#4115 Smart Card authentication in polkit
Closed: Fixed a year ago by pbrezina. Opened a year ago by jjelen.

Some of the administrative applications allow elevate privileges for administrative tasks using polkit (for example systemctl). This makes it convenient when one forgots to write sudo in front of the command. Even though all of the other prompts (sudo, gdm login), are configured to allow smart card authentication, this path does not.

I am not sure whether all the changes needed will be just a configuration, some new authselect rules or there would be actually more changes needed in sssd, polkit, pam configuration or elsewhere.


Hi Jakub,

thanks for raising the issue. It looks like I just forgot about polkit as a local application. Can you try if adding

pam_p11_allowed_services = +polkit-1

to the [pam] section of sssd.conf will make polkit ask for a PIN as well?

bye,
Sumit

I just tried that and without any success. I also added the polkit-1 to the services in [sssd] section, but I am not sure if it is right:

services = nss, pam, sudo, polkit-1

in /var/log/sssd/sssd_pam.log I can see the following:

(Mon Nov 11 18:00:21 2019) [sssd[pam]] [pam_initgr_cache_set] (0x2000): [jjelen] added to PAM initgroup cache
(Mon Nov 11 18:00:21 2019) [sssd[pam]] [may_do_cert_auth] (0x0020): Smartcard authentication for service [polkit-1] not supported.
(Mon Nov 11 18:00:21 2019) [sssd[pam]] [pam_dp_send_req] (0x0100): Sending request with the following data:

Not sure what more might need to be done.

I am on Fedora 31 (where update from Fedora 30 broke the gdm login btw -- not sure if rerunning the authselect fixed things, but if not, I guess that will be for different issue). Sudo works fine.

Hi,

the services option is not the right one, pam_p11_allowed_services = +polkit-1 works for me, are you sure you've added it to the [pam] section?

Can you attache sssd.conf and sssd_pam.log with debug_level = 9 in the [pam] section of sssd.conf?

bye,
Sumit

You are right. Yesterday, I probably forgot to restart sssd before trying (or the services option was conflicting?). Now it works as a charm. Thank you for the help.

Is there something else I can do, or are you going to update defaults in sssd to accept also this one?

You are right. Yesterday, I probably forgot to restart sssd before trying (or the services option was conflicting?). Now it works as a charm. Thank you for the help.

Thanks for the feedback.

Is there something else I can do, or are you going to update defaults in sssd to accept also this one?

Yes, polkit-1 should be added default_sc_services in get_sc_services. I'll keep this ticket open to track this. Please let me know if you would like to send a PR to https://github.com/SSSD/sssd/.

bye,
Sumit

FYI, the issues with gdm login I was describing earlier got resolved by itself with reboot and now work just fine.

Great, thank for the feedback and the patch. So this ticket will be closed when the patch is commited.

bye,
Sumit

  • master
    • cea159ef838239109b9cf5e646b57cb90aef8d3e - Allow smart card authentication in polkit

Metadata Update from @pbrezina:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/5076

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.

Metadata