gksu not prompting when pam_musclecard in use

Bug #52018 reported by Tim Miller on 2006-07-05
6
Affects Status Importance Assigned to Milestone
gksu (Ubuntu)
Medium
Unassigned

Bug Description

pam_musclecard enables smartcard authentication in Linux. When configured, gksu does not prompt for the card PIN. When gksu is invoked from the command-line, the pam_musclecard prompt ("Please enter pin") is printed to stderr, but does not accept the PIN on stdin nor does it screen-grab or provide a dialog. Eventually the PAM modules time out and gksu exits.

Tim Miller (tmiller) wrote :

I should have added: As a result, a smartcard-enabled Ubuntu platform cannot use the smartcard to authenticate and run administrative functions from the GUI. These functions can only be run from the command line using sudo.

Em Qua, 2006-07-05 às 20:02 +0000, Tim Miller escreveu:
> I should have added: As a result, a smartcard-enabled Ubuntu platform
> cannot use the smartcard to authenticate and run administrative
> functions from the GUI. These functions can only be run from the
> command line using sudo.
>

How does pam_musclecard work when using sudo? You need to type in some
kind of code and then insert your card in a card reader?

I'm not familiar with smartcards, but I'd like to get this implemented
in gksu.

See you,

--
Gustavo Noronha Silva <email address hidden>
http://people.debian.org/~kov/

Tim Miller (tmiller) wrote :

With sudo and pam_musclecard, the user is prompted for the smartcard PIN which unlocks the private key for a nonce challenge. The actual prompt is "Please enter pin," as I noted above. sudo works fine in this environment.

I did note that when gksu is run from the command-line that the PIN prompt is dumped to stderr by gksu. Does this help?

I can help in testing if you need it.

Tim Miller (tmiller) wrote :

The behavior of gksu and gksudo with pam_musclecard is identical to Bug#15093. I get the same behavior with pam_pkcs11 as well. Both PAM modules present prompts that differ from the usual as pam_krb5 describes in Bug#15093. Here's what I see from the command-line:

For pam_musclecard:
cerebus@bes:~$ gksu xeyes
Please enter pin

For pam_pkcs11:
cerebus@bes:~$ gksu xeyes
PIN for token Co

Per the other bug, if I run sudo with -p GNOME_SUDO_PASS, I get:

For pam_musclecard:
cerebus@bes:~$ sudo -p GNOME_SUDO_PASS xeyes
Please enter pin:

For pam_pkcs11:
cerebus@bes:~/Desktop$ sudo -p GNOME_SUDO_PASS xeyes
PIN for token Common Access Card:

I note that an upstream bug was logged against sudo but there's been no motion on it as far as I can tell.

Do you still have this issue with the latest release of Ubuntu ?

Changed in gksu:
status: Unconfirmed → Needs Info
bubu (bbuades) wrote :

I've seen the same wrong behavior with pam_pkcs11 module.

Even changing the PIN prompt to say "Password:", gksu does not work correctly, due to timeout.

My smart card needs about 30 - 60 seconds to handshake, bug gksudo only waits a password prompt for about 5 seconds.
So, when pam_pkcs11 module prompts for a password, gksu wrongly thinks no password was needed and sudo did success.

I thing libgksu needs a major refactor to properly handle those password prompts, and not to relay on a sudo pipe.

This is the same problem as in bug #86843, isn't it ?

Tim Miller (tmiller) wrote :

Jérôme Guelfucci wrote:
> This is the same problem as in bug #86843, isn't it ?

Very likely closely related.

-- Tim

Ok I'm setting this as duplicate.

Tim Miller (tmiller) wrote :

On May 30, 2007, at 8:52 AM, Jérôme Guelfucci wrote:

> Ok I'm setting this as duplicate.

I'm uncomfortable with that until someone's looked at both in detail
and made a determination more in-depth than just me reading the
report and making a few assumptions.

-- Tim

No problem, I will just like the other bug here in comments.

"like" should be read as "link", sorry.

Changed in gksu:
importance: Undecided → Medium
Launchpad Janitor (janitor) wrote :

[Expired for gksu (Ubuntu) because there has been no activity for 60 days.]

Tim Miller (tmiller) wrote :

Reopen. Problem still extant in gutsy.

Tim Miller (tmiller) wrote :

Confirmed in Gutsy with pam_pkcs11 and libcoolkeypk11 as well as with pam_musclecard.

Changed in gksu:
status: Invalid → New
Tim Miller (tmiller) wrote :

Fixed in sudo_1.6.9p9-1ubuntu1. Backport from hardy required. Backport attached.

vnieto (vnieto) wrote :

Hi TIm Miller, Can you give me the sudo_1.6.9p9-1ubuntu1_i386.deb for amd64?
Thanks

Tim Miller (tmiller) wrote :

On May 5, 2008, at 11:32 PM, vnieto wrote:

> Hi TIm Miller, Can you give me the sudo_1.6.9p9-1ubuntu1_i386.deb
> for amd64?

Not having an AMD box to work on, no. But you can do it yourself
pretty easily:

https://wiki.ubuntu.com/Prevu

-- Tim

vnieto (vnieto) wrote :

Ok, But who name_of_source_package use on the command:
 prevu name_of_source_package
Thanks

To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers