
Bug 1740763

Summary: [RFE] pam_sss allow_missing_name should allow whitespace-only string
Product: Red Hat Enterprise Linux 8
Reporter: Sneha Veeranki <sveerank>
Component: sssd
Assignee: Pavel Březina <pbrezina>
Status: CLOSED ERRATA
QA Contact: sssd-qe <sssd-qe>
Severity: unspecified
Priority: unspecified
Version: 8.1
CC: aakkiang, aboscatt, bdellasc, dapospis, grajaiya, jhrozek, lslebodn, mhavrila, mzidek, pbrezina, sbose, sgoveas, spoore, tscherf
Target Milestone: rc
Keywords: FutureFeature, RFE
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: x86_64
OS: Linux
Whiteboard: sync-to-jira
Fixed In Version: sssd-2.2.3-2.el8
Doc Type: If docs needed, set a value
Last Closed: 2020-04-28 16:56:02 UTC
Type: Bug

Description Sneha Veeranki 2019-08-13 15:22:34 UTC
Description of problem:
OpenSC - Kerberos User uses virtual terminal with smart card special login case.

Version-Release number of selected component (if applicable):
Was unable to choose virtual terminal. Hence chose gnome-terminal as it was the closest match I could find!

How reproducible:
Always

Steps to Reproduce:
1. Set the below settings:

Use smart card: ON

Enforce smart card: ON

Log out behavior configured to: Activate screen saver.

2. The Kerberos user inserts the smart card.

3. User logs in using the tty virtual terminal screen e.g. ctrl + alt + F2
User types a ' ' or space at the user prompt.

Actual results:
Displays the below prompt:
Please enter the smart card
Login incorrect
Login incorrect
Login incorrect

Expected results:
Should prompt for the smart card pin

Additional info:

Comment 2 Jiri Koten 2019-08-15 13:04:32 UTC
*** Bug 1740766 has been marked as a duplicate of this bug. ***

Comment 3 Pavel Březina 2019-09-04 11:01:42 UTC
Can you please attach /etc/pam.d/system-auth and /etc/pam.d/smartcard-auth? Thank you.

Comment 5 Pavel Březina 2019-09-16 08:01:47 UTC
Sumit, can you look at this please? It looks like a pam_sss issue.

Comment 6 Sumit Bose 2019-09-24 13:17:15 UTC
Hi,

I think currently what you described is expected (although the output is not nice). Even when enforcing Smartcard authentication you typically have to provide a username. Currently the only exception is the Smartcard mode of GDM.

I think you are looking for a functionality similar to the 'card_only' option of pam_pkcs11. To my knowledge this option was not set by authconfig on RHEL7 and so it was not added to authselect or as a feature to SSSD.

The pam_sss.so option 'allow_missing_name' is nearly what you are looking for but it currently handles only really empty/missing user names, so a single space is currently treated as a name and does not trigger the lookup of the name from the certificate.

My suggestion would be to treat this ticket as RFE and enhance the 'allow_missing_name' option to treat white-space as missing name as well.

bye,
Sumit

Comment 7 Pavel Březina 2019-10-02 12:19:16 UTC
Thank you Sumit. I'm switching the component to sssd since no change in authselect is required.

Comment 8 Pavel Březina 2019-10-17 09:28:10 UTC
Upstream ticket:
https://pagure.io/SSSD/sssd/issue/4101

Comment 9 Pavel Březina 2019-11-05 11:01:27 UTC
Upstream PR:
https://github.com/SSSD/sssd/pull/928

Comment 10 Pavel Březina 2019-11-19 12:42:44 UTC
* `master`
    * 456e576b85670b76e0da3dc13fe349b7445842ff - pam_sss: treat whitespace name as missing name if allow_missing_name is set

Comment 11 Michal Zidek 2020-01-15 12:14:02 UTC
This bug was fixed as part of the rebase we did in RHEL 8.2.0. It would be good to fully ack it and include in the erratum.

Comment 13 Sneha Veeranki 2020-03-02 20:22:16 UTC
Verified on RHEL 8.2.0

sssd-2.2.3-17.el8.x86_64
nss-pam-ldapd-0.9.9-3.el8.x86_64
pam-1.3.1-8.el8.x86_64

The Kerberos user inserts the smart card.
User logs in using the tty virtual terminal screen e.g. ctrl + alt + F2
User types a ' ' or space at the user prompt.

I still see the same output as before:

Please enter the smart card
Login incorrect
Login incorrect
Login incorrect

Comment 15 Sumit Bose 2020-03-03 10:53:28 UTC
(In reply to Sneha Veeranki from comment #13)
> Verified on RHEL 8.2.0
> 
> sssd-2.2.3-17.el8.x86_64
> nss-pam-ldapd-0.9.9-3.el8.x86_64
> pam-1.3.1-8.el8.x86_64
> 
> The Kerberos user inserts the smart card.
> User logs in using the tty virtual terminal screen e.g. ctrl + alt + F2
> User types a ' ' or space at the user prompt.
> 
> I still see the same output as before:
> 
> Please enter the smart card
> Login incorrect
> Login incorrect
> Login incorrect

Hi,

did you test with the same PAM configuration as shown in comment #4? As mentioned in comment #6 you have to add 'allow_missing_name' to the pam_sss line in system-auth.

HTH

bye,
Sumit

Comment 19 Sneha Veeranki 2020-03-09 14:38:52 UTC
I ran authselect select sssd with-smartcard with-mkhomedir --force
Then made the necessary modifications as specified in comment 17. Although the smart card is inserted, I see  

Please enter the smart card
Login incorrect
Login incorrect
Login incorrect

The smart card is not detected and the pin is not prompted on the virtual terminal most of the time. Occasionally it is detected and prompts to choose a certificate and enter a pin.

Comment 20 Sumit Bose 2020-03-10 10:40:56 UTC
Hi,

so far I'm not able to reproduce the triple 'Login incorrect' you are seeing but nevertheless you should put 'allow_missing_name' to the pam_sss.so line with 'try_cert_auth', e.g.:

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
auth        [default=2 ignore=ignore success=ok]         pam_localuser.so
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth allow_missing_name
auth        sufficient                                   pam_unix.so nullok try_first_pass
auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so


The reason is that an empty name ' ' will make 'pam_succeed_if.so uid >= 1000 quiet' fail because there is no uid of ' '. This will trigger the action 'default=1' which will skip the next line and jump directly to 'pam_sss.so try_cert_auth'.

HTH

bye,
Sumit
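
The jump logic described in comment 20, as an added example that is not part of the original bug report or of SSSD/PAM code: a small walker over the quoted auth stack that shows which modules run when pam_succeed_if.so fails for a whitespace name, and checks that the pam_sss.so line actually reached carries both 'try_cert_auth' and 'allow_missing_name'. Module return values are supplied by the caller ('user_unknown' is a constructed stand-in for the failure), and 'done'/'die' are simplified to "stop here".

```python
import re

# Constructed sample: the auth stack quoted in comment 20 (whitespace collapsed).
STACK = """\
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
auth [default=2 ignore=ignore success=ok] pam_localuser.so
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth allow_missing_name
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""

# Bracket equivalents of the keyword controls, as documented in pam.conf(5).
OK = {"success": "ok", "new_authtok_reqd": "ok", "ignore": "ignore"}
KEYWORDS = {
    "required": {**OK, "default": "bad"},
    "requisite": {**OK, "default": "die"},
    "sufficient": {"success": "done", "new_authtok_reqd": "done", "default": "ignore"},
}
LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse(text):
    """Return [(module, args, {return_value: action})] for each auth line."""
    rules = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            control, module, args = m.groups()
            actions = (dict(kv.split("=", 1) for kv in control[1:-1].split())
                       if control.startswith("[") else KEYWORDS[control])
            rules.append((module, args.split(), actions))
    return rules

def walk(rules, results):
    """Indices of modules invoked; results maps index -> return name (default 'success')."""
    called, i = [], 0
    while i < len(rules):
        called.append(i)
        acts = rules[i][2]
        action = acts.get(results.get(i, "success"), acts.get("default", "bad"))
        if action in ("done", "die"):  # simplification: both end the stack here
            break
        i += 1 + (int(action) if action.isdigit() else 0)  # numeric action = skip N lines
    return called

def cert_auth_allows_missing_name(text, results):
    """True if a pam_sss.so line with both options is reached on this path."""
    rules = parse(text)
    return any(rules[i][0] == "pam_sss.so"
               and {"try_cert_auth", "allow_missing_name"} <= set(rules[i][1])
               for i in walk(rules, results))
```
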

Comment 21 Sneha Veeranki 2020-03-10 15:42:33 UTC
Thanks Sumit. That worked!

Logged in using the tty virtual terminal screen and entered a space at the user prompt. However, when I give a ' ' instead of space, it doesn't work. Is it the expected behavior?

Comment 22 Sumit Bose 2020-03-11 06:27:51 UTC
(In reply to Sneha Veeranki from comment #21)
> Thanks Sumit. That worked!
> 
> Logged in using the tty virtual terminal screen and entered a space at the
> user prompt. However, when I give a ' ' instead of space, it doesn't work.
> Is it the expected behavior?

Hi,

what do you mean by ' '? If this is just pressing the return/enter key without entering anything else then yes, this is expected.

bye,
Sumit

Comment 24 errata-xmlrpc 2020-04-28 16:56:02 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:1863

Comment 33 Red Hat Bugzilla 2023-09-18 00:17:05 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 120 days