From 088a2b92742cab5e1d8f71452c2ae0c0f183a6fd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 8 Oct 2018 12:34:09 +0200
Subject: [PATCH 1/2] sssd: add support for local users authentication via
 smart card

Resolves:
https://github.com/pbrezina/authselect/issues/23
---
 profiles/sssd/system-auth | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 02922b16903372598052e36f3713ca5c3f4c8418..a3d351cd5c37fb065892a0b71ec5323fd13a957d 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -3,7 +3,9 @@ auth        required                                     pam_faildelay.so delay=
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
 auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
-auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
+auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {exclude if "with-smartcard"}
+auth        [default=2 ignore=ignore success=ok]         pam_localuser.so                                       {include if "with-smartcard"}
+auth        [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_sss.so try_cert_auth           {include if "with-smartcard"}
 auth        sufficient                                   pam_unix.so {if not "without-nullok":nullok} try_first_pass
 auth        requisite                                    pam_succeed_if.so uid >= 1000 quiet_success
 auth        sufficient                                   pam_sss.so forward_pass
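Review bot: With "with-smartcard" enabled, the `default=1` jump on the unchanged `pam_succeed_if.so uid >= 1000 quiet` line now skips only the new `pam_localuser.so` line and lands on `pam_sss.so try_cert_auth`, where it previously landed on `pam_unix.so`. Because that line ends in `default=die`, any pam_sss result other than success, authinfo_unavail or ignore ends the stack before pam_unix is tried. If pam_sss returns user_unknown for accounts SSSD does not handle (worth confirming for root and other uid < 1000 accounts), password login for those accounts would fail. Consider extending the control list to `[success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die]`, and add a comment above the three new lines explaining the jump counts, since a miscounted skip silently changes which module authenticates. The stack continues outside this hunk, and this is patch 1 of 2, so the follow-up may already cover it.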
-- 
2.17.1