SSSD Performs two CCID operations for PIV auth #4661

Closed
sssd-bot opened this issue May 2, 2020 · 0 comments

sssd-bot commented May 2, 2020

Cloned from Pagure issue: https://pagure.io/SSSD/sssd/issue/3640

  • Created at 2018-02-17 23:29:41 by firstyear
  • Closed at 2018-03-05 00:17:06 as Invalid
  • Assigned to nobody

During a CCID smartcard screen unlock SSSD performs two cryptographic operations.

Normally this goes unnoticed as SSSD caches the pin and submits it twice.

However, with a yubikey nano set to touch-policy always, this causes you to need to touch the device twice.

SSSD should only perform a single cryptographic challenge to the CCID device during authentication.

Comments


Comment from sbose at 2018-02-19 09:12:35

Can you attach SSSD logs with debug_level=9, especially the domain log and the sssd_pam.log file?

The only condition I can currently think of where SSSD might do two crypto operations on the card is when pkinit is used and the authentication including ticket validation does not finish in the expected time (default timeout is 6s). In this case SSSD would fall back to an offline authentication which involves another crypto operation. The second one is needed because the first one during pkinit happens in the pkinit plugin and SSSD itself does not have any information about the result.


Comment from firstyear at 2018-03-05 00:17:08

I think, looking at this more, the issue is that GDM is performing two operations, not SSSD. So it may not be a bug that will ever be solved :(


Comment from firstyear at 2018-03-05 00:17:09

Metadata Update from @Firstyear:

  • Issue close_status updated to: Invalid
  • Issue status updated to: Closed (was: Open)

Comment from sbose at 2018-03-05 08:43:09

GDM does not talk to the Smartcard/Yubikey directly but uses PAM. Do you, by chance, have pam_sss and pam_pkcs11 in /etc/pam.d/smartcard-auth?
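
An added example, not part of the original thread or of SSSD's code: a small Python check for the situation the last comment asks about, listing which of pam_sss and pam_pkcs11 appear in the auth phase of a PAM service file. The sample stack is constructed, the function names are hypothetical, and treating each such auth entry as a possible separate card operation is an assumption.

```python
import re

# Modules named in the thread. Assumption: each auth-phase entry for one of
# them may drive its own operation on the token (and so its own touch).
CARD_MODULES = {"pam_sss.so", "pam_pkcs11.so"}

# Constructed sample of /etc/pam.d/smartcard-auth, not taken from the issue.
SAMPLE_STACK = """\
#%PAM-1.0
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so nodebug wait_for_card
auth        sufficient    pam_sss.so allow_missing_name
auth        required      pam_deny.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
session     optional      pam_sss.so
"""

# type, control (keyword or [value=action ...] list), module path, arguments
RULE_RE = re.compile(
    r"^-?(?P<type>auth|account|password|session)\s+"
    r"(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)\s*(?P<args>.*)$",
    re.IGNORECASE,
)

def parse_pam(text):
    """Yield (lineno, type, control, module, args) for each rule line."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        m = RULE_RE.match(line) if line else None
        if m:
            module = m["module"].rsplit("/", 1)[-1]  # tolerate absolute paths
            yield lineno, m["type"].lower(), m["control"].lower(), module, m["args"].split()

def card_auth_modules(text):
    """Return [(lineno, module)] for card-capable modules in the auth phase."""
    return [(n, mod) for n, typ, _, mod, _ in parse_pam(text)
            if typ == "auth" and mod in CARD_MODULES]

def has_duplicate_card_auth(text):
    """True when more than one distinct card-capable module handles auth."""
    return len({mod for _, mod in card_auth_modules(text)}) > 1

def unresolved_includes(text):
    """Return [(lineno, target)] for include/substack rules that pull in other files."""
    return [(n, mod) for n, _, ctl, mod, _ in parse_pam(text)
            if ctl in ("include", "substack")]

if __name__ == "__main__":
    for lineno, module in card_auth_modules(SAMPLE_STACK):
        print(f"line {lineno}: {module} in auth phase")
    print("both modules present:", has_duplicate_card_auth(SAMPLE_STACK))
```

Any file reported by `unresolved_includes` has to be checked the same way, since an included stack can contribute the second module.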
