gdm-smartcard pam config denies legitimate users, prompts for username

Bug #1986750 reported by Tom Carroll
Affects: gdm3 (Ubuntu) | Status: New | Importance: Undecided | Assigned to: Unassigned

Bug Description

I'm encountering three issues when using a smartcard to log in to gdm3. The root of the issues is the gdm-smartcard-sssd-exclusive PAM configuration for authentication:

1. The gdm-smartcard denies access to legitimate users as no success control value is configured.

2. Because pam_succeed_if is first in the authentication stack, it will invoke pam_get_user when the user is NULL. As gdm3 doesn't supply a user when invoking pam_start, pam_get_user invokes a conversation, causing gdm3 to collect a username.

3. If a Username of '' (empty string) is entered, pam_succeed_if will succeed, assuming a success=ok control value. If configured with allow-missing-name, pam_sss will use the certificate on the smartcard to identify the user. If so configured, this may map to root, which defeats the pam_succeed_if.so check.

I'm attaching a pam config that seems to address these issues by reordering the pam stack for authentication. By performing pam_sss before pam_succeed_if, pam_sss uses the certificate when the supplied user is NULL or the empty string. GDM3 only prompts for the smartcard PIN.

ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: gdm3 42.0-1ubuntu7
ProcVersionSignature: Ubuntu 5.15.0-46.49-generic 5.15.39
Uname: Linux 5.15.0-46-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: pass
CurrentDesktop: ubuntu:GNOME
Date: Tue Aug 16 20:39:44 2022
InstallationDate: Installed on 2022-08-12 (5 days ago)
InstallationMedia: Ubuntu 22.04.1 LTS "Jammy Jellyfish" - Release amd64 (20220809.1)
ProcEnviron:
 TERM=xterm-256color
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=en_US.UTF-8
 SHELL=/bin/bash
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)
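Points 1 and 2 of the report come down to how Linux-PAM evaluates a `[...]` control field and in which order the auth stack runs. The example below is added here and is not code from the reporter, gdm3, sssd or Linux-PAM: it models the control-flag dispatch in Python, lints an auth stack for the two mistakes, and evaluates two constructed stacks. The stacks, module arguments and return-value scenarios are assumptions chosen to mirror the report; they are not the shipped gdm-smartcard-sssd-exclusive file or the reporter's attachment.

```python
"""Model of Linux-PAM [...] control-flag dispatch plus a lint for the two
configuration mistakes in the report. Added example code, not part of gdm3,
sssd or Linux-PAM. The auth stacks at the bottom are constructed."""
import re

# Return values, spelled as pam.conf(5) spells them in control fields.
PAM_SUCCESS = "success"
PAM_AUTH_ERR = "auth_err"
PAM_IGNORE = "ignore"
PAM_PERM_DENIED = "perm_denied"   # Linux-PAM's PAM_MUST_FAIL_CODE

# The classic keywords as the bracket expressions pam.conf(5) defines them.
KEYWORDS = {
    "required":   "success=ok new_authtok_reqd=ok ignore=ignore default=bad",
    "requisite":  "success=ok new_authtok_reqd=ok ignore=ignore default=die",
    "sufficient": "success=done new_authtok_reqd=done default=ignore",
    "optional":   "success=ok new_authtok_reqd=ok default=ignore",
}

LINE_RE = re.compile(r"^(\w+)\s+(\[[^\]]*\]|\w+)\s+(\S+)\s*(.*)$")


def parse_line(line):
    """One config line -> (type, {retval: action}, module, [args])."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError("unparseable PAM line: %r" % line)
    typ, control, module, args = m.groups()
    spec = control[1:-1] if control.startswith("[") else KEYWORDS[control]
    actions = dict(tok.split("=", 1) for tok in spec.split())
    return typ, actions, module, args.split()


def auth_handlers(config):
    """The 'auth' lines of a config, comments and blanks skipped."""
    lines = (l for l in config.splitlines()
             if l.strip() and not l.lstrip().startswith("#"))
    return [h for h in map(parse_line, lines) if h[0] == "auth"]


def action_for(actions, retval):
    """A return value that is neither listed nor covered by 'default' is
    treated as 'bad' (Linux-PAM _pam_set_default_control). That is why a
    control with no success= entry denies a module that returned success."""
    return actions.get(retval, actions.get("default", "bad"))


def run_auth_stack(config, results):
    """Walk the auth stack; `results` maps module name to what it returns.
    Mirrors _pam_dispatch_aux: `impression` records whether the stack is
    leaning positive or negative, `status` is the value to hand back, and
    'done'/'die' end the walk early."""
    auth = auth_handlers(config)
    impression, status = None, PAM_PERM_DENIED
    i = 0
    while i < len(auth):
        _, actions, module, _ = auth[i]
        retval = results[module]
        action = action_for(actions, retval)
        i += 1
        if action in ("ok", "done") or action.isdigit():
            if impression is None or (impression == "pos" and status == PAM_SUCCESS):
                if retval != PAM_IGNORE:
                    impression, status = "pos", retval
            if action == "done" and impression == "pos":
                break
            if action.isdigit():            # N: like ok, then skip N modules
                i += int(action)
        elif action in ("bad", "die"):
            if impression != "neg":
                impression = "neg"
                status = PAM_PERM_DENIED if retval == PAM_IGNORE else retval
            if action == "die":
                break
        # 'ignore' contributes nothing to the result
    # Linux-PAM's final sanity check: a PAM_SUCCESS status that no positive
    # action produced is a configuration error and becomes a denial.
    if status == PAM_SUCCESS and impression != "pos":
        status = PAM_PERM_DENIED
    return status


def lint_smartcard_stack(config):
    """Flag the two mistakes the report describes on a smartcard auth stack."""
    auth = auth_handlers(config)
    findings = []
    for _, actions, module, _ in auth:
        act = action_for(actions, PAM_SUCCESS)
        if act in ("bad", "die"):
            findings.append("%s: success maps to '%s', legitimate users are denied"
                            % (module, act))
    mods = [h[2] for h in auth]
    if ("pam_succeed_if.so" in mods and "pam_sss.so" in mods
            and mods.index("pam_succeed_if.so") < mods.index("pam_sss.so")):
        findings.append("pam_succeed_if.so runs before pam_sss.so: with no user "
                        "set by the application it calls pam_get_user and prompts "
                        "for a username")
    return findings


# Constructed stack showing both mistakes: no success= entry on the first
# line, and pam_succeed_if.so ahead of pam_sss.so.
BROKEN_STACK = """\
auth    [default=bad]               pam_succeed_if.so user != root quiet_success
auth    [success=done default=bad]  pam_sss.so require_cert_auth allow_missing_name
"""

# Constructed reordering in the spirit of the report: pam_sss.so identifies
# the user from the certificate first, then the root check sees that name.
REORDERED_STACK = """\
auth    [success=ok default=die]    pam_sss.so require_cert_auth allow_missing_name
auth    [success=ok default=bad]    pam_succeed_if.so user != root quiet_success
"""
```

Running `lint_smartcard_stack(BROKEN_STACK)` reports both problems, and `run_auth_stack(BROKEN_STACK, ...)` with every module returning success still yields `perm_denied`, because the success from pam_succeed_if.so is caught by the default 'bad' mapping and the final sanity check refuses to return a success the stack never positively granted. With the reordered stack, a legitimate card returns `success`, a card that maps to root fails on the pam_succeed_if.so line, and a failed certificate check stops the stack at pam_sss.so.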
