Lew Wolfgang wrote:
Hi Folks,
We need to enforce console logins with Smartcards. It's been working with 13.1 and 13.2, but Leap introduced a problem where the Smartcard couldn't be used to unlock the screen from the screen saver. It would prompt for the /etc/shadow password, but ignore the Smartcard.
So one of our guys took a look at it with strace and came up with a fix. From Dan:
"Unlocking screensaver with CAC in Leap 42.1 got broken when default permissions of kcheckpass got changed from root.shadow 4755 to root.root 755 (e.g. lost setuid permission). This prevented the program from reading the nssdb database whose files have permission 600. Fix is to either change permissions of the files in /etc/pam_pkcs11/nssdb to 644 or to change the permissions of kcheckpass. I chose the latter by adding this line to /etc/permissions.local."
# Added to make screen locker work with CAC
/usr/lib64/libexec/kcheckpass root:shadow 4755
and running
chkstat --system --set
All is now well! Leap is about ready for our users.
Hi Lew, you ought to report this in bugzilla, whatever you publish here is quickly forgotten.

--
Per Jessen, Zürich (22.8°C)
http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
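The diagnosis quoted in this thread comes down to whether the screen-lock helper's effective user can read the nssdb files. The shell function below is an added example, not part of the original thread: it judges this from owner and mode bits only. It assumes GNU stat and an unprivileged invoking user, and it ignores group permissions and ACLs. The function name can_read_nssdb is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report whether an unlock helper could
# read every file of a pam_pkcs11 NSS database, judged from owner and mode bits.
# Usage: can_read_nssdb /usr/lib64/libexec/kcheckpass /etc/pam_pkcs11/nssdb
# Returns 0 if all files are readable, 1 if any is not, 2 on bad arguments.

can_read_nssdb() {
    helper=$1
    dbdir=$2
    rc=0
    [ -f "$helper" ] && [ -d "$dbdir" ] || { echo "missing helper or db dir" >&2; return 2; }

    hmode=$(stat -c %a "$helper")    # octal mode, e.g. 755 or 4755
    howner=$(stat -c %U "$helper")
    # Setuid bit (04000): the helper then runs with its owner's effective uid.
    if [ $(( 0$hmode & 04000 )) -ne 0 ]; then suid=yes; else suid=no; fi
    echo "helper $helper: owner=$howner mode=$hmode setuid=$suid"

    for f in "$dbdir"/*; do
        [ -f "$f" ] || continue
        fmode=$(stat -c %a "$f")
        fowner=$(stat -c %U "$f")
        if [ $(( 0$fmode & 04 )) -ne 0 ]; then
            echo "ok   $f ($fowner $fmode): world-readable"
        elif [ "$suid" = yes ] && [ "$howner" = root ]; then
            echo "ok   $f ($fowner $fmode): helper is setuid root"
        elif [ "$suid" = yes ] && [ "$fowner" = "$howner" ] \
             && [ $(( 0$fmode & 0400 )) -ne 0 ]; then
            echo "ok   $f ($fowner $fmode): readable via setuid $howner"
        else
            echo "FAIL $f ($fowner $fmode): not readable by helper"
            rc=1
        fi
    done
    return $rc
}
```

Run it before and after `chkstat --system --set` to confirm the entry in /etc/permissions.local took effect.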