Description of problem:

Certificate Present on Smart card:

# /usr/bin/openssl x509 -in cert-prasad.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17 (0x11)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=gsslab.pnq2.redhat.com Security Domain, OU=pki-tomcat, CN=CA Signing Certificate
        Validity
            Not Before: Sep 25 08:16:01 2018 GMT
            Not After : Sep 24 08:16:01 2023 GMT
        Subject: O=Token Key User/UID=prasad
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:83:b8:ea:1f:a9:74:dc:4a:43:a9:6c:72:d5:46:
                    4a:67:09:ab:de:33:d4:40:07:32:d6:19:3f:f6:ab:
                    03:57:bd:6d:5a:e7:74:f6:56:c0:5e:b7:be:bd:b3:
                    58:bb:52:c6:5b:22:30:68:a0:e1:9b:61:7e:94:bf:
                    f9:d8:4b:70:29:85:71:c3:b0:1a:33:92:2f:89:fd:
                    e7:16:b7:15:e7:51:45:4c:3a:b2:94:36:9a:d5:89:
                    67:e9:ea:f4:45:97:38:93:81:f5:4e:ee:ef:2a:67:
                    3a:e5:81:d5:ce:e1:0d:07:c3:c7:7d:38:22:19:18:
                    46:f4:8e:42:74:28:67:cc:25
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Key Usage: critical
                Key Encipherment
            X509v3 Subject Alternative Name:
                email:$request.mail$
            X509v3 Subject Key Identifier:
                01:84:DF:58:D0:D2:A0:BC:82:C3:DE:55:4F:CE:4A:BD:6C:D4:92:B0
            X509v3 Authority Key Identifier:
                keyid:85:C1:17:3F:38:A1:E7:57:72:33:5A:52:9B:5A:98:63:8D:9B:EA:CF
            X509v3 Basic Constraints:
                CA:FALSE
    Signature Algorithm: sha256WithRSAEncryption
         a0:fc:99:9e:fb:05:33:bc:b0:0d:93:4f:72:98:b4:0c:a3:5c:
         9b:2d:ea:e5:f5:d8:f5:af:b5:82:e4:71:49:8b:38:94:99:65:
         70:8f:14:9c:e9:ee:57:75:26:a3:95:5c:de:39:a7:7c:62:33:
         74:0a:e5:50:d2:86:30:f5:00:90:4a:68:ea:c8:9a:c2:76:ae:
         29:8f:40:3b:0f:e8:35:fc:e3:e0:39:9d:db:a8:44:68:34:85:
         a6:3c:2d:5b:43:83:23:85:f0:58:20:15:45:7e:eb:52:16:34:
         29:c4:9e:43:ae:76:28:08:41:f0:e8:65:44:18:f3:e6:8d:18:
         e1:10:22:2d:dc:22:1a:0d:4c:b2:9c:9c:0c:df:ce:a1:56:41:
         2c:04:e6:54:7b:42:16:bb:db:91:67:98:ea:eb:b3:fc:0f:54:
         6d:36:5c:61:f7:9a:ce:04:da:2e:2b:31:44:e6:ba:70:cd:5a:
         90:2f:d5:88:29:22:b0:c3:ca:d7:0c:57:c8:68:92:a5:32:d8:
         ac:80:a1:33:47:47:f8:4a:82:71:f0:30:0e:ee:f6:25:2d:4c:
         3c:43:74:6e:ee:b3:5d:77:f2:5d:9f:6d:ce:28:48:05:21:25:
         07:e4:d5:d3:27:3d:45:14:d1:8a:25:35:8e:bd:dd:c1:a6:96:
         6d:39:ea:e2

[root@localhost ~]# cat /etc/sssd/sssd.conf
[sssd]
domains = sysfiles
services = nss,pam
debug level = 10

[pam]
pam_cert_auth =True
debug level = 10

[domain/sysfiles]
id_provider = files
debug level = 10

[certmap/sysfiles/prasad]
;matchrule = <SUBJECT>,*CN=prasad.*
matchrule = <SUBJECT>,*CN=O=Token Key User/UID=prasad.*
[root@localhost ~]#

[root@localhost ~]# service sssd status
Redirecting to /bin/systemctl status sssd.service
● sssd.service - System Security Services Daemon
   Loaded: loaded (/usr/lib/systemd/system/sssd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2018-12-03 18:28:24 IST; 5min ago
 Main PID: 3809 (sssd)
    Tasks: 4 (limit: 4687)
   Memory: 32.0M
   CGroup: /system.slice/sssd.service
           ├─3809 /usr/sbin/sssd -i --logger=files
           ├─3810 /usr/libexec/sssd/sssd_be --domain sysfiles --uid 0 --gid 0 --logger=files
           ├─3811 /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
           └─3812 /usr/libexec/sssd/sssd_pam --uid 0 --gid 0 --logger=files

Dec 03 18:28:24 localhost.localdomain systemd[1]: Starting System Security Services Daemon...
Dec 03 18:28:24 localhost.localdomain sssd[3809]: Starting up
Dec 03 18:28:24 localhost.localdomain sssd[be[sysfiles]][3810]: Starting up
Dec 03 18:28:24 localhost.localdomain sssd[nss][3811]: Starting up
Dec 03 18:28:24 localhost.localdomain sssd[pam][3812]: Starting up
Dec 03 18:28:24 localhost.localdomain systemd[1]: Started System Security Services Daemon.
[root@localhost ~]#

[root@localhost sssd]# authselect current
Profile ID: sssd
Enabled features:
- with-mkhomedir
- with-smartcard
[root@localhost sssd]#

/etc/passwd
prasad:x:1002:1002::/home/prasad:/bin/bash

# ls -ltr /etc/sssd/pki/sssd_auth_ca_db.pem
-rw-r--r-- 1 root root 1449 Dec 1 19:37 /etc/sssd/pki/sssd_auth_ca_db.pem
[root@localhost sssd]#

Version-Release number of selected component (if applicable):

# rpm -qa | grep sssd
sssd-2.0.0-3.fc29.x86_64
sssd-krb5-common-2.0.0-3.fc29.x86_64
sssd-ipa-2.0.0-3.fc29.x86_64
sssd-nfs-idmap-2.0.0-3.fc29.x86_64
sssd-client-2.0.0-3.fc29.x86_64
sssd-proxy-2.0.0-3.fc29.x86_64
sssd-common-pac-2.0.0-3.fc29.x86_64
sssd-krb5-2.0.0-3.fc29.x86_64
sssd-kcm-2.0.0-3.fc29.x86_64
sssd-common-2.0.0-3.fc29.x86_64
sssd-ad-2.0.0-3.fc29.x86_64
python3-sssdconfig-2.0.0-3.fc29.noarch
sssd-ldap-2.0.0-3.fc29.x86_64
[root@localhost ~]#

How reproducible:
Always

Steps to Reproduce:
1. Created sssd.conf as mentioned above
2. Configured authselect for 'sssd-with-mkhomedir', 'with-smartcard'
3. Copied CA file to /etc/sssd/pki
4. Added local user and added certmap section.
5. Logged out, but GDM does not prompt for PIN.

Actual results:
PIN not prompted on GDM

Expected results:
PIN should be prompted.

Additional info:
There is no authentication attempt recorded in sssd_pam. Did you restart gdm after calling authselect? What does the PAM configuration look like? Does it work with su?
Dear sumit.

Thanks for response.

I restarted gdm.
# service gdm restart
Restarted server.
But on console nothing, PIN not asked.

> Does it work with su?
test-user# su - prasad
does not prompt for pin.

selinux is disabled.

/etc/system-auth
# Generated by authselect on Tue Dec 4 17:26:13 2018
# Do not modify this file manually.

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

/etc/password-auth
# Generated by authselect on Tue Dec 4 17:26:13 2018
# Do not modify this file manually.

auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth        [default=1 ignore=ignore success=ok] pam_localuser.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_sss.so forward_pass
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    sufficient    pam_sss.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so

/etc/smartcard-auth
# Generated by authselect on Tue Dec 4 17:26:13 2018
# Do not modify this file manually.

auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     optional      pam_oddjob_mkhomedir.so umask=0077
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
(In reply to amitkuma from comment #5)
> Dear sumit.
> Thanks for response.
>
> I restarted gdm.
> # service gdm restart
> Restarted server.
> But on console nothing, PIN not asked.
>
> > Does it work with su?
> test-user# su - prasad
> does not prompt for pin.
>

It's the other way round, you have to call su as user prasad. Does this prompt for a PIN? If not, can you attach the SSSD logs and /var/log/secure or the journal output covering the su attempt?
Hey sumit,

My bad. After adding the opensc module to nssdb, it's gone on to asking for the PIN on GDM.

# modutil -add libopensc -libfile /usr/lib64/opensc-pkcs11.so -dbdir /etc/pki/nssdb

This may be a good thing to include in the documentation.

But now the GDM prompt flickers; it's not allowing me to enter the PIN either, just flickering:
"Sorry that didn't work. Please try again."
and when I click cancel:
"Authentication Error"

# useradd prasad

# sssd.conf
[sssd]
domains = amit
services = nss, pam
certificate_verification = no_verification
certificate_verification = no_ocsp
debug_level = 10

[pam]
debug_level = 10
pam_cert_auth = True

[nss]
debug_level = 10

[domain/amit]
id_provider = files
debug_level = 10

[certmap/amit/prasad]
matchrule = <SUBJECT>.*CN=prasad.*

# authselect select sssd with-mkhomedir with-smartcard
<succeed>

# My smart-card user certificate:
# /usr/bin/openssl x509 -in /root/cert-prasad.pem -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 17 (0x11)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=gsslab.pnq2.redhat.com Security Domain, OU=pki-tomcat, CN=CA Signing Certificate
        Validity
            Not Before: Dec 20 06:16:31 2018 GMT
            Not After : Dec 19 06:16:31 2023 GMT
        Subject: CN=prasad, O=Token Key User/UID=prasad
        Subject Public Key Info:

I find "Section [certmap/amit/prasad] is not allowed" in sssd.log?

# cd /var/log/sssd
# grep -r . -e prasad
./sssd_amit.log:(Wed Dec 26 16:52:52 2018) [sssd[be[amit]]] [sysdb_delete_recursive] (0x4000): Trying to delete [name=prasad@amit,cn=users,cn=amit,cn=sysdb].
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [enum_files_users] (0x1000): User found (prasad, x, 1005, 1005, , /home/prasad, /bin/bash)
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [sysdb_store_user] (0x1000): User prasad@amit does not exist.
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [sysdb_ldb_msg_difference] (0x2000): Added attr [isPosix] to entry [name=prasad@amit,cn=users,cn=amit,cn=sysdb]
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [sysdb_set_entry_attr] (0x0200): Entry [name=prasad@amit,cn=users,cn=amit,cn=sysdb] has set [cache, ts_cache] attrs.
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [sysdb_store_user] (0x0400): User "prasad@amit" has been stored
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [sysdb_delete_recursive] (0x4000): Trying to delete [name=prasad@amit,cn=groups,cn=amit,cn=sysdb].
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [enum_files_groups] (0x1000): Group found (prasad, 1005)
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [sysdb_check_ts_cache] (0x2000): Cannot find TS cache entry for [name=prasad@amit,cn=groups,cn=amit,cn=sysdb]: [2]: No such file or directory
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [sysdb_store_group] (0x1000): Group prasad@amit does not exist.
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [sysdb_ldb_msg_difference] (0x2000): Added attr [isPosix] to entry [name=prasad@amit,cn=groups,cn=amit,cn=sysdb]
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [sysdb_set_entry_attr] (0x0200): Entry [name=prasad@amit,cn=groups,cn=amit,cn=sysdb] has set [cache, ts_cache] attrs.
./sssd_amit.log:(Wed Dec 26 16:52:53 2018) [sssd[be[amit]]] [sysdb_store_group] (0x0400): Group "prasad@amit" has been stored
./sssd.log:(Wed Dec 26 16:52:52:802291 2018) [sssd] [sss_ini_call_validators] (0x0020): [rule/allowed_sections]: Section [certmap/amit/prasad] is not allowed. Check for typos.   <<<<<<<<<
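A check worth running before suspecting the daemon, added here as an example that is not part of this bug report or of SSSD itself: parse the [certmap/<domain>/<name>] sections of an sssd.conf, confirm each one refers to a configured domain and carries a matchrule that compiles, and then try the rule against the subject strings of the two certificates shown in this thread (the first has no CN component at all, the second has CN=prasad). The config text, the RFC 4514 rendering of the DNs and the regex engine (Python's re standing in for the POSIX ERE that sss-certmap(5) specifies) are assumptions; the code does not reproduce the sssd validator that emitted the "Section ... is not allowed" line.

```python
import configparser
import re

# Constructed sssd.conf modelled on the one in this thread (not the
# reporter's file verbatim): a `files` domain with a single certmap section.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = amit
services = nss, pam

[pam]
pam_cert_auth = True

[domain/amit]
id_provider = files

[certmap/amit/prasad]
matchrule = <SUBJECT>.*CN=prasad.*
"""

# Issuer/subject strings of the two certificates from the thread, written in
# RFC 4514 form (most specific RDN first). That string form is an assumption
# about how SSSD renders the DN before matching; check sss-certmap(5).
ISSUER_DN = "CN=CA Signing Certificate,OU=pki-tomcat,O=gsslab.pnq2.redhat.com Security Domain"
SUBJECT_WITHOUT_CN = "O=Token Key User/UID=prasad"            # first certificate
SUBJECT_WITH_CN = "CN=prasad,O=Token Key User/UID=prasad"    # re-issued certificate

KEYWORD_RE = re.compile(r"<(SUBJECT|ISSUER)>")


def parse_matchrule(rule):
    """Split '<ISSUER>re<SUBJECT>re' into {'ISSUER': re, 'SUBJECT': re}.

    Only <SUBJECT> and <ISSUER> are handled; the other keywords that
    sss-certmap(5) defines (<KU>, <EKU>, <SAN>) are rejected by this helper.
    """
    tokens = KEYWORD_RE.split(rule.strip())   # ['', 'SUBJECT', '.*CN=prasad.*']
    if tokens[0]:
        raise ValueError("matchrule must start with <SUBJECT> or <ISSUER>: %r" % rule)
    return {tokens[i]: tokens[i + 1] for i in range(1, len(tokens), 2)}


def check_certmap_sections(conf_text):
    """Validate every [certmap/<domain>/<name>] section of an sssd.conf.

    Returns (issues, rules): issues is a list of readable problems, rules maps
    (domain, name) to the parsed matchrule parts.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(conf_text)
    domains = [d.strip() for d in cp.get("sssd", "domains", fallback="").split(",") if d.strip()]
    issues, rules = [], {}
    for section in cp.sections():
        if not section.startswith("certmap/"):
            continue
        fields = section.split("/")
        if len(fields) != 3 or not all(fields):
            issues.append("[%s]: expected [certmap/<domain>/<name>]" % section)
            continue
        _, domain, name = fields
        if domain not in domains:
            issues.append("[%s]: domain %r is not listed in [sssd] domains" % (section, domain))
        if not cp.has_section("domain/%s" % domain):
            issues.append("[%s]: no [domain/%s] section" % (section, domain))
        rule = cp.get(section, "matchrule", fallback=None)
        if rule is None:
            issues.append("[%s]: no matchrule" % section)
            continue
        try:
            parts = parse_matchrule(rule)
            for pattern in parts.values():
                re.compile(pattern)
        except (ValueError, re.error) as exc:
            issues.append("[%s]: bad matchrule: %s" % (section, exc))
            continue
        rules[(domain, name)] = parts
    return issues, rules


def users_matching_cert(rules, subject_dn, issuer_dn):
    """Return the (domain, name) keys whose every rule part matches the cert."""
    dns = {"SUBJECT": subject_dn, "ISSUER": issuer_dn}
    hits = [key for key, parts in rules.items()
            if all(re.search(pattern, dns[kw]) for kw, pattern in parts.items())]
    return sorted(hits)


if __name__ == "__main__":
    problems, certmap = check_certmap_sections(SAMPLE_SSSD_CONF)
    print("issues:", problems)
    print("cert with CN matches:", users_matching_cert(certmap, SUBJECT_WITH_CN, ISSUER_DN))
    print("cert without CN matches:", users_matching_cert(certmap, SUBJECT_WITHOUT_CN, ISSUER_DN))
```

Run against the reporter's real sssd.conf by reading the file into `check_certmap_sections`; an empty issue list plus a non-empty match for the card's subject means the mapping side is consistent and the investigation can move to the PAM stack and the PKCS#11 module setup.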
I'm having similar problems getting GDM to prompt for smartcard login. On a freshly installed F29 system with smartcard auth enabled, gdm does not react at all to my yubikey being inserted. I've not changed the modutil config:

modutil -list -dbdir /etc/pki/nssdb
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal Crypto Services
           uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.43
         slots: 1 slot attached
        status: loaded

         slot: NSS FIPS 140-2 User Private Key Services
        token: NSS FIPS 140-2 Certificate DB
          uri: pkcs11:token=NSS%20FIPS%20140-2%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: Yubico YubiKey OTP+FIDO+CCID 00 00
        token: Orion Poplawski
          uri: pkcs11:token=Orion%20Poplawski;manufacturer=piv_II;serial=d75c91b27c25efbd;model=PKCS%2315%20emulated
-----------------------------------------------------------

Do we still need to install the opensc module or is p11-kit-proxy supposed to handle this (as it seems to do)?
If I restart gdm with the smartcard inserted I get prompted for the cert/pin.
Some more details - I'm running with the user list disabled so at boot I'm presented with a "Username" prompt. If I enter my username and click next I'm presented with a prompt for my pin and I'm able to log in. So it works, but I'm used to seeing the prompt change on card insertion to asking which certificate I want to use to login with (my card has multiple certificates).
(In reply to Orion Poplawski from comment #10)
> Some more details - I'm running with the user list disabled so at boot I'm
> presented with a "Username" prompt. If I enter my username and click next
> I'm presented with a prompt for my pin and I'm able to log in. So it works,
> but I'm used to seeing the prompt change on card insertion to asking which
> certificate I want to use to login with (my card has multiple certificates).

Hi,

can you check if /etc/dconf/db/distro.d/20-authselect or similar exists and what is the content? There should be something like

[org/gnome/login-screen]
enable-smartcard-authentication=true
...

to enable this feature. Additionally, does /usr/share/dconf/profile/gdm exist and contain 'system-db:distro' besides other entries?

bye,
Sumit
Another idea, Yubikeys are special here because from the PKCS#11 perspective they are reader and Smartcard in one device. The NSS calls used by gdm might simply not be able to detect the insertion. Do you have the chance to test with a "real" Smartcard reader and a Smartcard? bye, Sumit
# cat /etc/dconf/db/distro.d/20-authselect
# Generated by authselect on Mon May 6 14:25:55 2019
# Do not modify this file manually.

[org/gnome/login-screen]
enable-smartcard-authentication=true
enable-fingerprint-authentication=false
enable-password-authentication=true

[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'

# cat /usr/share/dconf/profile/gdm
user-db:user
system-db:local
system-db:site
system-db:distro
file-db:/usr/share/gdm/greeter-dconf-defaults

I *think* all that is not working is detection of the card triggering a response in the gdm display - the login with the PIN works. Unfortunately I do not have access to any other smartcard devices. EL7 and Fedora 28 reacted to the insertion of the yubikey though.
Hi, can you check on EL7 and F28 systems where the insertion is detected if the OpenSC PKCS#11 module is added to /etc/pki/nssdb directly or via p11-kit-proxy.so as on F29? If it is added directly (I guess it is) can you try to add it to /etc/pki/nssdb on F29 as well? HTH bye, Sumit
On the older systems, the OpenSC module is directly added to /etc/pki/nssdb. If I try to add it to F29 I get:

# modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile /usr/lib64/opensc-pkcs11.so

WARNING: Manually adding a module while p11-kit is enabled could cause duplicate module registration in your security database. It is suggested to configure the module through p11-kit configuration file instead.

Type 'q <enter>' to abort, or <enter> to continue:

ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error.".

I also appear to be unable to replace p11-kit-proxy with OpenSC.
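To answer the question raised above (does OpenSC still have to be registered in /etc/pki/nssdb, or does p11-kit-proxy carry it), here is an added diagnostic that is not from this thread, GDM, NSS or p11-kit: it parses `modutil -list` output and the p11-kit `*.module` files and reports every path by which opensc-pkcs11.so reaches NSS, flagging the double registration that the modutil warning quoted above refers to. The listings and module-file contents are constructed from what the thread shows, and the `enable-in`/`disable-in` handling follows pkcs11.conf(5) as I understand it; on a real host, feed it the actual command output and the files under /etc/pkcs11/modules and /usr/share/p11-kit/modules.

```python
import os
import re

# Constructed fragments of `modutil -list -dbdir /etc/pki/nssdb` output,
# modelled on the listing in this thread (only names and library paths are parsed).
MODUTIL_HEADER = "Listing of PKCS #11 Modules\n" + "-" * 59 + "\n"
MODUTIL_FOOTER = "-" * 59 + "\n"
NSS_INTERNAL_ENTRY = "  1. NSS Internal Crypto Services\n         slots: 1 slot attached\n        status: loaded\n\n"
PROXY_ENTRY = "  2. p11-kit-proxy\n        library name: p11-kit-proxy.so\n         slots: 1 slot attached\n        status: loaded\n\n"
OPENSC_ENTRY = "  3. OpenSC\n        library name: /usr/lib64/opensc-pkcs11.so\n         slots: 1 slot attached\n        status: loaded\n\n"

LISTING_VIA_PROXY = MODUTIL_HEADER + NSS_INTERNAL_ENTRY + PROXY_ENTRY + MODUTIL_FOOTER
LISTING_DUPLICATE = MODUTIL_HEADER + NSS_INTERNAL_ENTRY + PROXY_ENTRY + OPENSC_ENTRY + MODUTIL_FOOTER

# Constructed p11-kit module file, in the "key: value" format of pkcs11.conf(5).
P11KIT_MODULES = {"opensc.module": "# constructed example\nmodule: opensc-pkcs11.so\n"}

ENTRY_RE = re.compile(r"^\s*\d+\.\s+(?P<name>.+?)\s*$", re.M)
LIB_RE = re.compile(r"^\s*library name:\s*(?P<lib>\S+)\s*$", re.M)


def parse_modutil_list(text):
    """Return [(module name, library file or None), ...] from modutil -list output."""
    headers = list(ENTRY_RE.finditer(text))
    modules = []
    for i, hdr in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        lib = LIB_RE.search(text[hdr.end():end])   # NSS internal has no library line
        modules.append((hdr.group("name"), lib.group("lib") if lib else None))
    return modules


def parse_p11kit_module(text):
    """Parse one p11-kit *.module file into a dict of its 'key: value' lines."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(":")
            cfg[key.strip()] = value.strip()
    return cfg


def _csv(value):
    return [p.strip() for p in value.split(",") if p.strip()]


def opensc_registrations(modutil_text, p11kit_modules, consumer="gdm"):
    """List every route by which opensc-pkcs11.so is visible to NSS in `consumer`.

    'direct' means the library is registered in the NSS database itself;
    'p11-kit-proxy:<file>' means the proxy module loads it from that p11-kit
    config file (honouring its enable-in/disable-in program filters).
    """
    libs = [os.path.basename(lib) for _, lib in parse_modutil_list(modutil_text) if lib]
    routes = []
    if "opensc-pkcs11.so" in libs:
        routes.append("direct")
    if "p11-kit-proxy.so" in libs:
        for fname, text in p11kit_modules.items():
            cfg = parse_p11kit_module(text)
            if os.path.basename(cfg.get("module", "")) != "opensc-pkcs11.so":
                continue
            enabled_in, disabled_in = _csv(cfg.get("enable-in", "")), _csv(cfg.get("disable-in", ""))
            if (enabled_in and consumer not in enabled_in) or consumer in disabled_in:
                continue
            routes.append("p11-kit-proxy:" + fname)
    return sorted(routes)


def duplicate_registration(routes):
    """True when OpenSC is loaded both directly and through p11-kit-proxy."""
    return "direct" in routes and any(r.startswith("p11-kit-proxy:") for r in routes)


if __name__ == "__main__":
    for label, listing in (("F29 default", LISTING_VIA_PROXY), ("after manual add", LISTING_DUPLICATE)):
        routes = opensc_registrations(listing, P11KIT_MODULES)
        print(label, "->", routes, "DUPLICATE" if duplicate_registration(routes) else "")
```

The point of the `consumer` argument is that p11-kit can expose a module to some programs and not others, so a listing that looks fine from a root shell can still leave the greeter without the token; check with the name of the process that actually opens the NSS database.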
This message is a reminder that Fedora 29 is nearing its end of life. Fedora will stop maintaining and issuing updates for Fedora 29 on 2019-11-26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '29'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 29 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged to change the 'version' to a later Fedora version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This seems to be working for me with F31 and authselect enable-feature with-smartcard-required. GDM prompts me to "Please enter smart card" and detects it when inserted.
Fedora 29 changed to end-of-life (EOL) status on 2019-11-26. Fedora 29 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release.

If you experience problems, please add a comment to this bug.

Thank you for reporting this bug and we are sorry it could not be fixed.