Description of problem:
Smart card login: Locked screen gets unlocked with an enrolled smart card when logged in with kerberos password.

Version-Release number of selected component (if applicable):
Rhel 5.7: authconfig-5.3.21-7.el5, pam_pkcs11-0.5.3-23, krb5-libs-1.6.1-61.el5, krb5-auth-dialog-0.7-1

How reproducible:

Steps to Reproduce:
1. This desktop is configured with kerberos support enabled, the KDC information is provided in /etc/krb5.conf, smart card support enabled with setting, Use smart card: ON, Enforce smart card: OFF and Log out behavior configured to: Ignore smart card removal.
2. A smart card is enrolled for that user.
3. Login to desktop with kerberos password.
4. User is logged in and the kerberos credential issued successfully.
5. Manually lock the screen by selecting System -> Lock Screen.
6. Enter the enrolled smart card. Enter a random string in place of kerberos password.

Actual results:
Smart card pin is requested. Enter the correct pin, screen gets unlocked. The screen gets unlocked only with the smart card enrolled for the same user. Tested with smart card enrolled for another user, screen does not get unlocked.

Expected results:
Smart card should not be detected. User should be able to unlock the screen only with the correct kerberos password.
Additional info:
/var/log/secure has these messages:

Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=533 euid=533 tty=:0.0 ruser= rhost= user=testkdcuser
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: configured realm 'EXAMPLE.COM'
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flags: forwardable
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no ignore_afs
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: user_check
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no krb4_convert
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: krb4_convert_524
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: krb4_use_as_req
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: will try previously set password first
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: will let libkrb5 ask questions
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no use_shmem
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no external
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no multiple_ccaches
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: validate
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: warn
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: ticket lifetime: 600
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: renewable lifetime: 86400
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: banner: Kerberos 5
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: ccache dir: /tmp
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: keytab: FILE:/etc/krb5.keytab
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: called to authenticate 'testkdcuser', realm 'EXAMPLE.COM'
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: authenticating 'testkdcuser'
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: trying previously-entered password for 'testkdcuser', allowing libkrb5 to prompt for more
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: authenticating 'testkdcuser' to 'krbtgt/EXAMPLE.COM'
Jun 17 10:36:19 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: saving newly-entered password for use by other modules
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: krb5_get_init_creds_password(krbtgt/EXAMPLE.COM) returned 0 (Success)
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: validating credentials
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: error reading keytab 'FILE:/etc/krb5.keytab'
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: TGT verified
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: got result 0 (Success)
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: authentication succeeds for 'testkdcuser' (testkdcuser)
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: pam_authenticate returning 0 (Success)
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: configured realm 'EXAMPLE.COM'
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flags: forwardable
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no ignore_afs
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: user_check
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no krb4_convert
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: krb4_convert_524
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: krb4_use_as_req
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: will try previously set password first
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: will ask for a password if that fails
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: will let libkrb5 ask questions
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no use_shmem
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no external
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no multiple_ccaches
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: validate
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: warn
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: ticket lifetime: 600
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: renewable lifetime: 86400
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: banner: Kerberos 5
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: ccache dir: /tmp
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: keytab: FILE:/etc/krb5.keytab
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: account management succeeds for 'testkdcuser'
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: pam_acct_mgmt returning 0 (Success)
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: configured realm 'EXAMPLE.COM'
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flags: forwardable
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no ignore_afs
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: user_check
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no krb4_convert
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: krb4_convert_524
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: krb4_use_as_req
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: will try previously set password first
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: will let libkrb5 ask questions
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no use_shmem
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no external
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: no multiple_ccaches
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: validate
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: flag: warn
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: ticket lifetime: 600
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: renewable lifetime: 86400
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: banner: Kerberos 5
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: ccache dir: /tmp
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: keytab: FILE:/etc/krb5.keytab
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: called to update credentials for 'testkdcuser'
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: obtaining afs tokens
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: afs not running
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: _pam_krb5_sly_refresh returning 0 (Success)

[root@dhcp231-57 ~]# cat /etc/pam.d/passwd
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth

[root@dhcp231-57 ~]# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        [success=3 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
auth        [success=ok authinfo_unavail=2 ignore=2 default=die] pam_pkcs11.so
auth        optional      pam_krb5.so use_first_pass no_subsequent_prompt
auth        sufficient    pam_permit.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        sufficient    pam_ldap.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_ldap.so
account     [default=bad success=ok auth_err=ignore user_unknown=ignore ignore=ignore] pam_krb5.so
account     required      pam_permit.so

password    optional      pam_pkcs11.so
password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    sufficient    pam_ldap.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
session     optional      pam_mkhomedir.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so
session     optional      pam_ldap.so

[root@dhcp231-57 ~]# cat /etc/pam.d/gnome-screensaver
#%PAM-1.0
# Fedora Core
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    include      system-auth
# SuSE/Novell
#auth       include      common-auth
#account    include      common-account
#password   include      common-password
#session    include      common-session
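Added example (not part of the bug report): a small auditor for lines in the /var/log/secure format shown above. It groups each unlock attempt by host and program and flags the pattern in this report, where pam_unix rejects the typed string, pam_krb5 then obtains a newly entered secret during an interactive prompt, and pam_authenticate still returns success; it also reports how long the prompt took. The sample log lines are constructed for the example, the regexes assume the line layout seen above, and the year 1970 is a placeholder because syslog stamps carry none.

```python
import re
from datetime import datetime

# Constructed sample lines in the /var/log/secure format quoted in the report: an unlock where
# pam_unix rejects the typed string but pam_krb5 obtains and accepts a new secret, then a plain failure.
SAMPLE_LOG = """\
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=533 euid=533 tty=:0.0 ruser= rhost= user=testkdcuser
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: called to authenticate 'testkdcuser', realm 'EXAMPLE.COM'
Jun 17 10:36:10 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: trying previously-entered password for 'testkdcuser', allowing libkrb5 to prompt for more
Jun 17 10:36:19 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: saving newly-entered password for use by other modules
Jun 17 10:36:20 dhcp231-57 gnome-screensaver-dialog: pam_krb5[15727]: pam_authenticate returning 0 (Success)
Jun 17 11:02:03 dhcp231-57 gnome-screensaver-dialog: pam_unix(gnome-screensaver:auth): authentication failure; logname= uid=533 euid=533 tty=:0.0 ruser= rhost= user=testkdcuser
Jun 17 11:02:04 dhcp231-57 gnome-screensaver-dialog: pam_krb5[16010]: pam_authenticate returning 7 (Authentication failure)
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\S+): (.*)$")
UNIX_FAIL_RE = re.compile(r"^pam_unix\((\S+):auth\): authentication failure;.* user=(\S+)")
KRB5_RE = re.compile(r"^pam_krb5\[(\d+)\]: (.*)$")
RESULT_RE = re.compile(r"^pam_authenticate returning (\d+)")

def parse_ts(stamp, year=1970):
    # syslog stamps carry no year; a fixed placeholder year still yields correct deltas within one log
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def find_unlocks_with_new_secret(log_text):
    """Attempts where pam_unix rejected the typed password, yet pam_krb5 took a newly entered secret and succeeded."""
    findings, attempts = [], {}  # one open attempt per (host, program)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp, host, prog, msg = m.groups()
        a = attempts.setdefault((host, prog), dict(unix_failed=False, prompt_at=None, new_secret_at=None, user=None, service=None))
        uf, k = UNIX_FAIL_RE.match(msg), KRB5_RE.match(msg)
        if uf:
            a.update(unix_failed=True, service=uf.group(1), user=uf.group(2))
        elif k:
            pid, detail = k.groups()
            if detail.startswith("trying previously-entered password"):
                a["prompt_at"] = parse_ts(stamp)      # from here libkrb5 may prompt interactively
            elif detail.startswith("saving newly-entered password"):
                a["new_secret_at"] = parse_ts(stamp)  # a secret other than the typed one arrived
            elif (r := RESULT_RE.match(detail)):
                if r.group(1) == "0" and a["unix_failed"] and a["new_secret_at"]:
                    delay = (a["new_secret_at"] - a["prompt_at"]).total_seconds() if a["prompt_at"] else None
                    findings.append({"time": stamp, "host": host, "service": a["service"], "user": a["user"], "pid": int(pid), "prompt_seconds": delay})
                attempts.pop((host, prog))            # attempt closed; later lines start a new one
    return findings
```

Running `find_unlocks_with_new_secret(SAMPLE_LOG)` reports the first attempt only, with a 9 second gap between the prompt and the new secret, which is the interval in which the PIN dialog appeared in the report.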
I do not think the pam system-auth configuration is incorrect. This must be solved in pam_pkcs11 (or perhaps pam_krb5).
Asha, does the same thing happen in RHEL 6? Also, is this a regression from RHEL 5.x? bob
Tested this in Rhel 6.1, can't unlock the screen with a smart card and correct pin when logged in with kerberos password. I get message "Incorrect password". Yes, this seems to be a Rhel 5 regression.
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.
Okay to close the bug automatically.