart card ssh login
- Disabling SELinux does not solve the problem.
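The pam_pkcs11.conf above is a block-structured file (named blocks in braces, `key = value;` lines whose trailing semicolon is sometimes missing, and `#` comments that must not be recognised inside quoted strings such as `"OpenSC PKCS#11 module"`). As an added example that is not part of the bug report or of pam_pkcs11's own code, the Python below parses that layout and reports which `pkcs11_module` block `use_pkcs11_module` selects, its `cert_policy`, the mapper chain, and the settings a reviewer of such a file usually wants surfaced: `nullok`, a policy missing `ca` or `signature`, the `crl_online`/`crl_auto`/`ocsp_on` flags that, per the file's own comments, fetch revocation data over the network at login time, and a `null` mapper that is not last. The excerpt it parses is constructed here, modelled on the reporter's file; the function names and finding labels are the example's own, not pam_pkcs11's.

```python
"""Parse a pam_pkcs11.conf-style file and summarise the settings that matter at login.

Added example, not code from the bug report or from pam_pkcs11 itself.
"""

# cert_policy flags that, per the comments in pam_pkcs11.conf, fetch CRL or
# OCSP data from the network while the user is being authenticated.
NETWORK_POLICY_FLAGS = ("crl_online", "crl_auto", "ocsp_on")

# Constructed excerpt in the layout of the reporter's pam_pkcs11.conf; it is
# not the customer's file, only the parts needed to exercise the parser.
SAMPLE_CONF = """\
pam_pkcs11 {
  # Allow empty passwords
  nullok = true;
  use_pkcs11_module = opensc;
  screen_savers = gnome-screensaver,xscreensaver,kscreensaver
  pkcs11_module coolkey {
    module = libcoolkeypk11.so;
    description = "Cool Key"
    cert_policy = ca, signature;
  }
  pkcs11_module opensc {
    module = opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";  # the '#' inside quotes is data
    cert_policy=ca, ocsp_on, signature;
  }
  use_mappers = uid, cn, subject, digest;
  mapper null {
    module = internal ;
    default_match = false;
  }
  mapper ldap {
    binddn = "cn=pam,o=example,c=com";
    filter = "(&(objectClass=posixAccount)(uid=%s))"
  }
}
"""


def _strip_comment(line):
    """Drop a trailing '#' comment, ignoring '#' characters inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()


def parse_scconf(text):
    """Return nested dicts: a block header such as "pkcs11_module opensc" maps to
    a dict of its settings; every value is an unquoted string."""
    root, stack = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        if line == "}":
            if not stack:
                raise ValueError(f"line {lineno}: unexpected '}}'")
            stack.pop()
        elif line.endswith("{"):
            block = {}
            parent = stack[-1] if stack else root
            parent[" ".join(line[:-1].split())] = block   # normalise header spacing
            stack.append(block)
        elif "=" in line:
            if not stack:
                raise ValueError(f"line {lineno}: setting outside any block")
            key, _, value = line.partition("=")          # first '=' only: binddn has more
            value = value.strip().rstrip(";").strip()    # semicolon is optional in practice
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            stack[-1][key.strip()] = value
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
    if stack:
        raise ValueError("unbalanced braces: a block was never closed")
    return root


def _split_list(value):
    return [item.strip() for item in value.split(",") if item.strip()]


def audit_pam_pkcs11(conf):
    """Summarise the active module, its cert_policy and the mapper chain, and list
    settings worth a second look. Finding labels are this example's own."""
    top = conf["pam_pkcs11"]
    module_name = top.get("use_pkcs11_module", "default")
    block = top.get(f"pkcs11_module {module_name}")
    if block is None:
        raise KeyError(f"use_pkcs11_module = {module_name}, but no such pkcs11_module block")
    policy = _split_list(block.get("cert_policy", "none"))
    mappers = _split_list(top.get("use_mappers", ""))
    findings = []
    if top.get("nullok") == "true":
        findings.append("nullok_enabled")            # empty passwords accepted
    if "ca" not in policy:
        findings.append("no_ca_check")                # certificate chain not validated
    if "signature" not in policy:
        findings.append("no_signature_check")         # possession of the private key not proven
    for flag in NETWORK_POLICY_FLAGS:                 # revocation data fetched during login
        if flag in policy:
            findings.append(f"network_revocation_check:{flag}")
    if "null" in mappers and mappers[-1] != "null":
        findings.append("null_mapper_not_last")       # the file's comments require it last
    return {"module": module_name, "cert_policy": policy,
            "mappers": mappers, "findings": findings}


def audit_file(path):
    """Convenience wrapper for a real file, e.g. /etc/pam_pkcs11/pam_pkcs11.conf."""
    with open(path, encoding="utf-8") as fh:
        return audit_pam_pkcs11(parse_scconf(fh.read()))


if __name__ == "__main__":
    import json
    print(json.dumps(audit_pam_pkcs11(parse_scconf(SAMPLE_CONF)), indent=2))
```

On the constructed excerpt the report names `opensc` as the active module with policy `ca, ocsp_on, signature` and two findings, `nullok_enabled` and `network_revocation_check:ocsp_on`; pointing `use_pkcs11_module` at `coolkey` instead drops the second finding, because that block's policy is `ca, signature` only. The parser is deliberately strict about unbalanced braces so that a truncated or hand-edited file fails loudly rather than being audited as if its trailing blocks were absent.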