Bug 996271 - Screen Lock when Smart Card is removed fails
Summary: Screen Lock when Smart Card is removed fails
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: gnome-screensaver
Version: 5.10
Hardware: Unspecified
OS: Unspecified
high
high
Target Milestone: rc
: ---
Assignee: Ray Strode [halfline]
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2013-08-12 19:46 UTC by Roshni
Modified: 2014-07-30 13:12 UTC (History)
7 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-07-30 13:12:27 UTC
Target Upstream Version:
Embargoed:


Attachments (Terms of Use)
Fix the backup coolkey load code to actually load coolkey (695 bytes, patch)
2013-08-26 22:52 UTC, Bob Relyea
no flags Details | Diff

Description Roshni 2013-08-12 19:46:58 UTC
Description of problem:
Authentication configuration has screen lock set for smart card authentication. The Screen is not locked when the Gemalto 64K smart card is removed.

Version-Release number of selected component (if applicable):
gnome-screensaver-2.16.1-8.el5_7.5
coolkey-1.1.0-16.1.el5
ccid-1.3.8-2.el5
RHEL 5.10

How reproducible:
always

Steps to Reproduce:
1. Smart Card authentication configuration should have setting Lock screen
2. Restart the machine and relogin using the smart card
3. Remove the Smart Card

Actual results:
Screen does not lock when card is removed.

Expected results:
Screen should be locked and prompt for Smart Card pin.

Additional info:

Comment 2 Ray Strode [halfline] 2013-08-19 16:16:12 UTC
why is this filed against gnome-desktop?  That's clearly the wrong component.  It looks like coolkey was updated for 5.10, so that's the most likely candidate. reassigning.

Comment 3 Bob Relyea 2013-08-19 22:17:10 UTC
You have a machine that actually exhibits this problem. I have not been able to reproduce this...

I'd like to be able to poke at the machine... Thanks,

bob

Comment 4 Bob Relyea 2013-08-19 23:04:37 UTC
https://bugzilla.redhat.com/show_bug.cgi?id=950716

may be related.

Comment 5 Ondrej Vasik 2013-08-20 13:05:58 UTC
Is that regression or something what was present even in RHEL-5.9? We are now in RC blocker phase.

Comment 6 Jenny Severance 2013-08-20 19:02:23 UTC
This is a regression.  It was not in RHEL 5.9.

Comment 8 Bob Relyea 2013-08-21 00:05:01 UTC
I actually think it's not a regression, it's a very difficult to reproduce issue. There are customer reports on RHEL 5.9 that report similiar issues.

I bring that up primarily because the issue may not have been caused by a changed component, but may exist in some component that wasn't changed in the RHEL 5.10 timeframe.

The fact that we have a reproducer is big!

bob

Comment 12 Bob Relyea 2013-08-26 22:49:24 UTC
This turns out to be an environmental issue. It appears that somehow the dynamic load library path is messed up in gnome screen saver, so coolkey isn't getting loaded from opening /etc/pki/nssdb like it does in other apps.

gnome screen-saver has a backup, where it explicitly loads libcoolkey, but that is failing because of a bug. I'll attached a patch that resolves the previous but, and restores unlock behavior in gnome screensaver.

PS this doesn't appear to have anything to do with the potential related bug I listed in comment 4.

bob

Comment 13 Bob Relyea 2013-08-26 22:52:42 UTC
Created attachment 790712 [details]
Fix the backup coolkey load code to actually load coolkey

Here's a patch for gnome-screensaver that fixed the problem.

Comment 14 Ray Strode [halfline] 2013-08-27 01:51:52 UTC
a bummer that it's not the related bug. thank you for investigating.  Roshni, did you change LD_LIBRARY_PATH in your ~/.bashrc or ~/.bash_profile?

Comment 15 Roshni 2013-08-27 16:50:24 UTC
Ray,

I did not change anything in the files specified in comment 14.

Comment 16 Ray Strode [halfline] 2013-08-27 16:53:15 UTC
Do you mind pasting the output of

strings /proc/$(/sbin/pidof gnome-screensaver)/environ

?

Comment 17 Roshni 2013-09-04 19:18:08 UTC
Also noticed, if the "Lock Screen when card is removed" is set, after logging in with the smart the screen locks even when the card is still inserted and have to log in again.

Comment 18 Ray Strode [halfline] 2013-09-09 21:51:08 UTC
roshni, do you mind pasting the output of

strings /proc/$(/sbin/pidof gnome-screensaver)/environ

?

Comment 19 Asha Akkiangady 2013-09-12 13:52:02 UTC
Ray,
This issue should be release noted, could you add the details to RHEL 5.10 release note?

thanks,
Asha

Comment 20 Roshni 2014-05-13 16:58:53 UTC
sh-3.2$ strings /proc/$(/sbin/pidof gnome-screensaver)/environ
SSH_AGENT_PID=4313
HOSTNAME=dhcp129-114.rdu.redhat.com
TERM=dumb
SHELL=/bin/sh
HISTSIZE=1000
USER=kdcuser2
LS_COLORS=
PKCS11_LOGIN_CERT_ISSUER=CN=Certificate Authority,OU=pki-ca,O=IdmLabEngRduRedhat Domain
SSH_AUTH_SOCK=/tmp/ssh-Tywfbc4277/agent.4277
USERNAME=kdcuser2
PKCS11_LOGIN_CERT_SERIAL=2B
MAIL=/var/spool/mail/kdcuser2
PATH=/usr/kerberos/bin:/usr/local/bin:/usr/bin:/bin:/usr/X11R6/bin
DESKTOP_SESSION=default
GDM_XSERVER_LOCATION=local
INPUTRC=/etc/inputrc
PWD=/home/kdcuser2
XMODIFIERS=@im=none
LANG=en_US.UTF-8
GDMSESSION=default
SSH_ASKPASS=/usr/libexec/openssh/gnome-ssh-askpass
SHLVL=1
HOME=/home/kdcuser2
PKCS11_LOGIN_TOKEN_NAME=kdcuser2
LOGNAME=kdcuser2
LESSOPEN=|/usr/bin/lesspipe.sh %s
DISPLAY=:0
G_BROKEN_FILENAMES=1
XAUTHORITY=/tmp/.gdm5CPAGX
_=/usr/bin/dbus-launch
DBUS_STARTER_ADDRESS=unix:abstract=/tmp/dbus-ZzFtG4sAFv,guid=8a569c636f32102dea997f00537242a6
DBUS_STARTER_BUS_TYPE=session
DBUS_SESSION_BUS_ADDRESS=unix:abstract=/tmp/dbus-ZzFtG4sAFv,guid=8a569c636f32102dea997f00537242a6


Note You need to log in before you can comment on or make changes to this bug.