Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3640
During a CCID smartcard screen unlock SSSD performs two cryptographic operations.
Normally this goes unnoticed as SSSD caches the pin and submits it twice.
However, with a YubiKey Nano set to touch-policy always, this causes you to need to touch the device twice.
SSSD should only perform a single cryptographic challenge to the CCID device during authentication.
Comments
Comment from sbose at 2018-02-19 09:12:35
Can you attach SSSD logs with debug_level=9, especially the domain log and the sssd_pam.log file.
The only condition I can currently think of where SSSD might do two crypto operations on the card is when pkinit is used and the authentication including ticket validation does not finish in the expected time (default timeout is 6s). In this case SSSD would fall back to an offline authentication which involves another crypto operation. The second one is needed because the first one during pkinit happens in the pkinit plugin and SSSD itself does not have any information about the result.
Comment from firstyear at 2018-03-05 00:17:08
I think, looking at this more, the issue is that GDM is performing two operations, not SSSD. So it may not be a bug that will ever be solved :(
Comment from firstyear at 2018-03-05 00:17:09
Metadata Update from @Firstyear:
Comment from sbose at 2018-03-05 08:43:09
GDM does not talk to the Smartcard/Yubikey directly but uses PAM. Do you, by chance, have pam_sss and pam_pkcs11 in /etc/pam.d/smartcard-auth?
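One way to run the check asked about in the last comment, as an added example that is not from the issue or from SSSD: it lists which of pam_sss and pam_pkcs11 appear in the auth stack of a PAM service file. The function names and the sample stack are constructed for illustration, and included or substacked files are not followed.

```shell
#!/bin/sh
# Added example: report which smartcard-capable modules (pam_sss, pam_pkcs11)
# are configured in the auth stack of a PAM service file.

# Print the matching module names, one per line, from the auth lines of $1.
smartcard_auth_modules() {
    awk '
        /^[[:space:]]*#/ { next }       # skip comment lines
        {
            type = $1
            sub(/^-/, "", type)         # "-auth" only silences a missing module
            if (type != "auth") next
            # The control field is one word or a bracketed [k=v ...] group.
            i = 2
            if ($i ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            mod = $(i + 1)
            sub(/.*\//, "", mod)        # drop a directory prefix, if any
            if (mod == "pam_sss.so" || mod == "pam_pkcs11.so") print mod
        }
    ' "$1" | sort -u
}

# Succeed only when both modules are present in the auth stack of $1.
has_both_smartcard_modules() {
    [ "$(smartcard_auth_modules "$1" | wc -l | tr -d ' ')" -eq 2 ]
}

# Constructed sample stack (not taken from the issue) with both modules.
write_sample() {
    cat > "$1" <<'EOF'
#%PAM-1.0
auth      required    pam_env.so
auth      [success=done ignore=ignore default=die]  pam_pkcs11.so
auth      sufficient  pam_sss.so
# auth    sufficient  pam_sss.so
account   required    pam_sss.so
EOF
}

# Usage: sh check.sh /etc/pam.d/smartcard-auth
if [ "$#" -gt 0 ]; then
    smartcard_auth_modules "$1"
    if has_both_smartcard_modules "$1"; then
        echo "pam_sss and pam_pkcs11 are both in the auth stack of $1"
    fi
fi
```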