! Please note that this is a snapshot of our old Bugzilla server, which is read only since May 29, 2020. Please go to gitlab.xfce.org for our new server !
[DOC] [PAM] Provide doc and configuration hints to get xfce4-screensaver & ot...


Description Adrien Mahieux 2019-11-05 15:12:54 CET
Issue: When using sssd with smartcard login, xfce4-screensaver (or lightdm, mate, etc...) don't ask for the PIN Code, while some services (sudo, su, gdm..) do ask.

Rootcause: Before sssd-2.0 or sssd-1.16.4, the list of pam services allowed to use Smartcard (aka P11 or pkcs11) was hardcoded and cannot be overriden with configuration (https://github.com/SSSD/sssd/blob/sssd-1_16_3/src/responder/pam/pamsrv_p11.c#L230-L232) 
From these 2 releases, the configuration "pam_p11_allowed_services" in section [pam] of /etc/sssd/sssd.conf allows to add more services, like XFCE elements:

Request: Specifcy in the documentation the need to update sssd.conf accordingly: 

  # /etc/sssd/sssd.conf
  pam_p11_allowed_services = +xfce4-screensaver

Scenario :
1) xfce4-screensaver (or any other pam enabled application) wants to auth the user
2) Calls pam_start (service xfce4-screensaver)
3) in /etc/pam.d/xfce4-screensaver (or included files) there must be a line with "auth pam_sss.so"
4) pam_sss.so will talk to the sss daemon through /var/lib/sss/pipes/pam socket. In this conversation, pam_sss will provide the name of the pam service being serviced
6) sss_pam will check if the service is allowed to use smartcard auth. If so, It'll spawn /usr/libexec/sssd/p11_child to work with the pkcs11 stack (/usr/share/p11-kit/modules)
7) "p11_child --pre" will communicate with pcscd through /var/run/pcscd/pcscd.comm to read a smartcard through the USB device and list available certificates.
8) sss_pam will filter these certificates and if one matches, ask the user for the PIN Code (through pam_message)
9) "echo -n 12345 | p11_child --auth --pin  ..." will return 0 if referenced certificate is valid for sssd, 1 if any error occurs
10) pam sequence continues according to configuration.
Comment 1 Git Bot editbugs 2020-05-25 22:27:25 CEST
-- GitLab Migration Automatic Message --

This bug has been migrated to xfce.org's GitLab instance and has been closed from further activity.

You can subscribe and participate further through the new bug through this link to our GitLab instance: https://gitlab.xfce.org/apps/xfce4-screensaver/-/issues/24.

Please create an account or use an existing account on one of our supported OAuth providers. 

If you want to fork to submit patches and merge requests please continue reading here: https://docs.xfce.org/contribute/dev/git/start#gitlab_forks_and_merge_requests

Also feel free to reach out to us on the mailing list https://mail.xfce.org/mailman/listinfo/xfce4-dev

Bug #16123

Reported by:
Adrien Mahieux
Reported on: 2019-11-05
Last modified on: 2020-05-25


Sean Davis
CC List:
0 users



Additional information