Bug 2097048 - Screen does not lock when smartcard reader is removed with smartcard inserted
Summary: Screen does not lock when smartcard reader is removed with smartcard inserted
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: opensc
Version: 8.6
Hardware: x86_64
OS: Linux
Priority: medium
Severity: medium
Target Milestone: rc
Target Release: 8.9
Assignee: Jakub Jelen
QA Contact: Marek Havrila
Docs Contact: Mirek Jahoda
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2022-06-14 19:21 UTC by Andrew Mike
Modified: 2023-11-14 18:12 UTC

Fixed In Version: opensc-0.20.0-5.el8
Doc Type: Bug Fix
Doc Text:
.The automatic screen lock now works correctly even when a USB smart-card reader is removed

Before RHEL 8.9, the `opensc` packages incorrectly handled removing USB smart-card readers. Consequently, the system remained unlocked even if the GNOME Display Manager (GDM) was configured to lock the screen when a smart card was removed. Furthermore, after reconnecting the USB reader, the screen also did not lock after removing the smart card. In this release, the code for handling removals of USB smart-card readers has been fixed. As a result, the screen is correctly locked even when a smart card or a USB smart-card reader is removed.
Clone Of:
Environment:
Last Closed: 2023-11-14 15:51:11 UTC
Type: Bug
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker CRYPTO-9631 0 None None None 2023-02-28 14:07:24 UTC
Red Hat Issue Tracker RHELPLAN-125284 0 None None None 2022-06-14 19:57:25 UTC
Red Hat Product Errata RHSA-2023:7160 0 None None None 2023-11-14 15:51:16 UTC

Description Andrew Mike 2022-06-14 19:21:18 UTC
Description of problem: When a USB smartcard reader is removed from a system when a smartcard is inserted, the screen does not lock.

Version-Release number of selected component (if applicable):
gdm-40.0-23.el8.x86_64

How reproducible: 100%

Steps to Reproduce:
1. Configure authselect with options "--with smartcard --with-mkhomedir - with-smartcard-lock-on-removal".
2. Enroll a user with a smartcard and log them in to GNOME.
3. Remove the smartcard reader with the user's smartcard inside it.

Actual results: Screen fails to lock.

Expected results: Screen doesn't lock.

Additional info:
- This was observed on a customer system using an SCR3310 USB smartcard reader, but is consistent across all USB smartcard readers.

Comment 4 Steve Ross 2023-02-22 23:19:12 UTC
We see this issue too.  Any suggestions for a work-around would be appreciated. -- Steve Ross

Comment 7 Jakub Jelen 2023-02-28 12:25:46 UTC
Moving to OpenSC, as this is most likely an issue on our side.

Marek checked that the RHEL9 OpenSC works as expected (will check if the card works again after the reader removal). For now, we do not have a workaround (except for the update to RHEL9), but we will consider whether we will be able to backport the changes to RHEL8 or do a rebase to a newer version.

Comment 8 Steve Ross 2023-02-28 16:20:45 UTC
Jakub Jelen wrote:
> Moving to OpenSC, as this is most likely an issue on our side.

I have reproduced this issue on both a RHEL8.6 EUS machine, which uses OpenSC, and another platform (based on RHEL8.6) which uses a different PKCS #11 module.  So, I question whether this is an issue with OpenSC or with, for example, (just speculating) "gsd-smartcard".

In the next couple of days, I can plan to try the other module on the stock RHEL8.6 machine.

-- Steve Ross

Comment 9 Jakub Jelen 2023-03-01 15:52:20 UTC
Marek mentioned in the private comment that this works with RHEL9, which has newer OpenSC and I vaguely remember fixing some related bugs in the OpenSC upstream. Another data-point to verify would be trying the new OpenSC 0.23.0 (for example from the below copr) on RHEL8.6 if it will work or not:

https://copr.fedorainfracloud.org/coprs/jjelen/opensc-latest/

If you could test it on stock RHEL 8.6 machine with the new OpenSC, it would be very appreciated.

Comment 10 Steve Ross 2023-03-03 22:59:28 UTC
I wrote:
> In the next couple of days, I can plan to try the other module on the stock RHEL8.6 machine.

I did try the other PKCS #11 module on the stock RHEL8 EUS machine.  Like the stock "opensc-0.20.0-4.el8" package, the other module (correctly) locks the screen when I remove the smart card (used for authentication) from the reader, and (incorrectly) leaves the screen unlocked when I unplugged the reader+card together.  So, this would lead me to believe that the issue is outside of the PKCS #11 module.

Jakub wrote:
> Marek mentioned in the private comment that this works with RHEL9, which has newer OpenSC
> and I vaguely remember fixing some related bugs in the OpenSC upstream. 
> Another data-point to verify would be trying the new OpenSC 0.23.0 
> (for example from the below copr) on RHEL8.6 if it will work or not:
>
> https://copr.fedorainfracloud.org/coprs/jjelen/opensc-latest/
>
> If you could test it on stock RHEL 8.6 machine with the new OpenSC, it would be very appreciated.

I installed "opensc-0.23.0-2.el8" from your site on the RHEL 8.6 machine.  It (correctly) locks the screen when I remove the smart card, and (correctly!!) locks the screen when I unplugged the reader+card combination.  I did *not* expect correct operation for reader+card; that points to some issue with both the older module(s).

Comment 11 Jakub Jelen 2023-03-06 07:02:24 UTC
Thank you for double-checking!

Comment 12 Steve Ross 2023-03-06 17:34:37 UTC
Jakub wrote:
> Thank you for double-checking!
You are welcome.

And earlier wrote:
> I vaguely remember fixing some related bugs in the OpenSC upstream.
This is a low-priority request (so feel free to ignore it), but I am curious about which bugs these are.  My searching skills for issues/Pull Requests on GitHub in OpenSC/OpenSC were not sufficient for me to find them.

Comment 13 Jakub Jelen 2023-03-07 10:16:32 UTC
There were a lot of changes regarding the token/card/reader removal and reinsertion over the last couple of years. I thought it was something I was fixing, but it looks like the first merge request for this particular issue was this one (but it looks like it should already have been in 0.20.0 which is in RHEL8):

https://github.com/OpenSC/OpenSC/pull/1615

There were many changes in how the pcscd events are handled since then:

https://github.com/OpenSC/OpenSC/pull/1970
https://github.com/OpenSC/OpenSC/pull/1923
https://github.com/OpenSC/OpenSC/pull/2051
https://github.com/OpenSC/OpenSC/pull/2077
https://github.com/OpenSC/OpenSC/pull/2418
https://github.com/OpenSC/OpenSC/pull/2600

I might have missed some though.

Comment 14 Steve Ross 2023-03-07 14:37:42 UTC
Jakub wrote:
> There were a lot of changes regarding the token/card/reader removal and reinsertion over the last couple of years.
Thank you for the list!

Comment 24 errata-xmlrpc 2023-11-14 15:51:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Low: opensc security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:7160
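
A host-side check for the fix discussed in this report, as an added example that is not part of the bug report or Red Hat's tooling: it compares an `opensc` build string against the "Fixed In Version" value above. The function names `vr_cmp` and `opensc_status` are hypothetical, and the comparison is a simplified form of RPM's version ordering (no epoch, `~` or `^` handling).

```sh
#!/bin/sh
# Added example (not Red Hat's code): does an opensc build include the
# reader-removal fix from this bug? Version strings are the ones quoted above.
FIXED_VR="0.20.0-5.el8"    # "Fixed In Version" field of this report

# Simplified rpmvercmp: walk both strings one segment at a time (a run of
# digits or a run of letters). Prints -1, 0 or 1.
vr_cmp() {
    local a="$1" b="$2" x y
    while [ -n "$a" ] || [ -n "$b" ]; do
        a="${a#"${a%%[A-Za-z0-9]*}"}"    # drop leading separators (. - _)
        b="${b#"${b%%[A-Za-z0-9]*}"}"
        [ -z "$a" ] && [ -z "$b" ] && break
        [ -z "$a" ] && { echo "-1"; return; }
        [ -z "$b" ] && { echo "1"; return; }
        x="${a%%[!0-9]*}"; y="${b%%[!0-9]*}"        # leading digit runs, if any
        if [ -n "$x" ]; then                        # a starts with a number
            [ -n "$y" ] || { echo "1"; return; }    # digits sort above letters
            [ "$x" -gt "$y" ] && { echo "1"; return; }
            [ "$x" -lt "$y" ] && { echo "-1"; return; }
        else                                        # a starts with letters
            [ -z "$y" ] || { echo "-1"; return; }
            x="${a%%[!A-Za-z]*}"; y="${b%%[!A-Za-z]*}"
            [ "$x" \> "$y" ] && { echo "1"; return; }
            [ "$x" \< "$y" ] && { echo "-1"; return; }
        fi
        a="${a#"$x"}"; b="${b#"$y"}"                # consume the equal segment
    done
    echo "0"
}

# Takes `rpm -q opensc` style output, with or without the architecture
# suffix, and prints "fixed" or "affected".
opensc_status() {
    local vr="${1#opensc-}"
    case "$vr" in
        *.x86_64|*.aarch64|*.ppc64le|*.s390x|*.i686) vr="${vr%.*}" ;;
    esac
    if [ "$(vr_cmp "$vr" "$FIXED_VR")" -ge 0 ]; then echo fixed; else echo affected; fi
}

# Builds named in this report; on a live host pass "$(rpm -q opensc)" instead.
for pkg in opensc-0.20.0-4.el8 opensc-0.20.0-5.el8.x86_64 opensc-0.23.0-2.el8; do
    printf '%-28s %s\n' "$pkg" "$(opensc_status "$pkg")"
done
```

A "fixed" result only covers the package version; the lock-on-removal behaviour still has to be enabled through authselect as in the reproduction steps.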

