#3640 SSSD Performs two CCID operations for PIV auth
Closed: Invalid 6 years ago Opened 6 years ago by firstyear.

During a CCID smartcard screen unlock SSSD performs two cryptographic operations.

Normally this goes unnoticed as SSSD caches the pin and submits it twice.

However, with a yubikey nano set to touch-policy always, this then causes you to need to touch the device twice.

SSSD should only perform a single cryptographic challenge to the CCID device during authentication.


Can you attach SSSD logs with debug_level=9, especially the domain log and the sssd_pam.log file?

The only condition I can currently think of where SSSD might do two crypto operations on the card is when pkinit is used and the authentication including ticket validation does not finish in the expected time (default timeout is 6s). In this case SSSD would fall back to an offline authentication which involves another crypto operation. The second one is needed because the first one during pkinit happens in the pkinit plugin and SSSD itself does not have any information about the result.

I think looking at this more the issue is GDM is performing two operations, not SSSD. So it may not be a bug that will ever be solved :(

Metadata Update from @firstyear:
- Issue close_status updated to: Invalid
- Issue status updated to: Closed (was: Open)

6 years ago

GDM does not talk to the Smartcard/Yubikey directly but uses PAM. Do you, by chance, have pam_sss and pam_pkcs11 in /etc/pam.d/smartcard-auth?
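The check asked about in the comment above can be scripted. This is an added example, not part of the original ticket or of SSSD: it parses a PAM service file and lists which of the two named modules sit in the `auth` stack. The sample file content and the function names are constructed for illustration; whether both modules actually run depends on the control flags, so presence of both is only a hint to investigate.

```python
import re

# The two smartcard-capable modules named in the ticket comment.
CARD_MODULES = {"pam_sss.so", "pam_pkcs11.so"}

# type, control (simple keyword or [value=action ...]), module path
PAM_LINE = re.compile(r"-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def auth_card_modules(pam_text):
    """Return [(lineno, control, module)] for card modules in the auth stack."""
    hits = []
    for lineno, raw in enumerate(pam_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        match = PAM_LINE.match(line)
        if not match:
            continue
        mod_type, control, module = match.groups()
        module = module.rsplit("/", 1)[-1]    # accept absolute module paths
        if mod_type == "auth" and module in CARD_MODULES:
            hits.append((lineno, control, module))
    return hits

def both_card_modules_present(pam_text):
    """True when pam_sss and pam_pkcs11 are both configured for auth."""
    return {mod for _, _, mod in auth_card_modules(pam_text)} == CARD_MODULES

# Constructed sample resembling a smartcard-auth file (not from the ticket).
SAMPLE = """\
#%PAM-1.0
# constructed sample
auth     required      pam_env.so
auth     [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth     sufficient    pam_sss.so allow_missing_name
auth     required      pam_deny.so
account  required      pam_unix.so
account  [default=bad success=ok user_unknown=ignore] pam_sss.so
"""

if __name__ == "__main__":
    for lineno, control, module in auth_card_modules(SAMPLE):
        print(f"line {lineno}: {module} control={control}")
    if both_card_modules_present(SAMPLE):
        print("both pam_sss and pam_pkcs11 are in the auth stack")
```

To check a real system, pass the contents of `/etc/pam.d/smartcard-auth` to `auth_card_modules` instead of `SAMPLE`.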

SSSD is moving from Pagure to GitHub. This means that new issues and pull requests
will be accepted only in SSSD's GitHub repository.

This issue has been cloned to GitHub and is available here:
- https://github.com/SSSD/sssd/issues/4661

If you want to receive further updates on the issue, please navigate to the GitHub issue
and click on the subscribe button.

Thank you for understanding. We apologize for all inconvenience.
