Note: This bug is displayed in read-only format because
the product is no longer active in Red Hat Bugzilla.
RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Description of problem:
- RHEL6 shows 100% CPU for gdm-simple-greeter when sshed using smart card. Once smart card is directly plugged into RHEL6.8, gdm-simple-greeter does not consume memory.
- RHEL7 does not show this problem.
Window's RHEL-6.8
smart-card>|
Open Putty
SSH>Pkcs11>
-> ssh user@<rhel6.8>
>Attempt "PKCS#11 smartcard"
>Token Label
login successfully
(without password)
# top
99.5 gdm-simple-greeter
->Plug smartcard directly here.
- Perform smart card login.
# top
gdm-simple-greeter does not consume memory!
pam_pkcs11.conf
pam_pkcs11 {
# Allow empty passwords
nullok = true;
# Enable debugging support.
debug = false;
# If the smart card is inserted, only use it
card_only = false;
# Do not prompt the user for the passwords but take them from the
# PAM_ items instead.
use_first_pass = false;
# Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
# is unset.
try_first_pass = false;
# Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
# previously set (intended for stacking password modules only).
use_authtok = false;
# Filename of the PKCS #11 module. The default value is "default"
use_pkcs11_module = opensc;
screen_savers = gnome-screensaver,xscreensaver,kscreensaver
pkcs11_module coolkey {
module = libcoolkeypk11.so;
description = "Cool Key"
# Slot-number to use. One for the first, two for the second and so
# on. The default value is zero which means to use the first slot
# with an available token.
slot_num = 0;
# Path to the directory where the CA certificates are stored. The
# directory must contain an openssl hash-link to each certificate.
# The default value is /etc/pam_pkcs11/cacerts.
ca_dir = /etc/pam_pkcs11/cacerts;
nss_dir = /etc/pki/nssdb;
# Path to the directory where the CRLs are stored. The directory
# must contain an openssl hash-link to each CRL. The default value
# is /etc/pam_pkcs11/crls.
crl_dir = /etc/pam_pkcs11/crls;
# Sets the Certificate verification policy.
# "none" Performs no verification
# "ca" Does CA check
# "crl_online" Downloads the CRL form the location given by the
# CRL distribution point extension of the certificate
# "crl_offline" Uses the locally stored CRLs
# "crl_auto" Is a combination of online and offline; it first
# tries to download the CRL from a possibly given CRL
# distribution point and if this fails, uses the local
# CRLs
# "ocsp_on" Turn on OCSP.
# "signature" Does also a signature check to ensure that private
# and public key matches
# You can use a combination of ca,crl, and signature flags, or just
# use "none".
cert_policy = ca, signature;
}
pkcs11_module opensc {
module = opensc-pkcs11.so;
description = "OpenSC PKCS#11 module";
# Slot-number to use. One for the first, two for the second and so
# on. The default value is zero which means to use the first slot
# with an available token.
slot_num = 0;
# Path to the directory where the CA certificates are stored. The
# directory must contain an openssl hash-link to each certificate.
# The default value is /etc/pam_pkcs11/cacerts.
ca_dir = /etc/pam_pkcs11/cacerts;
# Path to the directory where the CRLs are stored. The directory
# must contain an openssl hash-link to each CRL. The default value
# is /etc/pam_pkcs11/crls.
crl_dir = /etc/pam_pkcs11/crls;
# Sets the Certificate Policy, (see above)
cert_policy=ca, ocsp_on, signature;
}
# Default pkcs11 module
pkcs11_module default {
module = /usr/$LIB/pam_pkcs11/pkcs11_module.so;
description = "Default pkcs#11 module";
slot_num = 0;
ca_dir = /etc/pam_pkcs11/cacerts;
crl_dir = /etc/pam_pkcs11/crls;
cert_policy=ca, signature;
