Bug 1367919
| Summary: | pam_pkcs11 unable to detect cards when opensc and coolkey modules co-exist | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Roshni <rpattath> | ||||||
| Component: | pam_pkcs11 | Assignee: | Bob Relyea <rrelyea> | ||||||
| Status: | CLOSED WORKSFORME | QA Contact: | Asha Akkiangady <aakkiang> | ||||||
| Severity: | urgent | Docs Contact: | Marc Muehlfeld <mmuehlfe> | ||||||
| Priority: | urgent | ||||||||
| Version: | 7.3 | CC: | aakkiang, grajaiya, jhrozek, lslebodn, mkosek, mzidek, nmavrogi, pbrezina, pvrabec, rpattath, rrelyea, sbose, spoore, tscherf | ||||||
| Target Milestone: | rc | ||||||||
| Target Release: | 7.4 | ||||||||
| Hardware: | Unspecified | ||||||||
| OS: | Unspecified | ||||||||
| Whiteboard: | |||||||||
| Fixed In Version: | Doc Type: | Known Issue | |||||||
| Doc Text: |
"pam_pkcs11" only supports one token
The PKCS#11 modules in the _opensc_ and _coolkey_ packages provide support for various types of smart cards. However the "pam_pkcs11" module only supports one of them at a time. As a consequence, you cannot use PKCS#15 and CAC tokens using the same configuration. To work around the problem, install one of the following:
* the _opensc_ package for PKCS#15 and PIV support
* the _coolkey_ package for CAC, Coolkey, and PIV support
|
Story Points: | --- | ||||||
| Clone Of: | Environment: | ||||||||
| Last Closed: | 2017-03-13 22:48:17 UTC | Type: | Bug | ||||||
| Regression: | --- | Mount Type: | --- | ||||||
| Documentation: | --- | CRM: | |||||||
| Verified Versions: | Category: | --- | |||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||
| Embargoed: | |||||||||
| Bug Depends On: | 1373164 | ||||||||
| Bug Blocks: | |||||||||
| Attachments: |
|
||||||||
|
Description
Roshni
2016-08-17 19:37:44 UTC
Can you also provide SSSD config and logs, please? Jakub, I am not very sure if this is an sssd bug because I am seeing different behaviour when using different card. The changes I made to the default sssd.conf is in the bug description. I am not sure which sssd log you want to have a look at, the following is what I am seeing [root@dhcp129-72 sssd]# cat krb5_child.log [root@dhcp129-72 sssd]# cat ldap_child.log [root@dhcp129-72 sssd]# cat p11_child.log [root@dhcp129-72 sssd]# cat selinux_child.log [root@dhcp129-72 sssd]# cat sssd.log [root@dhcp129-72 sssd]# cat sssd_pac.log [root@dhcp129-72 sssd]# cat sssd_pam.log [root@dhcp129-72 sssd]# cat sssd_ssh.log [root@dhcp129-72 sssd]# cat sssd_sudo.log [root@dhcp129-72 sssd]# cat sssd_testrelm.test.log (Wed Aug 17 14:08:33 2016) [sssd[be[testrelm.test]]] [id_callback] (0x0010): The Monitor returned an error [org.freedesktop.DBus.Error.NoReply] I am attching the sssd_nss.log to the bug. One more thing I noticed is that, on RHEL 7.2 the IPA CA certificate was imported under /etc/pki/nssdb after ipa-client-install was done but with RHEL 7.3 latest nightly compose build I had to manually import it under /etc/pki/nssdb from /etc/ipa/nssdb. Created attachment 1191868 [details]
sssd_nss log
Created attachment 1191904 [details]
sssd logs
These are the logs after setting debug_level = 10 in sssd.conf.
I also see the following:
[root@dhcp129-72 nssdb]# certutil -L -d /etc/pki/nssdb/ -h all
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Enter Password or Pin for "OpenSC Card":
dod-ca-root CT,C,C
dod-ca-email-31 CT,C,C
TESTRELM.TEST IPA CA CT,C,C
dod-ca-31 CT,C,C
OpenSC Card:Certificate ,,
I do not see the username with the opensc certificate, I verified ipa user and smartcard has the same certificate.
Sumit, There are issues when coolkey and opensc co-exist. After opensc module was added using modutil, login using opensc smartcard was successful but CAC card login was failing. I had to remove opensc package for the CAC card login using su to work. Still seeing issues with gdm login using CAC cards (no prompt for pin) OK, I've look into this and there is already support for multiple modules in pam_pkcs11. They way it's configured is change the use_pkcs11_module line to:
use_pkcs11_module = nss;
Then add a module:
pkcs11_module nss {
module = "any module";
description = "Any NSS Ssmartcard in /etc/pki/nssdb";
slot_num = 0;
nss_dir = dbm:/etc/pki/nssdb;
cert_policy = ca, signature;
}
}
Load both tokens in /etc/pki/nssdb and pam_pkcs11 should pick the correct module.
Caveats:
1. Currently I have no tokens that are only supported by one of the modules (all my tokens are supported by both opensc and coolkey). I was able to verify that this configuration worked with both modules loaded, but I don't know if both are working properly.certutil -L -h all -d /etc/pki/nssdb will prompt for both modules and list both sets of cert under both names properly
2. When trying to turn off some of the builtin access for opensc, I found opensc would calls applications to hang if I try to use on of the now unrecognized cards (like certutil or modutil even).
3. This functionality for coolkey and opensc are less important since now they support mostly the same cards (with opensc providing better support for pkcs15 cards).
bob
|