From c7f20a9d79ef8e9a681994b27554dcd5df1d36c7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?=
Date: Mon, 4 Feb 2019 12:38:39 +0100
Subject: [PATCH 2/3] sssd: require smartcard only for specific services

Otherwise even services like su or sudo can not perform password authentication which is not desired.

Resolves: https://github.com/pbrezina/authselect/issues/134
---
 profiles/sssd/system-auth | 1 +
 1 file changed, 1 insertion(+)

diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index 22dba5b2d3db23855724ddb05528e5013c63c5af..c21d18ec855978d4f10abc3f1f95ac1cfb563d58 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -1,6 +1,7 @@
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
+auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid {include if "with-smartcard-required"}
 auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
 auth sufficient pam_fprintd.so {include if "with-fingerprint"}
 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
-- 
2.17.2
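Review bot: The added `pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver` line makes `with-smartcard-required` fail open: any PAM service that pulls in system-auth and is not named in the list jumps over `pam_sss.so require_cert_auth`, so a display manager or screen locker missing from the list authenticates without the certificate requirement. If the intent is only to exempt su and sudo, listing the exempt services instead keeps unknown services on the smartcard path, e.g. `auth [success=1 default=ignore] pam_succeed_if.so service in su:su-l:sudo:sudo-i quiet use_uid {include if "with-smartcard-required"}` (the exact exempt set needs confirming by the maintainers). The `success=1` jump also depends on the `require_cert_auth` line staying immediately below it, which deserves a `#` comment above the pair if the template format passes comments through. The rest of the auth stack lies outside the hunk, so what an unlisted service falls back to is inferred from the commit message rather than visible here.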