Bug 1742881
| Field | Value |
|---|---|
| Summary | Sat 6.5.2 keeps popping up "Please enter the master password for the PIV_II." dialog |
| Product | Red Hat Satellite |
| Component | Authentication |
| Version | 6.5.0 |
| Status | CLOSED WONTFIX |
| Severity | medium |
| Priority | unspecified |
| Reporter | Patrick C. F. Ernzer <pcfe> |
| Assignee | satellite6-bugs <satellite6-bugs> |
| QA Contact | Omkar Khatavkar <okhatavk> |
| CC | aarrichi, admiller, alexandermurashkin, aromito, asharvit, bkearney, cdonnell, dhill, dopey, ekohlvan, etsmith, fhirtz, Frederick888, jbuchert, ldelouw, link, mhulan, nonamedotc, ogajduse, plarsen, regarrett, satellite6-bugs, sethgoldin, tadej.j, tasander, vijsingh, yann.lopez |
| Keywords | Triaged |
| Target Milestone | Unspecified |
| Target Release | Unused |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Last Closed | 2021-01-19 21:34:45 UTC |
|
Description
Patrick C. F. Ernzer
2019-08-17 08:50:11 UTC
[root@karhu tmp]# update-crypto-policies --show
DEFAULT
pcfe@karhu ~ $ ll /etc/crypto-policies/local.d/nss-p11-kit.config
-rw-r--r--. 1 root root 46 Jul 3 16:57 /etc/crypto-policies/local.d/nss-p11-kit.config
pcfe@karhu ~ $ rpm -qf /etc/crypto-policies/local.d/nss-p11-kit.config
nss-3.44.1-1.fc30.x86_64
nss-3.44.1-1.fc30.i686
pcfe@karhu ~ $ cat /etc/crypto-policies/local.d/nss-p11-kit.config
name=p11-kit-proxy
library=p11-kit-proxy.so
pcfe@karhu ~ $
pcfe@karhu ~ $ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
library-description: PKCS#11 Kit Trust Module
library-manufacturer: PKCS#11 Kit
library-version: 0.23
token: System Trust
manufacturer: PKCS#11 Kit
model: p11-kit-trust
serial-number: 1
hardware-version: 0.23
flags:
write-protected
token-initialized
token: Default Trust
manufacturer: PKCS#11 Kit
model: p11-kit-trust
serial-number: 1
hardware-version: 0.23
flags:
write-protected
token-initialized
opensc: opensc-pkcs11.so
library-description: OpenSC smartcard framework
library-manufacturer: OpenSC Project
library-version: 0.19
pcfe@karhu ~ $ ssh-keygen -D pkcs11:
pkcs11_initialize_provider: provider /usr/lib64/p11-kit-proxy.so returned no slots
cannot read public key from pkcs11
pcfe@karhu ~ $ systemctl status pcscd.socket
● pcscd.socket - PC/SC Smart Card Daemon Activation Socket
Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled; vendor preset: enabled)
Active: active (running) since Fri 2019-08-16 09:03:35 CEST; 1 day 2h ago
Listen: /var/run/pcscd/pcscd.comm (Stream)
Tasks: 0 (limit: 4915)
Memory: 0B
CGroup: /system.slice/pcscd.socket
Aug 16 09:03:35 karhu.internal.pcfe.net systemd[1]: Listening on PC/SC Smart Card Daemon Activation Socket.
Confirmed - seeing the same thing. Once the YubiKey has been "seen", opening sites like Satellite prompts for the PIV PIN even though it hasn't been assigned/enabled for the site/function.

Confirmed. This might be an issue with Patternfly, as I saw this behavior when logging into an OpenShift 3.11 instance.

*** Bug 1795225 has been marked as a duplicate of this bug. ***

This issue isn't just for Satellite. Thunderbird and random pages in the Firefox browser on Fedora result in the same popup unless you unload the PKI module. Need to find a way to remove an unused key so the SSL client doesn't see it as a key to validate when validating a standard SSL/TLS connection.

I may have found a fix/reason for this issue. I use YubiKeys for authentication and had added an auth certificate to this key for a "proof of concept" test. Since I use the YubiKey for other types of authentication too, it presented itself with two slots, of which one had the demo cert that was no longer in use. This was the key that Satellite and other tools kept prompting for a password for. The solution was to remove the key from the YubiKey:

yubico-piv-tool -a delete-certificate --slot 9a -P 999999 -k CCFFA07D2E76856067FAACF94830C6B0C559A079546A2331

I'm no longer getting prompts for passwords for the key.

@plarsen, may I ask you how you found that it was that specific certificate on that specific slot?

I've my YubiKey configured to access the RH VPN as an OATH token for the 2FA. I never added an additional certificate. Can you please help me to fix this problem?

Just as an additional note... after I reset my YubiKey to factory settings, with no configuration, I get the same result with Satellite popping up "Please enter the master password for the PIV_II."

(In reply to Antonio Romito from comment #18)
> @plarsen, may I ask you how you found that it was that specific certificate on
> that specific slot?
>
> I've my YubiKey configured to access the RH VPN as an OATH token for the 2FA.
> I never added an additional certificate. Can you please help me to fix this
> problem?

$ yubico-piv-tool -a list-readers

Different YubiKeys have different capabilities and slots. When you installed the cert you would have specified the slot, but if you do not remember you would use commands like yubico-piv-tool (in Fedora) to list the content. Do note you'll need the private key (and PIN) to delete the certificate.

It's important to note that your YubiKey has more than one slot and can be used for more than one type of authentication. The 2FA slot is not the same slot as the one I removed. PIV credentials are more complex than the predictive PIN that 2FA generates. If you do manage to reset and delete your 2FA key, you simply have to use your corporate gateway to generate a new 2FA key/cert.

(In reply to Antonio Romito from comment #19)
> Just as an additional note... after I reset my YubiKey to factory settings,
> with no configuration, I get the same result with Satellite popping up
> "Please enter the master password for the PIV_II."

By definition, your YubiKey API should _not_ allow you to delete a certificate without the private key, at the very least for that key. It's part of the security model. I had false reports of deleting the cert with the wrong key, and only when I reloaded/redid the query to the key did I see the cert had not been deleted as the tool falsely indicated. For this reason I switched to the command line version as I indicated in the previous comment.

After I reset my YubiKey to factory settings yesterday, I followed the procedure again to install my token cert on slot 2 of my YubiKey. Now if I run the command you suggested I get:

~~~
$ yubico-piv-tool -a list-readers
Yubico YubiKey OTP+FIDO+CCID 00 00
~~~

I didn't find any specific documentation on the output of this command. What does this output mean?

Thanks,
Antonio

It seems that finally I've been able to fix my issue (at least on Firefox, because on Chrome I still have this problem).

On Firefox:

1. Insert (into the search/address bar) the following address:

about:preferences#privacy

2. Search the page for the section:

Security >> Certificates >> Security Devices...

3. In Security Modules and Devices I had:

p11-kit-proxy
Yubico YubiKey OTP+FIDO+CCID 00 00

4. With p11-kit-proxy selected, I unloaded this module.

As soon as I removed this, I didn't get the pop-up showing up in the browser during Satellite page navigation.

(In reply to Antonio Romito from comment #23)
> It seems that finally I've been able to fix my issue (at least on Firefox,
> because on Chrome I still have this problem).
>
> On Firefox:
>
> 1. Insert (into the search/address bar) the following address:
>
> about:preferences#privacy
>
> 2. Search the page for the section:
>
> Security >> Certificates >> Security Devices...
>
> 3. In Security Modules and Devices I had:
>
> p11-kit-proxy
> Yubico YubiKey OTP+FIDO+CCID 00 00
>
> 4. With p11-kit-proxy selected, I unloaded this module.
>
> As soon as I removed this, I didn't get the pop-up showing up in the browser
> during Satellite page navigation.

Correct - this will work, until you reboot. And then it comes back and you have to repeat it. That's what I've been doing for 5 months now (you do the same in Thunderbird). What finally made it completely go away was removing the PIV cert from the YubiKey.

I'm no longer sure this is a "satellite" issue - it seems that a valid authentication certificate using p11-kit-proxy will automatically be injected/adapted by several pieces of software including the browser. What's not so clear is how you reset this behavior.

Guys, the fix for this bug ought to be implemented on the server side. Documentation to amend smart card or browser settings won't be enough.

Imagine the following use-case: a user has a smart card set up and inserted. The user needs this to access resources of her organization. When visiting the Satellite 6 UI, however, she is presented with an inquiry to use the smart card, even though it is of no use for Satellite 6.

This issue is probably caused by the HTTP server config. IIRC there are settings for certificate authentication (for candlepin?); these settings need to be amended so that backend functions using PKI keep working while frontend (user) requests are not offered PKI (a smart card is just PKI; it contains a private key and cert). The other approach (perhaps even preferable) to fix this issue might be to implement smart-card authentication in the Satellite 6 UI.

(In reply to Šimon Lukašík from comment #25)
> Guys, the fix for this bug ought to be implemented on the server side.
> Documentation to amend smart card or browser settings won't be enough.
>
> Imagine the following use-case: a user has a smart card set up and inserted.
> The user needs this to access resources of her organization. When visiting
> the Satellite 6 UI, however, she is presented with an inquiry to use the
> smart card, even though it is of no use for Satellite 6.
>
> This issue is probably caused by the HTTP server config. IIRC there are
> settings for certificate authentication (for candlepin?); these settings
> need to be amended so that backend functions using PKI keep working while
> frontend (user) requests are not offered PKI (a smart card is just PKI; it
> contains a private key and cert). The other approach (perhaps even
> preferable) to fix this issue might be to implement smart-card
> authentication in the Satellite 6 UI.

Simon,

True with one caveat - in your example, the PIV is already authenticated and active because the certificate is valid, and the user has already activated it for the other apps. This means there will be no popup when Satellite or other apps open that require authentication that isn't related to the PIV card.

Note, to my knowledge any organization that implements PIV cards would do so enterprise wide, so the use-case is a bit moot. But please don't see my post/suggestion as indicating there's no server part here. That said, I don't think it's a browser issue. I have the same issue in other applications. With an invalid key these prompts just kept coming over and over again. If it was valid, I wouldn't expect to have to keep entering the private key - and it's a one time deal on initial login (inserting the PIV card etc).

Hi there,

I found a dirty workaround for this issue (client-side unfortunately):

systemctl stop pcscd.service
systemctl disable pcscd.service
systemctl mask pcscd.service

I had this issue also on Google Chrome and it was really annoying; I mainly got this popup window while trying to access an OpenShift console.

BTW I don't use a SmartCard on my computer, just a YubiKey as described in previous posts, so I don't mind if I need to stop and mask that service!

BR

I, on the other hand, cannot just stop pcscd.service as I also use SmartCards.

On the current Fedora 32 I no longer see this issue at all - not even in Thunderbird. Still trying to find out what update resolved this, but I no longer see a popup even when the YubiKey is inserted during login and during browser launch.

"nss-softokn-3.52.0-2" seems to be the related update. I could be wrong as it came down as part of a mega update (250+ packages). But since it was installed 2 weeks ago, I no longer get prompts for a token password at all.

I cannot agree with Comment 29. I am running the latest Fedora 32 and I still see this dialog popping up in both Firefox and Chrome. Sometimes it pops up when the Satellite WebUI is doing auto-refresh and I am having a video chat. This dialog always completely mutes the video chat in another tab until I dismiss the dialog. This is really inappropriate and disturbing behavior.

# rpm -q nss-softokn pcsc-lite pcsc-lite-ccid pcsc-lite-acsccid pcsc-lite-libs gdm
nss-softokn-3.54.0-1.fc32.x86_64
pcsc-lite-1.9.0-1.fc32.x86_64
pcsc-lite-ccid-1.4.33-1.fc32.x86_64
pcsc-lite-acsccid-1.1.8-2.fc32.x86_64
pcsc-lite-libs-1.9.0-1.fc32.x86_64
gdm-3.36.3-1.fc32.x86_64

# ykman info
Device type: YubiKey 5 NFC
Serial number: XXXXXX45
Firmware version: 5.2.4
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP+FIDO+CCID
NFC interface is enabled.

Applications    USB        NFC
OTP             Enabled    Enabled
FIDO U2F        Enabled    Enabled
OpenPGP         Enabled    Enabled
PIV             Enabled    Enabled
OATH            Enabled    Enabled
FIDO2           Enabled    Enabled

Can confirm, I'm having this issue on Fedora 32 as well.

$ ykman info
Device type: YubiKey 4
Serial number: 4944962
Firmware version: 4.3.1
Enabled USB interfaces: OTP+CCID

Applications
OTP         Enabled
FIDO U2F    Disabled
OpenPGP     Enabled
PIV         Enabled
OATH        Enabled
FIDO2       Not available

$ rpm -q nss-softokn pcsc-lite pcsc-lite-ccid pcsc-lite-acsccid pcsc-lite-libs firefox
nss-softokn-3.55.0-1.fc32.x86_64
pcsc-lite-1.9.0-1.fc32.x86_64
pcsc-lite-ccid-1.4.33-1.fc32.x86_64
package pcsc-lite-acsccid is not installed
pcsc-lite-libs-1.9.0-1.fc32.x86_64
firefox-79.0-5.fc32.x86_64

I am having the same problem with Thunderbird in Fedora 32. I updated packages and rebooted just yesterday.

rpm -q nss-softokn pcsc-lite pcsc-lite-ccid pcsc-lite-acsccid pcsc-lite-libs firefox
nss-softokn-3.55.0-1.fc32.x86_64
nss-softokn-3.55.0-1.fc32.i686
pcsc-lite-1.9.0-1.fc32.x86_64
pcsc-lite-ccid-1.4.33-1.fc32.x86_64
package pcsc-lite-acsccid is not installed
pcsc-lite-libs-1.9.0-1.fc32.x86_64
firefox-79.0-5.fc32.x86_64

To add insult to injury, the pop-up window could not be closed normally. After I closed it forcefully, the Thunderbird process hung silently during its startup, not showing any GUI. ykman and yubico-piv-tool also hung. Stopping pcscd.service has helped. The popup window appears unpredictably. I have restarted Thunderbird a few times - the popup does not appear anymore.

$ yubico-piv-tool -a list-readers
Yubico YubiKey OTP+FIDO+CCID 00 00

$ ykman info
Device type: YubiKey 5 NFC
Serial number: 12345678
Firmware version: 5.2.6
Form factor: Keychain (USB-A)
Enabled USB interfaces: OTP+FIDO+CCID
NFC interface is enabled.

Applications    USB        NFC
OTP             Enabled    Enabled
FIDO U2F        Enabled    Enabled
OpenPGP         Enabled    Enabled
PIV             Enabled    Enabled
OATH            Enabled    Enabled
FIDO2           Enabled    Enabled

I never saw this problem with Fedora 32, but I just fresh installed Fedora 33 on two systems with YubiKey Nanos and now see this constantly in Firefox.

I'll probably open a separate bugzilla entry for this that's Fedora specific, but thought I'd comment on here as an additional datapoint.

Andy, after a short discussion with Marek Hulan, who commented earlier in this BZ, I would say that this BZ is a Foreman/Satellite-specific rather than a Fedora-specific bug. Marek, can you please confirm that?

(In reply to Andy Wang from comment #34)
> I never saw this problem with Fedora 32, but I just fresh installed Fedora 33
> on two systems with YubiKey Nanos and now see this constantly in Firefox.
>
> I'll probably open a separate bugzilla entry for this that's Fedora
> specific, but thought I'd comment on here as an additional datapoint.

I'm having the exact same experience as Andy Wang. Have never seen this happen, but only started seeing it on Fedora 33 in Firefox 82.0.

That is correct, it's Foreman configuration causing this. However, it's quite a common problem of many apps that allow client certificate login.

Based on the developer comment in bug 1892137 it looks like there is something with opensc and YubiKeys that may be problematic for the specific use case.
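The server-side point made above (the web server asks every browser for a client certificate, and any PKCS#11 token NSS can see then gets a PIN prompt) can be confirmed from the client without touching the YubiKey or the browser: a server that sends a TLS CertificateRequest is the trigger, and `openssl s_client -msg` prints the handshake messages it receives. The script below is an added example, not code from this bug report or from Foreman/Satellite. The host, port and paths are placeholders, and the two embedded transcripts are constructed, abridged samples modelled on the line format `openssl s_client -msg` uses, not output captured from a Satellite.

```shell
#!/bin/sh
# Added example (not from the bug report): does a TLS endpoint ask for a
# client certificate? A server-sent CertificateRequest is what makes NSS, via
# p11-kit-proxy and opensc, enumerate every token and prompt for its PIN,
# whether or not the user ever enrolled that token with the site.
set -eu

# Parse an `openssl s_client -msg` transcript. Exit status 0: the server sent a
# CertificateRequest; 1: a handshake was seen without one; 2: no handshake.
# Lines prefixed "<<<" are messages received from the server.
classify_handshake() {
    case "$1" in
        *'<<< TLS '*'CertificateRequest'*) return 0 ;;
        *'<<< TLS '*'Handshake'*)          return 1 ;;
        *)                                 return 2 ;;
    esac
}

# Same verdict as a word, so scripts (and the test) can compare it.
verdict() {
    if classify_handshake "$1"; then
        echo "requests-client-cert"
    else
        case $? in
            1) echo "no-client-cert-request" ;;
            *) echo "no-handshake" ;;
        esac
    fi
}

# Live probe. $1 host, $2 port, $3 request path. Sending a real GET matters:
# a per-Location SSLVerifyClient on Apache httpd only asks for the certificate
# after the protected path is requested (TLS 1.2 renegotiation), so probe the
# UI path and the API paths separately. Paths such as / or /rhsm/ are
# assumptions; check the vhost configuration of the server you are testing.
probe() {
    host="$1"; port="$2"; path="$3"
    transcript=$(printf 'GET %s HTTP/1.0\r\nHost: %s\r\n\r\n' "$path" "$host" \
        | openssl s_client -connect "$host:$port" -servername "$host" -msg 2>&1 || true)
    verdict "$transcript"
}

# Constructed sample transcripts (abridged; real output has many more lines).
SAMPLE_WITH_REQUEST='>>> TLS 1.2, Handshake [length 0133], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 000e], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0041], CertificateRequest
<<< TLS 1.3, Handshake [length 0a12], Certificate
<<< TLS 1.3, Handshake [length 0104], CertificateVerify
<<< TLS 1.3, Handshake [length 0034], Finished'
SAMPLE_WITHOUT_REQUEST='>>> TLS 1.2, Handshake [length 0133], ClientHello
<<< TLS 1.3, Handshake [length 007a], ServerHello
<<< TLS 1.3, Handshake [length 000e], EncryptedExtensions
<<< TLS 1.3, Handshake [length 0a12], Certificate
<<< TLS 1.3, Handshake [length 0104], CertificateVerify
<<< TLS 1.3, Handshake [length 0034], Finished'

if [ $# -ge 2 ]; then
    probe "$1" "$2" "${3:-/}"        # e.g. ./probe.sh satellite.example.com 443 /
else
    echo "sample with CertificateRequest:    $(verdict "$SAMPLE_WITH_REQUEST")"
    echo "sample without CertificateRequest: $(verdict "$SAMPLE_WITHOUT_REQUEST")"
fi
```

If the UI path already yields requests-client-cert, the fix is on the server, as argued above: on Apache httpd a vhost-wide SSLVerifyClient optional or require hits every page load, so scope it to the locations that actually authenticate with certificates. Per-Location scoping relies on TLS 1.2 renegotiation, or on post-handshake authentication under TLS 1.3 (which s_client only does with -enable_pha), so test with the protocol version the server really negotiates.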
It sounds like Foreman can be configured to require smartcard access, but that doesn't explain the request for a password for a YubiKey that is not configured as a smartcard, which (based on the original poster's comment 'Since I own 3 YubiKey devices, aside from the fact that I never bound any of them to satellite.internal.pcfe.net, I would not even know which YubiKey and which password it wants off me.') is likely the root problem. It sounds like a limitation of the current opensc - with a PR available to make it work better.

Upon review of our valid but aging backlog the Satellite Team has concluded that this Bugzilla does not meet the criteria for a resolution in the near term, and are planning to close in approximately a month. If you have any concerns about this, please contact your Red Hat Account team. Thank you.

Thank you for your interest in Satellite 6. We have evaluated this request, and while we recognize that it is a valid request, we do not expect this to be implemented in the product in the foreseeable future. This is due to other priorities for the product, and not a reflection on the request itself. We are therefore closing this out as WONTFIX. If you have any concerns about this, please do not reopen. Instead, feel free to contact your Red Hat Account Team. Thank you.

This is not a Satellite bug as it also happens when opening other websites.

(In reply to Alessandro Arrichiello from comment #27)
> Hi there,
>
> I found a dirty workaround for this issue (client-side unfortunately):
>
> systemctl stop pcscd.service
> systemctl disable pcscd.service
> systemctl mask pcscd.service
>
> I had this issue also on Google Chrome and it was really annoying; I mainly
> got this popup window while trying to access an OpenShift console.
>
> BTW I don't use a SmartCard on my computer, just a YubiKey as described in
> previous posts, so I don't mind if I need to stop and mask that service!
>
> BR

This was really driving me crazy and disabling pcscd "solved" the issue for me. It's funny that I never *hit* this issue with Thunderbird nor Firefox and all of a sudden I keep getting those popups.
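Masking pcscd, the workaround several people in this thread settled on, takes every smart card on the machine out of service, which is exactly the objection raised earlier by the participant who also uses real smart cards. A narrower client-side option is p11-kit's own per-program filter: a module configuration can carry a disable-in list of program names in which that module is not loaded, and p11-kit-proxy (the module NSS loads through /etc/crypto-policies/local.d/nss-p11-kit.config in the description) honours it. The script below is an added example, not code from this bug report or from the Satellite/Foreman project. Its assumptions: the OpenSC module is the "opensc:" entry from the p11-kit list-modules output above and is defined by the system file opensc.module; the library name opensc-pkcs11.so and the program names firefox and thunderbird (p11-kit matches the basename of argv[0]) are taken from Fedora's packaging; and a same-named module file under ~/.config/pkcs11/modules/ replaces the system one when pkcs11.conf(5)'s user-config is left at its default of merge. Check those against the installed p11-kit before relying on it.

```shell
#!/bin/sh
# Added example (not from the bug report): keep pcscd and OpenSC available for
# real smart-card use, but hide the token from the programs that keep
# prompting, using p11-kit's per-module "disable-in" setting.
#
# Assumptions (verify on your system): /usr/share/p11-kit/modules/opensc.module
# defines the "opensc" module seen in `p11-kit list-modules`, and with the
# default user-config: merge a user file of the same name under
# ~/.config/pkcs11/modules/ takes the place of that module's settings.
set -eu

# Render the override. $1 is the PKCS#11 library the system entry points at,
# $2 the comma-separated program names (basename of argv[0]) to hide it from.
render_override() {
    printf 'module: %s\ndisable-in: %s\n' "$1" "$2"
}

# Write the OpenSC override into the p11-kit user config dir ($1, defaulting
# to ~/.config/pkcs11) and print the path of the file created.
install_override() {
    dir="${1:-$HOME/.config/pkcs11}"
    mkdir -p "$dir/modules"
    render_override opensc-pkcs11.so "firefox, thunderbird" > "$dir/modules/opensc.module"
    printf '%s\n' "$dir/modules/opensc.module"
}

# Sanity check the file and, where p11-kit is installed, print the module list
# the proxy loads for the current program. Exit status 1 if the override lacks
# its disable-in line.
verify_override() {
    grep -q '^disable-in:' "$1" || return 1
    if command -v p11-kit >/dev/null 2>&1; then
        p11-kit list-modules || true
    fi
}

# Run as: ./p11kit-override.sh install
if [ "${1:-}" = install ]; then
    f=$(install_override)
    verify_override "$f"
    echo "wrote $f; restart Firefox/Thunderbird and re-check Security Devices"
fi
```

After a restart, the Security Devices dialog in Firefox (the steps given earlier in the thread) should list p11-kit-proxy without the YubiKey slot, while ssh-keygen -D and other PKCS#11 users keep seeing the token. This only hides the token from the named programs; the CertificateRequest from the server is unchanged, so any other NSS or p11-kit consumer will still prompt.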