Red Hat Bugzilla – Bug 444040
Can't gain privileges in gnome when smart card is inserted
Last modified: 2008-04-25 09:22:45 EDT
Description of problem:
I've got a CAC USB token that I use for some remote authentication. I've got
Coolkey and pam_pkcs11 installed, but have not set up pam_pkcs11 to locally
authenticate with my token yet. When I have the token in and I get prompted to
authenticate as root in gnome, pup for example, instead of getting the root
password prompt I get a smart card pin request. I can correctly provide my pin,
but since this isn't set up to map to root I still never get the correct
Version-Release number of selected component (if applicable):
Whenever the token is installed, never when it's not.
Steps to Reproduce:
1. Boot up and login normally
2. Install the USB token in any regular USB slot
3. Attempt to gain privs in gnome
Authentication is requested, but not suitable authentication to allow the action.
Authentication to allow the action should be requested by the system.
I haven't set up pam_pkcs11, so any config files related to that should be the
defaults from an `rpm -Uvh ...`
Which applications are failing, and how did you turn smart cards on?
The auth-config application is supposed to set this up. It's supposed to require
smartcard login for the login applications (gdm, login, etc), but not others
(like su). It sounds like the app you are using is either looking at the wrong
pam config file, or we are including pam_pkcs11 in the wrong config file.
I've mainly enabled smart cards by setting up Firefox and Thunderbird to use
coolkey as a Security Device. I can't think of any other configuration I did on
I've never used authconfig on this system.
/bin/su still works fine, as does sudo, which is generally how I administer my
system, but when that token is installed the Gnome password dialog only ever
asks questions about my pin. I get this dialog when pup finds new updates, and
also when I try to launch anything under System -> Administration.
pup and pirut both include config-util in /etc/pam.d
config-util includes system-auth for auth
system-auth has the line:
auth sufficient pam_pkcs11.so debug
I did an rpm -V pam_pkcs11 and noticed that I had modified
/etc/pam_pkcs11/pam_pkcs11.conf and /etc/pam_pkcs11/pkcs11_eventmgr.conf but I
just rpm -e pam_pkcs11 and yum installed it again (0.5.3-25) and now all the
files are unmodified and I am still seeing the same behavior.
Ray, do you know how pup and pirut are doing their authentication and who we
should talk to about fixing their pam service? It seems they are reusing gdm or
Matt, can you please attach the complete /etc/pam.d/system-auth here?
Although I'm curious what added pam_pkcs11.so there when you say that you never
Created attachment 303778
system-auth pam config file
I don't think the attached file reflects the original system-auth that I had at
the time of reporting this bug. Since then I have definitely run the System ->
Administration -> Authentication tool. Now I am not seeing the issue, so I must
have generated a bad pam config before, and now that I have a corrected one the
issue is gone.
Yes, the pam_succeed_if above the pam_pkcs11 causes PAM to skip it for the
services which are not mentioned in the list.
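
The skip behaviour described in the last comment can be checked offline. The following is an added example, not part of the bug report or its attachment: both PAM stacks are constructed, the guarded service list (`login:gdm`) is an assumption, and the model only follows `success=N` jumps from `pam_succeed_if.so`.

```python
import re

# Constructed stack modelled on the report: pam_pkcs11 is 'sufficient' with no guard.
UNGUARDED = """\
auth required pam_env.so
auth sufficient pam_pkcs11.so debug
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
"""

# Constructed stack with a pam_succeed_if guard (the service list is an assumption).
GUARDED = """\
auth required pam_env.so
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm quiet use_uid
auth sufficient pam_pkcs11.so
auth sufficient pam_unix.so nullok try_first_pass
auth required pam_deny.so
"""

def parse_auth(stack):
    """Return (control, module, args) for each auth line, ignoring comments."""
    rules = []
    for line in stack.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"auth\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)", line)
        if m:
            rules.append((m.group(1), m.group(2), m.group(3).split()))
    return rules

def guard_succeeds(args, service):
    """Evaluate only 'service in|notin a:b:c' conditions of pam_succeed_if."""
    if len(args) >= 3 and args[0] == "service" and args[1] in ("in", "notin"):
        listed = service in args[2].split(":")
        return listed if args[1] == "in" else not listed
    return False  # unsupported condition: treat as failure, so nothing is skipped

def reaches_pkcs11(stack, service):
    """True if pam_pkcs11 would be invoked for this PAM service name."""
    skip = 0
    for control, module, args in parse_auth(stack):
        if skip:
            skip -= 1
            continue
        if module.endswith("pam_pkcs11.so"):
            return True
        jump = re.search(r"success=(\d+)", control)
        if jump and module.endswith("pam_succeed_if.so") and guard_succeeds(args, service):
            skip = int(jump.group(1))
    return False
```

Running `reaches_pkcs11` over each service name in `/etc/pam.d` that includes `system-auth` shows which dialogs will ask for a PIN before the password.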