Bug 210827 - gdm sometimes displays "Authentication Failed" when removing smart card
Summary: gdm sometimes displays "Authentication Failed" when removing smart card
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: gdm
Version: 5.0
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Ray Strode [halfline]
QA Contact:
Whiteboard: RHEL5.0NACK
Keywords: Reopened
: 215859 (view as bug list)
Depends On:
Blocks: 229988 439467
TreeView+ depends on / blocked
Reported: 2006-10-15 22:16 UTC by Ray Strode [halfline]
Modified: 2008-06-17 13:28 UTC (History)
2 users (show)

Clone Of:
Last Closed: 2008-05-21 16:00:53 UTC

Attachments (Terms of Use)

External Trackers
Tracker ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2008:0398 normal SHIPPED_LIVE gdm bug fix update 2008-05-19 23:09:06 UTC

Description Ray Strode [halfline] 2006-10-15 22:16:23 UTC
I just removed my smart card at the gdm login screen and an "Authentication
Failed" dialog popped up.  GDM under some circumstances must not realize that
the pam failure that results from doing a cancellation of the conversation isn't
really a failure.

Comment 1 Ray Strode [halfline] 2006-10-16 03:03:21 UTC
It looks like the slave is somehow getting out of sync with the greeter.

what's happening is, when I remove my smart card a cancel request is sent and
everything is cancelled.  The slave event loop iterates a begins a new pam
conversation.  pam_pkcs11 asks for a password, and the slave then asks the
greeter to ask the user for a password.  At this point, it looks like the
greeter is responding with some sort of empty string response that the slave
then passes on to pam_pkcs11 and things fail from there.  the reponse is either
just a newline '\n' or maybe a string of NUL chars.  I'm not sure yet.

Comment 2 RHEL Product and Program Management 2006-10-24 21:37:49 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux major release.  Product Management has requested further
review of this request by Red Hat Engineering, for potential inclusion in a Red
Hat Enterprise Linux Major release.  This request is not yet committed for

Comment 3 Benjamin Kahn 2006-11-17 19:54:10 UTC
*** Bug 215859 has been marked as a duplicate of this bug. ***

Comment 4 Chandrasekar Kannan 2006-11-21 18:18:16 UTC
per bug council on 11/17.

not a rhel5 blocker.
targeted for rhel5 rc's

Comment 5 Chandrasekar Kannan 2007-03-20 04:48:06 UTC
per the last bug meeting, we decided this would be fixed in the rhel 5.1 release. 

Comment 6 Bob Lord 2007-03-28 17:47:05 UTC
This bug was proposed for RHEL 5, but wasn't resolved in time.
    devel_ack+ for RHEL 5.1.

Comment 7 RHEL Product and Program Management 2007-06-05 20:51:49 UTC
This request was evaluated by Red Hat Product Management for
inclusion in a Red Hat Enterprise Linux release.  Since this
bugzilla is in a component that is not approved for the current
release, it has been closed with resolution deferred.  You may
reopen this bugzilla for consideration in the next release.

Comment 9 RHEL Product and Program Management 2007-10-22 18:24:56 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 13 Ray Strode [halfline] 2008-01-17 20:55:31 UTC
i can reproduce this.  devack.

Comment 14 Ray Strode [halfline] 2008-01-18 23:06:11 UTC
should be fixed in gdm-2.16.0-40.el5

Happens if you pull the card out while the pam_pkcs11 is initially connecting to
it (before it puts up the Password prompt).

marking MODIFIED for QA

Comment 16 Chandrasekar Kannan 2008-03-13 22:18:46 UTC
Ok. This is what I did to reproduce the problem. 

(1) rhel 5.2 beta - x86 build.
(2) at the gdm login screen. Insert/remove an enrolled card. 
Tried atleast 15 times. 

Never saw the "Authentication Failed" message. 

Ray, Is this good enough verification ?. You didn't mention how to managed
to reproduce the problem. Any tips/hints ?

