Bug 1672898

Field | Value | Field | Value
---|---|---|---
Summary | CKR_KEY_TYPE_INCONSISTENT while doing ssh using sssd smart card | |
Product | Red Hat Enterprise Linux 7 | Reporter | amitkuma
Component | opensc | Assignee | Jakub Jelen <jjelen>
Status | CLOSED ERRATA | QA Contact | Asha Akkiangady <aakkiang>
Severity | urgent | Docs Contact |
Priority | medium | |
Version | 7.6 | CC | aakkiang, akaiser, bthakur, evan, jjelen, msauton, spoore
Target Milestone | rc | Keywords | Reopened, Triaged
Target Release | --- | |
Hardware | x86_64 | |
OS | Linux | |
Whiteboard | | |
Fixed In Version | opensc-0.19.0-1 | Doc Type | If docs needed, set a value
Doc Text | | Story Points | ---
Clone Of | | Environment |
Last Closed | 2019-08-06 12:59:50 UTC | Type | Bug
Regression | --- | Mount Type | ---
Documentation | --- | CRM |
Verified Versions | | Category | ---
oVirt Team | --- | RHEL 7.3 requirements from Atomic Host |
Cloudforms Team | --- | Target Upstream Version |
Embargoed | | |
Comment 3
Jakub Jelen
2019-02-06 09:56:14 UTC
Thanks for the update, Jakub. We have already suggested that the customer test RHEL 8.

Hey Jakub, thanks for the update. We have already suggested RHEL 8 to the customer. He's setting up the env.

This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen as low or moderate impact to a small number of use-cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Not so fast ... this is something that will probably be fixed by the planned rebase, and we would really like to keep track of this bug since it is a pain point for several customers.

We need this from https://github.com/OpenSC/OpenSC/pull/1141 in the next errata. It does solve GUI login, screen lock/unlock and sudo problems with the following card: ID-ONE PIV 2.4.0 ON COSMO V8 from Oberthur / Idemia. The login error was:

    ERROR:pam_pkcs11.c:589: sign_value() failed

and is related to the signature feature in cert_policy.

Please remove the coolkey pkcs11 module from the NSS DB that is used for all the other tests but SSH. It should give you better results. The p11_child log from last week says the coolkey is loaded. What NSS DB is used in the SSSD?

    (Wed Mar 20 17:01:33:332938 2019) [[sssd[p11_child[16756]]]] [do_card] (0x4000): common name: [Coolkey PKCS #11 Module].
    (Wed Mar 20 17:01:33:332961 2019) [[sssd[p11_child[16756]]]] [do_card] (0x4000): dll name: [/usr/lib64/pkcs11/libcoolkeypk11.so].

Could it be caused by the coolkey being specified in the pkcs11_eventmgr.conf of the pam_pkcs11, or does everything go through the sssd now?
Dear Jakub, this is the customer's /etc/pam_pkcs11/pkcs11_eventmgr.conf:

    pkcs11_eventmgr {
        # Run in background? Implies debug=false if true
        daemon = true;
        # show debug messages?
        debug = false;
        # polling time in seconds
        polling_time = 1;
        # expire time in seconds
        # default = 0 ( no expire )
        expire_time = 0;
        # pkcs11 module to use
        pkcs11_module = libcoolkeypk11.so;
        #
        # list of events and actions
        # Card inserted
        event "card_insert" {
            # what to do if an action fail?
            # ignore : continue to next action
            # return : end action sequence
            # quit   : end program
            on_error = ignore;
            # You can enter several, comma-separated action entries
            # they will be executed in turn
            #action = "/usr/sbin/gdm-safe-restart",
            #         "/usr/X11R6/bin/xscreensaver-command -deactivate";
            action = "/usr/sbin/gdm-safe-restart";
        }
        # Card has been removed
        event "card_remove" {
            on_error = ignore;
            #action = "/usr/sbin/gdm-safe-restart",
            #         "/usr/X11R6/bin/xscreensaver-command -lock";
            action = "/usr/sbin/gdm-safe-restart";
        }
        # Too much time card removed
        event "expire_time" {
            on_error = ignore;
            action = /bin/false;
        }
    }

Asked the customer to use "opensc-pkcs11.so".

Dear Jakub, the customer removed coolkey with yum and verified the NSS DB only uses OpenSC. Still the same results.

Jakub, any updates here? The customer is still finding issues.

I would probably have to see new logs and a sosreport to be able to check what is going on there. Without that it is just guessing what could go wrong after the removal of the coolkey package.

What about the following error in the messages? It shows in the previous archive, but not in the sosreport:

    Apr 17 12:41:50 warmachine pklogin_finder: Error parsing file /etc/pam_pkcs11/pam_pkcs11.conf
    Apr 17 12:41:50 warmachine pklogin_finder: Error setting configuration parameters

But clearly, there are mismatched brackets in the pam_pkcs11.conf in the sosreport. The sosreport from Apr 25 2019 has the brackets in the pam_pkcs11 configuration file even more mismatched.
The guide you provided to the customer was not very helpful.

Just put back the closing bracket on line 48 and remove the bogus bracket on line 37. After fixing the above, please check the debugging steps in [1] (already referenced), namely getting some debug information from pam_pkcs11 by removing the nodebug option or running pkcs11_listcerts.

[1] https://access.redhat.com/articles/3034441

The customer has attached a new sosreport as well.

> Debug pam module: Change /etc/pam.d/smartcard-auth (add a debug option):
> auth [success=done ignore=ignore default=die] pam_pkcs11.so debug wait_for_card

We are not using PAM_PKCS11.SO. We are using pam_sss. See the attached sosreport to confirm the PAM settings.

Then remove the pam_pkcs11 from /etc/pam.d/system-auth-ac or regenerate the authconfig files. Having both sss and pam_pkcs11 in the PAM stack is very likely to cause problems with login.

If it does not help, let's try whether it works isolated to opensc:

    OPENSC_DEBUG=9 pkcs11-tool --test --login --pin YOUR_CARD_PIN 2> /tmp/opensc_test_debug.log
I am already getting lost here. Is this the same issue as in the description or something else? If it is something else, please try to summarize it in a new bug and let's get this closed.

Jakub, this bugzilla was opened for this case only (02292639). https://bugzilla.redhat.com/show_bug.cgi?id=1672898#c0 The customer has the same issue as in the description.

Verified (Sanity Only)

Version :: opensc-0.19.0-3.el7.x86_64

Results :: Ran a battery of IPA Smart Card Authentication tests with pkcs15 and PIV_II cards with no failures seen. Tests included su, ssh, ipa-webui and gdm login.

Here's a sample with a PIV_II card:

    [root@ipaclient1 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=SERIAL;token=TOKEN;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert' --outfile /tmp/piv_1.crt
    [root@ipaclient1 ~]# ipa certmap-match /tmp/piv_1.crt
    ---------------
    4 users matched
    ---------------
      Domain: ad.test
      User logins: adcacuser1, newuser

      Domain: SMARTCARD.TEST
      User logins: pivuser1, ipauser1
    ----------------------------
    Number of entries returned 2
    ----------------------------
    [root@ipaclient1 ~]# su - ipauser1 -c "su - ipauser1 -c whoami"
    PIN for TOKEN
    ipauser1
    [root@ipaclient1 ~]# su - adcacuser1 -c "su - adcacuser1 -c whoami"
    PIN for TOKEN
    adcacuser1
    [root@ipaclient1 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=SERIAL;token=TOKEN;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert' --outfile /tmp/piv_1.crt
    [root@ipaclient1 ~]# ipa certmap-match /tmp/piv_1.crt
    ---------------
    4 users matched
    ---------------
      Domain: ad.test
      User logins: adcacuser1, newuser

      Domain: SMARTCARD.TEST
      User logins: pivuser1, ipauser1
    ----------------------------
    Number of entries returned 2
    ----------------------------
    [root@ipaclient1 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l ipauser1 $(hostname) "hostname"
    Enter PIN for 'TOKEN':
    ipaclient1.smartcard.test
    [root@ipaclient1 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l adcacuser1 $(hostname) "hostname"
    Enter PIN for 'TOKEN':
    ipaclient1.smartcard.test
    [root@ipaclient1 ~]# ipa user-show ipauser1
      User login: ipauser1
      First name: ipauser1
      Last name: lastname
      Home directory: /home/ipauser1
      Login shell: /bin/sh
      Principal name: ipauser1
      Principal alias: ipauser1
      Email address: ipauser1
      UID: 1203000065
      GID: 1203000065
      Certificate: MII....cert truncated....
      Account disabled: False
      Password: True
      Member of groups: ipausers
      Kerberos keys available: True

Also logged into GDM with the whole cert and mapping with both IPA and AD users.

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2019:2154
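Three of the configuration problems this thread chased by hand can be checked mechanically: mismatched braces in pam_pkcs11.conf (the "Error parsing file" from pklogin_finder), pam_sss.so and pam_pkcs11.so both sitting in one PAM auth stack, and a pkcs11_eventmgr.conf that still names libcoolkeypk11.so after coolkey was supposed to be gone. The script below is an added example, not part of the bug report, OpenSC or Red Hat tooling; the function names are hypothetical, and the config files it scans are constructed samples (pass real paths to the functions to check a live system).

```shell
#!/bin/sh
# Added diagnostic for the misconfigurations discussed in bug 1672898.
# Not part of the bug, OpenSC or Red Hat tooling; sample files are constructed.

# Scan a pam_pkcs11-style config for brace balance. Prints "ok", or
# "unclosed { (N)" when N blocks are never closed, or "stray } at line L"
# for the first line where a '}' has no matching '{'. Comment lines and
# trailing comments are ignored, as the config parser ignores them.
brace_scan() {
    awk '
        /^[[:space:]]*#/ { next }
        {
            line = $0
            sub(/#.*/, "", line)
            depth += gsub(/[{]/, "", line) - gsub(/[}]/, "", line)
            if (depth < 0 && !bad) bad = NR
        }
        END {
            if (bad) print "stray } at line " bad
            else if (depth > 0) print "unclosed { (" depth ")"
            else print "ok"
        }
    ' "$1"
}

# First "auth" line of PAM config $1 that loads module $2, or nothing.
auth_module_line() {
    grep -E "^[[:space:]]*auth[[:space:]].*$2" "$1" | head -n 1
}

# "conflict" if pam_sss.so and pam_pkcs11.so are both in the auth stack of $1
# (the combination the thread says is likely to break login), else "ok".
pam_auth_stack_check() {
    if [ -n "$(auth_module_line "$1" pam_sss.so)" ] &&
       [ -n "$(auth_module_line "$1" pam_pkcs11.so)" ]; then
        echo conflict
    else
        echo ok
    fi
}

# The pkcs11_module value of a pkcs11_eventmgr.conf (e.g. libcoolkeypk11.so).
eventmgr_module() {
    sed -n 's/^[[:space:]]*pkcs11_module[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$1" | head -n 1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed: a bogus '}' after nullok leaves the final '}' unmatched.
cat > "$WORK/stray.conf" <<'EOF'
pam_pkcs11 {
  nullok = false;
  }
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = opensc-pkcs11.so;
  }
  use_mappers = cn;
}
EOF

# Constructed: the opensc block is never closed.
cat > "$WORK/unclosed.conf" <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = opensc-pkcs11.so;
  use_mappers = cn;
}
EOF

# Constructed: balanced; the commented-out block must not be counted.
cat > "$WORK/good.conf" <<'EOF'
pam_pkcs11 {
  # pkcs11_module coolkey { module = libcoolkeypk11.so; }
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = opensc-pkcs11.so;
  }
}
EOF

# Constructed PAM auth stacks: both modules present, and sss only.
cat > "$WORK/auth.mixed" <<'EOF'
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_pkcs11.so wait_for_card
auth        [success=done ignore=ignore default=die] pam_sss.so
auth        required      pam_deny.so
EOF
cat > "$WORK/auth.sss" <<'EOF'
auth        required      pam_env.so
auth        [success=done ignore=ignore default=die] pam_sss.so
auth        required      pam_deny.so
EOF

# Constructed pkcs11_eventmgr.conf fragment still pointing at coolkey.
printf 'pkcs11_eventmgr {\n    pkcs11_module = libcoolkeypk11.so;\n}\n' > "$WORK/eventmgr.conf"

for f in stray unclosed good; do
    printf '%-14s %s\n' "$f.conf:" "$(brace_scan "$WORK/$f.conf")"
done
printf 'auth.mixed:    %s\n' "$(pam_auth_stack_check "$WORK/auth.mixed")"
printf 'auth.sss:      %s\n' "$(pam_auth_stack_check "$WORK/auth.sss")"
printf 'eventmgr:      %s\n' "$(eventmgr_module "$WORK/eventmgr.conf")"
```

The brace scan counts braces per line, so a '}' that precedes its '{' on the same line is not flagged; for pam_pkcs11.conf, where blocks open and close on separate lines, that is sufficient. A stray '}' is reported at the line where the depth first goes negative, which in the sample is the file's final brace rather than the bogus one; the "unclosed" case points at the real cause directly.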