Hi Andreas,
Thank you for the assistance with this SRU.
I've verified that the package available in -proposed indeed addresses
the issue as expected.
Before upgrading it, I was running SSSD 2.6.3-1ubuntu3.3
fa...@fabiomirmar.net@jammy-desktop:~$ apt-cache policy sssd | grep Installed
Installed: 2.6.3-1ubuntu3.3
And when I removed the smartcard and tried to run sudo commands, it
would fallbabck to password based authentication:
fa...@fabiomirmar.net@jammy-desktop:~$ sudo -i
Please insert smart card
[sudo] password for fa...@fabiomirmar.net:
root@jammy-desktop:~#
After enabling -proposed and upgrading, I'm now running
2.6.3-1ubuntu3.4:
fa...@fabiomirmar.net@jammy-desktop:~$ apt-cache policy sssd
sssd:
Installed: 2.6.3-1ubuntu3.4
Candidate: 2.6.3-1ubuntu3.4
Version table:
*** 2.6.3-1ubuntu3.4 500
500 http://archive.ubuntu.com/ubuntu jammy-proposed/main amd64 Packages
100 /var/lib/dpkg/status
2.6.3-1ubuntu3.3+sf395104v20240916b1 500
500 https://ppa.launchpadcontent.net/mruffell/sf395104-test/ubuntu
jammy/main amd64 Packages
2.6.3-1ubuntu3.3 500
500 http://br.archive.ubuntu.com/ubuntu jammy-updates/main amd64
Packages
500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
2.6.3-1ubuntu3 500
500 http://br.archive.ubuntu.com/ubuntu jammy/main amd64 Packages
fa...@fabiomirmar.net@jammy-desktop:~$ apt-cache policy sssd | grep Installed
Installed: 2.6.3-1ubuntu3.4
And now it no longer fallback to password based authentication, and wait for
the user to insert the smartcard to proceed with the authentication:
fa...@fabiomirmar.net@jammy-desktop:~$ sudo -i
Please insert smart card
Please (re)insert (different) Smartcard
Please (re)insert (different) Smartcard
Besides this specific tests, I also did some basic tests to make sure it
continues to work as expected. I've tested sudo scenario + switch user
through gnome + locking and unlocking the screen + rebooting and
authenticating with GDM + login in the serial console. In all these
scenarios it works as expected (authentication succeeds when the
smartcard is connected, and it fails prompting for a smartcard when it
is disconnected, and doesn't fallback to password-based).
I'm not marking as verification-done as I don't know if we need to
address second dep8 test before doing so.
Regards,
Fabio Martins
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2081129
Title:
libpam-sss: require_cert_auth is not absolute, will fall back to
password auth on smartcard removal
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/2081129/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
