Description Asha Akkiangady
2013-11-26 20:58:35 UTC
Description of problem:
Trying to log in to the desktop without a smart card shows a blank screen when configured with the smart card only option.
Version-Release number of selected component (if applicable):
pam_pkcs11-0.6.2-10.el7.x86_64
How reproducible:
Steps to Reproduce:
1. System authentication on this machine is
configured with userDatabase to LDAP server, kerberos support enabled, the
KDC information is provided and smart card support is enabled.
Use smart card: ON
Enforce smart card: ON
Log out behavior configured to: Ignore smart card removal
Login with smart card is successful.
# cat /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card card_only
auth optional pam_krb5.so use_first_pass no_subsequent_prompt
auth sufficient pam_permit.so
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account required pam_permit.so
password required pam_pkcs11.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
2. Try to login as a user without a smart card.
Actual results:
Upon entering user name a blank screen is shown.
/var/log/messages has this:
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: argument card_only is not supported by this module
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: no suitable token available
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: argument card_only is not supported by this module
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: no suitable token available
Nov 26 12:47:16 dhcp129-98 kernel: [ 376.483820] nf_conntrack: automatic helper assignment is deprecated and it will be removed soon. Use the iptables CT target to attach helpers instead.
Note: Inserting a smartcard at the blank screen does ask for the PIN, and the user is able to log in.
Expected results:
A message to enter smart card for the user.
Swapping the arguments "wait_for_card card_only" to "card_only wait_for_card" does request to insert a smart card when user name is entered.
# cat /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth [success=ok ignore=2 default=die] pam_pkcs11.so card_only wait_for_card
auth optional pam_krb5.so use_first_pass no_subsequent_prompt
auth sufficient pam_permit.so
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account required pam_permit.so
password required pam_pkcs11.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so umask=0077
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_krb5.so
Additional info:
<halfline_laptop> 1) pam_pkcs11 needs the patches that were in rhel6 moved to rhel7
<halfline_laptop> (or get rebased assuming the patches have been upstreamed)
Comment 2 Ray Strode [halfline]
2013-11-26 22:07:07 UTC
right, there are two issues
1) card_only isn't a valid option to pass to pam_pkcs11 (should be fixed in authconfig)
2) pam_pkcs11 currently ignores the first argument
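The check below is an added example, not part of the original bug report or of pam_pkcs11/authconfig. It parses a PAM stack (including bracketed controls and the "-" prefix), pulls rejected arguments out of the syslog lines, and lists the pam_pkcs11 options that do not take effect. The names parse_stack, ineffective_options and first_arg_ignored are hypothetical; first_arg_ignored models the behaviour stated in Comment 2.

```python
import re

# Sample input excerpted from the report above (not a complete file).
PAM_STACK = """\
auth required pam_env.so
auth [success=ok ignore=2 default=die] pam_pkcs11.so wait_for_card card_only
auth optional pam_krb5.so use_first_pass no_subsequent_prompt
password required pam_pkcs11.so
-session optional pam_systemd.so
"""
SYSLOG = """\
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: argument card_only is not supported by this module
Nov 26 12:47:14 dhcp129-98 gdm-smartcard]: no suitable token available
"""

# type, control (either "[k=v ...]" or a single word), module, remaining args
PAM_LINE = re.compile(r"^-?(?P<type>auth|account|password|session)\s+"
                      r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$")
REJECTED = re.compile(r"argument (\S+) is not supported by this module")

def parse_stack(text):
    """Return (type, module, [args]) per rule; comment lines do not match."""
    rules = []
    for line in text.splitlines():
        m = PAM_LINE.match(line.strip())
        if m:
            rules.append((m["type"], m["module"], m["args"].split()))
    return rules

def ineffective_options(stack_text, log_text, module="pam_pkcs11.so",
                        first_arg_ignored=True):
    """List (type, option, reason) for module options that have no effect.

    The log line names the PAM service, not the module, so a rejected
    argument is attributed to the module by matching it in the stack.
    """
    rejected = set(REJECTED.findall(log_text))
    findings = []
    for ptype, mod, args in parse_stack(stack_text):
        if mod != module:
            continue
        for i, arg in enumerate(args):
            if arg in rejected:
                findings.append((ptype, arg, "rejected in log"))
            elif first_arg_ignored and i == 0:  # assumption from Comment 2
                findings.append((ptype, arg, "first argument ignored"))
    return findings
```

With the swapped order from the report and no rejection in the log, the same check still reports card_only as the ignored first argument, so under Comment 2's description the swap restores the prompt without card_only being applied.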
Comment 3 Ray Strode [halfline]
2013-11-27 03:12:11 UTC
should we just rebase to the latest upstream version or move the rhel6 patches forward?
On pam_pkcs11-0.6.2-15.el7.x86_64
1. "Require smartcard for login" is enabled in Sundry -> authentication -> Advanced options
2. in the login screen, if the card is removed it shows the list of users
3. Choose a local user
4. Prompts to insert the smart card
5. Smartcard is inserted
6. prompts for pin
7. pin is entered
8. Login fails twice and succeeds the third time
On RHEL 6, if "Require smartcard for login" was enabled, irrespective of whether the smartcard is inserted or removed, the list of users is never shown on the login screen. It keeps prompting to insert the smartcard.
Comment 6 Ray Strode [halfline]
2014-02-07 22:03:15 UTC
honestly that sounds like a gnome-shell login screen bug. In theory you could have a user in the list that was associated with the smartcard, so asking for the pin isn't wrong. but what happens next is after a couple retries, it resets itself, notices the smartcard is inserted and then asks for the pin for the "right" user. that bug should probably be filed separately rather than failing qa for this bug
This request was resolved in Red Hat Enterprise Linux 7.0.
Contact your manager or support representative in case you have further questions about the request.