Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to 'false'. #7602

Closed
wants to merge 1 commit into from
Closed

pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to 'false'. #7602

wants to merge 1 commit into from

Conversation

sumit-bose
Copy link
Contributor

The krb5 backend will only returns that Smartcard authentication is
available if a Smartcard is present. That means if the user
authenticates with a different method and a Smartcard is not present at
this time 'sc_allow' will be 'false' and might overwrite a 'true' value
written during a previous authentication attempt where a Smartcard was
present. To avoid this we only write 'true' values. Since the default if
SYSDB_LOCAL_SMARTCARD_AUTH is missing is 'false' local Smartcard
authentication (offline) will still only be enabled if online Smartcard
authentication was detected.

Resolves: #7532

@sumit-bose
pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to 'false'.
af848ba 
The krb5 backend will only returns that Smartcard authentication is
available if a Smartcard is present. That means if the user
authenticates with a different method and a Smartcard is not present at
this time 'sc_allow' will be 'false' and might overwrite a 'true' value
written during a previous authentication attempt where a Smartcard was
present. To avoid this we only write 'true' values. Since the default if
SYSDB_LOCAL_SMARTCARD_AUTH is missing is 'false' local Smartcard
authentication (offline) will still only be enabled if online Smartcard
authentication was detected.

Resolves: SSSD#7532
@sumit-bose sumit-bose marked this pull request as draft September 18, 2024 13:21
@sumit-bose sumit-bose mentioned this pull request Sep 18, 2024
Closed
@sumit-bose sumit-bose marked this pull request as ready for review September 19, 2024 12:28
justin-stephenson
justin-stephenson approved these changes Sep 19, 2024
View reviewed changes
Copy link
Contributor

@justin-stephenson justin-stephenson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ack, good catch.

ikerexxe
ikerexxe approved these changes Sep 20, 2024
View reviewed changes
Copy link
Contributor

@ikerexxe ikerexxe left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM. Nice catch by the way

@alexey-tikhonov alexey-tikhonov added the Ready to push Ready to push label Sep 20, 2024
@alexey-tikhonov
Copy link
Member

Pushed PR: #7602

  • master
    • 67ba42c - pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to 'false'.
  • sssd-2-9
    • b4c4968 - pam: only set SYSDB_LOCAL_SMARTCARD_AUTH to 'true' but never to 'false'.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@justin-stephenson justin-stephenson justin-stephenson approved these changes

@ikerexxe ikerexxe ikerexxe approved these changes

Assignees

@ikerexxe ikerexxe

@justin-stephenson justin-stephenson

Labels
Pushed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

EL9/CentOS Stream 9 lost offline smart card authentication
4 participants
@sumit-bose @alexey-tikhonov @ikerexxe @justin-stephenson