From 396089c2acc76bef59040d22c4170673ac4009bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Mon, 8 Oct 2018 12:58:41 +0200
Subject: [PATCH 2/2] sssd: add with-smartcard-required feature

Resolves: https://github.com/pbrezina/authselect/issues/104
---
 profiles/sssd/README           | 6 ++++++
 profiles/sssd/dconf-db         | 1 +
 profiles/sssd/fingerprint-auth | 1 +
 profiles/sssd/password-auth    | 1 +
 profiles/sssd/system-auth      | 1 +
 5 files changed, 10 insertions(+)

diff --git a/profiles/sssd/README b/profiles/sssd/README
index c597afecff112e8af7905de9b6a8db77d5c3227c..acbb635729c2b4a69a91cafe4bec76b030967967 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -53,6 +53,12 @@ with-smartcard::
 
 with-smartcard-lock-on-removal::
     Lock screen when a smartcard is removed.
+    Note: "with-smartcard" must be set as well.
+
+with-smartcard-required::
+    Smartcard authentication is required. No other means of authentication
+    (including password) will be enabled.
+    Note: "with-smartcard" must be set as well.
 
 with-fingerprint::
     Enable authentication with fingerprint reader through *pam_fprintd*.
diff --git a/profiles/sssd/dconf-db b/profiles/sssd/dconf-db
index cf22698fcc8a292c1bf68466f943595ca54c7b27..b24f783eb700713386d66857de2532482d15ce7c 100644
--- a/profiles/sssd/dconf-db
+++ b/profiles/sssd/dconf-db
@@ -1,6 +1,7 @@
 [org/gnome/login-screen]
 enable-smartcard-authentication={if "with-smartcard":true|false}
 enable-fingerprint-authentication={if "with-fingerprint":true|false}
+enable-password-authentication={if "with-smartcard-required":false|true}
 
 [org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
 removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"}
diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 01a5d21748f8e84acde23a0926782cf817fefc79..01b70f3533149d00700859f3e0a1c3f2abb33a8a 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -1,5 +1,6 @@
 {continue if "with-fingerprint"}
 auth required pam_env.so
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth sufficient pam_fprintd.so
 auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}
diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index e35c8d6943b8289d8b65d7a47b2dad8143b6132b..3205f261dd8c898baf292c252ebdb346fcb779bb 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -1,5 +1,6 @@
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
 auth [default=1 ignore=ignore success=ok] pam_localuser.so
diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index a3d351cd5c37fb065892a0b71ec5323fd13a957d..982cada1f774e6d53dd75c9f5dbc0603337cd70b 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -1,6 +1,7 @@
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
+auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
 auth sufficient pam_fprintd.so {include if "with-fingerprint"}
 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
 auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}
-- 
2.17.1
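Review bot: The `pam_deny.so` line added to fingerprint-auth uses the `required` control, so with the feature enabled the stack does not stop there: the `pam_fprintd.so` prompt still runs and the `pam_faillock.so authfail` line below it records every attempt as a failure even though the outcome is already decided, which with `deny=4` can lock the account through a path the administrator has just disabled. If the intent is to refuse at once, `auth requisite pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}` returns to the application without running the later modules; the identical line added to password-auth has the same property if that stack has a matching authfail line further down (outside its hunk). If `required` is deliberate, say to keep the prompt sequence unchanged, a short comment on the line stating that would spare the next reader the same question. The remainder of both files is outside the hunks.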
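Review bot: The new `pam_sss.so` line in system-auth combines `ignore_authinfo_unavail` with `ignore=ignore`, so when SSSD cannot be reached the module's result is discarded and the stack continues to whatever modules follow, meaning the smartcard requirement is waived exactly when the certificate cannot be verified and a password-based module later in the stack may still succeed. If that fail-open behaviour is intended (for instance to keep local recovery possible), it belongs in the README entry for `with-smartcard-required`, which currently promises that no other means of authentication is enabled; otherwise dropping `ignore_authinfo_unavail` lets the unavailable case fall under `default=die`. Separately, `default=die` terminates the stack immediately on a failed certificate or PIN, so a `pam_faillock.so authfail` line placed after it (as fingerprint-auth has) would never be reached and failed smartcard attempts would not count toward the lockout; worth confirming that is the desired accounting. The rest of the auth stack is outside the hunk.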