Description of problem: When a USB smartcard reader is removed from a system when a smartcard is inserted, the screen does not lock. Version-Release number of selected component (if applicable): gdm-40.0-23.el8.x86_64 How reproducible: 100% Steps to Reproduce: 1. Configure authselect with options "--with smartcard --with-mkhomedir - with-smartcard-lock-on-removal". 2. Enroll a user with a smartcard and log them in to GNOME. 3. Remove the smartcard reader with the user's smartcard inside it. Actual results: Screen fails to lock. Expected results: Screen doesn't lock. Additional info: - This was observed on a customer system using an SCR3310 USB smartcard reader, but is consistent across all USB smartcard readers.
We see this issue too. Any suggestions for a work-around would be appreciated. -- Steve Ross
Moving to OpenSC, as this is most likely an issue on our side. Marek checked the RHEL9 OpenSC works as expected (will check if the card works again after the reader removal again). For now, we do not have a workaround (except for the update to RHEL9), but we will consider if we will be able to backport the changes to RHEL8 or do the rebase to newer version.
Jakub Jelen wrote: > Moving to OpenSC, as this is most likely an issue on our side. I have reproduced this issue on both a RHEL8.6 EUS machine, which uses OpenSC, and another platform (based on RHEL8.6) which uses a different PKCS #11 module. So, I question whether this is an issue with OpenSC or with, for example, (just speculating) "gsd-smartcard". In the next couple of days, I can plan to try the other module on the stock RHEL8.6 machine. -- Steve Ross
Marek mentioned in the private comment that this works with RHEL9, which has newer OpenSC and I vaguely remember fixing some related bugs in the OpenSC upstream. Another data-point to verify would be trying the new OpenSC 0.23.0 (for example from the below copr) on RHEL8.6 if it will work or not: https://copr.fedorainfracloud.org/coprs/jjelen/opensc-latest/ If you could test it on stock RHEL 8.6 machine with the new OpenSC, it would be very appreciated.
I wrote: > In the next couple of days, I can plan to try the other module on the stock RHEL8.6 machine. I did try the other PKCS #11 module on the stock RHEL8 EUS machine. Like the stock "opensc-0.20.0-4.el8" package, the other module (correctly) locks the screen when I remove the smart card (used for authentication) from the reader, and (incorrectly) leaves the screen unlocked when I unplugged the reader+card together. So, this would lead me to believe that the issue is outside of the PKCS #11 module. Jakub wrote: > Marek mentioned in the private comment that this works with RHEL9, which has newer OpenSC > and I vaguely remember fixing some related bugs in the OpenSC upstream. > Another data-point to verify would be trying the new OpenSC 0.23.0 > (for example from the below copr) on RHEL8.6 if it will work or not: > > https://copr.fedorainfracloud.org/coprs/jjelen/opensc-latest/ > > If you could test it on stock RHEL 8.6 machine with the new OpenSC, it would be very appreciated. I installed "opensc-0.23.0-2.el8" from your site on the RHEL 8.6 machine. It (correctly) locks the screen when I remove the smart card, and (correctly!!) locks the screen when I unplugged the reader+card combination. I did *not* expect correct operation for reader+card; that points to some issue with both older the module(s).
Thank you for double-checking!
Jakub wrote: > Thank you for double-checking! You are welcome. And earlier wrote: > I vaguely remember fixing some related bugs in the OpenSC upstream. This is a low-priority request (so feel free to ignore it), but I am curious about which bugs these are. My searching skills for issues/Pull Requests on GitHub in OpenSC/OpenSC were not sufficient for me to find them.
There was a lot of changes regarding the token/card/reader removal and reinsertion over the last couple of years. I thought it was something I was fixing, but it looks like the first merge request for this particular issue was this one (but it looks like it should already have been in 0.20.0 which is in RHEL8): https://github.com/OpenSC/OpenSC/pull/1615 There were many changes how the pcscd events are handled since then: https://github.com/OpenSC/OpenSC/pull/1970 https://github.com/OpenSC/OpenSC/pull/1923 https://github.com/OpenSC/OpenSC/pull/2051 https://github.com/OpenSC/OpenSC/pull/2077 https://github.com/OpenSC/OpenSC/pull/2418 https://github.com/OpenSC/OpenSC/pull/2600 I might have missed some though.
Jakub wrote: > There was a lot of changes regarding the token/card/reader removal and reinsertion over the last couple of years. Thank you for the list!
The current patch for RHEL 8 contains the changes from upstream for this change: # changes related to the reader handling https://github.com/OpenSC/OpenSC/commit/31d8c2dfd14ed01b430def2f46cc718ef4b595fc https://github.com/OpenSC/OpenSC/commit/8f4a6c703b5ae7d4f44cf33c85330171afa917bf https://github.com/OpenSC/OpenSC/pull/1970 (without the first and last commits) https://github.com/OpenSC/OpenSC/pull/1923 https://github.com/OpenSC/OpenSC/pull/2051 https://github.com/OpenSC/OpenSC/pull/2077 https://github.com/OpenSC/OpenSC/pull/2418 https://github.com/OpenSC/OpenSC/pull/2600 https://github.com/OpenSC/OpenSC/commit/c2e00e9071952b30ed6d58d9b7670eb3d93ea6fb https://github.com/OpenSC/OpenSC/pull/2740 # OpenSC notify build issues https://github.com/OpenSC/OpenSC/commit/5e79a2a4abdd523cfff19824718bbb0d8ced7320 https://github.com/OpenSC/OpenSC/commit/843779fe6e0f345f483f9ce9c9739913502391eb https://github.com/OpenSC/OpenSC/commit/7936bdef15c71139a6a6159cabaf9e6101565add https://github.com/OpenSC/OpenSC/commit/1202eceeefd5ffab45648d41ed0a3076cac10920 we still have an upstream PR in progress to capture hopefully last corner case, but I will probably not wait for that one. They are available in the following PR (including a scratch build): https://gitlab.com/redhat/centos-stream/rpms/opensc/-/merge_requests/8 I will give it some more testing later this or next week.