}
# Which mappers ( Cert to login ) to use?
# you can use several mappers:
#
# subject - Cert Subject to login file based mapper
# pwent - CN to getpwent() login or gecos fields mapper
# ldap - LDAP mapper
# opensc - Search certificate in ${HOME}/.eid/authorized_certificates
# openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
# mail - Compare email fields from certificate
# ms - Use Microsoft Universal Principal Name extension
# krb - Compare againts Kerberos Principal Name
# cn - Compare Common Name (CN)
# uid - Compare Unique Identifier
# digest - Certificate digest to login (mapfile based) mapper
# generic - User defined certificate contents mapped
# null - blind access/deny mapper
#
# You can select a comma-separated mapper list.
# If used null mapper should be the last in the list :-)
# Also you should select at least one mapper, otherwise
# certificate will not match :-)
use_mappers = uid, cn, subject, digest;
# When no absolute path or module info is provided, use this
# value as module search path
# TODO:
# This is not still functional: use absolute pathnames or LD_LIBRARY_PATH
mapper_search_path = /usr/$LIB/pam_pkcs11;
#
# Generic certificate contents mapper
mapper generic {
debug = true;
module = /usr/$LIB/pam_pkcs11/generic_mapper.so;
# ignore letter case on match/compare
ignorecase = false;
# Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid"
cert_item = cn;
# Define mapfile if needed, else select "none"
mapfile = file:///etc/pam_pkcs11/generic_mapping
# Decide if use getpwent() to map login
use_getpwent = false;
}
# Certificate Subject to login based mapper
# provided file stores one or more "Subject -> login" lines
mapper subject {
debug = false;
# module = /usr/$LIB/pam_pkcs11/subject_mapper.so;
module = internal;
ignorecase = false;
mapfile = file:///etc/pam_pkcs11/subject_mapping;
}
# Search public keys from $HOME/.ssh/authorized_keys to match users
mapper openssh {
debug = false;
module = /usr/$LIB/pam_pkcs11/openssh_mapper.so;
}
# Search certificates from $HOME/.eid/authorized_certificates to match users
mapper opensc {
debug = false;
module = /usr/$LIB/pam_pkcs11/opensc_mapper.so;
}
# Certificate Common Name ( CN ) to getpwent() mapper
mapper pwent {
debug = false;
ignorecase = false;
module = internal;
# module = /usr/$LIB/pam_pkcs11/pwent_mapper.so;
}
# Null ( no map ) mapper. when user as finder matchs to NULL or "nobody"
mapper null {
debug = false;
# module = /usr/$LIB/pam_pkcs11/null_mapper.so;
module = internal ;
# select behavior: always match, or always fail
default_match = false;
# on match, select returned user
default_user = nobody ;
}
# Directory ( ldap style ) mapper
mapper ldap {
debug = false;
module = /usr/$LIB/pam_pkcs11/ldap_mapper.so;
# where base directory resides
basedir = /etc/pam_pkcs11/mapdir;
# hostname of ldap server
ldaphost = "localhost";
# Port on ldap server to connect
ldapport = 389;
# Scope of search: 0 = x, 1 = y, 2 = z
scope = 2;
# DN to bind with. Must have read-access for user entries under "base"
binddn = "cn=pam,o=example,c=com";
# Password for above DN
passwd = "test";
# Searchbase for user entries
base = "ou=People,o=example,c=com";
# Attribute of user entry which contains the certificate
attribute = "userCertificate";
# Searchfilter for user entry. Must only let pass user entry for the login user.
filter = "(&(objectClass=posixAccount)(uid=%s))"
}
# Assume common name (CN) to be the login
mapper cn {
debug = false;
module = internal;
# module = /usr/$LIB/pam_pkcs11/cn_mapper.so;
ignorecase = false;
mapfile = file:///etc/pam_pkcs11/cn_map;
}
# mail - Compare email field from certificate
mapper mail {
debug = false;
module = internal;
# module = /usr/$LIB/pam_pkcs11/mail_mapper.so;
# Declare mapfile or
# leave empty "" or "none" to use no map
mapfile = file:///etc/pam_pkcs11/mail_mapping;
# Some certs store email in uppercase. take care on this
ignorecase = true;
# Also check that host matches mx domain
# when using mapfile this feature is ignored
ignoredomain = false;
}
# ms - Use Microsoft Universal Principal Name extension
# UPN is in format login@ADS_Domain. No map is needed, just
# check domain name.
mapper ms {
debug = false;
module = internal;
# module = /usr/$LIB/pam_pkcs11/ms_mapper.so;
ignorecase = false;
ignoredomain = false;
domain = "domain.com";
}
# krb - Compare againts Kerberos Principal Name
mapper krb {
debug = false;
module = internal;
# module = /usr/$LIB/pam_pkcs11/krb_mapper.so;
ignorecase = false;
mapfile = "none";
}
# uid - Maps Subject Unique Identifier field (if exist) to login
mapper uid {
debug = false;
module = internal;
# module = /usr/$LIB/pam_pkcs11/uid_mapper.so;
ignorecase = false;
mapfile = "none";
}
# digest - elaborate certificate digest and map it into a file
mapper digest {
debug = false;
module = internal;
# module = /usr/$LIB/pam_pkcs11/digest_mapper.so;
# algorithm used to evaluate certificate digest
# Select one of:
# "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160"
algorithm = "sha1";
mapfile = file:///etc/pam_pkcs11/digest_mapping;
# mapfile = "none";
}
}
- uninstalled opensc, installed coolkey still issues.
