Issue: When using sssd with smartcard login, xfce4-screensaver (or lightdm, mate, etc…) don't ask for the PIN Code, while some services (sudo, su, gdm..) do ask.
Rootcause: Before sssd-2.0 or sssd-1.16.4, the list of pam services allowed to use Smartcard (aka P11 or pkcs11) was hardcoded and cannot be overriden with configuration (https://github.com/SSSD/sssd/blob/sssd-1_16_3/src/responder/pam/pamsrv_p11.c#L230-L232)
From these 2 releases, the configuration “pam_p11_allowed_services” in section [pam] of /etc/sssd/sssd.conf allows to add more services, like XFCE elements:
Resolution: the user will need to update sssd.conf accordingly:
# /etc/sssd/sssd.conf
[pam]
pam_p11_allowed_services = +xfce4-screensaver
Scenario:
xfce4-screensaver (or any other pam enabled application) wants to auth the user
Calls pam_start (service xfce4-screensaver)
in /etc/pam.d/xfce4-screensaver (or included files) there must be a line with “auth pam_sss.so”
pam_sss.so will talk to the sss daemon through /var/lib/sss/pipes/pam socket. In this conversation, pam_sss will provide the name of the pam service being serviced
sss_pam will check if the service is allowed to use smartcard auth. If so, It'll spawn /usr/libexec/sssd/p11_child to work with the pkcs11 stack (/usr/share/p11-kit/modules)
“p11_child –pre” will communicate with pcscd through /var/run/pcscd/pcscd.comm to read a smartcard through the USB device and list available certificates.
sss_pam will filter these certificates and if one matches, ask the user for the PIN Code (through pam_message)
“echo -n 12345 | p11_child –auth –pin …” will return 0 if referenced certificate is valid for sssd, 1 if any error occurs
pam sequence continues according to configuration.
Source: