Bug ID | 978957 |
---|---|
Summary | Unable to unlock screen with smartcard credentials |
Classification | openSUSE |
Product | openSUSE Distribution |
Version | Leap 42.1 |
Hardware | x86-64 |
OS | openSUSE 42.1 |
Status | NEW |
Severity | Major |
Priority | P5 - None |
Component | KDE Workspace (Plasma) |
Assignee | opensuse-kde-bugs@opensuse.org |
Reporter | lewis.e.wolfgang@ausgar.com |
QA Contact | qa-bugs@suse.de |
Found By | --- |
Blocker | --- |
On a fresh install of 42.1, smartcard logins work as expected using pcsc, libcoolkey, pam_pkcs11, and xdm. But smartcard credentials are ignored when subsequently unlocking the screensaver. Problem was traced to kcheckpass loosing setuid permission. Pam apparently requires root creds to process authentication requests, and kcheckpass is unable to read /etc/pam_pkcs11/nssdb without its setuid bit being set. Workaround adds kcheckpass to /etc/permissions.local: /usr/lib64/libexec/kcheckpass root:shadow 4755 This issue was introduced in 42.1. Is there a more secure way to fix?