RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1448503 - allow empty responses from PAM modules at login screen
Summary: allow empty responses from PAM modules at login screen
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gnome-shell
Version: 7.4
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: Ray Strode [halfline]
QA Contact: Roshni
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2017-05-05 15:16 UTC by Ray Strode [halfline]
Modified: 2017-08-01 22:44 UTC (History)
7 users (show)

Fixed In Version: gnome-shell-3.22.3-15.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1448209
Environment:
Last Closed: 2017-08-01 22:44:12 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
GNOME Bugzilla 752739 0 None None None 2019-04-18 04:51:23 UTC
Red Hat Product Errata RHBA-2017:2098 0 normal SHIPPED_LIVE gnome-shell-extensions, gnome-shell, mutter bug fix and enhancement update 2017-08-01 19:36:42 UTC

Description Ray Strode [halfline] 2017-05-05 15:16:44 UTC 
+++ This bug was initially created as a clone of Bug #1448209 +++

--- Additional comment from Sumit Bose on 2017-05-05 05:44:20 EDT ---

Hi Ray,

thank you again for the very fast handling of this.

I have another question about a change in behavior I see. SSSD currently asks the user to enter the matching card and press enter to acknowledge this [1]. A  PAM_PROMPT_ECHO_OFF conversation is used for this and in 7.3 it was possible to just press enter to proceed.

With the 7.4 it looks like an empty input is not accepted and a different key has to be pressed first. Is this expected? Is there a way to allow empty inputs e.g. with a dconf setting?


[1] Since with SSSD the communication with the Smartcard is not done in the PAM client process but by a component of SSSD I picked this way to save resources on the client and SSSD side.

The alternative would be a busy-waiting client which shows a PAM_ERROR_MSG (PAM_TEXT_INFO messages are not displayed on this screen) and checks SSSD on a regular basis.

bye,
Sumit

--- Additional comment from Ray Strode [halfline] on 2017-05-05 11:14:43 EDT ---

We could could certainly change gnome-shell to allow empty responses from PAM modules. That would need to be filed as a separate gnome-shell bug, of course.  I'll just clone this one, I guess, and we can talk about it there.
Comment 2 Ray Strode [halfline] 2017-05-05 15:22:57 UTC 
As an aside, I feel like this is a bad user experience. Having to have the user both insert the smartcard and then confirm they inserted the smartcard is repetitive.  The system knows when a smartcard is inserted, so giving a good user experience is just a plumbing problem.  It should be possible to do this plumbing without busy-waiting or polling, though maybe it requires fixing the interface between sssd and pam_sss ?

PAM_TEXT_INFO messages should work fine. This is what pam_pkc11 does:

      if (login_token_name) {•
        sprintf(prompt,•
                _("Please insert your smart card called \"%.32s\"."),•
                login_token_name);•
        pam_prompt(pamh, PAM_TEXT_INFO, NULL, prompt);•
      } else {•
        pam_prompt(pamh, PAM_TEXT_INFO, NULL,•
                 _("Please insert your smart card."));•
      }•
...
      rv = wait_for_token(ph, configuration->slot_num,•
                          login_token_name, &slot_num);•

Anyway, regardless, we've regressed behavior from 7.3, so devack+ to mop the regression up.
Comment 3 Sumit Bose 2017-05-05 19:46:34 UTC 
I agree that the user experience can be improved here. But I also would like to try to use the resources efficiently.

Since gdm already waits for a Smartcard event my original idea was send the message to gdm with pam_prompt and then send a PAM return code which would have the same effect as the Cancel button so that gdm can continue waiting for a Smartcart to be inserted. But iirc I didn't found a suitable PAM return code for this.

About the interface between sssd and pam_sss, it is already possible to the send a request to SSSD and the waiting with poll() on the socket for a reply from SSSD. But so far didn't want to implement a waiting feature in SSSD's Smartcard component because the client (gdm) is already waiting on it. But of course this can be done as well.
Comment 4 Ray Strode [halfline] 2017-05-05 20:08:13 UTC 
(In reply to Sumit Bose from comment #3)

> Since gdm already waits for a Smartcard event my original idea was send the
> message to gdm with pam_prompt and then send a PAM return code which would
> have the same effect as the Cancel button so that gdm can continue waiting
> for a Smartcart to be inserted. But iirc I didn't found a suitable PAM
> return code for this.
well, actually GDM doesn't know about smartcard events at all really.  gnome-settings-daemon monitors smartcard state and exports it to the session, and gnome-shell uses that information to decide whether or not to ask GDM to start a smartcard authentication conversation (of course, depending on if it's an unlock screen or a login screen, gnome-shell may ask GDM to start a smartcard conversation in other cases too).

It would certainly be possible for gnome-shell to cancel the PAM conversation and start a fresh one when the user inserts a smartcard, but that's a bit of a hammer approach. It could lead to blinking messages and delays.  And remember, gnome-shell doesn't know exactly what smartcard is getting asked for.

