From c7f20a9d79ef8e9a681994b27554dcd5df1d36c7 Mon Sep 17 00:00:00 2001

From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>

Date: Mon, 4 Feb 2019 12:38:39 +0100

Subject: [PATCH 2/3] sssd: require smartcard only for specific services

Otherwise even services like su or sudo can not perform password authentication

which is not desired.

Resolves:

https://github.com/pbrezina/authselect/issues/134

---

 profiles/sssd/system-auth | 1 +

 1 file changed, 1 insertion(+)

diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth

index 22dba5b2d3db23855724ddb05528e5013c63c5af..c21d18ec855978d4f10abc3f1f95ac1cfb563d58 100644

--- a/profiles/sssd/system-auth

+++ b/profiles/sssd/system-auth

@@ -1,6 +1,7 @@

 auth        required                                     pam_env.so

 auth        required                                     pam_faildelay.so delay=2000000

 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}

+auth        [success=1 default=ignore]                   pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}

 auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert_auth ignore_authinfo_unavail   {include if "with-smartcard-required"}

 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}

 auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet

-- 

2.17.2