Bug 1564339 - pam_sss failure with su using smart card
Summary: pam_sss failure with su using smart card
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: sssd
Version: 6.10
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2018-04-06 01:49 UTC by Scott Poore
Modified: 2018-04-26 14:40 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-04-26 14:40:49 UTC
Target Upstream Version:



Description Scott Poore 2018-04-06 01:49:13 UTC
Description of problem:

I am trying to set up a test for a RHEL6.10 client with a smart card to authenticate on an IPA client.  ssh with the card works but su does not:

[root@rhel6-3 etc]# !su
su - ipauser1 -c "su - ipauser1 -c whoami"
PIN for ipauser1-01 (MyEID) for user ipauser1
su: incorrect password

[root@rhel6-3 etc]# tail -3 /var/log/secure
Apr  3 19:06:06 rhel6-3 su: pam_sss(su-l:auth): authentication failure; logname=root uid=1784900527 euid=0 tty=pts/0 ruser=ipauser1 rhost= user=ipauser1
Apr  3 19:06:06 rhel6-3 su: pam_sss(su-l:auth): received for user ipauser1: 10 (User not known to the underlying authentication module)
Apr  3 19:06:06 rhel6-3 su: pam_unix(su-l:session): session closed for user ipauser1

Attached is full tail output of the sssd logs while running the su.  But, right before the failure, I see:

==> ./p11_child.log <==
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): Default Module List:
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): common name: [NSS Internal PKCS #11 Module].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): dll name: [(null)].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): common name: [OpenSC PKCS #11 Module].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): dll name: [opensc-pkcs11.so].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): Dead Module List:
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): DB Module List:
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): common name: [NSS Internal Module].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): dll name: [(null)].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): common name: [Policy File].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): dll name: [(null)].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): Description [NSS User Private Key and Certificate Services                   Mozilla Foundation              ^A] Manufacturer [Mozilla Foundation              ^A] flags [1].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): Description [NSS Internal Cryptographic Services                             Mozilla Foundation              ^A] Manufacturer [Mozilla Foundation              ^A] flags [1].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): Description [SCM SCR 3310 (53311651713564) 00 00                             Ludovic Rousseau                ^G] Manufacturer [Ludovic Rousseau                ^G] flags [7].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): Found [ipauser1-01 (MyEID)] in slot [SCM SCR 3310 (53311651713564) 00 00][0] of module [2].
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): Token is NOT friendly.
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): Login required.
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): Filtered certificates:
(Tue Apr  3 19:06:06 2018) [[sssd[p11_child[10078]]]] [do_work] (0x4000): No certificate found.

==> ./sssd_pam.log <==
(Tue Apr  3 19:06:06 2018) [sssd[pam]] [read_pipe_handler] (0x0400): EOF received, client finished
(Tue Apr  3 19:06:06 2018) [sssd[pam]] [parse_p11_child_response] (0x1000): No certificate found.
(Tue Apr  3 19:06:06 2018) [sssd[pam]] [pam_forwarder_cert_cb] (0x0020): No certificate returned, authentication failed.
(Tue Apr  3 19:06:06 2018) [sssd[pam]] [pam_reply] (0x0200): pam_reply called with result [10]: User not known to the underlying authentication module.

Version-Release number of selected component (if applicable):
This env is:
- RHEL6.10 IPA Master, 
- RHEL7.5 IPA Replica, and 
- RHEL6.10 client with sssd-1.13.3-60.el6.x86_64. 

How reproducible:
Unknown.  Seems to be reproducible.

Steps to Reproduce:
1.  Install IPA Server on RHEL6, and Replica on RHEL7.
2.  Install IPA Client on RHEL6.
3.  Setup Server and Client for Smart card authentication.
4.  Create certs for user with IPA CA and add to card
5.  su - ipauser1 -c "su - ipauser1 -c whoami"

Actual results:
su fails

Expected results:
su runs and returns whoami data.

Additional info:



And here's the pam configs:

[root@rhel6-3 ~]# cat /etc/pam.d/su
#%PAM-1.0
auth        sufficient    pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth       sufficient    pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth       required      pam_wheel.so use_uid
auth        include       system-auth
account     sufficient    pam_succeed_if.so uid = 0 use_uid quiet
account     include       system-auth
password    include       system-auth
session     include       system-auth
session     optional      pam_xauth.so

[root@rhel6-3 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#auth        required      pam_env.so
#auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdmdm:kdmscreensaver:gnome-screensaver:kscreensaver quiet use_uid
#auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so card_only
#auth        sufficient    pam_fprintd.so
# auth        sufficient    pam_unix.so nullok try_first_pass
#auth        requisite     pam_succeed_if.so uid >= 500 quiet
#auth        sufficient    pam_sss.so use_first_pass
#auth        required      pam_deny.so

auth        required      pam_env.so
auth        [default=1 success=ok] pam_localuser.so
#auth        sufficient pam_localuser.so
auth        [success=done ignore=ignore default=die] pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3 type=
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

And sssd:

[root@rhel6-3 ~]# cat /etc/sssd/sssd.conf
[domain/ipa.test]
debug_level = 10
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = ipa.test
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = rhel6-3.ipa.test
chpass_provider = ipa
ipa_server = _srv_, rhel6-2.ipa.test
ldap_tls_cacert = /etc/ipa/ca.crt
krb5_auth_timeout = 60

[sssd]
debug_level = 10
services = nss, sudo, pam, ssh, ifp
certificate_verification = no_ocsp
domains = ipa.test

[nss]
debug_level = 10
homedir_substring = /home

[pam]
debug_level = 10
pam_cert_auth=true
p11_child_timeout = 60

[sudo]
debug_level = 10

[autofs]
debug_level = 10

[ssh]
debug_level = 10

[pac]
debug_level = 10

[ifp]
debug_level = 10

[root@rhel6-3 ~]#

Comment 3 Scott Poore 2018-04-26 14:40:49 UTC
Determined the cause to be that there was some issue reading the pin from the card because I had not finalized the initialization on the card.

Per:

https://github.com/OpenSC/OpenSC/wiki/Aventra-MyEID-PKI-card

I needed to run pkcs15-init -F after creating the pin.  After that, it worked:

[root@rhel6-2 certuser]# pkcs15-init --erase-card --use-default-transport-keys
Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311651713564) 00 00

[root@rhel6-2 certuser]# pkcs15-init --create-pkcs15 --use-default-transport-keys \
>     --pin redhat --puk redhat --so-pin redhat --so-puk redhat
Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311651713564) 00 00

[root@rhel6-2 certuser]# pkcs15-init --store-pin --auth-id 01 --label certuser \
>     --so-pin redhat --pin redhat --puk redhat
Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311651713564) 00 00

[root@rhel6-2 certuser]# pkcs15-init --finalize
Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311651713564) 00 00

[root@rhel6-2 certuser]# pkcs15-init --store-private-key certuser.key \
>     --auth-id 01 --id 01 --label mycert --so-pin redhat --pin redhat
Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311651713564) 00 00

[root@rhel6-2 certuser]# pkcs15-init --store-certificate certuser.crt \
>     --auth-id 01 --id 01 --label mycert --format pem --so-pin redhat --pin redhat
Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311651713564) 00 00


[root@rhel6-3 certuser]# !su
su - certuser -c "su - certuser -c whoami"
PIN for certuser (MyEID) for user certuser
certuser


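The provisioning order that Comment 3 arrived at, written up as an added shell example (not part of the bug report, of sssd or of OpenSC). It assumes OpenSC's pkcs15-init and pkcs15-tool are installed and a single reader with a MyEID card is attached; the PIN, PUK and SO-PIN values are placeholders to be overridden from the environment. In the default dry-run mode it only prints the command list and checks that `--finalize` precedes the first `--store-private-key`, which is the step the reporter found missing; with DRY_RUN=0 it runs the same sequence against the card and then reads the PIN and certificate objects back, since that read-back is what p11_child must be able to do before it prompts for a PIN.

```shell
#!/bin/bash
# Added example (not from the bug report or OpenSC): provision an Aventra MyEID
# card in the order Comment 3 arrived at, with `pkcs15-init --finalize` run
# before any key or certificate is stored. Assumes OpenSC's pkcs15-init and
# pkcs15-tool are installed and one reader with a MyEID card is attached.
# PIN/PUK values are placeholders; override them from the environment.
set -u

DRY_RUN="${DRY_RUN:-1}"            # 1 = only print the commands, 0 = run them
AUTH_ID="${AUTH_ID:-01}"           # PIN object id, as in the report
KEY_ID="${KEY_ID:-01}"             # key/cert object id, as in the report
LABEL="${LABEL:-certuser}"
SO_PIN="${SO_PIN:-placeholder-so-pin}"
SO_PUK="${SO_PUK:-placeholder-so-puk}"
PIN="${PIN:-placeholder-pin}"
PUK="${PUK:-placeholder-puk}"

# run CMD...: print the command line in dry-run mode, execute it otherwise.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# provision_card KEYFILE CERTFILE: the six pkcs15-init steps, in order.
provision_card() {
    keyfile="$1"
    certfile="$2"
    run pkcs15-init --erase-card --use-default-transport-keys
    run pkcs15-init --create-pkcs15 --use-default-transport-keys \
        --pin "$PIN" --puk "$PUK" --so-pin "$SO_PIN" --so-puk "$SO_PUK"
    run pkcs15-init --store-pin --auth-id "$AUTH_ID" --label "$LABEL" \
        --so-pin "$SO_PIN" --pin "$PIN" --puk "$PUK"
    # The step that was missing in the report: the reporter traced the failure
    # to the PIN not being readable from an unfinalized card, which p11_child
    # logged as "Login required" followed by "No certificate found" and
    # pam_sss reported as "User not known to the underlying authentication module".
    run pkcs15-init --finalize
    run pkcs15-init --store-private-key "$keyfile" --auth-id "$AUTH_ID" \
        --id "$KEY_ID" --label mycert --so-pin "$SO_PIN" --pin "$PIN"
    run pkcs15-init --store-certificate "$certfile" --auth-id "$AUTH_ID" \
        --id "$KEY_ID" --label mycert --format pem --so-pin "$SO_PIN" --pin "$PIN"
}

# verify_card: list the PIN and certificate objects without presenting a PIN,
# which is what p11_child needs to do before it asks the user for one.
verify_card() {
    run pkcs15-tool --list-pins
    run pkcs15-tool --list-certificates
}

# finalize_before_keys: read a command list on stdin; succeed only when
# --finalize is present and precedes the first --store-private-key.
finalize_before_keys() {
    awk '
        /--finalize/          { fin = NR }
        /--store-private-key/ { key = NR; exit }
        END { exit !(fin > 0 && (key == 0 || fin < key)) }
    '
}

# Stand-alone use: DRY_RUN=0 ./provision-myeid.sh certuser.key certuser.crt
# The ordering check always runs on the dry-run command list first.
if [ "$#" -eq 2 ]; then
    ( DRY_RUN=1; provision_card "$1" "$2" ) | finalize_before_keys || exit 1
    provision_card "$1" "$2"
    verify_card
fi
```

Passing PINs as command-line options, as the transcript in Comment 3 does, leaves them visible in the process list and shell history; for anything beyond a throwaway test card, leave the `--pin`/`--so-pin` options off and let pkcs15-init prompt for them interactively.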