10:45 p.m.
It seems like one cannot unlock the screen with a different smart card
then the one that was used to log into the session, or at least one with
a different token id, even though they resolve to the same user (of course).
Is there any immediately obvious reason this might be? Is the token id
cached somehow in the session? I would have thought that each
authentication would have been independent.
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
6:33 a.m.
Am Mon, Apr 08, 2024 at 09:45:08PM -0600 schrieb Orion Poplawski:
It seems like one cannot unlock the screen with a different smart
card then
the one that was used to log into the session, or at least one with a
different token id, even though they resolve to the same user (of course).
Is there any immediately obvious reason this might be? Is the token id
cached somehow in the session? I would have thought that each
authentication would have been independent.
Hi,
yes, the token id is stored in the environment and this a feature of
Gnome Smartcard authentication since ever i.e. pam_pkcs11 supported this
as well.
This was added before my time so I'm not sure about the reason.
bye,
Sumit
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
--
_______________________________________________
sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
4:12 p.m.
On 4/9/24 05:33, Sumit Bose wrote:
Am Mon, Apr 08, 2024 at 09:45:08PM -0600 schrieb Orion Poplawski:
> It seems like one cannot unlock the screen with a different smart card then
> the one that was used to log into the session, or at least one with a
> different token id, even though they resolve to the same user (of course).
>
> Is there any immediately obvious reason this might be? Is the token id
> cached somehow in the session? I would have thought that each
> authentication would have been independent.
Hi,
yes, the token id is stored in the environment and this a feature of
Gnome Smartcard authentication since ever i.e. pam_pkcs11 supported this
as well.
This was added before my time so I'm not sure about the reason.
Thanks for that, and I see it now:
PKCS11_LOGIN_TOKEN_NAME=PIV_II
It normally isn't an issue - the token name has been cert subject name (which
was the same for different smart cards for the user), but is now "PIV_II" that
we are switching to certs without subject names. This led to my issue now
that I have a mix.
It probably is helpful in general for the "insert smartcard labeled TOKEN"
messages that appear, and possibly entering incorrect PINs for different
smartcards.
--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301 https://www.nwra.com/
25
days inactive
25
days old
sssd-users@lists.fedorahosted.org
2 comments
2 participants
participants (2)
-
Orion Poplawski -
Sumit Bose