** Description changed: + [ Impact ] + the pam profile for gdm-smartcard is missing. gdm refuses to login with a smartcard. Looking at ubuntu/+source/gdm3, other pam files are pregenerated into debian/ and installed from there; gdm-smartcard is left out. - ProblemType: Bug - DistroRelease: Ubuntu 18.04 + [ Test case ] + + 1. When in GDM, insert a smartcard + 2. The GDM interface should require for an user + 3. The user should be set (or empty may be provided, + depending on sssd configuration) + 4. The smartcard PIN should be requested and once introduce the + user must login. + + Note that this requires configuring sssd before, a simple local + configuration could require having sssd.conf filled with: + + ```ini + [sssd] + enable_files_domain = True + services = pam + + [certmap/implicit_files/$USER] + matchrule = <SUBJECT>.*YOUR CARD IDENTIFIER* + + [pam] + pam_cert_auth = True + ``` + + The UI authentication can also be simulated via pamtester: + + # Must be ran as user + sudo apt install pamtester + pamtester -v gdm-smartcard $USER authenticate + + Expected output is + + pamtester -v gdm-smartcard ubuntu authenticate + pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...) + pamtester: performing operation - authenticate + PIN for Test Organization Sub Int Token: + pamtester: successfully authenticated + + [ Regression potential ] + + Smartcard authentication using custom methods using via a custom + configured system nss database may not work anymore. 
+ + --- + + ProblemType: BugDistroRelease: Ubuntu 18.04 Package: gdm3 3.28.3-0ubuntu18.04.4 ProcVersionSignature: Ubuntu 5.3.0-24.26~18.04.2-generic 5.3.10 Uname: Linux 5.3.0-24-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia ApportVersion: 2.20.9-0ubuntu7.11 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Feb 28 14:30:30 2020 InstallationDate: Installed on 2016-05-23 (1376 days ago) - InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1) - SourcePackage: gdm3 + InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)SourcePackage: gdm3 UpgradeStatus: No upgrade log present (probably fresh install) mtime.conffile..etc.gdm3.Xsession: 2018-04-27T11:41:04.766901
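Review bot: In the sssd.conf sample added under [ Test case ], the section header `[certmap/implicit_files/$USER]` reads as if the variable will be expanded, but sssd.conf is a plain ini file and nothing expands `$USER` there. Say that the tester has to substitute the login name by hand, the same way `YOUR CARD IDENTIFIER` is a placeholder in `matchrule`. The pamtester block is also ambiguous: the comment `# Must be ran as user` sits directly above `sudo apt install pamtester`, so it is not clear that it applies to the `pamtester -v gdm-smartcard $USER authenticate` line. The [ Regression potential ] sentence ("using custom methods using via a custom configured system nss database") should be reworded so the affected setups can be identified.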
** Description changed: [ Impact ] the pam profile for gdm-smartcard is missing. gdm refuses to login with a smartcard. Looking at ubuntu/+source/gdm3, other pam files are pregenerated into debian/ and installed from there; gdm-smartcard is left out. [ Test case ] 1. When in GDM, insert a smartcard 2. The GDM interface should require for an user 3. The user should be set (or empty may be provided, - depending on sssd configuration) + depending on sssd configuration) 4. The smartcard PIN should be requested and once introduce the - user must login. + user must login. Note that this requires configuring sssd before, a simple local configuration could require having sssd.conf filled with: ```ini [sssd] enable_files_domain = True services = pam [certmap/implicit_files/$USER] matchrule = <SUBJECT>.*YOUR CARD IDENTIFIER* [pam] pam_cert_auth = True ``` The UI authentication can also be simulated via pamtester: # Must be ran as user sudo apt install pamtester pamtester -v gdm-smartcard $USER authenticate Expected output is + pamtester -v gdm-smartcard ubuntu authenticate pamtester: invoking pam_start(gdm-smartcard, ubuntu, ...) 
pamtester: performing operation - authenticate PIN for Test Organization Sub Int Token: pamtester: successfully authenticated + --- + + Alternatively, if no smartcard or hardware is available, this can be tested and simulated using these scripts (they will reset the system setup at each run, but it's suggested to run them in a VM, lxd container or in a test installation): + https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a + + - sudo apt install gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin && \ + sudo apt-mark auto gdm3 pamtester softhsm2 openssl wget sssd gnutls-bin + - wget https://gist.github.com/3v1n0/287d02ca8e03936f1c7bba992173d47a/raw/sssd-gdm-smartcard-pam-auth-tester.sh + - sudo sssd-gdm-smartcard-pam-auth-tester.sh + + The script will generate some fake CA authority, issue some + certificates, will install them in some software-based smartcards (using + softhsm2) and test that they work properly to login with gdm-smartcard. + + Using `WAIT` environment variable set (to any value) will make it to + restart gdm at each iteration so that an user can try to access, using + the username that launched the script and the pin of 123456. + [ Regression potential ] Smartcard authentication using custom methods using via a custom configured system nss database may not work anymore. 
--- ProblemType: BugDistroRelease: Ubuntu 18.04 Package: gdm3 3.28.3-0ubuntu18.04.4 ProcVersionSignature: Ubuntu 5.3.0-24.26~18.04.2-generic 5.3.10 Uname: Linux 5.3.0-24-generic x86_64 NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia ApportVersion: 2.20.9-0ubuntu7.11 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Fri Feb 28 14:30:30 2020 InstallationDate: Installed on 2016-05-23 (1376 days ago) InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)SourcePackage: gdm3 UpgradeStatus: No upgrade log present (probably fresh install) mtime.conffile..etc.gdm3.Xsession: 2018-04-27T11:41:04.766901
https://bugs.launchpad.net/bugs/1865226
Title: gdm-smartcard pam config needs to be updated for Ubuntu and installed
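Review bot: The added alternative test runs a script as root straight from a gist `/raw/` URL with no revision or checksum, so what gets executed can change after this description is written; pin the URL to a specific gist revision or give a SHA-256 to verify before the `sudo` step. As written, `sudo sssd-gdm-smartcard-pam-auth-tester.sh` will also not find the file: wget saves it to the current directory without the executable bit and sudo resolves a bare command name through PATH, so use `sudo bash ./sssd-gdm-smartcard-pam-auth-tester.sh`. Since the text says the scripts reset the system setup at each run, state the VM or container as a requirement rather than a suggestion.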