Bug 1936551 - [Improvement] Provide user feedback when login fails due to blocked PIN
Summary: [Improvement] Provide user feedback when login fails due to blocked PIN
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 9
Classification: Red Hat
Component: sssd
Version: 9.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: ---
Assignee: Alexey Tikhonov
QA Contact: Scott Poore
URL:
Whiteboard: sync-to-jira
Depends On:
Blocks:
Reported: 2021-03-08 17:52 UTC by Orion Poplawski
Modified: 2022-11-15 13:08 UTC (History)
CC: 13 users

Fixed In Version: sssd-2.7.3-1.el9
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 2106867
Environment:
Last Closed: 2022-11-15 11:17:20 UTC
Type: Bug
Target Upstream Version:
Embargoed:
pm-rhel: mirror+


Attachments
 - PIN locked console message (1.75 KB, image/png), 2022-07-18 14:56 UTC, Scott Poore
 - PIN locked GDM message with sleep in pam (7.56 KB, image/png), 2022-07-18 14:57 UTC, Scott Poore


Links
 - GitHub SSSD issue 6153 (open): Provide user feedback when login fails due to blocked PIN; last updated 2022-05-10 14:41:53 UTC
 - Red Hat Product Errata RHBA-2022:8325; last updated 2022-11-15 11:17:49 UTC

Description Orion Poplawski 2021-03-08 17:52:18 UTC
Description of problem:

When attempting to login via gdm or tty with a YubiKey smartcard with a blocked PIN, you simply get an authentication failure message.  On Windows you get a helpful message indicating that the PIN is blocked.  We should do the same.

Version-Release number of selected component (if applicable):
sssd-2.3.0-9.el8.x86_64

Comment 2 Sumit Bose 2021-03-09 09:25:04 UTC
Hi,

thanks for the request. So far I was a bit reluctant about implementing this because it might disclose some information to an attacker. On the other hand any reasonable attacker should be able to check the wrong PIN counter and this information would help the legit user. Do you think it would be ok to show this information only with 'pam_verbosity = 2' (default is 1) or should it be shown by default? ('pam_verbosity' is explained in man sssd.conf).

bye,
Sumit

Comment 6 Orion Poplawski 2021-03-12 18:27:27 UTC
I'm not sure about pam_verbosity - I'll try running with 'pam_verbosity = 2' and see if that displays too much other information. Thanks for taking this up - it's a real pain dealing with smart card failures, and being able to quickly diagnose a blocked PIN is very helpful.

Comment 7 Alexey Tikhonov 2021-08-31 18:38:31 UTC
At this stage this RFE should target RHEL9. Once/if implemented, backport to RHEL8 might be considered.

Comment 11 Alexey Tikhonov 2022-05-16 18:07:25 UTC
Upstream PR: https://github.com/SSSD/sssd/pull/6162

Comment 13 Alexey Tikhonov 2022-06-21 11:41:28 UTC
Pushed PR: https://github.com/SSSD/sssd/pull/6162

* `master`
    * 5433961b932010c6cdbdc7ffe5be0d119aeac2ad - PAM: user feedback when login fails due to blocked PIN
    * f1195229e016e2a3e1a7358ff87954d573b1dcac - PAM P11: fixed minor mem-leak
    * 1ed59fb6e6a1f244b6954e689be10c213ffebed3 - PAM P11: fixed mistype in a log message
* `sssd-2-7`
    * f0609d82cfa70c388d11546bf336058cf385db25 - PAM: user feedback when login fails due to blocked PIN
    * aec973314d0483f8497c3c4bdcd6745bf6b80ede - PAM P11: fixed minor mem-leak
    * abc2ae569de04d30943b7965f174b84eb94cae97 - PAM P11: fixed mistype in a log message

Comment 23 Alexey Tikhonov 2022-07-11 11:24:14 UTC
So, state of the art.
sssd-2.7.3+ based package will ship a "partial" fix for this ticket:
 - there will be new `PAM_TEXT_INFO` message "PIN locked"
 - this already helps in case of console login
 - but in case of GDM this message is immediately replaced by the next auth failure message

We didn't figure out a trivial way to fix this issue completely from SSSD side. Perhaps it should be handled within gnome-shell (CC @rstrode).

Comment 35 Scott Poore 2022-07-18 14:55:09 UTC
Verified.

Version ::

sssd-2.7.3-1.el9.x86_64

Results ::

Normal smart card authentication for local config setup and used to manually test.

PIN locked using "pkcs11-tool -T --login" with a bad PIN a few times in a row.

Manually checking locked with nested su test:

# su - localuser1 -c 'su - localuser1 -c whoami'
PIN for MyEID (sctest): 
PIN locked

Can see log message as well from journalctl:

Jul 18 09:41:30 rhel9-0.example.test su[5041]: pam_sss(su-l:auth): User info message: PIN locked

Console login shows:

rhel9-0 login: localuser1
PIN for MyEID (sctest):
PIN locked
Login incorrect

rhel9-0 login:

Will attach a screenshot here as well since I had to type that manually.

Due to message timing and log level for the message, to see the message in GDM, we have to use a sleep workaround in /etc/pam.d/smartcard-auth:

auth        required                                     pam_env.so
auth        sufficient                                   pam_sss.so allow_missing_name
auth        optional                                     pam_exec.so /usr/bin/sleep 2
auth        required                                     pam_deny.so

Add the sleep after pam_sss.so like above.

Then in GDM, you can see the PIN locked message.  There is other work in gnome-shell that may address this in the future.

Note, in order to get the screenshot, I needed to extend the sleep to 10 seconds. Will attach screenshots after saving this comment.

Log message from journalctl:

Jul 18 09:54:07 rhel9-0.example.test gdm-smartcard][6367]: pam_sss(gdm-smartcard:auth): User info message: PIN locked
Jul 18 09:54:07 rhel9-0.example.test gdm-smartcard][6367]: pam_sss(gdm-smartcard:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=localuser1@shadowutils
Jul 18 09:54:07 rhel9-0.example.test gdm-smartcard][6367]: pam_sss(gdm-smartcard:auth): received for user localuser1@shadowutils: 7 (Authentication failure)

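An added example, not code from the bug report or from SSSD: it scans journal lines in the pam_sss format quoted above and separates authentication failures caused by a locked PIN from ordinary failures, so a helpdesk or log pipeline can flag cards that need unblocking rather than treating them as bad-PIN attempts. The sample lines are constructed from this comment's excerpts, plus one hypothetical failure for a second user (pid 6401) whose PIN is not locked.

```python
import re

# Constructed sample, modelled on the pam_sss journal lines quoted in this comment, plus one
# hypothetical gdm-smartcard failure (pid 6401) for a second user whose PIN is not locked.
SAMPLE_JOURNAL = """\
Jul 18 09:41:30 rhel9-0.example.test su[5041]: pam_sss(su-l:auth): User info message: PIN locked
Jul 18 09:54:07 rhel9-0.example.test gdm-smartcard][6367]: pam_sss(gdm-smartcard:auth): User info message: PIN locked
Jul 18 09:54:07 rhel9-0.example.test gdm-smartcard][6367]: pam_sss(gdm-smartcard:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=localuser1@shadowutils
Jul 18 09:54:07 rhel9-0.example.test gdm-smartcard][6367]: pam_sss(gdm-smartcard:auth): received for user localuser1@shadowutils: 7 (Authentication failure)
Jul 18 09:55:12 rhel9-0.example.test gdm-smartcard][6401]: pam_sss(gdm-smartcard:auth): authentication failure; logname= uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=localuser2@shadowutils
"""

# syslog prefix, then the pam_sss(<service>:auth) tag; the optional "\]?" tolerates the stray
# bracket gdm leaves in "gdm-smartcard][6367]".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[]+?)\]?\[(?P<pid>\d+)\]: "
    r"pam_sss\((?P<svc>[^:]+):auth\): (?P<msg>.*)$"
)
USER_RE = re.compile(r"\buser=(?P<user>\S+)")
PIN_LOCKED_MSG = "User info message: PIN locked"

def parse_line(line):
    """Split one journal line into its fields, or return None if it is not pam_sss output."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def find_blocked_pin_logins(journal_text):
    """One record per PAM conversation (service, pid) that ended in an authentication
    failure; pin_locked is True when pam_sss reported 'PIN locked' earlier in it."""
    pending = {}  # (service, pid) -> timestamp of the 'PIN locked' info message
    results = []
    for line in journal_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["svc"], ev["pid"])
        if ev["msg"] == PIN_LOCKED_MSG:
            pending[key] = ev["ts"]
        elif ev["msg"].startswith("authentication failure;"):
            um = USER_RE.search(ev["msg"])
            results.append({"time": ev["ts"], "service": ev["svc"], "pid": ev["pid"],
                            "user": um.group("user") if um else "<unknown>",
                            "pin_locked": pending.pop(key, None) is not None})
    # Conversations that reported a locked PIN but logged no failure line (the su case above).
    for (svc, pid), ts in pending.items():
        results.append({"time": ts, "service": svc, "pid": pid,
                        "user": "<unknown>", "pin_locked": True})
    return results
```

Feed it `journalctl -o short --no-pager -t gdm-smartcard -t su` output (or any journal export in the same syslog-style layout) to list locked-PIN failures separately from other pam_sss failures.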
Comment 36 Scott Poore 2022-07-18 14:56:21 UTC
Created attachment 1897944 [details]
PIN locked console message

Comment 37 Scott Poore 2022-07-18 14:57:10 UTC
Created attachment 1897945 [details]
PIN locked GDM message with sleep in pam

Comment 40 errata-xmlrpc 2022-11-15 11:17:20 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (sssd bug fix and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:8325

