From 396089c2acc76bef59040d22c4170673ac4009bf Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pavel=20B=C5=99ezina?= <pbrezina@redhat.com>
Date: Mon, 8 Oct 2018 12:58:41 +0200
Subject: [PATCH 2/2] sssd: add with-smartcard-required feature
Resolves:
https://github.com/pbrezina/authselect/issues/104
---
profiles/sssd/README | 6 ++++++
profiles/sssd/dconf-db | 1 +
profiles/sssd/fingerprint-auth | 1 +
profiles/sssd/password-auth | 1 +
profiles/sssd/system-auth | 1 +
5 files changed, 10 insertions(+)
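diff --git a/profiles/sssd/README b/profiles/sssd/README
index c597afecff112e8af7905de9b6a8db77d5c3227c..acbb635729c2b4a69a91cafe4bec76b030967967 100644
--- a/profiles/sssd/README
+++ b/profiles/sssd/README
@@ -53,6 +53,12 @@ with-smartcard::
 
 with-smartcard-lock-on-removal::
 Lock screen when a smartcard is removed.
+ Note: "with-smartcard" must be set as well.
+
+with-smartcard-required::
+ Smartcard authentication is required. No other means of authentication
+ (including password) will be enabled.
+ Note: "with-smartcard" must be set as well.
 
 with-fingerprint::
 Enable authentication with fingerprint reader through *pam_fprintd*.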
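diff --git a/profiles/sssd/dconf-db b/profiles/sssd/dconf-db
index cf22698fcc8a292c1bf68466f943595ca54c7b27..b24f783eb700713386d66857de2532482d15ce7c 100644
--- a/profiles/sssd/dconf-db
+++ b/profiles/sssd/dconf-db
@@ -1,6 +1,7 @@
 [org/gnome/login-screen]
 enable-smartcard-authentication={if "with-smartcard":true|false}
 enable-fingerprint-authentication={if "with-fingerprint":true|false}
+enable-password-authentication={if "with-smartcard-required":false|true}
 
 [org/gnome/settings-daemon/peripherals/smartcard] {include if "with-smartcard-lock-on-removal"}
 removal-action='lock-screen' {include if "with-smartcard-lock-on-removal"}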
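Review bot: With with-smartcard-required selected but with-smartcard not, the existing line leaves `enable-smartcard-authentication=false` while the new line sets `enable-password-authentication=false`, so the GDM greeter is left with no enabled login method; nothing in this patch enforces the README's "with-smartcard must be set as well" note. If the profile format offers no way to express that dependency, a comment on the new line such as `# requires with-smartcard, see README` would at least make the coupling visible to whoever edits the profile next. Note also that these dconf keys only shape the greeter UI; the refusal of password authentication is enforced by the PAM stack in system-auth, so this line must not be read as the control itself.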
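diff --git a/profiles/sssd/fingerprint-auth b/profiles/sssd/fingerprint-auth
index 01a5d21748f8e84acde23a0926782cf817fefc79..01b70f3533149d00700859f3e0a1c3f2abb33a8a 100644
--- a/profiles/sssd/fingerprint-auth
+++ b/profiles/sssd/fingerprint-auth
@@ -1,5 +1,6 @@
 {continue if "with-fingerprint"}
 auth required pam_env.so
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth sufficient pam_fprintd.so
 auth required pam_faillock.so authfail deny=4 unlock_time=1200 {include if "with-faillock"}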
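Review bot: The new `pam_deny.so` line uses the `required` control, so when with-smartcard-required is set the rest of the stack still runs after the denial is recorded: `pam_fprintd.so` below it still prompts (its `sufficient` success is ignored after a failed `required` module), and when with-faillock is also set, `pam_faillock.so authfail` will most likely tally a failure for an attempt that was already refused. If the intent is to refuse without prompting or counting, `requisite` ends evaluation at this line: `auth requisite pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}`. The identical line added to profiles/sssd/password-auth has the same property, where the password modules below it will still prompt for a password that can never succeed. If prompting anyway is deliberate (so that the stack does not reveal that password login is disabled), a comment stating that would save the next reader the same question.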
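diff --git a/profiles/sssd/password-auth b/profiles/sssd/password-auth
index e35c8d6943b8289d8b65d7a47b2dad8143b6132b..3205f261dd8c898baf292c252ebdb346fcb779bb 100644
--- a/profiles/sssd/password-auth
+++ b/profiles/sssd/password-auth
@@ -1,5 +1,6 @@
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
+auth required pam_deny.so # Smartcard authentication is required {include if "with-smartcard-required"}
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
 auth [default=1 ignore=ignore success=ok] pam_localuser.so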
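diff --git a/profiles/sssd/system-auth b/profiles/sssd/system-auth
index a3d351cd5c37fb065892a0b71ec5323fd13a957d..982cada1f774e6d53dd75c9f5dbc0603337cd70b 100644
--- a/profiles/sssd/system-auth
+++ b/profiles/sssd/system-auth
@@ -1,6 +1,7 @@
 auth required pam_env.so
 auth required pam_faildelay.so delay=2000000
 auth required pam_faillock.so preauth silent deny=4 unlock_time=1200 {include if "with-faillock"}
+auth [success=done ignore=ignore default=die] pam_sss.so require_cert_auth ignore_authinfo_unavail {include if "with-smartcard-required"}
 auth sufficient pam_fprintd.so {include if "with-fingerprint"}
 auth [default=1 ignore=ignore success=ok] pam_succeed_if.so uid >= 1000 quiet
 auth [default=1 ignore=ignore success=ok] pam_localuser.so {exclude if "with-smartcard"}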
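Review bot: The new `pam_sss.so` line pairs `ignore_authinfo_unavail` with `ignore=ignore`, so when SSSD is not reachable the module returns ignore and evaluation continues down the stack instead of stopping with `default=die`; whether a password module further down (the rest of system-auth is outside this hunk) then accepts a password decides if the README's "no other means of authentication" promise holds while SSSD is down. If the feature is meant to fail closed, drop `ignore_authinfo_unavail` from this line, or follow it with `auth required pam_deny.so {include if "with-smartcard-required"}` so that nothing after it can succeed. `success=done` on a certificate success looks right, but a short comment stating the intended behaviour during an SSSD outage would make that choice reviewable.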
--
2.17.1