Bug 1298253 - Screen lock prompts for smartcard user password and not smartcard pin when logged in using smartcard pin
Summary: Screen lock prompts for smartcard user password and not smartcard pin when lo...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.8
Hardware: Unspecified
OS: Linux
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Sumit Bose
QA Contact: Steeve Goveas
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-01-13 15:38 UTC by Roshni
Modified: 2020-05-02 18:17 UTC
CC: 9 users

Fixed In Version: sssd-1.13.3-11.el6
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-05-10 20:26:24 UTC
Target Upstream Version:
Embargoed:




Links:
- GitHub SSSD issue 3966 (closed): Add gnome-screensaver to the list of PAM services considered for Smartcard authentication. Last updated 2020-05-02 18:17:16 UTC.
- Red Hat Product Errata RHBA-2016:0782 (SHIPPED_LIVE, normal): sssd bug fix and enhancement update. Last updated 2016-05-10 22:36:00 UTC.

Description Roshni 2016-01-13 15:38:38 UTC
Description of problem:
Screen lock prompts for smartcard user password and not smartcard pin when logged in using smartcard pin

Version-Release number of selected component (if applicable):
sssd-1.13.3-1.el6

How reproducible:
always

Steps to Reproduce:
1. ipa-client-install (after the required configuration changes are made)
2. Create an ipa user and add the signing certificate on the smartcard to the ipa user
3. Change sssd.conf as follows

[pam]
pam_cert_auth = True

4. Login through gdm using the smartcard pin
5. Lock the screen

Actual results:
Locked screen prompts for smartcard user password.

Expected results:
Locked screen should prompt for smartcard pin.

Additional info:

Comment 2 Sumit Bose 2016-01-14 09:52:17 UTC
Created upstream ticket https://fedorahosted.org/sssd/ticket/2925

Comment 3 Jakub Hrozek 2016-01-20 08:27:45 UTC
* master: e9c42ec738c213bd5f351567c20d404a280b32d0
* sssd-1-13: 58e388cded594c64f9d094a2b3ac374bbd860fe5

Comment 5 Roshni 2016-01-21 16:19:58 UTC
[root@dhcp123-129 ~]# rpm -qi sssd
Name        : sssd                         Relocations: (not relocatable)
Version     : 1.13.3                            Vendor: Red Hat, Inc.
Release     : 11.el6                        Build Date: Thu 21 Jan 2016 04:19:26 AM EST
Install Date: Thu 21 Jan 2016 11:00:26 AM EST      Build Host: x86-032.build.eng.bos.redhat.com
Group       : Applications/System           Source RPM: sssd-1.13.3-11.el6.src.rpm
Size        : 35147                            License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://fedorahosted.org/sssd/
Summary     : System Security Services Daemon

[root@dhcp123-129 ~]# rpm -qi ipa-client
Name        : ipa-client                   Relocations: (not relocatable)
Version     : 3.0.0                             Vendor: Red Hat, Inc.
Release     : 50.el6                        Build Date: Thu 07 Jan 2016 03:55:55 AM EST
Install Date: Thu 14 Jan 2016 12:20:27 PM EST      Build Host: x86-032.build.eng.bos.redhat.com
Group       : System Environment/Base       Source RPM: ipa-3.0.0-50.el6.src.rpm
Size        : 318993                           License: GPLv3+
Signature   : (none)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
URL         : http://www.freeipa.org/
Summary     : IPA authentication for use on clients

Verification steps:

1. ipa-client-install --mkhomedir (after the required configuration changes are made)
2. Create an ipa user and add the signing certificate on the smartcard to the ipa user
3. Change sssd.conf as follows

[pam]
pam_cert_auth = True

4. Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1297034 as follows
/etc/pam.d/system-auth

#auth        required      pam_env.so
#auth        sufficient    pam_fprintd.so
#auth        sufficient    pam_unix.so nullok try_first_pass
#auth        requisite     pam_succeed_if.so uid >= 500 quiet
#auth        sufficient    pam_sss.so use_first_pass
#auth        required      pam_deny.so
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

/etc/pam.d/password-auth

#auth        required      pam_env.so
#auth        sufficient    pam_unix.so nullok try_first_pass
#auth        requisite     pam_succeed_if.so uid >= 500 quiet
#auth        sufficient    pam_sss.so use_first_pass
#auth        required      pam_deny.so
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

5. Workaround for https://bugzilla.redhat.com/show_bug.cgi?id=1299066 as follows

setsebool -P allow_ypbind true

6. Login through gdm using the smartcard pin (workaround for 
7. Lock the screen
8. Locked screen prompts for smartcard pin
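
The PAM stacks in the workaround above depend on control-flag semantics: `[default=1 success=ok] pam_localuser.so` jumps over `pam_unix.so` for users that are not in /etc/passwd, `[success=done ignore=ignore default=die] pam_unix.so` finishes the stack for local users one way or the other, and `pam_sss.so forward_pass` is what IPA users reach. The following is an added example, not code from this bug report, from SSSD or from Linux-PAM: a small Python model of how an `auth` stack is walked, run over the system-auth stack quoted above with constructed module results for a hypothetical local user and a hypothetical IPA user. The model assumes no fingerprint is enrolled and that uids are >= 1000, and it simplifies the jump action (`default=1`) to "skip the next module without touching the stack status".

```python
"""Toy model of how Linux-PAM walks an 'auth' stack. Module results are
constructed for hypothetical users; no real PAM module is called. The jump
action (N) is simplified to 'skip N modules, leave the status alone'."""

SUCCESS, AUTH_ERR, PERM_DENIED, IGNORE = (
    "PAM_SUCCESS", "PAM_AUTH_ERR", "PAM_PERM_DENIED", "PAM_IGNORE")

# Keyword controls expanded as documented in pam.conf(5).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "requisite":  {"success": "ok", "ignore": "ignore", "default": "die"},
    "sufficient": {"success": "done", "default": "ignore"},
    "optional":   {"success": "ok", "default": "ignore"},
}

# The 'auth' lines of the system-auth workaround quoted in this bug.
SYSTEM_AUTH = """
auth        required      pam_env.so
auth        sufficient    pam_fprintd.so
auth        [default=1 success=ok] pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so
"""

def parse_stack(text):
    """Return [(control, module), ...] for the 'auth' lines of a pam.d file.
    Bracketed controls such as [default=1 success=ok] may contain spaces."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] != "auth":
            continue
        if fields[1].startswith("["):
            end = next(i for i, f in enumerate(fields) if f.endswith("]"))
            control, module = " ".join(fields[1:end + 1]), fields[end + 1]
        else:
            control, module = fields[1], fields[2]
        stack.append((control, module))
    return stack

def action_for(control, result):
    """Map a module result to an action: ok, done, bad, die, ignore or N."""
    if control.startswith("["):
        table = dict(item.split("=") for item in control.strip("[]").split())
    else:
        table = KEYWORDS[control]
    key = result[len("PAM_"):].lower()          # PAM_AUTH_ERR -> auth_err
    return table.get(key, table.get("default", "ignore"))

def run_stack(stack, outcomes):
    """Walk the stack with the ok/done/bad/die/ignore rules of pam.conf(5).
    Returns (final_status, modules_consulted)."""
    status, negative, consulted, i = None, False, [], 0
    while i < len(stack):
        control, module = stack[i]
        result = outcomes[module]
        consulted.append(module)
        action = action_for(control, result)
        i += 1
        if action.isdigit():               # jump: skip N modules (simplified)
            i += int(action)
        elif action in ("ok", "done"):
            if not negative and status in (None, SUCCESS):
                if result != IGNORE or status is None:
                    status = result
            if action == "done" and not negative and status is not None:
                break                      # e.g. a 'sufficient' module succeeded
        elif action in ("bad", "die"):
            if not negative:
                negative, status = True, result
            if action == "die":
                break                      # stop without consulting later modules
        # 'ignore' contributes nothing to the stack status
    return (status if status is not None else AUTH_ERR), consulted

def outcomes_for(local_user, secret_ok):
    """Constructed per-module results for a hypothetical user (assumption,
    not real module behaviour): no fingerprint enrolled, uid >= 1000."""
    return {
        "pam_env.so": SUCCESS,
        "pam_fprintd.so": AUTH_ERR,
        "pam_localuser.so": SUCCESS if local_user else PERM_DENIED,
        "pam_unix.so": SUCCESS if local_user and secret_ok else AUTH_ERR,
        "pam_succeed_if.so": SUCCESS,
        "pam_sss.so": SUCCESS if (not local_user) and secret_ok else AUTH_ERR,
        "pam_deny.so": AUTH_ERR,
    }

def authenticate(local_user, secret_ok):
    """Evaluate the workaround stack for one hypothetical login attempt."""
    return run_stack(parse_stack(SYSTEM_AUTH), outcomes_for(local_user, secret_ok))

if __name__ == "__main__":
    for local, ok in ((False, True), (True, True), (True, False), (False, False)):
        status, consulted = authenticate(local, ok)
        who = "local user" if local else "IPA user"
        print(f"{who:10s} secret_ok={ok!s:5s} -> {status:15s} via {' -> '.join(consulted)}")
```

Running it shows the property the workaround is built on: an IPA user never reaches pam_unix (the jump skips it) and is decided by pam_sss, while a local user is decided by pam_unix alone, so a wrong local password stops at pam_unix and is never forwarded to sssd.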

Comment 6 Roshni 2016-01-21 20:25:07 UTC
I am changing the bug back to ASSIGNED:

I tried this scenario:

1. Login using ipa user password (no smartcard inserted)
2. After login, insert the smartcard
3. Lock the screen while the smartcard is in the inserted state

Locked screen prompts for smartcard pin and successfully accepts the smartcard pin to unlock the screen. 

The expected behaviour is ipa user password should be prompted for by the locked screen.

Comment 7 Sumit Bose 2016-01-22 07:56:36 UTC
This is currently expected behavior (as the other way round) as long as the Smartcard belongs to the user. What should be checked is that the password is prompted if the Smartcard of a different user is entered.

Comment 8 Martin Kosek 2016-01-25 11:11:45 UTC
Should the bug be moved back to ON_QA then?

Comment 9 Roshni 2016-01-25 17:21:32 UTC
Checked the case in comment 7 and seeing expected result. Marking the bug verified

Comment 11 errata-xmlrpc 2016-05-10 20:26:24 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-0782.html