Version-Release number of selected component (if applicable):
How reproducible:
- All times in customer env
- Not in local reproduction
Steps to Reproduce:
1. mentioned above
2.
3.
Actual results:
gdm-simple-greeter consumes 100% CPU on smart card login
Expected results:
gdm-simple-greeter should not consume 100% CPU on smart card login
Additional info:
- RHEL 7 is fine, and didn't see the 100%cpu issue
- It doesn't show high cpu for non smart card ssh login
- disabling selinux does not solve the problem.
Description of problem: - RHEL6 shows 100% CPU for gdm-simple-greeter when sshed using smart card. Once smart card is directly plugged into RHEL6.8, gdm-simple-greeter does not consume memory. - RHEL7 does not show this problem. Window's RHEL-6.8 smart-card>| Open Putty SSH>Pkcs11> -> ssh user@<rhel6.8> >Attempt "PKCS#11 smartcard" >Token Label login successfully (without password) # top 99.5 gdm-simple-greeter ->Plug smartcard directly here. - Perform smart card login. # top gdm-simple-greeter does not consume memory! pam_pkcs11.conf pam_pkcs11 { # Allow empty passwords nullok = true; # Enable debugging support. debug = false; # If the smart card is inserted, only use it card_only = false; # Do not prompt the user for the passwords but take them from the # PAM_ items instead. use_first_pass = false; # Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK # is unset. try_first_pass = false; # Like try_first_pass, but fail if the new PAM_AUTHTOK has not been # previously set (intended for stacking password modules only). use_authtok = false; # Filename of the PKCS #11 module. The default value is "default" use_pkcs11_module = opensc; screen_savers = gnome-screensaver,xscreensaver,kscreensaver pkcs11_module coolkey { module = libcoolkeypk11.so; description = "Cool Key" # Slot-number to use. One for the first, two for the second and so # on. The default value is zero which means to use the first slot # with an available token. slot_num = 0; # Path to the directory where the CA certificates are stored. The # directory must contain an openssl hash-link to each certificate. # The default value is /etc/pam_pkcs11/cacerts. ca_dir = /etc/pam_pkcs11/cacerts; nss_dir = /etc/pki/nssdb; # Path to the directory where the CRLs are stored. The directory # must contain an openssl hash-link to each CRL. The default value # is /etc/pam_pkcs11/crls. crl_dir = /etc/pam_pkcs11/crls; # Sets the Certificate verification policy. # "none" Performs no verification # "ca" Does CA check # "crl_online" Downloads the CRL form the location given by the # CRL distribution point extension of the certificate # "crl_offline" Uses the locally stored CRLs # "crl_auto" Is a combination of online and offline; it first # tries to download the CRL from a possibly given CRL # distribution point and if this fails, uses the local # CRLs # "ocsp_on" Turn on OCSP. # "signature" Does also a signature check to ensure that private # and public key matches # You can use a combination of ca,crl, and signature flags, or just # use "none". cert_policy = ca, signature; } pkcs11_module opensc { module = opensc-pkcs11.so; description = "OpenSC PKCS#11 module"; # Slot-number to use. One for the first, two for the second and so # on. The default value is zero which means to use the first slot # with an available token. slot_num = 0; # Path to the directory where the CA certificates are stored. The # directory must contain an openssl hash-link to each certificate. # The default value is /etc/pam_pkcs11/cacerts. ca_dir = /etc/pam_pkcs11/cacerts; # Path to the directory where the CRLs are stored. The directory # must contain an openssl hash-link to each CRL. The default value # is /etc/pam_pkcs11/crls. crl_dir = /etc/pam_pkcs11/crls; # Sets the Certificate Policy, (see above) cert_policy=ca, ocsp_on, signature; } # Default pkcs11 module pkcs11_module default { module = /usr/$LIB/pam_pkcs11/pkcs11_module.so; description = "Default pkcs#11 module"; slot_num = 0; ca_dir = /etc/pam_pkcs11/cacerts; crl_dir = /etc/pam_pkcs11/crls; cert_policy=ca, signature; } # Which mappers ( Cert to login ) to use? # you can use several mappers: # # subject - Cert Subject to login file based mapper # pwent - CN to getpwent() login or gecos fields mapper # ldap - LDAP mapper # opensc - Search certificate in ${HOME}/.eid/authorized_certificates # openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys # mail - Compare email fields from certificate # ms - Use Microsoft Universal Principal Name extension # krb - Compare againts Kerberos Principal Name # cn - Compare Common Name (CN) # uid - Compare Unique Identifier # digest - Certificate digest to login (mapfile based) mapper # generic - User defined certificate contents mapped # null - blind access/deny mapper # # You can select a comma-separated mapper list. # If