Comment 17 Chandrasekar Kannan 2008-03-13 22:21:36 UTC
ok. Saw these notes in the errata. 
bug 210827:

1) configure system for smart card/username-password login
2) go to login screen
3) insert smart card
4) while the text entry field is grayed out and you see 3 dots (this is when
pam_pkcs11 is connecting to the card), remove the smart card

If the timing is right, you'll get an "Authentication Failed" message with the
old packages, but not with the new ones

Comment 18 Chandrasekar Kannan 2008-03-13 22:23:47 UTC
So I tried the steps mentioned in comment #17. Exactly when I see the ...(3dots), 
I pulled out the smart card. After that the gdm login screen is unable to
recognize insertion/removal events. 

re-assigning back to Ray to see why ...

Comment 19 Chandrasekar Kannan 2008-03-13 22:27:57 UTC
says "should be fixed in gdm-2.16.0-40.el5". I have exactly that version.

Comment 23 Chandrasekar Kannan 2008-03-26 20:44:54 UTC
same as comment #18. back to ray...

Comment 24 Chandrasekar Kannan 2008-03-26 22:05:32 UTC
ray enabled gdm debug logging and I wasn't able to reproduce this problem. 
Feels like this is very much related to timing. Ray will continue to investigate

Comment 25 Ray Strode [halfline] 2008-03-28 18:49:55 UTC
So, I spent some time banging on this yesterday, while talking to Chandra, Jack
and Bob on irc.

I couldn't reproduce the problem Chandra is seeing exactly (not surprising since
it's apparently timing related), but there is another similiar issue we ran into.

If you remove and insert the card 32 times (that is 16 removes and 16 inserts)
then PK11_IsPresent() from that point on will always return false which means
neither gdm nor pam_pkcs11 will see the card inserted anymore.

At any rate, that problem and Chandra's problem in comment 18 are independent of
the original issue, so we should file them as separate bugs (tentatively against
pcsc-lite i guess until we figure out where in the stack the problem is).

Those issues aren't likely to get resolved for 5.2 since they're problems with
components not on the approved component list and it's so late in the
development cycle.

Comment 26 Ray Strode [halfline] 2008-03-28 18:54:34 UTC
I've filed bug 439467 to cover the lost card status issues.

Comment 27 Chandrasekar Kannan 2008-03-29 00:30:38 UTC
Ray - over IRC u asked ...
<halfline> chandra, for bug 210827 can you reproduce Authentication Failed with
GA gdm and not get it anymore with the new packages?

(1) I installed rhel 5.1 GA. I'm not able to reproduce the "auth failed"
dialog box pop-up. I tried the hell out of it. 

(2) Did the same with rhel 5.2 beta (0326.0), i'm unable to try to reproduce
this problem, because if I try to pull the card out when the 3dots display, gdm
stop recognizing the card afterwards. 

So, I'm kinda stuck here...

Comment 28 Ray Strode [halfline] 2008-03-29 04:23:32 UTC
if you can't reproduce the original problem with the old packages then I don't
know what else we can do.

Can you try on a different hardware configuration?  I reproduced the problem in
qemu initially, so maybe try on slower hardware or through vmware?

Comment 29 Chandrasekar Kannan 2008-03-31 17:31:36 UTC
trying vmware now

Comment 30 Chandrasekar Kannan 2008-03-31 18:29:15 UTC
Ok. I tried this too.

rhel5 u1 64bit vm ( under vmware ). 
removed the card as soon as I saw the 3dots upon card insertion. 
tried about 15 times. 
unable to reproduce the original problem.

Comment 31 Ray Strode [halfline] 2008-03-31 18:57:41 UTC
Okay, it's unfortunate that I'm the only one who's seen this problem.  I can
confirm the patch fixes the issue for me, however.

Since there is no customer reports of this problem and the issue is something
that rarely shows up, we shouldn't spend too much more time on this bug.

Since the original reporter (ah hem, me) has confirmed the problem is addressed
with the latest packages we should probably mark it VERIFIED by reporter.

It's a bit unfortunate we can't reproduce, but this is probably the best we can
do I guess.

Okay with you Chandra?

Comment 32 Chandrasekar Kannan 2008-03-31 19:01:50 UTC
Ray, I'm fine with this.

Comment 34 errata-xmlrpc 2008-05-21 16:00:53 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.


Note You need to log in before you can comment on or make changes to this bug.