Description of problem:
I've got a CAC usb token that I use for some remote authentication. I've got Coolkey and pam_pkcs11 installed, but have not set up pam_pkcs11 to locally authenticate with my token yet. When I have the token in and I get prompted to authenticate as root in gnome, pup for example, instead of getting the root password prompt I get a smart card pin request. I can correctly provide my pin, but since this isn't set up to map to root I still never get the correct authorization.

Version-Release number of selected component (if applicable):
coolkey-1.1.0-5.fc8
pam_pkcs11-0.5.3-25

How reproducible:
Whenever the token is installed, never when it's not.

Steps to Reproduce:
1. Boot up and login normally
2. Install the USB token in any regular USB slot
3. Attempt to gain privs in gnome

Actual results:
Authentication is requested, but not suitable authentication to allow the action.

Expected results:
Authentication to allow the action should be requested by the system.

Additional info:
I haven't set up pam_pkcs11, so any config files related to that should be the defaults from an `rpm -Uvh ...`

Which applications are failing, and how did you turn smart cards on? The auth-config application is supposed to set this up. It's supposed to require smartcard login for the login applications (gdm, login, etc), but not others (like su). It sounds like the app you are using is either looking at the wrong pam config file, or we are including pam_pkcs11 in the wrong config file.
bob
I've mainly enabled smart cards by setting up Firefox and Thunderbird to use coolkey as a Security Device. I can't think of any other configuration I did on my system. I've never used authconfig on this system.
/bin/su still works fine, as does sudo, which is generally how I administer my system, but when that token is installed the Gnome password dialog only ever asks questions about my pin. I get this dialog when pup finds new updates, and also when I try to launch anything under System -> Administration.
pup and pirut both include config-util in /etc/pam.d
config-util includes system-auth for auth
system-auth has the line:
    auth sufficient pam_pkcs11.so debug config_file=/etc/pam_pkcs11/pam_pkcs11.conf
I did an rpm -V pam_pkcs11 and noticed that I had modified /etc/pam_pkcs11/pam_pkcs11.conf and /etc/pam_pkcs11/pkcs11_eventmgr.conf but I just rpm -e pam_pkcs11 and yum installed it again (0.5.3-25) and now all the files are unmodified and I am still seeing the same behavior.
Ray, do you know how pup and pirut are doing their authentication and who we should talk to about fixing their pam service? It seems they are reusing gdm or something.
bob
Matt, can you please attach the complete /etc/pam.d/system-auth here? Although I'm curious what added pam_pkcs11.so there when you say that you never run authconfig.
Created attachment 303778
system-auth pam config file
I don't think the attached file reflects the original system-auth that I had at the time of reporting this bug. Since then I have definitely run the System -> Administration -> Authentication tool. Now I am not seeing the issue, so I must have generated a bad pam config before, and now that I have a corrected one the issue is gone.
Yes, the pam_succeed_if above the pam_pkcs11 causes PAM to skip it for the services which are not mentioned in the list.
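
The skip described in the last comment, as an added Python sketch that is not part of the original thread, the attached file, or any project's code: it walks an auth stack and reports whether pam_pkcs11.so is reached for a given PAM service. Both sample stacks are constructed; the guard line's service list (login:gdm) and the function names are assumptions for illustration.

```python
import re

# Constructed sample: a stack containing the unguarded line quoted in the thread.
UNGUARDED = """\
auth required pam_env.so
auth sufficient pam_pkcs11.so debug config_file=/etc/pam_pkcs11/pam_pkcs11.conf
auth sufficient pam_unix.so nullok try_first_pass
"""
# Constructed sample (assumed layout): a pam_succeed_if guard above pam_pkcs11.
GUARDED = """\
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm quiet use_uid
auth sufficient pam_pkcs11.so debug config_file=/etc/pam_pkcs11/pam_pkcs11.conf
auth sufficient pam_unix.so nullok try_first_pass
"""

LINE = re.compile(r"^auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def parse_auth(text):
    """Return (control, module, args) for each auth line, ignoring comments."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.split("#", 1)[0].strip())
        if m:
            entries.append(m.groups())
    return entries

def guard_skip(control, args, service):
    """Modules to skip when a `service in|notin a:b` guard succeeds."""
    jump = re.search(r"success=(\d+)", control)
    cond = re.search(r"\bservice\s+(in|notin)\s+(\S+)", args)
    if not (jump and cond):
        return 0
    listed = service in cond.group(2).split(":")
    return int(jump.group(1)) if listed == (cond.group(1) == "in") else 0

def prompts_for_pin(text, service):
    """True if pam_pkcs11.so is reached for `service` in this auth stack."""
    skip = 0
    for control, module, args in parse_auth(text):
        if skip:
            skip -= 1          # this module is jumped over by the guard
            continue
        if module == "pam_pkcs11.so":
            return True
        if module == "pam_succeed_if.so":
            skip = guard_skip(control, args, service)
    return False
```

The sketch only models service guards on pam_succeed_if.so; it does not follow include lines or evaluate whether earlier modules end the stack.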