Bug 781203
Summary: | SSO: Logged in with kerberos user id, asking smart card pin while unlocking a locked screen. | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 7 | Reporter: | Asha Akkiangady <aakkiang> |
Component: | pam_krb5 | Assignee: | Robbie Harwood <rharwood> |
Status: | CLOSED WONTFIX | QA Contact: | Asha Akkiangady <aakkiang> |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | 7.0 | CC: | aakkiang, dpal, jmagne, nalin, nsoman, pkis, prc, rrelyea, tmraz |
Target Milestone: | rc | ||
Target Release: | --- | ||
Hardware: | Unspecified | ||
OS: | Unspecified | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2016-11-17 19:24:36 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Asha Akkiangady
2012-01-12 23:11:37 UTC
This is not a gnome-screensaver bug. It's either a pam_pkcs11 bug or a pam_krb5 bug, but we fixed it in pam_pkcs11 several years ago, so it's probably pam_krb5 pkinit-y bug. Basically pam_pkcs11 has something like: /* bail if the user didn't log in with smart card */ if (getenv("PKCS11_LOGIN_TOKEN_NAME") is empty) return PAM_IGNORE; So my guess is the second pam_krb5 line in the auth section is getting run and it's not ignoring the smartcard like it should. Punting forward, as the underpinnings of this setup have changed and we're not making big changes in this area in EL5 at this point. (In reply to Ray Strode [halfline] from comment #1) > Basically pam_pkcs11 has something like: > > /* bail if the user didn't log in with smart card */ > if (getenv("PKCS11_LOGIN_TOKEN_NAME") is empty) return PAM_IGNORE; > > So my guess is the second pam_krb5 line in the auth section is getting run > and it's not ignoring the smartcard like it should. With that configuration, then, a "no_subsequent_prompt" option added to that second invocation should also disable any attempts to gather PINS or passwords for PKINIT credentials. I slightly wonder why the no_subsequent_prompt option was needed when use_first_pass should have basically the same meaning. However if I add this option in authconfig, should it be always added or only in case the smartcard authentication is enabled? (In reply to Tomas Mraz from comment #6) > I slightly wonder why the no_subsequent_prompt option was needed when > use_first_pass should have basically the same meaning. > > However if I add this option in authconfig, should it be always added or > only in case the smartcard authentication is enabled? Only for the smart card case, please. Distinguishing between a user's long-term password (which use_first_pass affects) and non-password information that we may have to ask for (smart card PINs, OTP values) is... well, kind of a mess when the PAM_AUTHTOK can be any of those things, so no_subsequent_prompt, in combination with use_first_pass/try_first_pass, lets you control whether or not the module will allow the library to trigger an additional prompt, and whether or not it will just hand back the PAM_AUTHTOK if it does. |