Bug 1002222

Summary: Screen Lock when Smart Card is removed fails
Product: Red Hat Enterprise Linux 6
Reporter: Roshni <rpattath>
Component: coolkey
Assignee: Bob Relyea <rrelyea>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Priority: unspecified
Version: 6.5
CC: jgalipea, msvoboda, rrelyea, rstrode, tlavigne
Target Milestone: rc
Keywords: Regression
Target Release: 6.5
Flags: msvoboda: needinfo-
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Type: Bug
Last Closed: 2013-11-21 23:06:04 UTC
Bug Depends On: 990631, 1087926

Description Roshni 2013-08-28 16:22:02 UTC
Description of problem:
Authentication configuration has screen lock set for smart card authentication. The Screen is not locked when the Gemalto 64K smart card is removed.

Version-Release number of selected component (if applicable):
gnome-screensaver-2.28.3-28.el6.x86_64
coolkey-1.1.0-29.el6.x86_64
ccid-1.3.9-6.el6.x86_64
RHEL 6.5

How reproducible:
always

Steps to Reproduce:
1. The Smart Card authentication configuration should have the "Lock screen" setting selected
2. Restart the machine and re-login using the smart card
3. Remove the smart card

Actual results:
Screen does not lock when card is removed.

Expected results:
Screen should be locked and prompt for Smart Card pin.

Additional info:

Comment 2 Ray Strode [halfline] 2013-08-29 16:42:50 UTC
1) did you log in with the smartcard?

2) if you open a terminal what is the output of:

echo $PKCS11_LOGIN_TOKEN_NAME

and 

gconftool-2 -R /desktop/gnome/peripherals/smartcard

(as the logged in user not root)
3) can you attach /etc/sysconfig/authconfig ?

4) what version of authconfig do you have installed?

Comment 3 Roshni 2013-08-30 13:59:06 UTC
Ray,

The following are the answers to your questions.

1) did you log in with the smartcard? - Yes

2) if you open a terminal what is the output of:

echo $PKCS11_LOGIN_TOKEN_NAME - kdcuser1 (the KDC user associated with the card)

and 

gconftool-2 -R /desktop/gnome/peripherals/smartcard - removal action = lock_screen

(as the logged in user not root)
3) can you attach /etc/sysconfig/authconfig ?

IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
USELDAPAUTH=no
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=yes
USELDAP=yes
USENIS=no
USEKERBEROS=yes
USESYSNETAUTH=no
USEDB=no
USEHESIOD=no

4) what version of authconfig do you have installed? 

authconfig-6.1.12-13.el6.x86_64

Comment 4 Bob Relyea 2013-08-30 17:36:35 UTC
What does: ls -l /etc/pki/nssdb show?

Comment 5 Roshni 2013-08-30 17:42:05 UTC
Bob, 

All files have root ownership and rw-r--r-- permission

Comment 6 Roshni 2013-09-04 19:11:21 UTC
Also noticed: if "Lock Screen when card is removed" is set, after logging in with the smart card the screen locks even when the card is still inserted, and I have to log in again.

Comment 8 Bob Relyea 2013-09-09 17:31:47 UTC
roshni,

what do you get if you run:

modutil -rawlist -dbdir sql:/etc/pki/nssdb

and

modutil -rawlist -dbdir dbm:/etc/pki/nssdb

?

Comment 9 Roshni 2013-09-09 18:06:36 UTC
[root@localhost ~]# modutil -rawlist -dbdir sql:/etc/pki/nssdb/
library="libnsssysinit.so" name="NSS Internal PKCS #11 Module" NSS="Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "

name="CoolKey PKCS #11 Module" library="libcoolkeypk11.so"

[root@localhost ~]# modutil -rawlist -dbdir dbm:/etc/pki/nssdb/
name="NSS Internal PKCS #11 Module" parameters="configdir=dbm:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"

library=libcoolkeypk11.so name="CoolKey PKCS #11 Module"

Comment 10 Bob Relyea 2013-09-09 18:36:37 UTC
Roshni, can you run those commands as the user you logged in as with your smartcard?

Also what do you get if you run:

modutil -list -dbdir sql:/etc/pki/nssdb


> Also noticed, if the "Lock Screen when card is removed" is set, after
> logging in with the smart the screen locks even when the card is still
> inserted and have to log in again.

I saw this on RHEL-5. It happens when gnome-screensaver can't find libcoolkeypk11.so. I was able to replicate it on RHEL-6 if /etc/pki/nssdb/pkcs11.txt was rw-------.

I have a RHEL-5 patch that allows the fallback code to work, but I'm very curious why we are now running into this on your RHEL-6 system. It works correctly for me with:

gnome-screensaver-2.28.3-24.el6.x86_64
coolkey-1.1.0-29.1.el6_bob.x86_64
ccid-1.3.9-6.el6.x86_64


(coolkey-1.1.0-29.1 is my own build of coolkey-1.1.0-30, which fixes the issue that coolkey wasn't getting properly added to /etc/pki/nssdb in -29).

Comment 11 Roshni 2013-09-09 18:49:53 UTC
Bob,

sh-4.1$ modutil -rawlist -dbdir sql:/etc/pki/nssdb/
library= name="NSS Internal PKCS #11 Module" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"

sh-4.1$ modutil -rawlist -dbdir dbm:/etc/pki/nssdb/
name="NSS Internal PKCS #11 Module" parameters="configdir=dbm:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"

library=libcoolkeypk11.so name="CoolKey PKCS #11 Module"  

sh-4.1$ modutil -list -dbdir sql:/etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
-----------------------------------------------------------


As root user:

[root@localhost ~]# modutil -list -dbdir sql:/etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal Crypto Services
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
	library name: libcoolkeypk11.so
	 slots: 1 slot attached
	status: loaded

	 slot: OmniKey CardMan 3121 00 00
	token: kdcuser1
-----------------------------------------------------------

I am using the following RPMs:

gnome-screensaver-2.28.3-28.el6.i686
coolkey-1.1.0-30.el6.i686
ccid-1.3.9-6.el6.i686

I updated to the latest coolkey errata build today to test the other bug, but now the issue described in this bug (screensaver locking) does not seem to be showing up. I tried with both "Ignore" and "Lock" set. The difference I noticed is that when this build of coolkey was installed, the PKCS#11 CoolKey module was automatically added to /etc/pki/nssdb.

Comment 12 Bob Relyea 2013-09-09 21:48:59 UTC
> sh-4.1$ modutil -rawlist -dbdir sql:/etc/pki/nssdb/
> library= name="NSS Internal PKCS #11 Module" parameters="
> configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db
> flags=readOnly "
> NSS="Flags=internal,critical trustOrder=75 cipherOrder=100
> slotParams=(1={slotFlags[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,
>TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"

This is why. We aren't seeing coolkey from the sql database.

> I updated to the latest coolkey errata build today to test the other bug,
> but now issue described in this bug (screensaver locking) does not seem to be
> showing up. I tried with both "Ignore" and "Lock" set. The difference I noticed
> is that when this build of coolkey was install the PKCS#11 Coolkey Module was
>  automatically added to /etc/pki/nssdb

yes, I thought your problem may be in this realm somewhere.

Comment 13 Bob Relyea 2013-09-30 22:33:20 UTC
What you are seeing is gnome-screensaver failing to load coolkey in the case where you have logged in using the card. The screen saver immediately locks the screen and then, when you unlock it, it can no longer get screen events.

In RHEL-5 this looks like some sort of environmental problem where you can't load coolkey from the load path (even though pam_pkcs11 could). There is backup code in gnome-screensaver which will attempt to hand-load coolkey if it fails to load, but this backup code is broken; in the RHEL-5 bug I've attached a patch to fix this.

In RHEL-6, I was only able to reproduce this in the case where I've set the NSS_DEFAULT_DB_TYPE environment variable to sql in my profile and set pkcs11.txt to r----- (well, it got set to that by installing coolkey because of bug 990631, which has caused Roshni other problems). Once I got pkcs11.txt to be r--r--r--, my 6.5 beta started working fine.

This is just another flavor of the RHEL-5 issue, which we can clean up a bit by fixing the fallback code in gnome-screensaver.

In any case coolkey is functioning properly. esc is properly getting insertion/removal events, so the basic problem is why gnome-screensaver isn't able to load libcoolkey (which probably isn't a gnome-screensaver issue either).

bob
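
The checks from comment 2 and the diagnosis in comment 13 boil down to two things the unprivileged desktop session must be able to do: read /etc/pki/nssdb/pkcs11.txt, and see the CoolKey module in the sql-format module list. The script below is an added example, not part of coolkey, gnome-screensaver or this bug report; it assumes the RHEL 6 layout of /etc/pki/nssdb, that `modutil` and `gconftool-2` are installed, and that the gconf key path quoted in comment 3 is the one gnome-screensaver reads. The two sample `modutil -rawlist` listings inside it are constructed to match the shape of the root and user output shown above.

```shell
#!/bin/sh
# Added diagnostic for the failure mode discussed in this bug; not part of
# coolkey, gnome-screensaver or the bug report. Assumes the RHEL 6 layout
# (/etc/pki/nssdb with an sql-format pkcs11.txt) and that modutil and
# gconftool-2 are available. Run it as the smart-card user, not root:
#     sh nssdb-check.sh --live

NSSDB="${NSSDB:-/etc/pki/nssdb}"

# Constructed sample `modutil -rawlist` output, shaped like the two listings
# in this bug: what root saw (coolkey present) and what the card user saw
# (coolkey missing).
SAMPLE_ROOT='library="libnsssysinit.so" name="NSS Internal PKCS #11 Module" NSS="Flags=internal,moduleDBOnly,critical"

name="CoolKey PKCS #11 Module" library="libcoolkeypk11.so"'
SAMPLE_USER='library= name="NSS Internal PKCS #11 Module" NSS="Flags=internal,critical"'

# world_readable FILE: succeed if the "other" read bit is set. Parses the
# ls -l mode string (character 8 is o+r) so it works on any POSIX sh.
world_readable() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    case "$mode" in
        ???????r??) return 0 ;;
        *)          return 1 ;;
    esac
}

# coolkey_listed RAWLIST_TEXT: succeed if the text names libcoolkeypk11.so.
# Accepts both attribute orders and both quoting styles seen in this bug.
coolkey_listed() {
    printf '%s\n' "$1" | grep -Eq 'library="?libcoolkeypk11\.so'
}

# diagnose DBDIR RAWLIST_TEXT: print one verdict and return
#   0  pkcs11.txt readable and coolkey registered
#   1  no sql-format database in DBDIR
#   2  pkcs11.txt not world-readable (the bug 990631 symptom: the module
#      list is invisible to the unprivileged desktop session)
#   3  coolkey never registered in the sql database
diagnose() {
    dbdir="$1"; rawlist="$2"
    if [ ! -f "$dbdir/pkcs11.txt" ]; then
        echo "FAIL: $dbdir/pkcs11.txt missing; no sql-format NSS database here"
        return 1
    fi
    if ! world_readable "$dbdir/pkcs11.txt"; then
        echo "FAIL: $dbdir/pkcs11.txt is not world-readable; gnome-screensaver in the user session cannot see the module list"
        return 2
    fi
    if ! coolkey_listed "$rawlist"; then
        echo "FAIL: CoolKey PKCS #11 module is not registered in sql:$dbdir"
        return 3
    fi
    echo "OK: $dbdir/pkcs11.txt readable and CoolKey module registered"
    return 0
}

# Live mode: query the real database and print the two session facts asked
# for in comment 2 (login token name and gconf removal action).
if [ "${1:-}" = "--live" ]; then
    command -v modutil >/dev/null 2>&1 || { echo "modutil not found" >&2; exit 1; }
    [ "$(id -u)" -ne 0 ] || echo "warning: root can read everything; rerun as the card user to see the permission problem" >&2
    live=$(modutil -rawlist -dbdir "sql:$NSSDB" 2>/dev/null)
    diagnose "$NSSDB" "$live"
    echo "PKCS11_LOGIN_TOKEN_NAME=${PKCS11_LOGIN_TOKEN_NAME:-<unset>}"
    command -v gconftool-2 >/dev/null 2>&1 && gconftool-2 -R /desktop/gnome/peripherals/smartcard
fi
```

The point of running it as the card user rather than root is exactly the difference between the two listings in comment 11: root reads the module list regardless of mode bits, so a root-only pkcs11.txt looks healthy until the desktop session tries to load libcoolkeypk11.so through it.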

Comment 14 Bob Relyea 2013-10-03 16:55:44 UTC
Marking modified so the bug can be added to the errata and verified.

Comment 16 Roshni 2013-10-03 18:28:45 UTC
Works fine with coolkey-1.1.0-31.el6

Comment 19 errata-xmlrpc 2013-11-21 23:06:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1699.html