[Freeipa-users] Lock screen when Smart Card is removed.

Sumit Bose sbose at redhat.com
Tue Mar 22 12:25:15 UTC 2016


On Fri, Mar 18, 2016 at 10:53:08AM -0500, Michael Rainey (Contractor) wrote:
> Hi Sumit,
> 
> It has been a week and I am following up with you on the lock screen issue.
> Have you had any progress?  If so, I am hoping implementing the fix will be
> quick and easy.

Thank you for your patience. Please find a test build for RHEL/CentOS
7.2 at https://koji.fedoraproject.org/koji/taskinfo?taskID=13412048 .

Besides the updated version of SSSD you should replace
/etc/pam.d/smartcard-auth with

======== /etc/pam.d/smartcard-auth =========
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required      pam_permit.so


session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_sss.so
===========================================

and /etc/dconf/db/distro.d/10-authconfig

===== /etc/dconf/db/distro.d/10-authconfig =====
[org/gnome/login-screen]
enable-fingerprint-authentication=false

[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
===============================================

and /etc/dconf/db/distro.d/locks/10-authconfig-locks

====== /etc/dconf/db/distro.d/locks/10-authconfig-locks ===
/org/gnome/login-screen/enable-fingerprint-authentication
/org/gnome/settings-daemon/peripherals/smartcard
===========================================================

and call 'dconf update' to get the new setting loaded. Finally, it might
be a good idea to restart gdm to make sure the new setting and PAM
configuration are really active, although I would expect that gdm is able
to pick up the changes at run-time.

Any feedback, good or bad, is welcome.

bye,
Sumit

> 
> Thanks,
> 
> *Michael Rainey*
> 
> On 03/11/2016 02:32 AM, Sumit Bose wrote:
> >On Thu, Mar 10, 2016 at 01:36:15PM -0600, Michael Rainey (Contractor) wrote:
> >>Greetings,
> >>
> >>I have been adding systems to my new domain and utilizing the smart card
> >>login feature.  To date the smart card login feature is working very well.
> >>However, my group has been trying to implement locking the screen when the
> >>smart card is removed, but have not been successful at making it work.  Does
> >>anyone have any suggestions as to what it would take to enable locking the
> >>screen when the smart card is removed?
> >This requires a better integration with gdm which is currently WIP
> >(https://fedorahosted.org/sssd/ticket/2941). If you don't mind please
> >ping me in about a week about this again, then I might have done some
> >more testing.
> >
> >bye,
> >Sumit
> >
> >>Thank you in advance.
> >>-- 
> >>*Michael Rainey*
> >>-- 
> >>Manage your subscription for the Freeipa-users mailing list:
> >>https://www.redhat.com/mailman/listinfo/freeipa-users
> >>Go to http://freeipa.org for more info on the project
> 


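A check script, added here and not part of the post, that verifies the three settings Sumit lists are in place on a host. Paths are the ones from the post; the root-prefix argument and the constructed sample tree are assumptions so the check can also be run against a copy of the files instead of the live /etc.

```sh
#!/bin/sh
# Added check (not from the post): verify that the smart-card removal
# lock is wired up in the three files Sumit lists. Paths come from the
# post; the root-prefix argument is an assumption so the check can be
# run against a copy of the files rather than the live /etc.

# Constructed sample tree carrying the relevant lines from the post.
write_sample_config() {
    root="$1"
    mkdir -p "$root/etc/pam.d" "$root/etc/dconf/db/distro.d/locks"
    cat > "$root/etc/pam.d/smartcard-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_sss.so allow_missing_name
auth        required      pam_deny.so
EOF
    cat > "$root/etc/dconf/db/distro.d/10-authconfig" <<'EOF'
[org/gnome/login-screen]
enable-fingerprint-authentication=false

[org/gnome/settings-daemon/peripherals/smartcard]
removal-action='lock-screen'
EOF
    printf '/org/gnome/settings-daemon/peripherals/smartcard\n' \
        > "$root/etc/dconf/db/distro.d/locks/10-authconfig-locks"
}

# Return 0 when all three settings are present, 1 otherwise, naming what is missing.
# Usage: check_removal_lock /   (or a prefix such as a backup or test tree)
check_removal_lock() {
    root="$1"
    status=0
    # pam_sss.so must be the sufficient auth module and carry allow_missing_name
    grep -Eq '^auth[[:space:]]+sufficient[[:space:]]+pam_sss\.so[[:space:]].*allow_missing_name' \
        "$root/etc/pam.d/smartcard-auth" 2>/dev/null \
        || { echo "missing: pam_sss.so allow_missing_name in smartcard-auth"; status=1; }
    # removal-action must sit under the smartcard section, not just anywhere in the file
    awk -v want="removal-action='lock-screen'" \
        '/^\[org\/gnome\/settings-daemon\/peripherals\/smartcard\]$/ { s = 1; next }
         /^\[/ { s = 0 }
         s && $0 == want { found = 1 }
         END { exit !found }' "$root/etc/dconf/db/distro.d/10-authconfig" 2>/dev/null \
        || { echo "missing: removal-action='lock-screen' under smartcard section"; status=1; }
    # the lock keeps users from overriding the removal action in their own dconf profile
    grep -Fxq '/org/gnome/settings-daemon/peripherals/smartcard' \
        "$root/etc/dconf/db/distro.d/locks/10-authconfig-locks" 2>/dev/null \
        || { echo "missing: smartcard path in 10-authconfig-locks"; status=1; }
    return "$status"
}
```

Run `check_removal_lock /` after `dconf update` to confirm the files are in place; it does not verify that gdm has picked the settings up, so a gdm restart remains the definitive test.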