Bug 1845640 - [RFE] Root user should be able to login with password when all users are forced to login with smart card (but see comment 3)
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: sssd
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: medium
Target Milestone: rc
Target Release: ---
Assignee: Sumit Bose
QA Contact: sssd-qe
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
 
Reported: 2020-06-09 17:38 UTC by Vinay Mishra
Modified: 2022-04-20 06:04 UTC
CC List: 11 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-04-20 06:04:30 UTC
Type: Bug
Target Upstream Version:
Embargoed:



Comment 2 Sumit Bose 2020-10-22 10:39:02 UTC
Hi,

To put it a bit more generally, this ticket is about requiring Smartcard authentication, but not for all users and maybe not for all services where Smartcard authentication might be possible. This requires some design (maybe the prompting configuration can be used for at least parts of it), and it should be checked whether there should be some interactions with authconfig and how GDM will handle this feature.

Changing this ticket to an RFE.

bye,
Sumit

Comment 3 Alexey Tikhonov 2021-08-31 18:43:00 UTC
Comment from Sumit:
```
Currently pam_sss does not handle a user called "root" at all, but if
Smartcard authentication is enforced and "root" should log in with a
Smartcard as well (yes, the opposite of what is asked in the ticket),
who else than SSSD should handle it? So from the SSSD side we need a
special case with Smartcard authentication for the root user.

If this is fixed we can decide if it would be better to configure
whether the root user should use Smartcard or password if Smartcard
authentication is required in sssd.conf or in the pam configuration,
i.e. in authselect.
```

Comment 4 Alexey Tikhonov 2021-08-31 18:46:27 UTC
At this stage this RFE should target RHEL9. Once/if implemented, backport to RHEL8 might be considered.

Comment 13 Ding-Yi Chen 2022-04-20 06:04:30 UTC
The issue can be addressed by the following line:

~~~
auth        [success=5 default=ignore]                   pam_succeed_if.so uid eq 0 quiet
~~~


An example auth type in /etc/pam.d/system-auth:

~~~
auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [success=5 default=ignore]                   pam_succeed_if.so uid eq 0 quiet
auth        [success=1 default=ignore]                   pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert_auth ignore_authinfo_unavail
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=2 ignore=ignore success=ok]         pam_localuser.so
auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so
~~~

You can save it as a custom authselect profile [1].


Should there be a strong business justification for creating a new authselect feature like `with-smartcard with-root-excepted`, please file a new RFE bug against authselect.


1. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/configuring_authentication_and_authorization_in_rhel/configuring-user-authentication-using-authselect_configuring-authentication-and-authorization-in-rhel#creating-and-deploying-your-own-authselect-profile_configuring-user-authentication-using-authselect
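
The workaround in comment 13 depends on the `success=5` jump landing exactly on the `pam_unix.so` line, so before deploying it as a custom profile it is worth checking both where the jump lands and which modules each kind of login actually consults. The following is an added example written for this page, not code from the bug report, SSSD or authselect: a small Python model of a subset of Linux-PAM control semantics (ok/done/bad/die/ignore and integer skips) that walks the posted stack for a few constructed scenarios. Module return codes are modelled from a scenario dict (uid, service, whether the user is local, whether the password is right, smartcard state) rather than produced by real modules; the `uid >= 1000` rule used for `pam_usertype.so isregular`, the return codes chosen for non-matching `pam_localuser.so` and `pam_unix.so`, and the scenario values themselves are assumptions for illustration.

```python
# Added example for this page (not from the bug report, SSSD or authselect):
# a simplified model of Linux-PAM control flow used to see which modules root
# and a regular user actually hit in the stack from comment 13.  Module
# results are modelled from a constructed scenario dict, not real modules.
import re

SUCCESS, AUTH_ERR, AUTHINFO_UNAVAIL, PERM_DENIED = (
    "success", "auth_err", "authinfo_unavail", "perm_denied")

# pam.conf(5) expansion of the two keywords the posted stack uses
# (the new_authtok_reqd entries are omitted; they never occur here).
KEYWORDS = {
    "required":   {"success": "ok", "ignore": "ignore", "default": "bad"},
    "sufficient": {"success": "done", "default": "ignore"},
}

# The auth stack from comment 13, embedded verbatim (column padding removed).
SYSTEM_AUTH = """
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [success=5 default=ignore] pam_succeed_if.so uid eq 0 quiet
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=2 ignore=ignore success=ok] pam_localuser.so
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
"""
LINE_RE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_stack(text):
    """Return [(control_dict, module, args)] for the auth lines in text."""
    stack = []
    for raw in (line.strip() for line in text.splitlines()):
        if not raw or raw.startswith("#"):
            continue
        m = LINE_RE.match(raw)
        if not m:
            raise ValueError("unparsable PAM line: " + raw)
        ctl, module, args = m.groups()
        control = (dict(kv.split("=", 1) for kv in ctl[1:-1].split())
                   if ctl.startswith("[") else KEYWORDS[ctl])
        stack.append((control, module, args.split()))
    return stack

def run_module(module, args, who):
    """Modelled return code for one module.  `who` is a constructed scenario:
    uid, service, local, password_ok, smartcard (None / "ok" / "fail")."""
    if module in ("pam_env.so", "pam_faildelay.so"):
        return SUCCESS
    if module == "pam_succeed_if.so":
        if args[:3] == ["uid", "eq", "0"]:
            return SUCCESS if who["uid"] == 0 else AUTH_ERR
        if args[:2] == ["service", "notin"]:
            return SUCCESS if who["service"] not in args[2].split(":") else AUTH_ERR
        raise ValueError("unsupported pam_succeed_if condition: %s" % args)
    if module == "pam_usertype.so":      # isregular; the uid >= 1000 cut-off is assumed
        return SUCCESS if who["uid"] >= 1000 else AUTH_ERR
    if module == "pam_localuser.so":     # return code for a non-local user is assumed
        return SUCCESS if who["local"] else PERM_DENIED
    if module == "pam_unix.so":
        return SUCCESS if who["local"] and who["password_ok"] else AUTH_ERR
    if module == "pam_sss.so":
        card = who["smartcard"]
        if "require_cert_auth" in args:
            return SUCCESS if card == "ok" else AUTH_ERR
        if "try_cert_auth" in args:      # no card inserted -> authinfo_unavail
            return {None: AUTHINFO_UNAVAIL, "ok": SUCCESS}.get(card, AUTH_ERR)
        # forward_pass: password auth via SSSD, which does not know local users
        return SUCCESS if not who["local"] and who["password_ok"] else AUTH_ERR
    if module == "pam_deny.so":
        return PERM_DENIED
    raise ValueError("unknown module " + module)

def evaluate(stack, who):
    """Walk the stack with a subset of Linux-PAM semantics: ok/done/bad/die/
    ignore plus integer skips.  Returns (authenticated, modules_consulted)."""
    status, trace, i = None, [], 0
    while i < len(stack):
        control, module, args = stack[i]
        ret = run_module(module, args, who)
        action = control.get(ret, control.get("default", "bad"))
        trace.append(module)
        if action in ("ok", "done", "bad", "die"):
            if status in (None, SUCCESS):   # an earlier failure is never overridden
                status = ret
            if action == "die" or (action == "done" and status == SUCCESS):
                break
        elif action != "ignore":
            i += int(action)                # "success=N": skip the next N lines
        i += 1
    return status == SUCCESS, trace

def root_exception_target(stack):
    """Module the `uid eq 0` skip lands on; it must be pam_unix.so, and the
    count goes stale if a line above pam_unix is added or removed."""
    for i, (control, module, args) in enumerate(stack):
        if module == "pam_succeed_if.so" and args[:3] == ["uid", "eq", "0"]:
            return stack[i + int(control["success"]) + 1][1]
    return None

if __name__ == "__main__":
    stack = parse_stack(SYSTEM_AUTH)
    print("root skip lands on:", root_exception_target(stack))
    base = {"local": True, "password_ok": True, "smartcard": None}
    for name, who in [("root at console", dict(base, uid=0, service="login")),
                      ("user at console, no card", dict(base, uid=1000, service="login")),
                      ("user over ssh, no card", dict(base, uid=1000, service="sshd"))]:
        print(name, evaluate(stack, who))
```

Two things the trace makes visible that the bare config does not: the root exception sits above the `service notin` check, so root falls through to `pam_unix.so` at the console and GDM as well as over SSH, while a regular user at the console is stopped by `pam_sss.so require_cert_auth` with `default=die` before any password module is reached. `root_exception_target` is the check to rerun whenever the custom profile is edited, since `success=5` is a line count, not a label.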