> About the interface between sssd and pam_sss, it is already possible to the
> send a request to SSSD and the waiting with poll() on the socket for a reply
> from SSSD. But so far didn't want to implement a waiting feature in SSSD's
> Smartcard component because the client (gdm) is already waiting on it. But
> of course this can be done as well.
So SSSD isn't actively watching smartcard state at the moment?
Comment 5 Ray Strode [halfline] 2017-05-05 20:40:22 UTC 
(In reply to Ray Strode [halfline] from comment #4)

> And remember, gnome-shell doesn't know exactly what smartcard is
> getting asked for.
That's not really true I guess.  It knows what the login card is.
Comment 6 Sumit Bose 2017-05-10 19:21:14 UTC 
(In reply to Ray Strode [halfline] from comment #4)
> (In reply to Sumit Bose from comment #3)
> 

> > About the interface between sssd and pam_sss, it is already possible to the
> > send a request to SSSD and the waiting with poll() on the socket for a reply
> > from SSSD. But so far didn't want to implement a waiting feature in SSSD's
> > Smartcard component because the client (gdm) is already waiting on it. But
> > of course this can be done as well.
> So SSSD isn't actively watching smartcard state at the moment?

No, because I'm not sure if SSSD would be the right place. Maybe a DBus interface for pcscd would be more flexible? Maybe we should talk with other people like Bob, Nalin and Nikos what they think might be the best solution for this kind of service. If there is an agreement I won't mind implementing this as part of SSSD, but maybe pcscd itself or p11-kit might be good alternatives as well?

Btw, I came across another use case we have for accepting just hitting enter without entering anything else. In an environment where a single certificate can be mapped to multiple accounts (e.g. a personal account and an functional account like data base admin) SSSD can be configured to not only ask for the PIN but an optional "user name hint" to disambiguate the case where a certificate is mapped to multiple accounts. But a user who knows that his certificate is only mapped to a single account should be able to just skip the "user name hint". The same scheme is offered by AD this is why I use the term "user name hint" here as well.

Shall I ask out QE team to give QA_ACK+ to this ticket?
Comment 7 Ray Strode [halfline] 2017-05-10 20:40:56 UTC 
(In reply to Sumit Bose from comment #6)
> No, because I'm not sure if SSSD would be the right place.
Well, at the end of the day, I think anything that accesses smartcards should know when they're added and removed.  NSS provides an API to be told that information (SECMOD_WaitForAnyTokenEvent) which is what pam_pkcs11 and gnome-settings-daemon use.  I guess you could just use that too?

> Maybe a DBus interface for pcscd would be more flexible? 
I don't think it's necessarily true that all security tokens use pcscd.

> Btw, I came across another use case we have for accepting just hitting enter
> without entering anything else. In an environment where a single certificate
> can be mapped to multiple accounts (e.g. a personal account and an
> functional account like data base admin) SSSD can be configured to not only
> ask for the PIN but an optional "user name hint" to disambiguate the case
> where a certificate is mapped to multiple accounts. But a user who knows
> that his certificate is only mapped to a single account should be able to
> just skip the "user name hint". The same scheme is offered by AD this is why
> I use the term "user name hint" here as well.
why doesn't pam_sss check that the certificate only maps to one user account and just skip asking the question?

> Shall I ask out QE team to give QA_ACK+ to this ticket?
sure.
Comment 9 Sumit Bose 2017-06-06 09:09:18 UTC 
(In reply to Ray Strode [halfline] from comment #7)
> (In reply to Sumit Bose from comment #6)
...
> why doesn't pam_sss check that the certificate only maps to one user account
> and just skip asking the question?
> 

This would of course be possible but we were asked to do it like AD which has the optional user name prompt as can be seen e.g. in https://sbose.fedorapeople.org/sc/AD_SC_auth_2users.webm e.g. around time 4:20.
Comment 10 Ray Strode [halfline] 2017-06-06 15:46:46 UTC 
okay, that seems like a suboptimal user experience, but I guess it's neither here nor there.  we just need to fix mutter to support it regardless.
Comment 12 Roshni 2017-06-26 14:13:46 UTC 
[root@dhcp129-184 ~]# rpm -qi gnome-shell
Name        : gnome-shell
Version     : 3.22.3
Release     : 16.el7
Architecture: x86_64
Install Date: Mon 26 Jun 2017 07:50:42 AM MDT
Group       : User Interface/Desktops
Size        : 10177850
License     : GPLv2+
Signature   : (none)
Source RPM  : gnome-shell-3.22.3-16.el7.src.rpm
Build Date  : Thu 15 Jun 2017 08:58:11 AM MDT
Build Host  : x86-030.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : https://wiki.gnome.org/Projects/GnomeShell
Summary     : Window management and application launching for GNOME

After the required smartcard is entered and enter is pressed, the smartcard pin is prompted for.
Comment 13 errata-xmlrpc 2017-08-01 22:44:12 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2098
Note You need to log in before you can comment on or make changes to this bug.