On 4/9/24 05:33, Sumit Bose wrote:
> On Mon, Apr 08, 2024 at 09:45:08PM -0600, Orion Poplawski wrote:
>> It seems like one cannot unlock the screen with a different smart card than
>> the one that was used to log into the session, or at least one with a
>> different token id, even though they resolve to the same user (of course).
>>
>> Is there any immediately obvious reason this might be? Is the token id
>> cached somehow in the session? I would have thought that each
>> authentication would have been independent.
>
> Hi,
>
> yes, the token id is stored in the environment and this is a feature of
> Gnome Smartcard authentication since ever, i.e. pam_pkcs11 supported this
> as well.
>
> This was added before my time so I'm not sure about the reason.
Thanks for that, and I see it now:

PKCS11_LOGIN_TOKEN_NAME=PIV_II

It normally isn't an issue - the token name has been the cert subject name (which was the same for different smart cards for the user), but is now "PIV_II" since we are switching to certs without subject names. This led to my issue now that I have a mix.

It probably is helpful in general for the "insert smartcard labeled TOKEN" messages that appear, and possibly for entering incorrect PINs for different smartcards.

--
Orion Poplawski
he/him/his - surely the least important thing about me
Manager of IT Systems                    720-772-5637
NWRA, Boulder/CoRA Office                FAX: 303-415-9702
3380 Mitchell Lane                       [email protected]
Boulder, CO 80301                        https://www.nwra.com/
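A quick way to see the mismatch described in this thread from a shell: compare the token name the login session recorded in PKCS11_LOGIN_TOKEN_NAME with the labels of the tokens currently inserted. The script below is an added example, not code from the thread or from SSSD/GNOME; it assumes the "token label : NAME" line format printed by OpenSC's `pkcs11-tool -L`, and the slot listing embedded in it is constructed for illustration (a card labelled "PIV_II" next to one whose label is a certificate subject name, mirroring the mix Orion describes).

```shell
#!/bin/sh
# Added example (not from the sssd-users thread): report whether the token
# recorded at login (PKCS11_LOGIN_TOKEN_NAME) is among the tokens that are
# currently inserted, using the output format of OpenSC's `pkcs11-tool -L`.

# Constructed sample of `pkcs11-tool -L` output: one card whose label is the
# generic "PIV_II" and one whose label is still the certificate subject name.
SAMPLE_SLOTS='Available slots:
Slot 0 (0x0): Example Reader 00 00
  token label        : PIV_II
  token manufacturer : piv_II
  token model        : PKCS#15 emulated
Slot 1 (0x1): Example Reader 01 00
  token label        : Jane Doe
  token manufacturer : piv_II
  token model        : PKCS#15 emulated'

# Print the token labels found in pkcs11-tool -L style output, one per line,
# with the "token label :" prefix and any trailing whitespace removed.
token_labels() {
    printf '%s\n' "$1" \
        | grep '^[[:space:]]*token label[[:space:]]*:' \
        | sed 's/^[^:]*:[[:space:]]*//; s/[[:space:]]*$//'
}

# Return 0 if the label in $1 exactly matches one of the labels in the
# listing $2, 1 otherwise (whole-line, fixed-string comparison).
login_token_present() {
    token_labels "$2" | grep -qxF -- "$1"
}

# Explain the session state: 0 = login token present, 1 = a different card
# is inserted (the unlock-refused case from the thread), 2 = no login token
# recorded in this session.
check_unlock() {
    name="${PKCS11_LOGIN_TOKEN_NAME:-}"
    listing="$1"
    if [ -z "$name" ]; then
        echo "PKCS11_LOGIN_TOKEN_NAME is not set in this session"
        return 2
    fi
    if login_token_present "$name" "$listing"; then
        echo "token '$name' recorded at login is present"
        return 0
    fi
    echo "token '$name' recorded at login is NOT among the inserted tokens:"
    token_labels "$listing" | sed 's/^/  /'
    return 1
}

# Stand-alone use: inside a smart-card login session with pkcs11-tool
# installed, check the real card list; otherwise demonstrate on the sample.
if [ -n "${PKCS11_LOGIN_TOKEN_NAME:-}" ] && command -v pkcs11-tool >/dev/null 2>&1; then
    check_unlock "$(pkcs11-tool -L 2>/dev/null)"
else
    PKCS11_LOGIN_TOKEN_NAME=PIV_II check_unlock "$SAMPLE_SLOTS"
fi
```

With the second (subject-name) card inserted and the first removed, the function returns 1 and lists the labels it did see, which is the situation that produces the "insert smartcard labeled TOKEN" prompt mentioned above.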
--
_______________________________________________
sssd-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
