Bug 1983683

Summary: pam rpm delivered smartcard-auth contains pam_pkcs11.so that is known to be removed in RHEL 8
Product: Red Hat Enterprise Linux 8
Reporter: Chetan Patil <cpatil>
Component: pam
Assignee: Iker Pedrosa <ipedrosa>
Status: VERIFIED
QA Contact: Anuj Borah <aborah>
Severity: medium
Priority: low
Version: 8.3
CC: aboscatt, afarley, atikhono, dchen, ipedrosa, jjelen, mescanfe, nmunoz, pbrezina, peter.vreman, sbose, tscherf
Target Milestone: beta
Keywords: Triaged
Hardware: All
OS: Linux
Fixed In Version: pam-1.3.1-26.el8
Type: Bug

Description Chetan Patil 2021-07-19 13:43:16 UTC
Description of problem:

pam_pkcs11.so is deprecated in RHEL 8.

But pam_pkcs11 can still be seen in the configuration file.

Version-Release number of selected component (if applicable):

RHEL 8.4

How reproducible:


Steps to Reproduce:
1. # sudo rm -f /etc/pam.d/smartcard-auth

2. # sudo yum reinstall pam

3. # cat /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card                                         <=== Module can be seen
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    optional      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Actual results:

auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card  can be seen in configuration file.

Expected results:
Below should not be seen in /etc/pam.d/smartcard-auth
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card 

Additional info:

Comment 1 Iker Pedrosa 2021-07-19 13:59:15 UTC
Can I have a look at the announcement that pam_pkcs11 will be removed in RHEL8?

Comment 2 Chetan Patil 2021-07-19 15:36:12 UTC
Following are the documents for the same:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/upgrading_from_rhel_7_to_rhel_8/troubleshooting_upgrading-from-rhel-7-to-rhel-8#known-issues_troubleshooting

In the above document there is an Important note that states pam_pkcs11 is deprecated:

~~~
During the in-place upgrade, the deprecated pam_krb5 or pam_pkcs11 pluggable authentication modules (PAM) are removed. Consequently, if the PAM configuration on your RHEL 7 system contains the pam_krb5 or pam_pkcs11 modules and if these modules have the required or requisite control values, performing the in-place upgrade might result in locking you out of the system. To work around this problem, reconfigure your RHEL 7 system to not use pam_krb5 or pam_pkcs11 before you start the upgrade process.
~~~



https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index#package-replacements_changes-to-packages
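
Added example (not part of the original report or of the pam package): a check for the condition the quoted note warns about, listing PAM lines that name a module absent from disk and marking those whose control value would fail the stack. The names `audit`, `is_fatal`, `demo` and `SAMPLE` are hypothetical, the sample is constructed from the lines reported above, and the handling of bracket controls (`default=die`) is an assumption that extends the note's "required or requisite" wording.

```python
import os
import re
import tempfile

# Constructed sample: the active auth/password lines from the report above.
SAMPLE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
auth        required      pam_deny.so
password    optional      pam_pkcs11.so
"""

# type, control (keyword or [value=action ...]), module; a leading "-" is allowed
LINE = re.compile(r"^-?(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def is_fatal(control):
    """Assumption: an unloadable module fails its stack under required/requisite,
    or under a bracket control whose module_unknown/default action is die or bad."""
    if control in ("required", "requisite"):
        return True
    if control.startswith("["):
        acts = dict(p.split("=", 1) for p in control[1:-1].split() if "=" in p)
        return acts.get("module_unknown", acts.get("default")) in ("die", "bad")
    return False

def audit(text, module_dirs):
    """Return (lineno, type, module, fatal) for each module not found on disk."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = LINE.match(raw.strip())
        if not m or m.group(2) in ("include", "substack"):
            continue  # comments, blanks, and references to other PAM files
        mtype, control, module = m.groups()
        dirs = [""] if os.path.isabs(module) else module_dirs
        if not any(os.path.exists(os.path.join(d, module)) for d in dirs):
            findings.append((lineno, mtype, module, is_fatal(control)))
    return findings

def demo():
    # Temporary module directory that, like RHEL 8, has no pam_pkcs11.so.
    with tempfile.TemporaryDirectory() as mod_dir:
        for present in ("pam_env.so", "pam_deny.so"):
            open(os.path.join(mod_dir, present), "w").close()
        return audit(SAMPLE, [mod_dir])

if __name__ == "__main__":
    for lineno, mtype, module, fatal in demo():
        print(lineno, mtype, module, "fails the stack" if fatal else "non-fatal")
```

On a real host, pass the text of each file under /etc/pam.d and the system's PAM module directory (typically /usr/lib64/security on 64-bit RHEL) to `audit`.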

Comment 3 Iker Pedrosa 2021-07-20 07:22:53 UTC
Good catch! Thank you.

I guess it also affects Fedora and RHEL9.