Issue: When using sssd with smartcard login, xfce4-screensaver (or lightdm, mate, etc...) doesn't ask for the PIN code, while some services (sudo, su, gdm..) do ask.
Root cause: Before sssd-2.0 or sssd-1.16.4, the list of pam services allowed to use smartcards (aka P11 or pkcs11) was hardcoded and could not be overridden with configuration (https://github.com/SSSD/sssd/blob/sssd-1_16_3/src/responder/pam/pamsrv_p11.c#L230-L232)
From these two releases on, the configuration "pam_p11_allowed_services" in section [pam] of /etc/sssd/sssd.conf allows adding more services, like XFCE elements:
Request: Specify in the documentation the need to update sssd.conf accordingly:
pam_p11_allowed_services = +xfce4-screensaver
1) xfce4-screensaver (or any other pam enabled application) wants to auth the user
2) Calls pam_start (service xfce4-screensaver)
3) in /etc/pam.d/xfce4-screensaver (or included files) there must be a line with "auth pam_sss.so"
4) pam_sss.so will talk to the sss daemon through /var/lib/sss/pipes/pam socket. In this conversation, pam_sss will provide the name of the pam service being serviced
6) sss_pam will check if the service is allowed to use smartcard auth. If so, it'll spawn /usr/libexec/sssd/p11_child to work with the pkcs11 stack (/usr/share/p11-kit/modules)
7) "p11_child --pre" will communicate with pcscd through /var/run/pcscd/pcscd.comm to read a smartcard through the USB device and list available certificates.
8) sss_pam will filter these certificates and if one matches, ask the user for the PIN code (through pam_message)
9) "echo -n 12345 | p11_child --auth --pin ..." will return 0 if referenced certificate is valid for sssd, 1 if any error occurs
10) pam sequence continues according to configuration.
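As an added example (not part of the bug report, and not sssd's or XFCE's own code), the shell script below checks the two conditions that steps 3 and 6 above depend on for a given service: that the service is in the effective pam_p11_allowed_services set of the [pam] section, and that its /etc/pam.d stack actually reaches an "auth ... pam_sss.so" line (following "@include" and "auth include/substack" lines). The default service set is the one documented in sssd.conf(5) as I know it and is an assumption to confirm against the installed version; the "+svc"/"-svc" merge logic is a simplified reading of that manual; all sssd.conf and pam.d contents are constructed inline in a temporary directory, and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the bug report or from sssd): check the two
# conditions a PAM service needs before sssd prompts for a smartcard PIN:
#   (a) the service is in the effective pam_p11_allowed_services set, and
#   (b) its pam.d stack actually reaches an "auth ... pam_sss.so" line.

# Default set as documented in sssd.conf(5). Assumption: confirm against the
# installed sssd version, since the default list has changed over releases.
P11_DEFAULT_SERVICES="login,su,su-l,gdm-smartcard,gdm-password,kdm,sudo,sudo-i,gnome-screensaver"

# Print the effective service set, one per line, from the [pam] section of an
# sssd.conf file. No key -> defaults; "+svc"/"-svc" edits the defaults;
# a plain list replaces them (simplified reading of the manual).
p11_effective_services() {   # usage: p11_effective_services /etc/sssd/sssd.conf
    awk -v defaults="$P11_DEFAULT_SERVICES" '
        BEGIN { n = split(defaults, d, ","); for (i = 1; i <= n; i++) def[d[i]] = 1 }
        /^[[:space:]]*\[/ { inpam = ($0 ~ /^[[:space:]]*\[pam\][[:space:]]*$/) }
        inpam && /^[[:space:]]*pam_p11_allowed_services[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, "")
            value = $0; found = 1; exit
        }
        END {
            if (!found) { for (s in def) eff[s] = 1 } else {
                m = split(value, t, ",")
                for (i = 1; i <= m; i++) {
                    gsub(/^[[:space:]]+|[[:space:]]+$/, "", t[i])
                    if (t[i] ~ /^[+-]/) edits = 1
                }
                if (edits) { for (s in def) eff[s] = 1 }
                for (i = 1; i <= m; i++) {
                    if (t[i] == "") continue
                    c = substr(t[i], 1, 1)
                    if (c == "+") eff[substr(t[i], 2)] = 1
                    else if (c == "-") delete eff[substr(t[i], 2)]
                    else eff[t[i]] = 1
                }
            }
            for (s in eff) print s
        }' "$1"
}

p11_service_allowed() {   # usage: p11_service_allowed sssd.conf service
    p11_effective_services "$1" | grep -qxF -- "$2"
}

# Return 0 if the PAM stack for a service reaches pam_sss.so in the "auth"
# phase, following "@include name" and "auth include|substack name" lines.
pam_auth_uses_sss() {   # usage: pam_auth_uses_sss /etc/pam.d service [depth]
    local dir="$1" svc="$2" depth="${3:-0}" inc
    [ "$depth" -lt 5 ] && [ -f "$dir/$svc" ] || return 1
    grep -Eq '^[[:space:]]*auth[[:space:]].*pam_sss\.so' "$dir/$svc" && return 0
    for inc in $(awk '/^[[:space:]]*@include[[:space:]]/ { print $2 }
                      /^[[:space:]]*auth[[:space:]]+(include|substack)[[:space:]]/ { print $3 }' "$dir/$svc"); do
        pam_auth_uses_sss "$dir" "$inc" $((depth + 1)) && return 0
    done
    return 1
}

# Combine both checks and print a diagnosis; 0 means a PIN prompt is expected.
smartcard_auth_ready() {   # usage: smartcard_auth_ready sssd.conf pam.d-dir service
    local ok=0
    if p11_service_allowed "$1" "$3"; then
        echo "$3: listed in pam_p11_allowed_services"
    else
        echo "$3: NOT in pam_p11_allowed_services (add '+$3' to [pam] in $1)"; ok=1
    fi
    if pam_auth_uses_sss "$2" "$3"; then
        echo "$3: auth stack reaches pam_sss.so"
    else
        echo "$3: auth stack never calls pam_sss.so"; ok=1
    fi
    return $ok
}

# Constructed sample files (not real system files) to exercise the checks.
DEMO_DIR=$(mktemp -d); trap 'rm -rf "$DEMO_DIR"' EXIT
mkdir "$DEMO_DIR/pam.d"
printf '[sssd]\nservices = nss, pam\n\n[pam]\npam_p11_allowed_services = +xfce4-screensaver\n' > "$DEMO_DIR/sssd-xfce.conf"
printf '[sssd]\nservices = nss, pam\n\n[pam]\n' > "$DEMO_DIR/sssd-default.conf"
printf '[pam]\npam_p11_allowed_services = xfce4-screensaver, login\n' > "$DEMO_DIR/sssd-explicit.conf"
printf '@include common-auth\n@include common-account\n' > "$DEMO_DIR/pam.d/xfce4-screensaver"
printf 'auth sufficient pam_sss.so use_first_pass\nauth required pam_unix.so\n' > "$DEMO_DIR/pam.d/common-auth"
printf 'auth required pam_unix.so\n' > "$DEMO_DIR/pam.d/lightdm"

smartcard_auth_ready "$DEMO_DIR/sssd-xfce.conf" "$DEMO_DIR/pam.d" xfce4-screensaver
smartcard_auth_ready "$DEMO_DIR/sssd-default.conf" "$DEMO_DIR/pam.d" xfce4-screensaver || true
```

On a real host, run it as root (sssd.conf is not world-readable) with `smartcard_auth_ready /etc/sssd/sssd.conf /etc/pam.d xfce4-screensaver`: the first failure mode is the one this report describes (service missing from the set on a pre-1.16.4/2.0 default), the second catches a PAM stack that never includes pam_sss.so at all, which no sssd.conf change can fix.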
-- GitLab Migration Automatic Message --
This bug has been migrated to xfce.org's GitLab instance and has been closed from further activity.
You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.xfce.org/apps/xfce4-screensaver/-/issues/24.
Please create an account or use an existing account on one of our supported OAuth providers.
If you want to fork to submit patches and merge requests please continue reading here: https://docs.xfce.org/contribute/dev/git/start#gitlab_forks_and_merge_requests
Also feel free to reach out to us on the mailing list https://mail.xfce.org/mailman/listinfo/xfce4-dev