Bug 210827
Summary: | gdm sometimes displays "Authentication Failed" when removing smart card | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Ray Strode [halfline] <rstrode> |
Component: | gdm | Assignee: | Ray Strode [halfline] <rstrode> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5.0 | CC: | ckannan, tmraz |
Target Milestone: | rc | Keywords: | Reopened |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | RHEL5.0NACK | ||
Fixed In Version: | RHBA-2008-0398 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2008-05-21 16:00:53 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 229988, 439467 |
Description
Ray Strode [halfline]
2006-10-15 22:16:23 UTC
It looks like the slave is somehow getting out of sync with the greeter. what's happening is, when I remove my smart card a cancel request is sent and everything is cancelled. The slave event loop iterates a begins a new pam conversation. pam_pkcs11 asks for a password, and the slave then asks the greeter to ask the user for a password. At this point, it looks like the greeter is responding with some sort of empty string response that the slave then passes on to pam_pkcs11 and things fail from there. the reponse is either just a newline '\n' or maybe a string of NUL chars. I'm not sure yet. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux major release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Major release. This request is not yet committed for inclusion. *** Bug 215859 has been marked as a duplicate of this bug. *** per bug council on 11/17. not a rhel5 blocker. targeted for rhel5 rc's per the last bug meeting, we decided this would be fixed in the rhel 5.1 release. qa_ack+ This bug was proposed for RHEL 5, but wasn't resolved in time. devel_ack+ for RHEL 5.1. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux release. Since this bugzilla is in a component that is not approved for the current release, it has been closed with resolution deferred. You may reopen this bugzilla for consideration in the next release. This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release. i can reproduce this. devack. should be fixed in gdm-2.16.0-40.el5 Happens if you pull the card out while the pam_pkcs11 is initially connecting to it (before it puts up the Password prompt). marking MODIFIED for QA Ok. This is what I did to reproduce the problem. (1) rhel 5.2 beta - x86 build. (2) at the gdm login screen. Insert/remove an enrolled card. Tried atleast 15 times. Never saw the "Authentication Failed" message. Ray, Is this good enough verification ?. You didn't mention how to managed to reproduce the problem. Any tips/hints ? ok. Saw these notes in the errata. bug 210827: 1) configure system for smart card/username-password login 2) go to login screen 3) insert smart card 4) while the text entry field is grayed out and you see 3 dots (this is when pam_pkcs11 is connecting to the card), remove the smart card If the timing is right, you'll get an "Authentication Failed" message with the old packages, but not with the new ones So I tried the steps mentioned in comment #17. Exactly when I see the ...(3dots), I pulled out the smart card. After that the gdm login screen is unable to recognize insertion/removal events. re-assigning back to Ray to see why ... says "should be fixed in gdm-2.16.0-40.el5". I have exactly that version. same as comment #18. back to ray... ray enabled gdm debug logging and I wasn't able to reproduce this problem. Feels like this is very much related to timing. Ray will continue to investigate t'row. So, I spent some time banging on this yesterday, while talking to Chandra, Jack and Bob on irc. I couldn't reproduce the problem Chandra is seeing exactly (not surprising since it's apparently timing related), but there is another similiar issue we ran into. If you remove and insert the card 32 times (that is 16 removes and 16 inserts) then PK11_IsPresent() from that point on will always return false which means neither gdm nor pam_pkcs11 will see the card inserted anymore. At any rate, that problem and Chandra's problem in comment 18 are independent of the original issue, so we should file them as separate bugs (tentatively against pcsc-lite i guess until we figure out where in the stack the problem is). Those issues aren't likely to get resolved for 5.2 since they're problems with components not on the approved component list and it's so late in the development cycle. I've filed bug 439467 to cover the lost card status issues. Ray - over IRC u asked ... <halfline> chandra, for bug 210827 can you reproduce Authentication Failed with GA gdm and not get it anymore with the new packages? (1) I installed rhel 5.1 GA. I'm not able to reproduce the "auth failed" dialog box pop-up. I tried the hell out of it. (2) Did the same with rhel 5.2 beta (0326.0), i'm unable to try to reproduce this problem, because if I try to pull the card out when the 3dots display, gdm stop recognizing the card afterwards. So, I'm kinda stuck here... if you can't reproduce the original problem with the old packages then I don't know what else we can do. Can you try on a different hardware configuration? I reproduced the problem in qemu initially, so maybe try on slower hardware or through vmware? trying vmware now Ok. I tried this too. rhel5 u1 64bit vm ( under vmware ). removed the card as soon as I saw the 3dots upon card insertion. tried about 15 times. unable to reproduce the original problem. Okay, it's unfortunate that I'm the only one who's seen this problem. I can confirm the patch fixes the issue for me, however. Since there is no customer reports of this problem and the issue is something that rarely shows up, we shouldn't spend too much more time on this bug. Since the original reporter (ah hem, me) has confirmed the problem is addressed with the latest packages we should probably mark it VERIFIED by reporter. It's a bit unfortunate we can't reproduce, but this is probably the best we can do I guess. Okay with you Chandra? Ray, I'm fine with this. An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0398.html |