gksu not prompting when pam_musclecard in use

I should have added: As a result, a smartcard-enabled Ubuntu platform cannot use the smartcard to authenticate and run administrative functions from the GUI. These functions can only be run from the command line using sudo.

Em Qua, 2006-07-05 às 20:02 +0000, Tim Miller escreveu:
> I should have added: As a result, a smartcard-enabled Ubuntu platform
> cannot use the smartcard to authenticate and run administrative
> functions from the GUI. These functions can only be run from the
> command line using sudo.
>

How does pam_musclecard work when using sudo? You need to type in some
kind of code and then insert your card in a card reader?

I'm not familiar with smartcards, but I'd like to get this implemented
in gksu.

See you,

--
Gustavo Noronha Silva <email address hidden>
http://people.debian.org/~kov/

With sudo and pam_musclecard, the user is prompted for the smartcard PIN which unlocks the private key for a nonce challenge. The actual prompt is "Please enter pin," as I noted above. sudo works fine in this environment.

I did note that when gksu is run from the command-line that the PIN prompt is dumped to stderr by gksu. Does this help?

I can help in testing if you need it.

The behavior of gksu and gksudo with pam_musclecard is identical to Bug#15093. I get the same behavior with pam_pkcs11 as well. Both PAM modules present prompts that differ from the usual as pam_krb5 describes in Bug#15093. Here's what I see from the command-line:

For pam_musclecard:
cerebus@bes:~$ gksu xeyes
Please enter pin

For pam_pkcs11:
cerebus@bes:~$ gksu xeyes
PIN for token Co

Per the other bug, if I run sudo with -p GNOME_SUDO_PASS, I get:

For pam_musclecard:
cerebus@bes:~$ sudo -p GNOME_SUDO_PASS xeyes
Please enter pin:

For pam_pkcs11:
cerebus@bes:~/Desktop$ sudo -p GNOME_SUDO_PASS xeyes
PIN for token Common Access Card:

I note that an upstream bug was logged against sudo but there's been no motion on it as far as I can tell.

Do you still have this issue with the latest release of Ubuntu ?

I've seen the same wrong behavior with pam_pkcs11 module.

Even changing the PIN prompt to say "Password:", gksu does not work correctly, due to timeout.

My smart card needs about 30 - 60 seconds to handshake, bug gksudo only waits a password prompt for about 5 seconds.
So, when pam_pkcs11 module prompts for a password, gksu wrongly thinks no password was needed and sudo did success.

I thing libgksu needs a major refactor to properly handle those password prompts, and not to relay on a sudo pipe.

This is the same problem as in bug #86843, isn't it ?

Jérôme Guelfucci wrote:
> This is the same problem as in bug #86843, isn't it ?

Very likely closely related.

-- Tim

Ok I'm setting this as duplicate.

On May 30, 2007, at 8:52 AM, Jérôme Guelfucci wrote:

> Ok I'm setting this as duplicate.

I'm uncomfortable with that until someone's looked at both in detail
and made a determination more in-depth than just me reading the
report and making a few assumptions.

-- Tim

No problem, I will just like the other bug here in comments.

"like" should be read as "link", sorry.

[Expired for gksu (Ubuntu) because there has been no activity for 60 days.]

Reopen. Problem still extant in gutsy.

Confirmed in Gutsy with pam_pkcs11 and libcoolkeypk11 as well as with pam_musclecard.

Fixed in sudo_1.6.9p9-1ubuntu1. Backport from hardy required. Backport attached.

Hi TIm Miller, Can you give me the sudo_1.6.9p9-1ubuntu1_i386.deb for amd64?
Thanks

On May 5, 2008, at 11:32 PM, vnieto wrote:

> Hi TIm Miller, Can you give me the sudo_1.6.9p9-1ubuntu1_i386.deb
> for amd64?

Not having an AMD box to work on, no. But you can do it yourself
pretty easily:

https://wiki.ubuntu.com/Prevu

-- Tim

Ok, But who name_of_source_package use on the command:
 prevu name_of_source_package
Thanks