Bug 1636059

Summary: opensc does not prompt for pin while doing "su - "
Product: Red Hat Enterprise Linux 7
Version: 7.6
Component: opensc
Reporter: amitkuma
Assignee: Jakub Jelen <jjelen>
QA Contact: Asha Akkiangady <aakkiang>
CC: amitkuma
Status: CLOSED INSUFFICIENT_DATA
Severity: unspecified
Priority: unspecified
Target Milestone: rc
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Type: Bug
Last Closed: 2018-11-20 09:38:06 UTC

Description amitkuma 2018-10-04 11:09:44 UTC
Description of problem:
Customer followed https://access.redhat.com/articles/3034441 for converting from coolkey to opensc.

Customer can ssh as the AD user using a smart card.

But "su - ad-user" fails without asking for a PIN.

//system-auth
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=600 fail_interval=900
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_faillock.so authfail deny=5 unlock_time=600 fail_interval=900
auth        required      pam_deny.so

account     required      pam_access.so listsep=,
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=1 minlen=8 lcredit=-1 dcredit=-1 ucredit=-1 difok=0
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so


//password-auth
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        required      pam_faillock.so preauth silent deny=5 unlock_time=600 fail_interval=900
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_access.so listsep=,
account     required      pam_faillock.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass retry=1 minlen=8 lcredit=-1 dcredit=-1 ucredit=-1 difok=0
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok

auth        required      pam_faillock.so authfail deny=5 unlock_time=600 fail_interval=900

password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so skel=/etc/skel/ umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

//su-l
auth            include         su
account         include         su
password        include         su
session         optional        pam_keyinit.so force revoke
session         include         su


/etc/pam_pkcs11/pam_pkcs11.conf
use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_num = 0;

    # Path to the directory where the NSS CA certificate database is stored.
    # you can mange the certs in this database with the certutil command in
    # the package nss-tools
    nss_dir = /etc/pki/nssdb;

    # Path to the directory where the CA certificates are stored. The
    # directory must contain an openssl hash-link to each certificate.
    # The default value is /etc/pam_pkcs11/cacerts.
    # ca_dir = /etc/pam_pkcs11/cacerts;

    # Path to the directory where the CRLs are stored. The directory
    # must contain an openssl hash-link to each CRL. The default value
    # is /etc/pam_pkcs11/crls.
    # crl_dir = /etc/pam_pkcs11/crls;

    # Sets the Certificate Policy, (see above)
    #cert_policy = ca, signature;
    cert_policy = ca, ocsp_on, signature;

  }


Version-Release number of selected component (if applicable):
opensc-0.16.0-8.20170227git777e2a3.el7.x86_64  
openscap-1.2.16-8.el7_5.x86_64         
openscap-scanner-1.2.16-8.el7_5.x86_64

How reproducible:
Every time in the customer environment.

Steps to Reproduce:
1. Insert Smart card
2. Run "su - "
3. opensc does not prompt for a PIN

Actual results:
A password prompt appears.

Expected results:
PIN should be prompted.

Additional info:
configuration, logs at:
https://foobar.gsslab.pnq.redhat.com/02153659
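The files posted above only show what each file contains; what PAM actually runs for "su -" is the auth stack after every include/substack directive has been followed (su-l includes su, and on a stock RHEL 7 su pulls in system-auth). The script below is an added example, not code from this report, from OpenSC or from Red Hat. It resolves that stack the way Linux-PAM does and reports whether any module that can prompt for a smart-card PIN is present in the auth phase. It runs offline over constructed copies of the posted su-l and system-auth auth lines plus an assumed /etc/pam.d/su (the report does not show that file; the two auth lines used here are modelled on the RHEL 7 default). The pam_pkcs11.so line that with_pkcs11() inserts is illustrative, modelled on what authconfig --enablesmartcard writes on RHEL 7; whether that is the right fix for this customer is not something the report establishes.

```python
"""Resolve the PAM auth stack that `su -` actually runs and look for a PIN module.

Added example, not code from the bug report, OpenSC or Red Hat. It follows
`include`/`substack` directives the way Linux-PAM does, then reports whether any
module that can prompt for a smart-card PIN is in the `auth` phase. The sample
files are constructed: the su-l and system-auth auth lines posted in the report,
plus an ASSUMED stock RHEL 7 /etc/pam.d/su, which the report does not show.
"""
import os
import tempfile

# pam_pkcs11.so is what the posted pam_pkcs11.conf configures. pam_sss.so can
# also prompt for a PIN, but only when SSSD is configured for smart cards, which
# the report does not state, so it is not counted here.
PIN_MODULES = {"pam_pkcs11.so"}

SAMPLE_PAM_D = {
    "su-l": "auth            include         su\n",          # as posted (auth line)
    "su": (                                                    # ASSUMED stock RHEL 7, auth lines only
        "auth            sufficient      pam_rootok.so\n"
        "auth            substack        system-auth\n"
    ),
    "system-auth": (                                           # as posted, auth lines only
        "auth        required      pam_env.so\n"
        "auth        required      pam_faildelay.so delay=2000000\n"
        "auth        required      pam_faillock.so preauth silent deny=5 unlock_time=600 fail_interval=900\n"
        "auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet\n"
        "auth        [default=1 ignore=ignore success=ok] pam_localuser.so\n"
        "auth        sufficient    pam_unix.so nullok try_first_pass\n"
        "auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success\n"
        "auth        sufficient    pam_sss.so forward_pass\n"
        "auth        required      pam_faillock.so authfail deny=5 unlock_time=600 fail_interval=900\n"
        "auth        required      pam_deny.so\n"
    ),
}


def parse_line(line):
    """Return (phase, control, module, args) for one pam.d line, or None."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("-"):          # "-session ..." only silences module-load errors
        line = line[1:]
    parts = line.split()
    if parts[1].startswith("["):      # bracketed control values contain spaces
        end = next(i for i, p in enumerate(parts) if p.endswith("]"))
        control, rest = " ".join(parts[1:end + 1]), parts[end + 1:]
    else:
        control, rest = parts[1], parts[2:]
    return parts[0], control, rest[0], rest[1:]


def resolve_stack(pam_dir, service, phase, depth=0):
    """Flatten include/substack directives; return [(control, module, args)]."""
    if depth > 8:
        raise RuntimeError("include loop at " + service)
    stack = []
    with open(os.path.join(pam_dir, service)) as fh:
        for raw in fh:
            parsed = parse_line(raw)
            if parsed is None or parsed[0] != phase:
                continue
            _, control, module, args = parsed
            if control in ("include", "substack"):
                # Both splice in the named file's lines for this phase; substack
                # only scopes jump counts differently, irrelevant for "is it there".
                stack.extend(resolve_stack(pam_dir, module, phase, depth + 1))
            else:
                stack.append((control, module, args))
    return stack


def write_pam_d(files):
    """Write the constructed pam.d files to a temp dir; return its path."""
    d = tempfile.mkdtemp(prefix="pam.d-")
    for name, body in files.items():
        with open(os.path.join(d, name), "w") as fh:
            fh.write(body)
    return d


def audit(files, service="su-l"):
    """Return (pin_module_present, [module names]) for the service's auth stack."""
    stack = resolve_stack(write_pam_d(files), service, "auth")
    modules = [m for _, m, _ in stack]
    return any(m in PIN_MODULES for m in modules), modules


def with_pkcs11(system_auth):
    """Illustrative fix: pam_pkcs11.so ahead of pam_unix.so, the position
    authconfig --enablesmartcard uses on RHEL 7 (assumed, not from the report)."""
    out = []
    for line in system_auth.splitlines():
        if line.startswith("auth") and "pam_unix.so" in line:
            out.append("auth        [success=done ignore=ignore default=die] "
                       "pam_pkcs11.so nodebug wait_for_card")
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    fixed = dict(SAMPLE_PAM_D, **{"system-auth": with_pkcs11(SAMPLE_PAM_D["system-auth"])})
    for label, files in (("as posted", SAMPLE_PAM_D), ("with pam_pkcs11.so", fixed)):
        present, modules = audit(files)
        print(f"{label:<20} PIN module in auth: {present}")
        print("    " + " -> ".join(modules))
```

Run as posted, the resolved auth stack for su-l is pam_rootok.so followed by the ten system-auth modules, and no pam_pkcs11.so appears anywhere in it. PAM only loads modules listed in the stack, so the card is never consulted and the first interactive module (pam_unix.so) asks for a password, which matches the "Actual results" above. To turn this into a check on the customer's box, point resolve_stack() at /etc/pam.d and compare the auth stacks of sshd (which works for this user) and su-l.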

Comment 2 Jakub Jelen 2018-10-04 13:13:16 UTC
I do not have access to the additional info. Can you share it with me or grant me access there?

Comment 4 amitkuma 2019-10-28 11:33:59 UTC
Customer case closed, Clearing the flag.