gdm-smartcard pam config needs to be updated for Ubuntu and installed

Bug #1865226 reported by pi-rho
This bug affects 2 people
Affects                         Status        Importance  Assigned to               Milestone
GNOME Settings Daemon           Unknown       Unknown
gdm3 (Debian)                   Fix Released  Unknown
gdm3 (Ubuntu)                                 High        Marco Trevisan (Treviño)
  Focal                                       High        Marco Trevisan (Treviño)
gnome-settings-daemon (Ubuntu)                Medium      Marco Trevisan (Treviño)
  Focal                                       Medium      Marco Trevisan (Treviño)

Bug Description

the pam profile for gdm-smartcard is missing. gdm refuses to login with a smartcard. Looking at ubuntu/+source/gdm3, other pam files are pregenerated into debian/ and installed from there; gdm-smartcard is left out.

ProblemType: Bug
DistroRelease: Ubuntu 18.04
Package: gdm3 3.28.3-0ubuntu18.04.4
ProcVersionSignature: Ubuntu 5.3.0-24.26~18.04.2-generic 5.3.10
Uname: Linux 5.3.0-24-generic x86_64
NonfreeKernelModules: zfs zunicode zavl icp zcommon znvpair nvidia_modeset nvidia
ApportVersion: 2.20.9-0ubuntu7.11
Architecture: amd64
CurrentDesktop: ubuntu:GNOME
Date: Fri Feb 28 14:30:30 2020
InstallationDate: Installed on 2016-05-23 (1376 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
SourcePackage: gdm3
UpgradeStatus: No upgrade log present (probably fresh install)
mtime.conffile..etc.gdm3.Xsession: 2018-04-27T11:41:04.766901

Revision history for this message
Sebastien Bacher (seb128) wrote :

Thanks, confirmed. Unsure why Debian does that instead of using the upstream ones; it would be useful to report it to Debian.

Changed in gdm3 (Ubuntu):
importance: Undecided → Low
status: New → Confirmed
Revision history for this message
pi-rho (pi-rho) wrote :

reported to debian BTS, added link

Changed in gdm:
status: Unknown → New
tags: added: rls-gg-incoming
Revision history for this message
Sebastien Bacher (seb128) wrote :

Comment from one of the Debian pkg-gnome maintainers:

'the upstream gdm pam rules are not working out of the box due to nss not installing the NSSDB in /etc/pki/nssdb/ (which I think is a Fedoraism)'

summary: - gdm3 fails to install /etc/pam.d/gdm-smartcard
+ gdm-smartcard pam config needs to be updated for Ubuntu and installed
Revision history for this message
Steve Langasek (vorlon) wrote :

Dimitri, why is a bug task opened on pam? The description doesn't point to this being a pam bug.

Changed in pam (Ubuntu):
status: New → Invalid
Changed in gdm3 (Ubuntu):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
tags: removed: rls-gg-incoming
Revision history for this message
Eric Desrochers (slashd) wrote :

It has been brought to my attention by a UA customer that they are suffering from what seems to be a similar situation:

"
Our only currently working SmartCard access from Linux, over SSSD, to AD, is on RHEL7.
I was able to get SSH access on Ubuntu 20.04LTS, after adding "ad_gpo_access_control = permissive" in sssd.conf.

Logging in locally fails (prompting for password, rather than PIN). It is also still prompting for the Password twice on all local login attempts.

RHEL7 -> Ubuntu 20.04LTS (SSH) - Success
Ubuntu 20.04LTS -> RHEL7 (SSH) - Success
Ubuntu Desktop login (GDM or CLI) - Fail
Ubuntu Desktop login via local username/pw - Success, but with 2 pw prompts.
"

Eric Desrochers (slashd)
Changed in gdm3 (Ubuntu Groovy):
importance: Low → Medium
Eric Desrochers (slashd)
Changed in gdm3 (Ubuntu Groovy):
importance: Medium → High
Changed in gdm3 (Ubuntu Focal):
status: New → Confirmed
importance: Undecided → High
Changed in gdm3 (Ubuntu Bionic):
importance: Undecided → High
Steve Langasek (vorlon)
Changed in pam (Ubuntu Bionic):
status: New → Invalid
Changed in pam (Ubuntu Focal):
status: New → Invalid
Revision history for this message
Eric Desrochers (slashd) wrote :

# git clone https://gitlab.gnome.org/GNOME/gdm.git

# find . -name "gdm-smartcard*"
./data/pam-arch/gdm-smartcard.pam
./data/pam-redhat/gdm-smartcard.pam
./data/pam-exherbo/gdm-smartcard.pam
./data/pam-lfs/gdm-smartcard.pam

It seems like Ubuntu/Debian will have to start by having a 'compatible' PAM stack config.

So far looking upstream, it seems to only be defined for 4 specific distros:
- Archlinux
- Redhat
- Exherbo
- Linux From Scratch (LFS)

Revision history for this message
Sebastien Bacher (seb128) wrote :

Right, as pointed out in previous comments, the configuration as it is today isn't working on Debian/Ubuntu systems; the first step would be to have someone who understands those pam details work out those parts.

Revision history for this message
Eric Desrochers (slashd) wrote :

I unfortunately don't have a smartcard device handy to test/debug/.... but if I compare with RHEL which is known to be working...

Redhat has the following configuration "gdm-smartcard", which includes "smartcard-auth", a symlink pointing to "smartcard-auth-local".

I think we should 'mimic' this (at least as a starting point) without the selinux and other RHEL specific bits.

- Eric

Changed in gdm3 (Ubuntu Focal):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote :
Changed in gnome-settings-daemon (Ubuntu):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
importance: Undecided → Medium
status: New → In Progress
no longer affects: gnome-settings-daemon (Ubuntu Bionic)
Changed in gdm3 (Ubuntu Bionic):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Revision history for this message
Sebastien Bacher (seb128) wrote :

The solution is going to require sssd, which started being used in focal; we are not going to do official updates to bionic.

Changed in gdm3 (Ubuntu Bionic):
status: New → Won't Fix
Changed in gnome-settings-daemon (Ubuntu Focal):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Changed in gnome-settings-daemon (Ubuntu Groovy):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Revision history for this message
Marco Trevisan (Treviño) (3v1n0) wrote :

While Bionic could be maybe supported, that would likely require newer SSSD.

Maybe in such a case a pam_pkcs11 based solution could be provided, but it's quite a lot of backporting work which would need the SRU team to agree with.

Revision history for this message
Eric Desrochers (slashd) wrote :

Lukasz (sil2100), can we have your SRU team's input on this bug with regard to Bionic/18.04 LTS?

Revision history for this message
Eric Desrochers (slashd) wrote :

(I have pinged sil2100 internally for him to provide his 2 cents on this bug.)

Revision history for this message
Łukasz Zemczak (sil2100) wrote :

Though I do understand it is a bit annoying that smartcard login on bionic doesn't work, it worries me that fixing this would involve a lot of backporting. This isn't a regression and bionic has been like this from day 0, right? Do we have an understanding on how wanted this is on bionic?

I'm not saying no, but right now I wouldn't be comfortable in such a big set of changes without a rationale. I would rather recommend them to switch to focal and fixing it there. But I'd have to know more.

Mathew Hodson (mhodson)
no longer affects: pam (Ubuntu)
no longer affects: pam (Ubuntu Bionic)
no longer affects: pam (Ubuntu Focal)
no longer affects: pam (Ubuntu Groovy)
affects: gdm → ubuntu-translations
Changed in ubuntu-translations:
importance: Unknown → Undecided
no longer affects: ubuntu-translations
Changed in gdm3 (Debian):
status: Unknown → New
Changed in gdm3 (Ubuntu Groovy):
status: Confirmed → In Progress
no longer affects: gdm3 (Ubuntu Groovy)
no longer affects: gnome-settings-daemon (Ubuntu Groovy)
Changed in gdm3 (Ubuntu):
status: Confirmed → In Progress
Changed in gnome-settings-daemon (Ubuntu):
status: In Progress → Fix Committed
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gnome-settings-daemon - 3.38.1-3ubuntu3

---------------
gnome-settings-daemon (3.38.1-3ubuntu3) hirsute; urgency=medium

  * debian/patches: Support smartcard readers via p11kit API (LP: #1865226)
  * debian/control: Build depend on libgck-1-dev and remove nss dependency
    (LP: #1865226)

 -- Marco Trevisan (Treviño) <email address hidden> Thu, 25 Feb 2021 04:53:56 +0100

Changed in gnome-settings-daemon (Ubuntu):
status: Fix Committed → Fix Released
Changed in gdm3 (Debian):
status: New → Fix Released
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package gdm3 - 3.38.2.1-2ubuntu1

---------------
gdm3 (3.38.2.1-2ubuntu1) hirsute; urgency=medium

  * Merge with debian, containing new upstream version
  * debian/control: Don't Recommend pam fprintd module, as we seed it
  * debian/patches: Refresh
  * debian/gdm3.prerm: Resync with debian
  * debian/gdm3.gdm-smartcard-*: Add user_readenv=1 in pam_env.so
  * Remaining changes with debian:
    + readme.debian: update for correct paths in ubuntu
    + control.in:
      - don't recommend desktop-base
      - build depend on libgudev-1.0-dev
      - depend on bash for config_error_dialog.patch
      - update vcs field
    + rules:
      - don't override default user/group
      - -dgdm-xsession=true to install upstream xsession script
      - override dh_installinit with --no-start to avoid session being killed
    + rules, readme.debian, gdm3.8.pod:
      use upstream custom.conf instead of daemon.conf
    + gdm3.{postinst,postrm}: rename user and group back to gdm
    + gdm3.*.pam: make pam_env read ~/.pam_environment, as we use in g-c-c
      settings
    + gdm3.install:
      - stop installing default.desktop. it adds unnecessary clutter
        ("system default") to the session chooser.
      - don't install debian/xsession
    + add run_xsession.d.patch
    + add xresources_is_a_dir.patch
      - fix loading from /etc/x11/xresources/*
    + add nvidia_prime.patch:
      - add hook to run prime-offload (as root) and prime-switch if
        nvidia-prime is installed
    + add revert_override_lang_with_accountservices.patch:
      - on ubuntu accountservices only stores the language and not the
        full locale as needed by lang.
    + add dont_set_language_env.patch:
      - don't run the set_up_session_language() function, since it
        overrides variable values set by ~/.pam_environment
    + add config_error_dialog.patch:
      - show warning dialog in case of error in ~/.profile etc. and
        don't let a syntax error make the login fail
    + add debian/patches/revert_nvidia_wayland_blacklist.patch:
      - don't blacklist nvidia for wayland
    + add gdm3.service-wait-for-drm-device-before-trying-to-start-i.patch:
      - wait for the first valid gdm device on pre-start
    + add debian/default.pa
      - disable bluetooth audio devices in pulseaudio from gdm3.
    + debian/gdm3.install
      - added details of the default.pa file
    + debian/gdm3.postinst
      - added installation of default.pa and creation of dir if it doesn't
        exist.
    + debian/greeter.dconf-defaults: don't set debian settings in the
      greeter's dconf db

gdm3 (3.38.2.1-2) experimental; urgency=medium

  * debian: Add gdm-smartcard PAM module implemented with libpam_sss.
    The implementation uses update-alternatives to provide a generic
    gdm-smartcard PAM module that can be changed using the tool.
    Potentially other systems could be used or supported (such as pam_pkcs11
    or pam_p11) by adding other modules implementing the gdm-smartcard auth
    service. (LP: #1865226, Closes: #953557)
  * debian: Add gdm-smartcard implementation using pkcs11
  * debian/gdm3.gdm-smartcard-sssd-exclusive.pam:
    - PAM co...

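The changelog above describes gdm-smartcard as an update-alternatives-managed PAM service built on pam_sss. The following is an added example (my own code, not part of gdm3, Ubuntu or this bug) that parses a PAM stack the way Linux-PAM resolves it (following @include, include/substack and the alternatives symlink) and reports which modules run in the auth phase, so an administrator can confirm a smartcard stack really authenticates through pam_sss.so and does not fall through to a pam_unix.so password prompt. The sample stacks and the name gdm-smartcard-fallback are constructed; only gdm-smartcard-sssd-exclusive mirrors a file name on this page, and its content here is invented for the demo.

```python
import os, re, tempfile

# A PAM entry: type, control (one word or a [bracketed] list), module, optional args.
PAM_LINE = re.compile(r"^(?P<type>-?\w+)\s+(?P<ctrl>\[[^\]]*\]|\S+)\s+(?P<mod>\S+)(?P<args>.*)$")

def parse_pam(path, seen=None):
    """Return ordered (type, control, module, args) tuples, expanding includes."""
    seen = set() if seen is None else seen
    real = os.path.realpath(path)  # an update-alternatives symlink resolves to its target
    if real in seen: return []     # guard against include loops
    seen.add(real)
    entries = []
    with open(real) as fh:
        for raw in fh:
            line = raw.split("#", 1)[0].strip()
            if not line: continue
            if line.startswith("@include"):  # Debian/Ubuntu directive: pull in every type
                entries.extend(parse_pam(os.path.join(os.path.dirname(real), line.split()[1]), seen))
                continue
            m = PAM_LINE.match(line)
            if not m: continue
            typ, ctrl, mod, args = m.group("type", "ctrl", "mod", "args")
            if ctrl in ("include", "substack"):  # only lines of the same type are pulled in
                sub = parse_pam(os.path.join(os.path.dirname(real), mod), seen)
                entries.extend(e for e in sub if e[0] == typ)
                continue
            entries.append((typ.lstrip("-"), ctrl, mod, args.strip()))
    return entries

def auth_modules(path):  # module names reachable in the auth phase, in stack order
    return [e[2] for e in parse_pam(path) if e[0] == "auth"]

def password_fallback(path):  # True when pam_unix.so is in the auth stack: a password prompt is reachable
    return "pam_unix.so" in auth_modules(path)

def demo():
    d = tempfile.mkdtemp()  # constructed sample stacks below, not the files gdm3 ships
    files = {
        "common-auth": "auth [success=1 default=ignore] pam_unix.so nullok_secure\n"
                       "auth requisite pam_deny.so\nauth required pam_permit.so\n",
        "gdm-smartcard-sssd-exclusive": "auth required pam_env.so user_readenv=1\nauth [success=done default=bad] pam_sss.so\n",
        "gdm-smartcard-fallback": "auth sufficient pam_sss.so\nauth include common-auth\n",
    }
    for name, text in files.items():
        with open(os.path.join(d, name), "w") as fh: fh.write(text)
    os.symlink("gdm-smartcard-sssd-exclusive", os.path.join(d, "gdm-smartcard"))  # stand-in for the alternatives link
    return {n: (auth_modules(os.path.join(d, n)), password_fallback(os.path.join(d, n)))
            for n in ("gdm-smartcard", "gdm-smartcard-fallback")}
```

On a focal or later install, auth_modules("/etc/pam.d/gdm-smartcard") shows the live stack; a reachable pam_unix.so is one way a "smartcard" login ends up asking for a password instead of a PIN.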

Changed in gdm3 (Ubuntu):
status: In Progress → Fix Released
Mathew Hodson (mhodson)
no longer affects: gdm3 (Ubuntu Bionic)
Changed in gnome-settings-daemon (Ubuntu Focal):
importance: Undecided → Medium
Revision history for this message
Eric Desrochers (slashd) wrote :

Any idea when Focal will be completed ?

Regards,
Eric
