From 396089c2acc76bef59040d22c4170673ac4009bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 8 Oct 2018 12:58:41 +0200
Subject: [PATCH 2/2] sssd: add with-smartcard-required feature

Resolves:
https://github.com/pbrezina/authselect/issues/104
---
 profiles/sssd/README           | 6 ++++++
 profiles/sssd/dconf-db         | 1 +
 profiles/sssd/fingerprint-auth | 1 +
 profiles/sssd/password-auth    | 1 +
 profiles/sssd/system-auth      | 1 +
 5 files changed, 10 insertions(+)

diff --git a/profiles/sssd/README b/profiles/sssd/README
index c597afecff112e8af7905de9b6a8db77d5c3227c..acbb635729c2b4a69a91cafe4bec76b030967967 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -53,6 +53,12 @@ with-smartcard::
 
 with-smartcard-lock-on-removal::
     Lock screen when a smartcard is removed.
+    Note: "with-smartcard" must be set as well.
+
+with-smartcard-required::
+    Smartcard authentication is required. No other means of authentication
+    (including password) will be enabled.
+    Note: "with-smartcard" must be set as well.
 
 with-fingerprint::
     Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/sssd/dconf-db b/profiles/sssd/dconf-db
index cf22698fcc8a292c1bf68466f943595ca54c7b27..b24f783eb700713386d66857de2532482d15ce7c 100644
--- a/profiles/sssd/dconf-db
+++ b/profiles/sssd/dconf-db
@@ -1,6 +1,7 @@
 [org/gnome/login-screen]
 enable-smartcard-authentication={if "with-smartcard":true|false}
 enable-fingerprint-authentication={if "with-fingerprint":true|false}
+enable-password-authentication={if "with-smartcard-required":false|true}
 
 [org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
 removal-action='lock-screen'                      {include if "with-smartcard-lock-on-removal"}
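Review bot: The new `enable-password-authentication` line is keyed on "with-smartcard-required" alone, while `enable-smartcard-authentication` two lines above is keyed on "with-smartcard"; if a profile enables the new feature without "with-smartcard" (the README hunk only documents that dependency, nothing enforces it), GDM ends up with both password and smartcard login disabled, which is an unattended lockout of the login screen. If the profile template language allows compound conditions, tie the key to both features so password login is only dropped when smartcard login is actually on; if it does not, the feature combination should be rejected by authselect rather than documented, and a comment here such as `# password login is switched off only in combination with "with-smartcard"` would make the intended pairing visible to whoever edits this file next.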
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 01a5d21748f8e84acde23a0926782cf817fefc79..01b70f3533149d00700859f3e0a1c3f2abb33a8a 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -1,5 +1,6 @@
 {continue if "with-fingerprint"}
 auth        required                                     pam_env.so
+auth        required                                     pam_deny.so # Smartcard authentication is required     {include if "with-smartcard-required"}
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth        sufficient                                   pam_fprintd.so
 auth        required                                     pam_faillock.so authfail deny=4 unlock_time=1200       {include if "with-faillock"}
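Review bot: The added `pam_deny.so` line uses `required`, which records the failure but lets the stack run on: `pam_fprintd.so` on the next-but-one line still prompts the user for a fingerprint that can never succeed, and when "with-faillock" is enabled the `pam_faillock.so authfail` line at the end of the hunk counts every such attempt, so a user who has no valid path through this stack accrues lockout tallies. `requisite` returns the denial immediately and skips both: `auth        requisite                                    pam_deny.so # Smartcard authentication is required     {include if "with-smartcard-required"}`. The same applies to the identical `pam_deny.so` line added in the password-auth hunk, where the lines following the hunk are outside this view.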
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index e35c8d6943b8289d8b65d7a47b2dad8143b6132b..3205f261dd8c898baf292c252ebdb346fcb779bb 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -1,5 +1,6 @@
 auth        required                                     pam_env.so
 auth        required                                     pam_faildelay.so delay=2000000
+auth        required                                     pam_deny.so # Smartcard authentication is required     {include if "with-smartcard-required"}
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
 auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index a3d351cd5c37fb065892a0b71ec5323fd13a957d..982cada1f774e6d53dd75c9f5dbc0603337cd70b 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -1,6 +1,7 @@
 auth        required                                     pam_env.so
 auth        required                                     pam_faildelay.so delay=2000000
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
+auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert_auth ignore_authinfo_unavail   {include if "with-smartcard-required"}
 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
 auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
 auth        [default=1 ignore=ignore success=ok]         pam_localuser.so                                       {exclude if "with-smartcard"}
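Review bot: The new `pam_sss.so require_cert_auth ignore_authinfo_unavail` line with `ignore=ignore` maps an SSSD outage (PAM_AUTHINFO_UNAVAIL) to "continue the stack" rather than "deny", so when sssd is unreachable the required-smartcard policy is not enforced by this line and authentication falls through to whatever follows; `pam_fprintd.so` is visible right below, and the rest of the stack is outside the hunk, so whether a password path remains cannot be confirmed here. If the feature is meant to hold even when SSSD is down, drop the option so the outage is a denial: `auth        [success=done default=die]                   pam_sss.so require_cert_auth                           {include if "with-smartcard-required"}`. If the fall-through is intentional, it should be stated in the README entry for "with-smartcard-required", e.g. `Note: if SSSD is unavailable, the stack continues with the remaining modules.`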
-- 
2.17.1