Public bug reported:

I'm encountering three issues when using a smartcard to log in to gdm3. The root of the issues is the gdm-smartcard-sssd-exclusive PAM configuration for authentication:

1. The gdm-smartcard denies access to legitimate users as no success control value is configured.

2. Because pam_succeed_if is first in the authentication stack, it will invoke pam_get_user when the user is NULL. As gdm3 doesn't supply a user when invoking pam_start, pam_get_user invokes a conversation, causing gdm3 to collect a username.

3. If a username of '' (empty string) is input, pam_succeed_if will succeed, assuming a success=ok control value. If configured with allow-missing-name, pam_sss will use the certificate on a smartcard to identify the user. If so configured, this may map to root, which defeats the pam_succeed_if.so check.

I'm attaching a pam config that seems to address these issues by reordering the pam stack for authentication. By performing pam_sss before pam_succeed_if, pam_sss uses the certificate when the supplied user is NULL or the empty string. GDM3 only prompts for the smartcard PIN.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: gdm3 42.0-1ubuntu7
ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39
Uname: Linux 5.15.0-46-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Tue Aug 16 20:39:44 2022
InstallationDate: Installed on 2022-08-12 (5 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)

** Affects: gdm3 (Ubuntu)
     Importance: Undecided
         Status: New

** Tags: amd64 apport-bug jammy wayland-session

** Attachment added: "gdm-smartcard pam config"
   https://bugs.launchpad.net/bugs/1986750/+attachment/5609220/+files/gdm3.gdm-smartcard-sssd-exclusive.pam
https://bugs.launchpad.net/bugs/1986750

Title:
  gdm-smartcard pam config denies legitimate users, prompts for username

Status in gdm3 package in Ubuntu:
  New
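The following is an added illustration of the two orderings the report contrasts. It is not the reporter's attachment and not the file shipped by Ubuntu; the module names and options (pam_succeed_if.so, pam_sss.so, allow_missing_name, the bracketed control syntax) are real, but the exact lines are assumptions written to show the mechanism. The key PAM rule is that in a `[...]` control field any return value not listed falls under `default=`, so a line carrying only `default=die` treats the module's own success as a failure.

```pam
#%PAM-1.0
# Constructed example (not the reporter's attachment, not the Ubuntu-shipped file).
# Module names and options are real; the exact lines are assumptions.

# --- Ordering the report describes as problematic (kept commented out) ---
# With no success= entry, PAM_SUCCESS falls under default=die, so legitimate
# users are denied (issue 1). pam_succeed_if runs first; gdm3 starts PAM without
# a user, so the module calls pam_get_user and gdm3 prompts for a name (issue 2).
# An empty name satisfies "user != root", so the check passes before pam_sss
# has mapped the certificate to an account (issue 3).
#auth  [default=die]               pam_succeed_if.so user != root quiet
#auth  [success=done default=die]  pam_sss.so allow_missing_name
#auth  requisite                   pam_deny.so

# --- Reordered stack in the spirit of the reporter's fix ---
# pam_sss runs first: with allow_missing_name it identifies the user from the
# smartcard certificate, so the only prompt is the PIN. success=ok continues to
# the next line instead of returning, so the root check is evaluated against the
# user pam_sss actually resolved, not against a name collected from the prompt.
auth  [success=ok default=die]    pam_sss.so allow_missing_name
auth  [success=done default=die]  pam_succeed_if.so user != root quiet
auth  requisite                   pam_deny.so
```

The trailing pam_deny.so line is a fall-through guard: if control ever reaches it (for example if someone later changes `success=done` to `success=ok` on the pam_succeed_if line), the stack fails closed rather than returning success by default.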