Differences
This shows you the differences between two versions of the page.
apps:xfce4-screensaver:configuration [2019/11/21 21:09] – created kevinbowen | apps:xfce4-screensaver:configuration [2019/11/21 21:40] (current) – kevinbowen | ||
---|---|---|---|
Line 1: | Line 1: | ||
- | ** [[https:// | + | ===== xfce4-screensaver with SmartCard login ===== |
- | Issue: When using sssd with smartcard login, xfce4-screensaver (or lightdm, mate, etc...) don't ask for the PIN Code, while some services (sudo, su, gdm..) do ask. | + | **Issue:** When using sssd with smartcard login, xfce4-screensaver (or lightdm, mate, etc...) don't ask for the PIN Code, while some services (sudo, su, gdm..) do ask. |
- | Rootcause: Before sssd-2.0 or sssd-1.16.4, | + | ---- |
+ | |||
+ | **Rootcause:** Before sssd-2.0 or sssd-1.16.4, | ||
From these 2 releases, the configuration " | From these 2 releases, the configuration " | ||
- | Request: Specifcy in the documentation | + | ---- |
+ | |||
+ | **Resolution:** the user will need to update sssd.conf accordingly: | ||
# / | # / | ||
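Review bot: The added **Resolution:** line tells the user to update sssd.conf "accordingly" without naming the change. Suggest naming the setting outright, for example "add the service to pam_p11_allowed_services in sssd.conf", since that is the option the page goes on to show. Two wording points in the same hunk: "Rootcause" should be "Root cause", and "xfce4-screensaver (or lightdm, mate, etc...) don't ask" should read "does not ask" with "etc." instead of "etc...".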
Line 12: | Line 16: | ||
pam_p11_allowed_services = +xfce4-screensaver | pam_p11_allowed_services = +xfce4-screensaver | ||
+ | ---- | ||
+ | |||
+ | **Scenario: | ||
+ | |||
+ | - xfce4-screensaver (or any other pam enabled application) wants to auth the user | ||
+ | - Calls pam_start (service xfce4-screensaver) | ||
+ | - in / | ||
+ | - pam_sss.so will talk to the sss daemon through / | ||
+ | - sss_pam will check if the service is allowed to use smartcard auth. If so, It'll spawn / | ||
+ | - " | ||
+ | - sss_pam will filter these certificates and if one matches, ask the user for the PIN Code (through pam_message) | ||
+ | - "echo -n 12345 | p11_child --auth --pin ..." will return 0 if referenced certificate is valid for sssd, 1 if any error occurs | ||
+ | - pam sequence continues according to configuration. | ||
- | Scenario | + | **Source:** |
- | 1) xfce4-screensaver (or any other pam enabled application) wants to auth the user | + | * [[https://bugzilla.xfce.org/show_bug.cgi? |
- | 2) Calls pam_start (service xfce4-screensaver) | + | |
- | 3) in /etc/pam.d/ | + | |
- | 4) pam_sss.so will talk to the sss daemon through | + | |
- | 6) sss_pam will check if the service is allowed to use smartcard auth. If so, It'll spawn / | + | |
- | 7) " | + | |
- | 8) sss_pam will filter these certificates and if one matches, ask the user for the PIN Code (through pam_message) | + | |
- | 9) "echo -n 12345 | p11_child --auth --pin ..." will return 0 if referenced certificate is valid for sssd, 1 if any error occurs | + | |
- | 10) pam sequence continues according to configuration. | + |
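Review bot: The removed list jumps from "4)" to "6)", and the new "-" ordered list will renumber automatically and hide that gap, so confirm that no step 5 was lost before this lands. In the added step quoting "echo -n 12345 | p11_child --auth --pin ...", mark 12345 as a placeholder PIN and make clear the line illustrates the call rather than a command for the reader to run, because a real PIN typed this way ends up in shell history. Minor: "It'll" is capitalised mid-sentence, and "auth the user" would read better as "authenticate the user".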