Bug 2097048
| Summary: | Screen does not lock when smartcard reader is removed with smartcard inserted | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 8 | Reporter: | Andrew Mike <amike> |
| Component: | opensc | Assignee: | Jakub Jelen <jjelen> |
| Status: | CLOSED ERRATA | QA Contact: | Marek Havrila <mhavrila> |
| Severity: | medium | Docs Contact: | Mirek Jahoda <mjahoda> |
| Priority: | medium | ||
| Version: | 8.6 | CC: | alanm, brclark, casantos, gpantela, hdegoede, jjelen, jwright, mhavrila, mkielian, mkolbas, rstrode, sbarcomb, sross |
| Target Milestone: | rc | Keywords: | Triaged |
| Target Release: | 8.9 | Flags: | pm-rhel:
mirror+
|
| Hardware: | x86_64 | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | opensc-0.20.0-5.el8 | Doc Type: | Bug Fix |
| Doc Text: |
.The automatic screen lock now works correctly even when a USB smart-card reader is removed
Before RHEL 8.9, the `opensc` packages incorrectly handled removing USB smart-card readers. Consequently, the system remained unlocked even if the GNOME Display Manager (GDM) was configured to lock the screen when a smart card was removed. Furthermore, after reconnecting the USB reader, the screen also did not lock after removing the smart card. In this release, the code for handling removals of USB smart-card readers has been fixed. As a result, the screen is correctly locked even when a smart card or a USB smart-card reader is removed.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-11-14 15:51:11 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Andrew Mike
2022-06-14 19:21:18 UTC
We see this issue too. Any suggestions for a work-around would be appreciated. -- Steve Ross Moving to OpenSC, as this is most likely an issue on our side. Marek checked the RHEL9 OpenSC works as expected (will check if the card works again after the reader removal again). For now, we do not have a workaround (except for the update to RHEL9), but we will consider if we will be able to backport the changes to RHEL8 or do the rebase to newer version. Jakub Jelen wrote:
> Moving to OpenSC, as this is most likely an issue on our side.
I have reproduced this issue on both a RHEL8.6 EUS machine, which uses OpenSC, and another platform (based on RHEL8.6) which uses a different PKCS #11 module. So, I question whether this is an issue with OpenSC or with, for example, (just speculating) "gsd-smartcard".
In the next couple of days, I can plan to try the other module on the stock RHEL8.6 machine.
-- Steve Ross
Marek mentioned in the private comment that this works with RHEL9, which has newer OpenSC and I vaguely remember fixing some related bugs in the OpenSC upstream. Another data-point to verify would be trying the new OpenSC 0.23.0 (for example from the below copr) on RHEL8.6 if it will work or not: https://copr.fedorainfracloud.org/coprs/jjelen/opensc-latest/ If you could test it on stock RHEL 8.6 machine with the new OpenSC, it would be very appreciated. I wrote: > In the next couple of days, I can plan to try the other module on the stock RHEL8.6 machine. I did try the other PKCS #11 module on the stock RHEL8 EUS machine. Like the stock "opensc-0.20.0-4.el8" package, the other module (correctly) locks the screen when I remove the smart card (used for authentication) from the reader, and (incorrectly) leaves the screen unlocked when I unplugged the reader+card together. So, this would lead me to believe that the issue is outside of the PKCS #11 module. Jakub wrote: > Marek mentioned in the private comment that this works with RHEL9, which has newer OpenSC > and I vaguely remember fixing some related bugs in the OpenSC upstream. > Another data-point to verify would be trying the new OpenSC 0.23.0 > (for example from the below copr) on RHEL8.6 if it will work or not: > > https://copr.fedorainfracloud.org/coprs/jjelen/opensc-latest/ > > If you could test it on stock RHEL 8.6 machine with the new OpenSC, it would be very appreciated. I installed "opensc-0.23.0-2.el8" from your site on the RHEL 8.6 machine. It (correctly) locks the screen when I remove the smart card, and (correctly!!) locks the screen when I unplugged the reader+card combination. I did *not* expect correct operation for reader+card; that points to some issue with both older the module(s). Thank you for double-checking! Jakub wrote: > Thank you for double-checking! You are welcome. And earlier wrote: > I vaguely remember fixing some related bugs in the OpenSC upstream. This is a low-priority request (so feel free to ignore it), but I am curious about which bugs these are. My searching skills for issues/Pull Requests on GitHub in OpenSC/OpenSC were not sufficient for me to find them. There was a lot of changes regarding the token/card/reader removal and reinsertion over the last couple of years. I thought it was something I was fixing, but it looks like the first merge request for this particular issue was this one (but it looks like it should already have been in 0.20.0 which is in RHEL8): https://github.com/OpenSC/OpenSC/pull/1615 There were many changes how the pcscd events are handled since then: https://github.com/OpenSC/OpenSC/pull/1970 https://github.com/OpenSC/OpenSC/pull/1923 https://github.com/OpenSC/OpenSC/pull/2051 https://github.com/OpenSC/OpenSC/pull/2077 https://github.com/OpenSC/OpenSC/pull/2418 https://github.com/OpenSC/OpenSC/pull/2600 I might have missed some though. Jakub wrote:
> There was a lot of changes regarding the token/card/reader removal and reinsertion over the last couple of years.
Thank you for the list!
The current patch for RHEL 8 contains the changes from upstream for this change: # changes related to the reader handling https://github.com/OpenSC/OpenSC/commit/31d8c2dfd14ed01b430def2f46cc718ef4b595fc https://github.com/OpenSC/OpenSC/commit/8f4a6c703b5ae7d4f44cf33c85330171afa917bf https://github.com/OpenSC/OpenSC/pull/1970 (without the first and last commits) https://github.com/OpenSC/OpenSC/pull/1923 https://github.com/OpenSC/OpenSC/pull/2051 https://github.com/OpenSC/OpenSC/pull/2077 https://github.com/OpenSC/OpenSC/pull/2418 https://github.com/OpenSC/OpenSC/pull/2600 https://github.com/OpenSC/OpenSC/commit/c2e00e9071952b30ed6d58d9b7670eb3d93ea6fb https://github.com/OpenSC/OpenSC/pull/2740 # OpenSC notify build issues https://github.com/OpenSC/OpenSC/commit/5e79a2a4abdd523cfff19824718bbb0d8ced7320 https://github.com/OpenSC/OpenSC/commit/843779fe6e0f345f483f9ce9c9739913502391eb https://github.com/OpenSC/OpenSC/commit/7936bdef15c71139a6a6159cabaf9e6101565add https://github.com/OpenSC/OpenSC/commit/1202eceeefd5ffab45648d41ed0a3076cac10920 we still have an upstream PR in progress to capture hopefully last corner case, but I will probably not wait for that one. They are available in the following PR (including a scratch build): https://gitlab.com/redhat/centos-stream/rpms/opensc/-/merge_requests/8 I will give it some more testing later this or next week. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Low: opensc security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2023:7160 |