From ddfc7e99e96ee732586c07342900d287d2378802 Mon Sep 17 00:00:00 2001
From: Sumit Bose <sbose@redhat.com>
Date: Mon, 30 May 2022 11:56:24 +0200
Subject: [PATCH 88/88] pam_sss: fix for old GDM screen lock
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In contrast to the login screen the lock screen of older GDM versions
does not restart PAM if a new Smartcard is inserted. So the user must
press the enter key explicitly to restart PAM. This patch uses a dedicated
prompt in this case and overwrites any other error message shown in
between.

Resolves: https://github.com/SSSD/sssd/issues/6022

Reviewed-by: Alexey Tikhonov <atikhono@redhat.com>
Reviewed-by: Pavel Březina <pbrezina@redhat.com>
---
 src/sss_client/pam_sss.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index feb4837fb..db41fdb67 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1788,6 +1788,7 @@ static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi)
 }
 
 #define SC_INSERT_PROMPT _("Please (re)insert (different) Smartcard")
+#define SC_INSERT_PROMPT_ENTER _("Please (re)insert (different) Smartcard and press enter")
 
 static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
 {
@@ -1802,7 +1803,16 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
     struct cert_auth_info *cai = pi->selected_cert;
 
     if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
-        ret = asprintf(&prompt, SC_INSERT_PROMPT);
+        /* Older versions of the GDM screen lock do not restart PAM if a
+         * Smartcard is removed and inserted again in contrast to the login
+         * screen. The PKCS11_LOGIN_TOKEN_NAME enviroment variable is used to
+         * detect the screen lock mode and the user is prompted to press the
+         * enter key. */
+        if (getenv("PKCS11_LOGIN_TOKEN_NAME") == NULL) {
+            ret = asprintf(&prompt, SC_INSERT_PROMPT);
+        } else {
+            ret = asprintf(&prompt, SC_INSERT_PROMPT_ENTER);
+        }
     } else if (cai == NULL || cai->token_name == NULL
                     || *cai->token_name == '\0') {
         return PAM_SYSTEM_ERR;
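Review bot: The new `ret = asprintf(&prompt, SC_INSERT_PROMPT_ENTER);` (and the retained `SC_INSERT_PROMPT` call beside it) passes a gettext-translated string as the format argument with no further arguments, so any `%` sequence in a translation catalog would be parsed as a conversion specifier and `-Wformat-security` flags the pattern; as neither string carries a placeholder, `ret = asprintf(&prompt, "%s", SC_INSERT_PROMPT_ENTER);` keeps the behaviour and closes that path. The lock-screen detection rests solely on whether `PKCS11_LOGIN_TOKEN_NAME` is present in the calling process's environment, and a wrong guess only changes the prompt wording, but the comment should state that it is a heuristic rather than a definitive indicator. The comment also misspells `environment` as `enviroment`. prompt_sc_pin continues outside the hunk, including whatever handles ret afterwards.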
@@ -1820,6 +1830,12 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
         if (ret != PAM_SUCCESS) {
             D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
         }
+    } else {
+        /* clear previous messages, if any */
+        ret = do_pam_conversation(pamh, PAM_TEXT_INFO, "", NULL, NULL);
+        if (ret != PAM_SUCCESS) {
+            D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
+        }
     }
 
     if (pi->user_name_hint) {
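Review bot: The new `else` branch sends an empty PAM_TEXT_INFO on every path not taken by the preceding branch, whose condition lies before the hunk, so any PAM application reaching this point receives it, not only the GDM lock screen the commit targets; a terminal conversation such as libpam_misc's misc_conv presumably renders it as a blank line. If the preceding condition is not already GDM-specific, guarding the clear with the check used earlier in the function, `} else if (SERVICE_IS_GDM_SMARTCARD(pi)) {`, confines the side effect to the case that needs it. The one-line comment should also say what the empty message achieves, e.g. `/* GDM shows the latest PAM_TEXT_INFO, so an empty one replaces any stale error message */`, since the intent is only recoverable from the commit description. The enclosing if/else starts outside the hunk.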
-- 
2.35.3