On 4/9/24 05:33, Sumit Bose wrote:
> On Mon, Apr 08, 2024 at 09:45:08PM -0600, Orion Poplawski wrote:
> > It seems like one cannot unlock the screen with a different smart card than
> > the one that was used to log into the session, or at least one with a
> > different token id, even though they resolve to the same user (of course).
> >
> > Is there any immediately obvious reason this might be? Is the token id
> > cached somehow in the session? I would have thought that each
> > authentication would have been independent.
>
> Hi,
>
> yes, the token id is stored in the environment and this is a feature of
> Gnome Smartcard authentication since ever, i.e. pam_pkcs11 supported this
> as well.
>
> This was added before my time so I'm not sure about the reason.
Thanks for that, and I see it now:
PKCS11_LOGIN_TOKEN_NAME=PIV_II
It normally isn't an issue - the token name has been the cert subject name (which
was the same for the user's different smart cards), but it is now "PIV_II" since
we are switching to certs without subject names. This led to my issue now
that I have a mix.
It probably is helpful in general for the "insert smartcard labeled TOKEN"
messages that appear, and possibly entering incorrect PINs for different
smartcards.
--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems 720-772-5637
NWRA, Boulder/CoRA Office FAX: 303-415-9702
3380 Mitchell Lane orion(a)nwra.com
Boulder, CO 80301
https://www.nwra.com/
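The session check discussed in this thread, as an added example that is not code from the thread, pam_pkcs11 or SSSD: it parses a process environment in the /proc format, reads the PKCS11_LOGIN_TOKEN_NAME the session cached at login, and compares it with the label of a card presented at unlock time. The rule that a session with nothing cached accepts any card is an assumption, and the sample environment is constructed.

```python
"""Added example (not from the thread, pam_pkcs11 or SSSD): read the PKCS#11
token name a login session cached in its environment and check whether a
card with a different token label would match it.
Assumptions: Linux /proc layout; token labels are supplied by the caller
(e.g. read from `pkcs11-tool -L` or `p11tool --list-tokens`, not run here)."""
from typing import Dict, Optional

TOKEN_ENV = "PKCS11_LOGIN_TOKEN_NAME"  # variable quoted in the thread above


def parse_environ(raw: bytes) -> Dict[str, str]:
    """Parse /proc/<pid>/environ: NUL-separated KEY=VALUE entries.
    Entries without '=' are skipped; decoding is lenient because token
    labels are not guaranteed to be ASCII."""
    env: Dict[str, str] = {}
    for entry in raw.split(b"\0"):
        if not entry or b"=" not in entry:
            continue
        key, _, value = entry.partition(b"=")
        env[key.decode("utf-8", "surrogateescape")] = value.decode("utf-8", "surrogateescape")
    return env


def cached_token_name(env: Dict[str, str]) -> Optional[str]:
    """Token name recorded at login, or None if the session has none."""
    return env.get(TOKEN_ENV) or None


def session_environ(pid: int) -> Dict[str, str]:
    """Environment of a live process; needs the same uid as the process or root."""
    with open(f"/proc/{pid}/environ", "rb") as f:
        return parse_environ(f.read())


def unlock_accepts(env: Dict[str, str], inserted_label: str) -> bool:
    """Model of the unlock behaviour described in the thread: the presented
    card's token label must equal the cached name. Assumption (not stated in
    the thread): a session with nothing cached accepts any card."""
    cached = cached_token_name(env)
    return cached is None or cached == inserted_label


# Constructed sample of a session environment with the variable seen in the thread.
SAMPLE_ENVIRON = b"SHELL=/bin/bash\0PKCS11_LOGIN_TOKEN_NAME=PIV_II\0XDG_SESSION_TYPE=wayland\0"

if __name__ == "__main__":
    env = parse_environ(SAMPLE_ENVIRON)
    print("cached token name:", cached_token_name(env))
    for label in ("PIV_II", "Orion Poplawski"):  # second label stands in for a subject-named card
        verdict = "accepted" if unlock_accepts(env, label) else "refused"
        print(f"card labelled {label!r}: {verdict}")
```

To inspect a real session, call session_environ() with the pid of a process in that session (for example the user's gnome-shell) and compare its cached name with the labels the PKCS#11 tools report for each card.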