** Description changed:

+ [ Impact ]
+ 
  the pam profile for gdm-smartcard is missing. gdm refuses to login with
  a smartcard. Looking at ubuntu/+source/gdm3, other pam files are
  pregenerated into debian/ and installed from there; gdm-smartcard is
  left out.
  
- ProblemType: Bug
- DistroRelease: Ubuntu 18.04
+ [ Test case ]
+ 
+ 1. When in GDM, insert a smartcard
+ 2. The GDM interface should require for an user
+ 3. The user should be set (or empty may be provided,
+    depending on sssd configuration)
+ 4. The smartcard PIN should be requested and once introduce the
+    user must login.
+ 
+ Note that this requires configuring sssd before, a simple local
+ configuration could require having sssd.conf filled with:
+ 
+ ```ini
+ [sssd]
+ enable_files_domain = True
+ services = pam
+ 
+ [certmap/implicit_files/$USER]
+ matchrule = <SUBJECT>.*YOUR CARD IDENTIFIER*
+ 
+ [pam]
+ pam_cert_auth = True
+ ```
+ 
+ The UI authentication can also be simulated via pamtester:
+ 
+ # Must be ran as user
+ sudo apt install pamtester
+ pamtester -v gdm-smartcard $USER authenticate
+ 
+ Expected output is
+ + pamtester -v gdm-smartcard ubuntu authenticate
+ pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
+ pamtester: performing operation - authenticate
+ PIN for Test Organization Sub Int Token:
+ pamtester: successfully authenticated
+ 
+ [ Regression potential ]
+ 
+ Smartcard authentication using custom methods using via a custom
+ configured system nss database may not work anymore.
+ 
+ ---
+ 
+ ProblemType: BugDistroRelease: Ubuntu 18.04
  Package: gdm3 3.28.3-0ubuntu18.04.4
  ProcVersionSignature: Ubuntu 5.3.0-24.26~18.04.2-generic 5.3.10
  Uname: Linux 5.3.0-24-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset 
nvidia
  ApportVersion: 2.20.9-0ubuntu7.11
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Feb 28 14:30:30 2020
  InstallationDate: Installed on 2016-05-23 (1376 days ago)
- InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 
(20160420.1)
- SourcePackage: gdm3
+ InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 
(20160420.1)SourcePackage: gdm3
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.gdm3.Xsession: 2018-04-27T11:41:04.766901
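
Review bot: the Apport fields at the end of this edit lose two line breaks. `ProblemType: Bug` and `DistroRelease: Ubuntu 18.04` are now fused into `ProblemType: BugDistroRelease: Ubuntu 18.04`, and `SourcePackage: gdm3` is appended directly to the `InstallationMedia` value. Restore one field per line. In the test case, the comment "Must be ran as user" sits directly above a `sudo apt install` line; say which of the two commands it applies to.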

** Description changed:

  [ Impact ]
  
  the pam profile for gdm-smartcard is missing. gdm refuses to login with
  a smartcard. Looking at ubuntu/+source/gdm3, other pam files are
  pregenerated into debian/ and installed from there; gdm-smartcard is
  left out.
  
  [ Test case ]
  
  1. When in GDM, insert a smartcard
  2. The GDM interface should require for an user
  3. The user should be set (or empty may be provided,
-    depending on sssd configuration)
+    depending on sssd configuration)
  4. The smartcard PIN should be requested and once introduce the
-    user must login.
+    user must login.
  
  Note that this requires configuring sssd before, a simple local
  configuration could require having sssd.conf filled with:
  
  ```ini
  [sssd]
  enable_files_domain = True
  services = pam
  
  [certmap/implicit_files/$USER]
  matchrule = <SUBJECT>.*YOUR CARD IDENTIFIER*
  
  [pam]
  pam_cert_auth = True
  ```
  
  The UI authentication can also be simulated via pamtester:
  
  # Must be ran as user
  sudo apt install pamtester
  pamtester -v gdm-smartcard $USER authenticate
  
  Expected output is
  + pamtester -v gdm-smartcard ubuntu authenticate
  pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
  pamtester: performing operation - authenticate
  PIN for Test Organization Sub Int Token:
  pamtester: successfully authenticated
  
+ ---
+ 
+ Alternatively, if no smartcard or hardware is available, this can be tested 
and simulated using these scripts (they will reset the system setup at each 
run, but it's suggested to run them in a VM, lxd container or in a test 
installation):
+  https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a
+ 
+ - sudo apt install gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin && \
+   sudo apt-mark auto gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin
+ - wget 
https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-gdm-smartcard-pam-auth-tester.sh
+ - sudo sssd-gdm-smartcard-pam-auth-tester.sh
+ 
+ The script will generate some fake CA authority, issue some
+ certificates, will install them in some software-based smartcards (using
+ softhsm2) and test that they work properly to login with gdm-smartcard.
+ 
+ Using `WAIT` environment variable set (to any value) will make it to
+ restart gdm at each iteration so that an user can try to access, using
+ the username that launched the script and the pin of 123456.
+ 
  [ Regression potential ]
  
  Smartcard authentication using custom methods using via a custom
  configured system nss database may not work anymore.
  
  ---
  
  ProblemType: BugDistroRelease: Ubuntu 18.04
  Package: gdm3 3.28.3-0ubuntu18.04.4
  ProcVersionSignature: Ubuntu 5.3.0-24.26~18.04.2-generic 5.3.10
  Uname: Linux 5.3.0-24-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset 
nvidia
  ApportVersion: 2.20.9-0ubuntu7.11
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Feb 28 14:30:30 2020
  InstallationDate: Installed on 2016-05-23 (1376 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 
(20160420.1)SourcePackage: gdm3
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.gdm3.Xsession: 2018-04-27T11:41:04.766901
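
Review bot: in the added steps, `wget` saves the script into the current directory, but the next step runs it as `sudo sssd-gdm-smartcard-pam-auth-tester.sh`. sudo looks up a bare command name through PATH and the downloaded file is not executable, so that step fails as written; `sudo bash ./sssd-gdm-smartcard-pam-auth-tester.sh` would work. The raw gist URL also carries no revision, so the test case runs whatever the gist contains at download time as root; pinning the URL to a specific gist revision would keep the test case reproducible.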

https://bugs.launchpad.net/bugs/1865226

Title:
  gdm-smartcard pam config needs to be updated for Ubuntu and installed

Status in GNOME Settings Daemon:
  Fix Released
Status in gdm3 package in Ubuntu:
  Fix Released
Status in gnome-settings-daemon package in Ubuntu:
  Fix Released
Status in gdm3 source package in Focal:
  In Progress
Status in gnome-settings-daemon source package in Focal:
  In Progress
Status in gdm3 package in Debian:
  Fix Released

Bug description:
  [ Impact ]

  the pam profile for gdm-smartcard is missing. gdm refuses to login
  with a smartcard. Looking at ubuntu/+source/gdm3, other pam files are
  pregenerated into debian/ and installed from there; gdm-smartcard is
  left out.

  [ Test case ]

  1. When in GDM, insert a smartcard
  2. The GDM interface should ask for a user
  3. The user should be set (or empty may be provided,
     depending on sssd configuration)
  4. The smartcard PIN should be requested and, once entered, the
     user must be logged in.

  Note that this requires configuring sssd beforehand; a simple local
  configuration could require having sssd.conf filled with:

  ```ini
  [sssd]
  enable_files_domain = True
  services = pam

  [certmap/implicit_files/$USER]
  matchrule = <SUBJECT>.*YOUR CARD IDENTIFIER*

  [pam]
  pam_cert_auth = True
  ```

  The UI authentication can also be simulated via pamtester:

  ```sh
  # Must be run as user
  sudo apt install pamtester
  pamtester -v gdm-smartcard $USER authenticate
  ```

  Expected output is:

  ```
  + pamtester -v gdm-smartcard ubuntu authenticate
  pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...)
  pamtester: performing operation - authenticate
  PIN for Test Organization Sub Int Token:
  pamtester: successfully authenticated
  ```

  ---

  Alternatively, if no smartcard or hardware is available, this can be tested and simulated using these scripts (they will reset the system setup at each run, but it's suggested to run them in a VM, lxd container or in a test installation):
   https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a

  - sudo apt install gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin && \
    sudo apt-mark auto gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin
  - wget https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-gdm-smartcard-pam-auth-tester.sh
  - sudo bash ./sssd-gdm-smartcard-pam-auth-tester.sh

  The script will generate a fake CA authority, issue some
  certificates, install them in some software-based smartcards
  (using softhsm2) and test that they work properly to log in with
  gdm-smartcard.

  Setting the `WAIT` environment variable (to any value) will make it
  restart gdm at each iteration so that a user can try to log in, using
  the username that launched the script and the PIN 123456.

  [ Regression potential ]

  Smartcard authentication using custom methods via a custom-configured
  system nss database may not work anymore.

  ---

  ProblemType: Bug
  DistroRelease: Ubuntu 18.04
  Package: gdm3 3.28.3-0ubuntu18.04.4
  ProcVersionSignature: Ubuntu 5.3.0-24.26~18.04.2-generic 5.3.10
  Uname: Linux 5.3.0-24-generic x86_64
  NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia
  ApportVersion: 2.20.9-0ubuntu7.11
  Architecture: amd64
  CurrentDesktop: ubuntu:GNOME
  Date: Fri Feb 28 14:30:30 2020
  InstallationDate: Installed on 2016-05-23 (1376 days ago)
  InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
  SourcePackage: gdm3
  UpgradeStatus: No upgrade log present (probably fresh install)
  mtime.conffile..etc.gdm3.Xsession: 2018-04-27T11:41:04.766901
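
An added example (not part of the bug report or of the gist script): a small Python check of an sssd.conf like the one in the test case, which also shows that the `<SUBJECT>` matchrule is a regular expression rather than a glob, so a trailing `*` only repeats the last character. The sample file, the subject strings and the function names are constructed for illustration, and Python's `re` stands in for the POSIX extended regex matching that sss-certmap(5) documents.

```python
import configparser
import re

# Constructed sssd.conf modelled on the snippet in the bug description.
SAMPLE_CONF = """
[sssd]
enable_files_domain = True
services = pam

[certmap/implicit_files/ubuntu]
matchrule = <SUBJECT>.*Test Organization Sub Int*

[pam]
pam_cert_auth = True
"""

def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp

def check_smartcard_conf(text):
    """Return the settings from the test case that are missing or disabled."""
    cp = _parse(text)
    problems = []
    services = [s.strip() for s in cp.get("sssd", "services", fallback="").split(",")]
    if "pam" not in services:
        problems.append("[sssd] services does not list pam")
    if cp.get("pam", "pam_cert_auth", fallback="False").lower() != "true":
        problems.append("[pam] pam_cert_auth is not True")
    if not any(s.startswith("certmap/") for s in cp.sections()):
        problems.append("no [certmap/<domain>/<user>] section")
    return problems

def users_matching(text, subject):
    """Users whose <SUBJECT> matchrule accepts the given certificate subject.

    Assumption: the rule is applied as an unanchored regex search.
    """
    cp = _parse(text)
    users = []
    for section in cp.sections():
        rule = cp.get(section, "matchrule", fallback="")
        if section.startswith("certmap/") and rule.startswith("<SUBJECT>"):
            if re.search(rule[len("<SUBJECT>"):], subject):
                users.append(section.rsplit("/", 1)[-1])
    return users
```

With the sample rule, a subject containing only `Test Organization Sub In` is still mapped to the user, because `t*` also matches zero characters; escaping and anchoring the identifier in the matchrule narrows which certificates map to the account.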
