It seems like one cannot unlock the screen with a different smart card than the one that was used to log into the session, or at least one with a different token id, even though they resolve to the same user (of course).
Is there any immediately obvious reason this might be? Is the token id cached somehow in the session? I would have thought that each authentication would have been independent.
On Mon, Apr 08, 2024 at 09:45:08PM -0600, Orion Poplawski wrote:
> It seems like one cannot unlock the screen with a different smart card than the one that was used to log into the session, or at least one with a different token id, even though they resolve to the same user (of course).
> Is there any immediately obvious reason this might be? Is the token id cached somehow in the session? I would have thought that each authentication would have been independent.
Hi,
yes, the token id is stored in the environment and this is a feature of Gnome Smartcard authentication since ever, i.e. pam_pkcs11 supported this as well.
This was added before my time so I'm not sure about the reason.
bye, Sumit
--
Orion Poplawski
he/him/his - surely the least important thing about me
IT Systems Manager                720-772-5637
NWRA, Boulder/CoRA Office         FAX: 303-415-9702
3380 Mitchell Lane                orion@nwra.com
Boulder, CO 80301                 https://www.nwra.com/
-- _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
On 4/9/24 05:33, Sumit Bose wrote:
> On Mon, Apr 08, 2024 at 09:45:08PM -0600, Orion Poplawski wrote:
>> It seems like one cannot unlock the screen with a different smart card than the one that was used to log into the session, or at least one with a different token id, even though they resolve to the same user (of course).
>> Is there any immediately obvious reason this might be? Is the token id cached somehow in the session? I would have thought that each authentication would have been independent.
> Hi,
> yes, the token id is stored in the environment and this is a feature of Gnome Smartcard authentication since ever, i.e. pam_pkcs11 supported this as well.
> This was added before my time so I'm not sure about the reason.
Thanks for that, and I see it now:
PKCS11_LOGIN_TOKEN_NAME=PIV_II
It normally isn't an issue - the token name has been the cert subject name (which was the same for different smart cards for the user), but is now "PIV_II" now that we are switching to certs without subject names. This led to my issue now that I have a mix.
It probably is helpful in general for the "insert smartcard labeled TOKEN" messages that appear, and possibly entering incorrect PINs for different smartcards.
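As an added example (not from the thread, and not SSSD's or GNOME's own code), here is a small POSIX shell check for the situation discussed above: it reads the PKCS11_LOGIN_TOKEN_NAME that the login recorded in a session process's environment and compares it with the label of the card currently inserted. Run against a real session it would read /proc/<pid>/environ of a session process such as gnome-session (the pgrep invocation in the comment is an assumption about process naming); here it runs offline against a constructed environ sample, with "PIV_II" and a constructed subject-name label standing in for the two kinds of token names mentioned in the thread.

```shell
# Added example: inspect the token name cached in a session's environment.
# Not part of the original mailing-list thread.

# Print the PKCS11_LOGIN_TOKEN_NAME value from an environ file.
# $1: path to a NUL-separated environ file (e.g. /proc/<pid>/environ).
session_token_name() {
    tr '\000' '\n' < "$1" | sed -n 's/^PKCS11_LOGIN_TOKEN_NAME=//p'
}

# Succeed (exit 0) only if the inserted token's label equals the session's
# cached token name; an empty cached name is treated as a mismatch.
# $1: environ file, $2: label of the inserted token.
token_matches_session() {
    expected=$(session_token_name "$1")
    [ -n "$expected" ] && [ "$expected" = "$2" ]
}

# Constructed sample: what a session logged in with a "PIV_II" card records.
demo_env=$(mktemp)
printf 'USER=orion\000PKCS11_LOGIN_TOKEN_NAME=PIV_II\000HOME=/home/orion\000' > "$demo_env"

echo "session expects token: $(session_token_name "$demo_env")"

# Same user, but a second card whose label is its cert subject name
# (constructed value) would not unlock the session.
for label in "PIV_II" "CN=Orion Poplawski"; do
    if token_matches_session "$demo_env" "$label"; then
        echo "token '$label': would be accepted for unlock"
    else
        echo "token '$label': rejected, does not match cached token name"
    fi
done

# Against a live GNOME session one would point it at a session process, e.g.
# (assumption about the process name):
#   session_token_name "/proc/$(pgrep -u "$USER" -n gnome-session)/environ"
```

The check reproduces the behaviour Sumit describes: the unlock path compares labels, not users, so a card with a different token name is refused even though it resolves to the same account.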