On 4/9/24 05:33, Sumit Bose wrote:
Am Mon, Apr 08, 2024 at 09:45:08PM -0600 schrieb Orion Poplawski:
It seems like one cannot unlock the screen with a different smart card than the one that was used to log into the session, or at least one with a different token id, even though they resolve to the same user (of course).
Is there any immediately obvious reason this might be? Is the token id cached somehow in the session? I would have thought that each authentication would have been independent.
Hi,
yes, the token id is stored in the environment and this is a feature of Gnome Smartcard authentication since forever, i.e. pam_pkcs11 supported this as well.
This was added before my time so I'm not sure about the reason.
Thanks for that, and I see it now:
PKCS11_LOGIN_TOKEN_NAME=PIV_II
It normally isn't an issue - the token name has been the cert subject name (which was the same for different smart cards for the user), but is now "PIV_II" now that we are switching to certs without subject names. This led to my issue now that I have a mix.
It probably is helpful in general for the "insert smartcard labeled TOKEN" messages that appear, and possibly entering incorrect PINs for different smartcards.
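As an added example, not code from the thread or from SSSD/GNOME, the following shell snippet reproduces the check the thread describes: the token label recorded at login in PKCS11_LOGIN_TOKEN_NAME is compared against the labels of the tokens currently inserted, so a mismatch can be diagnosed before blaming PIN handling. It assumes the variable name shown above and the "token label : ..." line format printed by OpenSC's `pkcs11-tool --list-token-slots`; the reader names, the "Example User" label and the sample listing are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the thread, not SSSD/GNOME code): compare the token
# label recorded at login with the labels of the tokens currently inserted.
#
# Assumptions: the session variable is PKCS11_LOGIN_TOKEN_NAME (as quoted in the
# thread); token labels are parsed from the output format of OpenSC's
# `pkcs11-tool --list-token-slots`. The listing below is constructed sample data.

SAMPLE_LISTING='Available slots:
Slot 0 (0x0): Example Reader 00 00
  token label        : PIV_II
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
Slot 1 (0x1): Example Reader 01 00
  token label        : Example User
  token manufacturer : piv_II
  token model        : PKCS#15 emulated'

# Print one token label per line from a pkcs11-tool listing given on stdin.
# Leading/trailing whitespace around the label is stripped.
token_labels_from_listing() {
    sed -n 's/^[[:space:]]*token label[[:space:]]*:[[:space:]]*//p' |
        sed 's/[[:space:]]*$//'
}

# Exit 0 when LABEL (arg 2) is exactly the token recorded at login (arg 1).
# An empty recorded name never matches, so a session that lost the variable
# is reported rather than silently accepted.
unlock_token_ok() {
    expected=$1
    label=$2
    [ -n "$expected" ] && [ "$expected" = "$label" ]
}

# Read PKCS11_LOGIN_TOKEN_NAME from the environment of a running process
# (pid in arg 1, e.g. the user's gnome-session process), or from the current
# shell's environment when no pid is given.
session_token_name() {
    if [ -n "$1" ] && [ -r "/proc/$1/environ" ]; then
        tr '\000' '\n' < "/proc/$1/environ" | sed -n 's/^PKCS11_LOGIN_TOKEN_NAME=//p'
    else
        printf '%s\n' "${PKCS11_LOGIN_TOKEN_NAME:-}"
    fi
}

# Report, for every inserted token on stdin, whether it would pass the
# login-token comparison against the recorded name in arg 1.
check_inserted_tokens() {
    expected=$1
    token_labels_from_listing | while IFS= read -r label; do
        if unlock_token_ok "$expected" "$label"; then
            printf 'OK   token "%s" matches login token "%s"\n' "$label" "$expected"
        else
            printf 'FAIL token "%s" does not match login token "%s"\n' "$label" "$expected"
        fi
    done
}

# Demonstration with the constructed listing: a session that logged in with the
# PIV_II-labelled card, while a subject-name-labelled card is also inserted.
demo() {
    printf '%s\n' "$SAMPLE_LISTING" | check_inserted_tokens "PIV_II"
}

demo
```

On a live system, replace the constructed listing with the real one (`pkcs11-tool --list-token-slots | check_inserted_tokens "$(session_token_name "$(pgrep -u "$USER" -n gnome-session)")"`, with the process name being an assumption to verify on your desktop); any token reported as FAIL is one the screen lock will reject regardless of the PIN entered.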