Bug 1260081 - smartcard removal/insertion not detected (7.2 beta)
smartcard removal/insertion not detected (7.2 beta)
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gnome-settings-daemon (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: rc
: ---
Assigned To: Rui Matos
Desktop QE
: Regression, TestBlocker
: 1251545 1259515 1272919 (view as bug list)
Depends On:
  Show dependency treegraph
Reported: 2015-09-04 07:52 EDT by adam winberg
Modified: 2017-07-03 11:03 EDT (History)
8 users (show)

See Also:
Fixed In Version: gnome-settings-daemon-3.14.4-9.el7
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2015-11-19 03:28:43 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
GNOME Bugzilla 751040 None None None Never

  None (edit)
Description adam winberg 2015-09-04 07:52:41 EDT
Description of problem:
We are using smartcard login which work quite well on RHEL7.1. When upgrading to 7.2 smartcard events does not work correctly. 

running gnome-settings-daemon in debug mode shows no detection of insertion or removal of smartcard - no output at all on these events, in fact.

Login via gdm (pam_pkcs11) and other tools such as pklogin_finder works.

Most noticable effect is that the screen does not lock on smartcard removal, despite gnome-settings-daemon being configured to do so. 

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Configure gnome-settings-daemon to lock screen on smart card removal
2. Log into gnome with smartcard.
3. Remove smartcard

Actual results:
Nothing happens

Expected results:
Screen lock.

Additional info:
Comment 4 adam winberg 2015-09-07 05:04:58 EDT
Running command

$ OPENSC_DEBUG=3 /usr/libexec/gnome-settings-daemon -r --debug 2>&1 

on a RHEL 7.1 machine yields a lot more output than on 7.2. On 7.1, the output line
"(gnome-settings-daemon:22222): smartcard-plugin-DEBUG: attempting to load NSS database '/etc/pki/nssdb'"

is followed by a lots and lots of opensc-pkcs11 debug output, indicating that the connection between gsd -> nss -> opensc -> card is actually working. 

on 7.2, there is no opensc debug output at all.
Comment 5 adam winberg 2015-09-07 06:48:23 EDT

pcscd in debug mode shows that smartcard insertion and removal is detected by pcscd:

Card inserted into Alcor Micro AU9540 ...
Card removed from Alcor Micro AU9549 ...
Comment 6 adam winberg 2015-09-08 07:03:20 EDT
to clarify, on 7.1 gsd debug output shows:

(gnome-settings-daemon:26374): smartcard-plugin-DEBUG: Getting list of suitable drivers
(gnome-settings-daemon:26374): smartcard-plugin-DEBUG: Activating driver 'OpenSC PKCS #11 Module'
(gnome-settings-daemon:26374): smartcard-plugin-DEBUG: watching for smartcard events

on 7.2, gsd output stops after:

(gnome-settings-daemon:26374): smartcard-plugin-DEBUG: Getting list of suitable drivers
Comment 7 adam winberg 2015-09-10 08:00:10 EDT
some more debugging...

in gsd-smartcard-manager.c gsd tries to get a list of all pkcs11 modules from nssdb, via
driver_list = SECMOD_GetDefaultModuleList();

in function 'activate_all_drivers_async'. However, this only returns one module for me, the "NSS Internal PKCS #11 Module". Even though I have the opensc module added in nssdb, this is never returned from SECMOD_GetDefaultModuleList(). 

content of my nssdb:
$ modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. p11-kit-trust
	library name: /usr/lib64/pkcs11/p11-kit-trust.so
	 slots: 2 slots attached
	status: loaded

	 slot: /etc/pki/ca-trust/source
	token: System Trust

	 slot: /usr/share/pki/ca-trust-source
	token: Default Trust

  3. OpenSC PKCS #11 Module
	library name: /usr/lib64/pkcs11/opensc-pkcs11.so
	 slots: 2 slots attached
	status: loaded

	 slot: Virtual hotplug slot

	 slot: Alcor Micro AU9540 00 00
	token: Instant EID IP9 (identification)

Not sure if I am doing something really stupid or if it's a bug in nss rather than gsd. 

I appreciate any pointers and will gladly provide more info if needed.
Comment 8 Ray Strode [halfline] 2015-09-10 13:11:12 EDT
*** Bug 1251545 has been marked as a duplicate of this bug. ***
Comment 9 adam winberg 2015-09-10 13:46:27 EDT
hm, just realized we use the nssdb sql format, so the above modutil command show contents of this. Don't know how gsd deals with this, but it works in 7.1. We have the env. variable NSS_DEFAULT_DB_TYPE set to 'sql', which should be enough to get the correct nssdb from gsd, no?
Comment 10 adam winberg 2015-09-10 13:48:13 EDT
I'm not authorized to view the bug which this one has been marked a duplicate of. Could someone enlighten me what that bug is about, or maybe make it public?
Comment 11 Ray Strode [halfline] 2015-09-10 14:01:25 EDT
Hi Adam, it was the other way around. we took an internal bug reported by QE and duplicated it to your bug since your bug is public.  The internal bug doesn't add any details you haven't already contributed.
Comment 12 Ray Strode [halfline] 2015-09-10 14:04:27 EDT
*** Bug 1259515 has been marked as a duplicate of this bug. ***
Comment 13 Ray Strode [halfline] 2015-09-10 15:41:49 EDT
so what's going on here is the sharing plugin in gnome-settings-daemon is using nm client api to initialize nss with insufficient flags.  then the smartcard plugin gets loaded later and its init function becomes a noop.

We can workaround this in the smartcard plugin by changing the init function it uses.
Comment 14 adam winberg 2015-09-11 02:16:02 EDT
ah, great!

Quick workaround for me right now is to disable the sharing plugin in gnome-settings-daemon.
Comment 16 Roshni 2015-09-14 13:02:25 EDT
Using gnome-settings-daemon-3.14.4-8.el7 I still the issue in the bug description. This is what I am trying

1. Configure using authconfig to lock screen on smart card removal
2. Log into gnome with smartcard.
3. Remove smartcard and the screen is not locked
Comment 17 Ray Strode [halfline] 2015-09-14 13:44:11 EDT
Thanks for the quick turnaround. I've reproduced the failure and see the problem.

I didn't notice during my own testing because I neglected to undo the workaround Adam alluded to in comment 14.

Will build fix shortly.
Comment 18 Michal Domonkos 2015-09-15 04:16:49 EDT
I just tried the new
and it really fixes the issue.  The screen now locks when the card is removed and the PIN prompt is displayed when putting it back.  Cool!
Comment 19 Roshni 2015-09-16 10:53:26 EDT

I see that the issue reported in this bug is working fine. But I see the following issue:

- Enable smartcard login
- Disable "Require smartcard for Login"
- Login using smartcard with kerberos user
- Lock the screen
- When the smartcard is not inserted, the kerberos password is prompted (no message to insert smartcard) and unlocks the screen when the password is provided.

Expected behavior is

A message is displayed to the user asking them to insert the smart card they used to login previously (Kerberos password should not be prompted)

I am marking the bug assigned, let me know if this issue is not related to this component.
Comment 20 Ray Strode [halfline] 2015-09-16 11:28:49 EDT
yup, please file that separately against gnome-shell
Comment 21 Roshni 2015-09-18 10:15:13 EDT
Thanks, I have opened a new bug https://bugzilla.redhat.com/show_bug.cgi?id=1263759
Comment 23 Ray Strode [halfline] 2015-10-21 08:45:43 EDT
*** Bug 1272919 has been marked as a duplicate of this bug. ***
Comment 25 errata-xmlrpc 2015-11-19 03:28:43 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.