Bug 444040 - Can't gain privileges in gnome when smart card is inserted
Product: Fedora
Classification: Fedora
Component: pam_pkcs11
Hardware: All Linux
Priority: low, Severity: low
Assigned To: Bob Relyea
QA Contact: Fedora Extras Quality Assurance
Reported: 2008-04-24 14:30 EDT by Matt Anderson
Modified: 2008-04-25 09:22 EDT
Doc Type: Bug Fix
Last Closed: 2008-04-25 09:22:45 EDT

Attachments
system-auth pam config file (1.14 KB, text/plain)
2008-04-25 08:57 EDT, Matt Anderson

Description Matt Anderson 2008-04-24 14:30:27 EDT
Description of problem:
I've got a CAC USB token that I use for some remote authentication.  I've got
Coolkey and pam_pkcs11 installed, but have not set up pam_pkcs11 to locally
authenticate with my token yet.  When I have the token in and I get prompted to
authenticate as root in gnome, pup for example, instead of getting the root
password prompt I get a smart card pin request.  I can correctly provide my pin,
but since this isn't set up to map to root I still never get the correct

Version-Release number of selected component (if applicable):

How reproducible:
Whenever the token is installed, never when it's not.

Steps to Reproduce:
1. Boot up and login normally
2. Install the USB token in any regular USB slot
3. Attempt to gain privs in gnome

Actual results:
Authentication is requested, but not suitable authentication to allow the action.

Expected results:
Authentication to allow the action should be requested by the system.

Additional info:
I haven't set up pam_pkcs11, so any config files related to that should be the
defaults from an `rpm -Uvh ...`

Comment 1 Bob Relyea 2008-04-24 16:58:04 EDT
Which applications are failing, and how did you turn smart cards on?

The auth-config application is supposed to set this up. It's supposed to require
smartcard login for the login applications (gdm, login, etc), but not others
(like su). It sounds like the app you are using is either looking at the wrong
pam config file, or we are including pam_pkcs11 in the wrong config file.


Comment 2 Matt Anderson 2008-04-24 17:16:33 EDT
I've mainly enabled smart cards by setting up Firefox and Thunderbird to use
coolkey as a Security Device.  I can't think of any other configuration I did on
my system.

I've never used authconfig on this system.

/bin/su still works fine, as does sudo, which is generally how I administer my
system, but when that token is installed the Gnome password dialog only ever
asks questions about my pin.  I get this dialog when pup finds new updates, and
also when I try to launch anything under System -> Administration.

pup and pirut both include config-util in /etc/pam.d
config-util includes system-auth for auth
system-auth has the line:
auth        sufficient    pam_pkcs11.so debug

I did an rpm -V pam_pkcs11 and noticed that I had modified
/etc/pam_pkcs11/pam_pkcs11.conf and /etc/pam_pkcs11/pkcs11_eventmgr.conf but I
just rpm -e pam_pkcs11 and yum installed it again (0.5.3-25) and now all the
files are unmodified and I am still seeing the same behavior.
Comment 3 Bob Relyea 2008-04-24 17:53:35 EDT
Ray, do you know how pup and pirut are doing their authentication and who we
should talk to about fixing their pam service? It seems they are reusing gdm or

Comment 4 Tomas Mraz 2008-04-25 03:01:27 EDT
Matt, can you please attach the complete /etc/pam.d/system-auth here?

Although I'm curious what added pam_pkcs11.so there when you say that you never
run authconfig.
Comment 5 Matt Anderson 2008-04-25 08:57:48 EDT
Created attachment 303778
system-auth pam config file
Comment 6 Matt Anderson 2008-04-25 09:20:01 EDT
I don't think the attached file reflects the original system-auth that I had at
the time of reporting this bug.  Since then I have definitely run the System ->
Administration -> Authentication tool.  Now I am not seeing the issue, so I must
have generated a bad pam config before, and now that I have a corrected one the
issue is gone.

Comment 7 Tomas Mraz 2008-04-25 09:22:45 EDT
Yes, the pam_succeed_if above the pam_pkcs11 causes PAM to skip it for the
services which are not mentioned in the list.
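
Added example (not part of the bug thread, and not code from authconfig or pam_pkcs11): a small Python check of the behaviour described in Comment 7, contrasting an unguarded pam_pkcs11 line like the one quoted in Comment 2 with a stack where a pam_succeed_if service test sits above it. Both stacks are constructed samples, not the reporter's attachment; the service list and the assumption that the PAM service name is `pup` are illustrative.

```python
import re

# Constructed sample stacks (assumptions; the real attachment is not shown on the page).
UNGUARDED = """\
auth        required      pam_env.so
auth        sufficient    pam_pkcs11.so debug
auth        sufficient    pam_unix.so nullok try_first_pass
"""
GUARDED = """\
auth        required      pam_env.so
auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm quiet use_uid
auth        sufficient    pam_pkcs11.so
auth        sufficient    pam_unix.so nullok try_first_pass
"""

AUTH_LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth(text):
    """Yield (control, module, args) for every 'auth' line, ignoring comments."""
    for line in text.splitlines():
        m = AUTH_LINE.match(line.split("#", 1)[0].strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).split()

def pkcs11_reached(text, service):
    """Return True if pam_pkcs11.so would be invoked for the given PAM service.

    Only the pam_succeed_if 'service in/notin' test with a [success=N] jump is
    modelled; 'include' lines and the results of other modules are not simulated.
    """
    skip = 0
    for control, module, args in parse_auth(text):
        if skip:                      # still inside a jump taken by pam_succeed_if
            skip -= 1
            continue
        name = module.rsplit("/", 1)[-1]
        if name == "pam_pkcs11.so":
            return True
        jump = re.search(r"success=(\d+)", control)
        if name != "pam_succeed_if.so" or not jump or "service" not in args:
            continue
        i = args.index("service")
        if len(args) < i + 3 or args[i + 1] not in ("in", "notin"):
            continue
        listed = service in args[i + 2].split(":")
        if listed == (args[i + 1] == "in"):   # condition true: skip N modules
            skip = int(jump.group(1))
    return False

if __name__ == "__main__":
    for svc in ("pup", "gdm"):
        print(svc, pkcs11_reached(UNGUARDED, svc), pkcs11_reached(GUARDED, svc))
```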
