Description of problem:
Trying to log in to the desktop without a smart card shows a blank screen when configured with the smart card only option.

Version-Release number of selected component (if applicable):
pam_pkcs11-0.6.2-10.el7.x86_64

How reproducible:

Steps to Reproduce:
1. System authentication on this machine is configured with userDatabase to LDAP server, kerberos support enabled, the KDC information is provided and smart card support is enabled.
   Use smart card: ON
   Enforce smart card: ON
   Log out behavior configured to: Ignore smart card removal
   Login with smart card is successful.

   # cat /etc/pam.d/smartcard-auth
   #%PAM-1.0
   # This file is auto-generated.
   # User changes will be destroyed the next time authconfig is run.
   auth        required      pam_env.so
   auth        [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card card_only
   auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
   auth        sufficient    pam_permit.so
   auth        required      pam_deny.so
   account     required      pam_unix.so broken_shadow
   account     sufficient    pam_localuser.so
   account     sufficient    pam_succeed_if.so uid < 1000 quiet
   account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
   account     required      pam_permit.so
   password    required      pam_pkcs11.so
   session     optional      pam_keyinit.so revoke
   session     required      pam_limits.so
   -session    optional      pam_systemd.so
   session     optional      pam_oddjob_mkhomedir.so umask=0077
   session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
   session     required      pam_unix.so
   session     optional      pam_krb5.so

2. Try to log in as a user without a smart card.

Actual results:
Upon entering the user name a blank screen is shown.
/var/log/messages has this:

Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: argument card_only is not supported by this module
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: no suitable token available
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: argument card_only is not supported by this module
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: no suitable token available
Nov 26 12:47:16 dhcp129-98 kernel: [ 376.483820] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.

Note: Inserting a smartcard on the blank screen does ask for the pin and is able to log in.

Expected results:
A message to enter a smart card for the user.

Swapping the arguments "wait_for_card card_only" to "card_only wait_for_card" does request to insert a smart card when the user name is entered.

# cat /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=ok ignore=2 default=die] pam_pkcs11.so card_only wait_for_card
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        required      pam_deny.so
account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so
password    required      pam_pkcs11.so
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Additional info:
<halfline_laptop> 1) pam_pkcs11 needs the patches that were in rhel6 moved to rhel7
<halfline_laptop> (or get rebased assuming the patches have been upstreamed)
right, there are two issues
1) card_only isn't a valid option to pass to pam_pkcs11 (should be fixed in authconfig)
2) pam_pkcs11 currently ignores the first argument
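The two issues above explain both observed behaviours: the affected build drops the first argument on the pam_pkcs11 auth line, and then rejects card_only. The following script, an added example that is not part of this bug report or of pam_pkcs11, parses the smartcard-auth stack and reports what is actually in effect for that line; the set of unsupported arguments is assumed from the "argument card_only is not supported by this module" log line, and the first_arg_ignored flag models the reported build.

```python
import re

# Assumption taken from the log line in this report: the affected build
# rejects card_only. Extend this set for other arguments as needed.
UNSUPPORTED_ARGS = {"card_only"}

# /etc/pam.d/* line: [-]type control module [args...]; control is either a
# single word or a bracketed [key=value ...] list.
PAM_LINE = re.compile(
    r"^\s*-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+"
    r"(?P<module>\S+)(?:\s+(?P<args>.*))?$"
)

def parse_pam(text):
    """Return (type, control, module, [args]) tuples, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m:
            entries.append((m["type"], m["control"], m["module"], (m["args"] or "").split()))
    return entries

def check_smartcard_auth(text, first_arg_ignored=True):
    """List problems with the pam_pkcs11 auth line.

    first_arg_ignored=True models the build in this report, which drops the
    first module argument; pass False to evaluate a fixed build."""
    problems = []
    for typ, _ctl, module, args in parse_pam(text):
        if typ != "auth" or module != "pam_pkcs11.so":
            continue
        effective = args[1:] if first_arg_ignored else args
        for a in effective:
            if a in UNSUPPORTED_ARGS:
                problems.append(f"{a} is not supported by this module")
        if "wait_for_card" not in effective:
            problems.append("wait_for_card not in effect: no insert-card prompt")
    return problems

# Constructed sample: only the pam_pkcs11 line differs between the two
# configurations quoted in the report.
BROKEN = """\
auth required pam_env.so
auth [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card card_only
auth optional pam_krb5.so use_first_pass no_subsequent_prompt
auth sufficient pam_permit.so
auth required pam_deny.so
"""
SWAPPED = BROKEN.replace("wait_for_card card_only", "card_only wait_for_card")
```

Running check_smartcard_auth on BROKEN reproduces the report (card_only rejected, no wait_for_card prompt), while SWAPPED comes back clean because the ignored first argument happens to be the invalid one.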
should we just rebase to the latest upstream version or move the rhel6 patches forward?
On pam_pkcs11-0.6.2-15.el7.x86_64
1. "Require smartcard for login" is enabled in Sundry -> authentication -> Advanced options
2. In the login screen, if the card is removed it shows the list of users
3. Choose a local user
4. Prompts to insert the smart card
5. Smartcard is inserted
6. Prompts for pin
7. Pin is entered
8. Login fails twice and succeeds the third time

On RHEL 6, if "Require smartcard for login" was enabled, irrespective of whether the smartcard was inserted or removed, the list of users was never shown on the login screen. It kept prompting to insert the smartcard.
honestly that sounds like a gnome-shell login screen bug. In theory you could have a user in the list that was associated with the smartcard, so asking for the pin isn't wrong. But what happens next is that after a couple of retries it resets itself, notices the smartcard is inserted and then asks for the pin for the "right" user. That bug should probably be filed separately rather than failing qa for this bug.
filed a new bug based on comment 6 - https://bugzilla.redhat.com/show_bug.cgi?id=1063390

Verified this bug on pam_pkcs11-0.6.2-15.el7.x86_64
This request was resolved in Red Hat Enterprise Linux 7.0. Contact your manager or support representative in case you have further questions about the request.