From c7f20a9d79ef8e9a681994b27554dcd5df1d36c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 4 Feb 2019 12:38:39 +0100
Subject: [PATCH 2/3] sssd: require smartcard only for specific services

Otherwise even services like su or sudo cannot perform password authentication,
which is not desired.

Resolves:
https://github.com/pbrezina/authselect/issues/134
---
 profiles/sssd/system-auth | 1 +
 1 file changed, 1 insertion(+)

diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 22dba5b2d3db23855724ddb05528e5013c63c5af..c21d18ec855978d4f10abc3f1f95ac1cfb563d58 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -1,6 +1,7 @@
 auth        required                                     pam_env.so
 auth        required                                     pam_faildelay.so delay=2000000
 auth        required                                     pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
+auth        [success=1 default=ignore]                   pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
 auth        [success=done ignore=ignore default=die]     pam_sss.so require_cert_auth ignore_authinfo_unavail   {include if "with-smartcard-required"}
 auth        sufficient                                   pam_fprintd.so                                         {include if "with-fingerprint"}
 auth        [default=1 ignore=ignore success=ok]         pam_succeed_if.so uid >= 1000 quiet
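Review bot: The added pam_succeed_if line ties the smartcard requirement to the PAM service name, so every service not in the hard-coded list (sshd, sudo, su and anything else) takes the `success=1` jump over the require_cert_auth pam_sss line and falls back to password authentication; an administrator who enables `with-smartcard-required` may not expect remote logins to be exempt, so this scope should be stated next to the feature, e.g. a comment above the line (if the template format allows one) reading `# with-smartcard-required enforces certificate authentication only for the local login and screen-locker services listed below; all other services keep password authentication`. The `use_uid` option only changes whose account is evaluated for user-based conditions and has no effect on a `service` test, so it can be dropped for consistency with the existing pam_succeed_if line at the end of the hunk. Note also that `success=1` depends on the require_cert_auth pam_sss line being the immediate successor and being included under the same `with-smartcard-required` condition; a later insertion between the two would silently change which module is skipped.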
-- 
2.17.2