Bug 1983683 - pam rpm delivered smartcard-auth contains pam_pkcs11.so that is known to be removed in RHEL 8
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: pam
Version: 8.3
Hardware: All
OS: Linux
low
medium
Target Milestone: beta
Assignee: Iker Pedrosa
QA Contact: Anuj Borah
Reported: 2021-07-19 13:43 UTC by Chetan Patil
Modified: 2023-07-12 14:01 UTC

Fixed In Version: pam-1.3.1-26.el8
Type: Bug

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker SSSD-3694 0 None None None 2021-08-04 12:03:49 UTC

Description Chetan Patil 2021-07-19 13:43:16 UTC
Description of problem:

pam_pkcs11.so is deprecated in RHEL 8.

But pam_pkcs11 can still be seen in the configuration file.

Version-Release number of selected component (if applicable):

RHEL 8.4

How reproducible:


Steps to Reproduce:
1. # sudo rm -f /etc/pam.d/smartcard-auth

2. # sudo yum reinstall pam

3. # cat /etc/pam.d/smartcard-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authselect is run.
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card                                         <=== Module can be seen
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     required      pam_permit.so

password    optional      pam_pkcs11.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Actual results:

auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card  can be seen in configuration file.

Expected results:
The line below should not be seen in /etc/pam.d/smartcard-auth:
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card 

Additional info:

Comment 1 Iker Pedrosa 2021-07-19 13:59:15 UTC
Can I have a look at the announcement that pam_pkcs11 will be removed in RHEL8?

Comment 2 Chetan Patil 2021-07-19 15:36:12 UTC
Following are the documents for the same:

https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/upgrading_from_rhel_7_to_rhel_8/troubleshooting_upgrading-from-rhel-7-to-rhel-8#known-issues_troubleshooting

In the above document there is an Important note that states pam_pkcs11 is deprecated:

~~~
During the in-place upgrade, the deprecated pam_krb5 or pam_pkcs11 pluggable authentication modules (PAM) are removed. Consequently, if the PAM configuration on your RHEL 7 system contains the pam_krb5 or pam_pkcs11 modules and if these modules have the required or requisite control values, performing the in-place upgrade might result in locking you out of the system. To work around this problem, reconfigure your RHEL 7 system to not use pam_krb5 or pam_pkcs11 before you start the upgrade process.
~~~



https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/considerations_in_adopting_rhel_8/index#package-replacements_changes-to-packages

Comment 3 Iker Pedrosa 2021-07-20 07:22:53 UTC
Good catch! Thank you.

I guess it also affects Fedora and RHEL9.
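
Added example (not part of the bug report or of the pam package): a check for the condition discussed in the description and in comment 2, namely PAM entries that reference a module which is no longer installed, ranked by whether the control value would fail the stack. The names audit, fails_stack, SAMPLE and INSTALLED are hypothetical; the severity model (an unloadable module counts as a failed call, and a leading "-" on the type marks the entry as tolerated when the module is missing) is a simplifying assumption.

```python
import re

# Constructed sample: entries copied from the smartcard-auth file in the report.
SAMPLE = """\
#%PAM-1.0
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
auth        required      pam_deny.so
password    optional      pam_pkcs11.so
-session     optional      pam_systemd.so
"""
# Assumption: names found in the PAM module directory of the audited host.
INSTALLED = {"pam_env.so", "pam_deny.so", "pam_unix.so"}

ENTRY = re.compile(
    r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def fails_stack(control):
    """True if a failing module under this control value fails the stack."""
    if control in ("required", "requisite"):
        return True
    if control.startswith("["):
        pairs = [kv.split("=", 1) for kv in control.strip("[]").split() if "=" in kv]
        actions = dict(pairs)
        # Assumption: the failure is matched by module_unknown= if given,
        # otherwise by default=; an unspecified default is treated as bad.
        action = actions.get("module_unknown", actions.get("default", "bad"))
        return action in ("bad", "die")
    return False  # sufficient, optional

def audit(text, installed):
    """Return (line number, type, module, severity) for each missing module."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # comments, blank lines, anything that is not an entry
        silent, mtype, control, module = m.groups()
        name = module.rsplit("/", 1)[-1]  # accept absolute module paths too
        if control in ("include", "substack") or name in installed:
            continue
        if silent:
            severity = "tolerated"      # "-" prefix: missing module accepted
        elif fails_stack(control):
            severity = "lockout-risk"   # stack fails once the module is gone
        else:
            severity = "stale"          # dead reference, stack still passes
        findings.append((lineno, mtype, name, severity))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, INSTALLED):
        print("line %d: %s %s -> %s" % finding)
```

On a real host, pass the contents of each file under /etc/pam.d and the listing of the module directory (assumed to be /usr/lib64/security on x86_64 RHEL) instead of the constructed values.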

