Xfce Wiki

apps:xfce4-screensaver:configuration: created 2019/11/21 21:09 by kevinbowen; current revision 2019/11/21 21:40 by kevinbowen
===== xfce4-screensaver with SmartCard login =====

**Issue:** When using sssd with smartcard login, xfce4-screensaver (or lightdm, mate, etc.) does not ask for the PIN code, while some services (sudo, su, gdm, ...) do ask.

----

**Root cause:** Before sssd-2.0 or sssd-1.16.4, the list of PAM services allowed to use a smartcard (aka P11 or pkcs11) was hardcoded and could not be overridden with configuration (https://github.com/SSSD/sssd/blob/sssd-1_16_3/src/responder/pam/pamsrv_p11.c#L230-L232).
From these two releases on, the option "pam_p11_allowed_services" in the [pam] section of /etc/sssd/sssd.conf allows adding more services, such as the XFCE components.

----

**Resolution:** the user will need to update sssd.conf accordingly:

  # /etc/sssd/sssd.conf
  # (the lines of the file between this header and the option below are not shown in this revision diff)
  pam_p11_allowed_services = +xfce4-screensaver

----

**Scenario:**

  - xfce4-screensaver (or any other PAM-enabled application) wants to authenticate the user.
  - It calls pam_start (service xfce4-screensaver).
  - In /etc/pam.d/xfce4-screensaver (or included files) there must be a line with "auth pam_sss.so".
  - pam_sss.so talks to the sss daemon through the /var/lib/sss/pipes/pam socket. In this conversation, pam_sss provides the name of the PAM service being serviced.
  - sss_pam checks whether the service is allowed to use smartcard auth. If so, it spawns /usr/libexec/sssd/p11_child to work with the pkcs11 stack (/usr/share/p11-kit/modules).
  - "p11_child --pre" communicates with pcscd through /var/run/pcscd/pcscd.comm to read the smartcard on the USB device and list the available certificates.
  - sss_pam filters these certificates and, if one matches, asks the user for the PIN code (through pam_message).
  - "echo -n 12345 | p11_child --auth --pin  ..." returns 0 if the referenced certificate is valid for sssd, 1 if any error occurs.
  - The PAM sequence continues according to configuration.

**Source:**
    * [[https://bugzilla.xfce.org/show_bug.cgi?id=16123|]]
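The scenario above names two prerequisites for a PIN prompt: the service must be in sssd's allowed list (step 5) and the service's PAM stack must load pam_sss.so (step 3). Below is a small offline check for both; it is an added example, not code from the wiki page or from sssd, the sssd.conf and pam.d contents are constructed, and the baseline service list is an assumption standing in for sssd's built-in default.

```python
import configparser
import re

# Constructed sample of the [pam] section of /etc/sssd/sssd.conf carrying the
# page's fix (not a real file).
SAMPLE_SSSD_CONF = """\
[pam]
pam_cert_auth = True
pam_p11_allowed_services = +xfce4-screensaver, +lightdm
"""

# Constructed sample of /etc/pam.d/xfce4-screensaver.
SAMPLE_PAM_D = """\
auth    include   system-auth
auth    required  pam_sss.so
"""

# Assumption: stand-in for sssd's built-in default list, using the services the
# page says already prompt for a PIN; the real default list is longer.
BASELINE_SERVICES = ("sudo", "su", "gdm-password")


def p11_allowed_services(conf_text, default_services=BASELINE_SERVICES):
    """Set of PAM services sssd offers smartcard auth to (sssd semantics: a bare
    comma-separated list replaces the default, "+name" adds to the default and
    "-name" removes from it; a list mixing bare and prefixed names is treated
    as additions here, which is an assumption)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    raw = cp.get("pam", "pam_p11_allowed_services", fallback="")
    entries = [e.strip() for e in raw.split(",") if e.strip()]
    if not entries:
        return set(default_services)
    if not any(e[0] in "+-" for e in entries):
        return set(entries)  # plain list: replaces the default entirely
    allowed = set(default_services)
    for e in entries:
        if e[0] == "-":
            allowed.discard(e[1:].strip())
        else:
            allowed.add(e.lstrip("+").strip())
    return allowed


def pam_stack_uses_sss(pam_d_text):
    """True if an 'auth' line loads pam_sss.so; 'include'd files are not followed."""
    return any(re.match(r"^\s*auth\b.*\bpam_sss\.so\b", line)
               for line in pam_d_text.splitlines())
```

A PIN prompt is expected for a service only when both functions answer yes for it; a service missing from the allowed set reproduces exactly the symptom described in the Issue section.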