Bug 1736265 - Smart Card auth of local user: endless loop if wrong PIN was provided
Summary: Smart Card auth of local user: endless loop if wrong PIN was provided
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: sssd
Version: 8.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: 8.1
Assignee: SSSD Maintainers
QA Contact: Scott Poore
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-08-01 16:23 UTC by Alexey Tikhonov
Modified: 2020-05-02 19:11 UTC (History)

Fixed In Version: sssd-2.2.0-15.el8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-11-05 22:34:54 UTC
Type: Bug
Target Upstream Version:


Links
System ID Private Priority Status Summary Last Updated
Github SSSD sssd issues 5019 0 None closed Smart Card auth of local user: endless loop if wrong PIN was provided 2020-09-28 14:08:40 UTC
Github SSSD sssd issues 5027 0 None closed Smart Card auth of local user: endless loop if wrong PIN was provided 2020-09-28 14:08:40 UTC
Red Hat Product Errata RHSA-2019:3651 0 None None None 2019-11-05 22:35:01 UTC

Description Alexey Tikhonov 2019-08-01 16:23:56 UTC
When I enter a wrong PIN:
```
$ su certtets
PIN for test
^C
```
^^^ from the user's point of view everything seems to be hung.

Meanwhile sssd_pam & p11_child are in an endless(?) loop trying to log in to the (already locked) SC.

Issue seems to appear if `try_cert_auth` or `require_cert_auth` options are used.
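The failure mode described above, a login loop that keeps retrying against a card that has already rejected the PIN, is easy to reason about with a small simulation. The following is an added example, not sssd or p11_child code: it models a PKCS#11-style token with a PIN retry counter and contrasts an unbounded retry loop with a helper that retries only on transient device errors and treats any PIN-class result as terminal for the request. The `CKR_*` values match the PKCS#11 specification; the token structure, `token_login`, `naive_login_loop` and `login_with_retry` are hypothetical and exist only for this demonstration.

```c
/* Added example: simulated PKCS#11-style token and two login strategies.
 * Not sssd's code; token_t and the helpers below are invented for the demo. */
#include <stdio.h>
#include <string.h>

/* Return values as defined by PKCS#11. */
#define CKR_OK            0x00UL
#define CKR_DEVICE_ERROR  0x30UL
#define CKR_PIN_INCORRECT 0xA0UL
#define CKR_PIN_LOCKED    0xA4UL

typedef struct {
    char pin[16];
    int max_tries;      /* retry counter is reset to this on a correct PIN */
    int tries_left;     /* card is locked when this reaches 0 */
    int transient_left; /* simulated reader hiccups before the next call works */
    int calls;          /* number of login attempts the token has seen */
} token_t;

void token_init(token_t *t, const char *pin, int max_tries, int transient) {
    memset(t, 0, sizeof(*t));
    strncpy(t->pin, pin, sizeof(t->pin) - 1);
    t->max_tries = max_tries;
    t->tries_left = max_tries;
    t->transient_left = transient;
}

/* Stand-in for C_Login: one attempt, wrong PIN burns one retry. */
unsigned long token_login(token_t *t, const char *pin) {
    t->calls++;
    if (t->transient_left > 0) {
        t->transient_left--;
        return CKR_DEVICE_ERROR;
    }
    if (t->tries_left == 0)
        return CKR_PIN_LOCKED;
    if (strcmp(t->pin, pin) == 0) {
        t->tries_left = t->max_tries;
        return CKR_OK;
    }
    t->tries_left--;
    return CKR_PIN_INCORRECT;
}

/* The shape of the bug: loop until login succeeds. With a wrong PIN it never
 * does; the loop first exhausts the retry counter (locking the card) and then
 * spins on CKR_PIN_LOCKED. 'cap' is the demo's safety valve so it terminates.
 * Returns the number of login calls made. */
int naive_login_loop(token_t *t, const char *pin, int cap) {
    unsigned long rv;
    do {
        rv = token_login(t, pin);
    } while (rv != CKR_OK && t->calls < cap);
    return t->calls;
}

/* Bounded strategy: retry only transient device errors, a limited number of
 * times; CKR_PIN_INCORRECT and CKR_PIN_LOCKED are returned immediately so the
 * caller reports authentication failure instead of re-using the same PIN. */
unsigned long login_with_retry(token_t *t, const char *pin, int max_transient_retries) {
    int retries = 0;
    for (;;) {
        unsigned long rv = token_login(t, pin);
        if (rv == CKR_DEVICE_ERROR && retries < max_transient_retries) {
            retries++;
            continue;
        }
        return rv; /* CKR_OK, a PIN-class error, or transient retries exhausted */
    }
}

int main(void) {
    token_t t;

    token_init(&t, "1234", 3, 0);
    printf("naive loop with wrong PIN: %d calls, tries_left=%d (locked)\n",
           naive_login_loop(&t, "0000", 10), t.tries_left);

    token_init(&t, "1234", 3, 0);
    printf("bounded login with wrong PIN: rv=0x%lx after %d call(s), tries_left=%d\n",
           login_with_retry(&t, "0000", 2), t.calls, t.tries_left);

    token_init(&t, "1234", 3, 1);
    printf("bounded login, one reader hiccup, correct PIN: rv=0x%lx after %d calls\n",
           login_with_retry(&t, "1234", 2), t.calls);
    return 0;
}
```

The naive loop is what makes a wrong PIN look like a hang from the `su` prompt: the request never returns, and as a side effect the card's retry counter is consumed, which is why a PUK unlock is needed afterwards. The bounded variant returns the card's own verdict after a single PIN attempt, so PAM can fall through to the next module or report failure within the configured timeout.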

Comment 2 Jakub Hrozek 2019-08-14 12:10:46 UTC
* master: 5574de0f87e72d85547add9a48f9ac0def27f47d

Comment 4 Scott Poore 2019-08-21 13:27:30 UTC
Verified.

Version ::

sssd-2.2.0-16.el8.x86_64

Results ::

First reproducing issue:

[root@rhel8-2 sssd]# rpm -q sssd
sssd-2.2.0-11.el8.x86_64

[root@rhel8-2 sssd]# p11tool --provider /usr/lib64/opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=sctest%20%28MyEID%29;id=%01;object=Certificate;type=cert' --outfile /tmp/card1.crt 

[root@rhel8-2 sssd]# dbus-send --system --print-reply --dest=org.freedesktop.sssd.infopipe /org/freedesktop/sssd/infopipe/Users org.freedesktop.sssd.infopipe.Users.ListByCertificate string:"$(cat /tmp/card1.crt)" uint32:10
method return time=1566393299.786685 sender=:1.256 -> destination=:1.255 serial=6 reply_serial=2
   array [
      object path "/org/freedesktop/sssd/infopipe/Users/example_2ecom/1778400201"
      object path "/org/freedesktop/sssd/infopipe/Users/shadowutils/1000"
   ]

[root@rhel8-2 sssd]# cat /etc/sssd/sssd.conf 
[domain/example.com]

debug_level = 9
krb5_auth_timeout = 60

id_provider = ipa
ipa_server = _srv_, rhel8-1.example.com
ipa_domain = example.com
ipa_hostname = rhel8-2.example.com
auth_provider = ipa
chpass_provider = ipa
access_provider = ipa
cache_credentials = True
# ldap_tls_cacert = /etc/ipa/ca.crt
# ldap_uri = ldaps://rhel8-1.example.com
# ldap_search_base = dc=example,dc=com
# ldap_schema = IPA
krb5_store_password_if_offline = True
sudo_provider = ipa
ldap_uri = ldap://rhel8-1.example.com
ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

[sssd]
# user = sssd
debug_level = 9
services = nss, pam, ssh, sudo
domains = example.com, shadowutils

[nss]
debug_level = 9
homedir_substring = /home

[pam]
debug_level = 9
p11_child_timeout = 60
pam_cert_auth = True

[sudo]
debug_level = 9

[autofs]
debug_level = 9

[ssh]
debug_level = 9

[pac]
debug_level = 9

[ifp]
debug_level = 9

[secrets]
debug_level = 9

[session_recording]
debug_level = 9

[domain/shadowutils]
debug_level = 9
id_provider = files

[certmap/shadowutils/localuser]
debug_level = 9
matchrule = <SUBJECT>.*CN=ipauser1.*

[root@rhel8-2 sssd]# grep localuser /etc/passwd
localuser:x:1000:1000:local user:/home/localuser:/bin/bash

[root@rhel8-2 sssd]# su - localuser -c 'su - localuser -c whoami'
PIN for sctest (MyEID): 
localuser

^^^ so it works as expected with the correct PIN for the local user ^^^

Now to see the failure:

[root@rhel8-2 sssd]# time su - localuser -c 'su - localuser -c whoami'
PIN for sctest (MyEID): 
Password: 
localuser

real	1m34.613s
user	0m0.135s
sys	0m0.064s

Took roughly 90 seconds to fail over to the password prompt.

Now, before verifying, I need to unlock the PIN:

[root@rhel8-2 sssd]# pkcs15-tool -u --pin redhat --puk redhat --auth-id 01
Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311651713564) 00 00

Now upgrading and testing:

[root@rhel8-2 sssd]# dnf -y update sssd
...
Upgraded:
  libipa_hbac-2.2.0-16.el8.x86_64                      libsss_idmap-2.2.0-16.el8.x86_64                
  python3-libipa_hbac-2.2.0-16.el8.x86_64              python3-sss-2.2.0-16.el8.x86_64                 
  python3-sssdconfig-2.2.0-16.el8.noarch               sssd-2.2.0-16.el8.x86_64                        
  sssd-ad-2.2.0-16.el8.x86_64                          sssd-client-2.2.0-16.el8.x86_64                 
  sssd-common-2.2.0-16.el8.x86_64                      sssd-common-pac-2.2.0-16.el8.x86_64             
  sssd-dbus-2.2.0-16.el8.x86_64                        sssd-ipa-2.2.0-16.el8.x86_64                    
  sssd-kcm-2.2.0-16.el8.x86_64                         sssd-krb5-2.2.0-16.el8.x86_64                   
  sssd-krb5-common-2.2.0-16.el8.x86_64                 sssd-ldap-2.2.0-16.el8.x86_64                   
  sssd-polkit-rules-2.2.0-16.el8.x86_64                sssd-proxy-2.2.0-16.el8.x86_64                  
  sssd-tools-2.2.0-16.el8.x86_64                      

Complete!

[root@rhel8-2 sssd]# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; systemctl start sssd

[root@rhel8-2 sssd]# time su - localuser -c 'su - localuser -c whoami'
PIN for sctest (MyEID): 
su: Authentication failure

real	0m16.113s
user	0m0.099s
sys	0m0.033s

Comment 6 errata-xmlrpc 2019-11-05 22:34:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:3651