used null mapper should be the last in the list :-) # Also you should select at least one mapper, otherwise # certificate will not match :-) use_mappers = uid, cn, subject, digest; # When no absolute path or module info is provided, use this # value as module search path # TODO: # This is not still functional: use absolute pathnames or LD_LIBRARY_PATH mapper_search_path = /usr/$LIB/pam_pkcs11; # # Generic certificate contents mapper mapper generic { debug = true; module = /usr/$LIB/pam_pkcs11/generic_mapper.so; # ignore letter case on match/compare ignorecase = false; # Use one of "cn" , "subject" , "kpn" , "email" , "upn" or "uid" cert_item = cn; # Define mapfile if needed, else select "none" mapfile = file:///etc/pam_pkcs11/generic_mapping # Decide if use getpwent() to map login use_getpwent = false; } # Certificate Subject to login based mapper # provided file stores one or more "Subject -> login" lines mapper subject { debug = false; # module = /usr/$LIB/pam_pkcs11/subject_mapper.so; module = internal; ignorecase = false; mapfile = file:///etc/pam_pkcs11/subject_mapping; } # Search public keys from $HOME/.ssh/authorized_keys to match users mapper openssh { debug = false; module = /usr/$LIB/pam_pkcs11/openssh_mapper.so; } # Search certificates from $HOME/.eid/authorized_certificates to match users mapper opensc { debug = false; module = /usr/$LIB/pam_pkcs11/opensc_mapper.so; } # Certificate Common Name ( CN ) to getpwent() mapper mapper pwent { debug = false; ignorecase = false; module = internal; # module = /usr/$LIB/pam_pkcs11/pwent_mapper.so; } # Null ( no map ) mapper. when user as finder matchs to NULL or "nobody" mapper null { debug = false; # module = /usr/$LIB/pam_pkcs11/null_mapper.so; module = internal ; # select behavior: always match, or always fail default_match = false; # on match, select returned user default_user = nobody ; } # Directory ( ldap style ) mapper mapper ldap { debug = false; module = /usr/$LIB/pam_pkcs11/ldap_mapper.so; # where base directory resides basedir = /etc/pam_pkcs11/mapdir; # hostname of ldap server ldaphost = "localhost"; # Port on ldap server to connect ldapport = 389; # Scope of search: 0 = x, 1 = y, 2 = z scope = 2; # DN to bind with. Must have read-access for user entries under "base" binddn = "cn=pam,o=example,c=com"; # Password for above DN passwd = "test"; # Searchbase for user entries base = "ou=People,o=example,c=com"; # Attribute of user entry which contains the certificate attribute = "userCertificate"; # Searchfilter for user entry. Must only let pass user entry for the login user. filter = "(&(objectClass=posixAccount)(uid=%s))" } # Assume common name (CN) to be the login mapper cn { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/cn_mapper.so; ignorecase = false; mapfile = file:///etc/pam_pkcs11/cn_map; } # mail - Compare email field from certificate mapper mail { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/mail_mapper.so; # Declare mapfile or # leave empty "" or "none" to use no map mapfile = file:///etc/pam_pkcs11/mail_mapping; # Some certs store email in uppercase. take care on this ignorecase = true; # Also check that host matches mx domain # when using mapfile this feature is ignored ignoredomain = false; } # ms - Use Microsoft Universal Principal Name extension # UPN is in format login@ADS_Domain. No map is needed, just # check domain name. mapper ms { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/ms_mapper.so; ignorecase = false; ignoredomain = false; domain = "domain.com"; } # krb - Compare againts Kerberos Principal Name mapper krb { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/krb_mapper.so; ignorecase = false; mapfile = "none"; } # uid - Maps Subject Unique Identifier field (if exist) to login mapper uid { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/uid_mapper.so; ignorecase = false; mapfile = "none"; } # digest - elaborate certificate digest and map it into a file mapper digest { debug = false; module = internal; # module = /usr/$LIB/pam_pkcs11/digest_mapper.so; # algorithm used to evaluate certificate digest # Select one of: # "null","md2","md4","md5","sha","sha1","dss","dss1","ripemd160" algorithm = "sha1"; mapfile = file:///etc/pam_pkcs11/digest_mapping; # mapfile = "none"; } } - uninstalled opensc, installed coolkey still issues. Version-Release number of selected component (if applicable): How reproducible: - All times in customer env - Not in local reproduction Steps to Reproduce: 1. mentioned above 2. 3. Actual results: gdm-simple-greeter consumes 100% CPU on smart card login Expected results: gdm-simple-greeter should not consume 100% CPU on smart card login Additional info: - RHEL 7 is fine, and didn't see the 100%cpu issue - It doesn't show high cpu for non smart card ssh login - disabling selinux does not solve the problem.