From ddfc7e99e96ee732586c07342900d287d2378802 Mon Sep 17 00:00:00 2001
From: Sumit Bose
Date: Mon, 30 May 2022 11:56:24 +0200
Subject: [PATCH 88/88] pam_sss: fix for old GDM screen lock
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In contrast to the login screen the lock screen of older GDM versions does not restart PAM if a new Smartcard is inserted. So the user must press the enter key explicitly restart PAM. This patch uses a dedicated prompt in this case and overwrites any other error message shown in between.

Resolves: https://github.com/SSSD/sssd/issues/6022
Reviewed-by: Alexey Tikhonov
Reviewed-by: Pavel Březina
---
 src/sss_client/pam_sss.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/src/sss_client/pam_sss.c b/src/sss_client/pam_sss.c
index feb4837fb..db41fdb67 100644
--- a/src/sss_client/pam_sss.c
+++ b/src/sss_client/pam_sss.c
@@ -1788,6 +1788,7 @@ static int prompt_multi_cert(pam_handle_t *pamh, struct pam_items *pi)
 }
 
 #define SC_INSERT_PROMPT _("Please (re)insert (different) Smartcard")
+#define SC_INSERT_PROMPT_ENTER _("Please (re)insert (different) Smartcard and press enter")
 
 static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
 {
@@ -1802,7 +1803,16 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
 struct cert_auth_info *cai = pi->selected_cert;
 
 if (cai == NULL && SERVICE_IS_GDM_SMARTCARD(pi)) {
- ret = asprintf(&prompt, SC_INSERT_PROMPT);
+ /* Older versions of the GDM screen lock do not restart PAM if a
+ * Smartcard is removed and inserted again in contrast to the login
+ * screen. The PKCS11_LOGIN_TOKEN_NAME enviroment variable is used to
+ * detect the screen lock mode and the user is prompted to press the
+ * enter key. */
+ if (getenv("PKCS11_LOGIN_TOKEN_NAME") == NULL) {
+ ret = asprintf(&prompt, SC_INSERT_PROMPT);
+ } else {
+ ret = asprintf(&prompt, SC_INSERT_PROMPT_ENTER);
+ }
 } else if (cai == NULL || cai->token_name == NULL || *cai->token_name == '\0') {
 return PAM_SYSTEM_ERR;
@@ -1820,6 +1830,12 @@ static int prompt_sc_pin(pam_handle_t *pamh, struct pam_items *pi)
 if (ret != PAM_SUCCESS) {
 D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
 }
+ } else {
+ /* clear previous messages, if any */
+ ret = do_pam_conversation(pamh, PAM_TEXT_INFO, "", NULL, NULL);
+ if (ret != PAM_SUCCESS) {
+ D(("Conversation failure: %s, ignored", pam_strerror(pamh, ret)));
+ }
 }
 
 if (pi->user_name_hint) {
-- 
2.35.3
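Review bot: In the second hunk (the `SERVICE_IS_GDM_SMARTCARD(pi)` branch of prompt_sc_pin), the added `asprintf(&prompt, SC_INSERT_PROMPT_ENTER)` passes a `_()`-wrapped, presumably translated, string as the format argument, just as the moved `asprintf(&prompt, SC_INSERT_PROMPT)` does; a `%` in a message catalog would then be parsed as a conversion, so `ret = asprintf(&prompt, "%s", SC_INSERT_PROMPT_ENTER);` (and the same for `SC_INSERT_PROMPT`) is the safer form. The `getenv("PKCS11_LOGIN_TOKEN_NAME")` test reads the environment of whatever process loaded the module, so the comment should state that the value is a display hint only, for example `/* hint for prompt text only; never use for access decisions */`. The new comment also misspells "environment" as "enviroment". prompt_sc_pin begins before and ends after this hunk.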
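Review bot: In the third hunk the added `else` branch sends an empty `PAM_TEXT_INFO` message whenever the preceding `if` is not taken, and that `if` condition lies outside the hunk, so it is not visible whether the branch is limited to the GDM Smartcard service. If it is not, conversation functions other than GDM's may print an empty line before the PIN prompt; `} else if (SERVICE_IS_GDM_SMARTCARD(pi)) {` would confine the workaround to the case the commit message describes. The comment could also say why an empty string is sent, e.g. `/* empty info message replaces a stale error left on the GDM lock screen */`. prompt_sc_pin continues outside the hunk.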