#3775 RFE: Support smartcard authentication for kde
Closed: duplicate 4 months ago by orion. Opened 5 months ago by orion.

It looks like sssd does not support KDE (or vice versa?) for smartcard authentication:

(Thu Jul 19 15:28:20 2018) [sssd[pam]] [may_do_cert_auth] (0x0020): Smartcard authentication for service [kde] not supported.

What needs to be done to get this to work?


This happens when trying to unlock the screen in KDE.

Also, it looks like Plasma (Fedora 28) uses "kde" above. In EL7, KDE4, it uses the kscreensaver service.

The list of services is currently hard-coded:

bool may_do_cert_auth(struct pam_ctx *pctx, struct pam_data *pd)
{
    size_t c;
    const char *sc_services[] = { "login", "su", "su-l", "gdm-smartcard",
                                  "gdm-password", "kdm", "sudo", "sudo-i",
                                  "gnome-screensaver", NULL };
...
    /* TODO: make services configurable */
    if (pd->service == NULL || *pd->service == '\0') {
        return false;
    }
    for (c = 0; sc_services[c] != NULL; c++) {
        if (strcmp(pd->service, sc_services[c]) == 0) {
            break;
        }
    }
    if  (sc_services[c] == NULL) {
        DEBUG(SSSDBG_CRIT_FAILURE,
              "Smartcard authentication for service [%s] not supported.\n",
              pd->service);
        return false;
    }

Pull request https://github.com/SSSD/sssd/pull/620 is supposed to provide a configurable way to set the list of the PAM services allowed to authenticate with smartcards.

I built a custom version with kde and kscreensaver added to the list. This allows F28 kscreenlocker to unlock via the PIN (although not with the password). I guess it will need to grow support to distinguish between the two (filed https://bugs.kde.org/show_bug.cgi?id=396703), but at least the basic functionality works.

This issue was fixed with #2926 by commit 93caaf2.

Closing this ticket as duplicate.

Metadata Update from @sbose:
- Issue close_status updated to: duplicate
- Issue status updated to: Closed (was: Open)

4 months ago

I only have one question - since the new option was added to 2.0 only and it might take some time until 2.0 makes its way into the distributions, would it be a good idea to backport the patch to 1.16.x so it can be more easily applied to e.g. supported fedora releases?

> I only have one question - since the new option was added to 2.0 only and it might take some time until 2.0 makes its way into the distributions, would it be a good idea to backport the patch to 1.16.x so it can be more easily applied to e.g. supported fedora releases?

It was pushed before we branched the 2.0, so it's already part of the sssd-1-16 branch (IOW, no need to backport).
The build done today by @mzidek already included this fix for f27 and f28 (which are using 1.16.3 + patches).
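
The configurable service list this ticket asks for, as an added sketch that is not part of the ticket and not SSSD's own code: it starts from the hard-coded defaults quoted above and applies the `+service` / `-service` syntax that sssd.conf(5) documents for `pam_p11_allowed_services` in the `[pam]` section. The names `svc_build` and `svc_allowed`, the fixed-size list, and the choice to reject entries without a `+` or `-` prefix are assumptions of this example.

```c
#include <stdbool.h>
#include <string.h>
enum { MAX_SVC = 32, SVC_LEN = 64 };

/* Default set copied from the may_do_cert_auth() excerpt in this ticket. */
static const char *sc_defaults[] = { "login", "su", "su-l", "gdm-smartcard",
    "gdm-password", "kdm", "sudo", "sudo-i", "gnome-screensaver", NULL };
struct svc_list { char name[MAX_SVC][SVC_LEN]; size_t n; };

static int svc_find(const struct svc_list *l, const char *s)
{
    for (size_t i = 0; i < l->n; i++)
        if (strcmp(l->name[i], s) == 0) return (int)i;
    return -1;
}

/* Defaults first, then "+svc" adds and "-svc" removes.
 * Returns false on a malformed entry so the caller can fail closed. */
bool svc_build(struct svc_list *l, const char *opt)
{
    l->n = 0;
    for (size_t i = 0; sc_defaults[i] != NULL; i++)
        strcpy(l->name[l->n++], sc_defaults[i]);
    for (const char *p = opt ? opt : ""; *p != '\0'; ) {
        char svc[SVC_LEN];
        p += strspn(p, ", ");            /* skip separators */
        size_t len = strcspn(p, ", ");   /* entry length including +/- */
        if (len == 0) break;
        if ((*p != '+' && *p != '-') || len < 2 || len > SVC_LEN) return false;
        memcpy(svc, p + 1, len - 1);
        svc[len - 1] = '\0';
        int idx = svc_find(l, svc);
        if (*p == '+' && idx < 0) {
            if (l->n == MAX_SVC) return false;
            strcpy(l->name[l->n++], svc);
        } else if (*p == '-' && idx >= 0) {  /* move last entry into the hole */
            if ((size_t)idx != --l->n) strcpy(l->name[idx], l->name[l->n]);
        }
        p += len;
    }
    return true;
}

/* Same yes/no decision as the ticket's check, against the built list. */
bool svc_allowed(const char *opt, const char *service)
{
    struct svc_list l;
    if (service == NULL || *service == '\0' || !svc_build(&l, opt)) return false;
    return svc_find(&l, service) >= 0;
}
```

With no option set, `svc_allowed(NULL, "kde")` is false, which is the case logged in this ticket; `"+kde, +kscreensaver"` admits both KDE lockers while keeping the defaults.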
