Bug 1886841

Summary: Pinpad card reader for login authentication, yet you are also asked to enter the PIN on the PC keyboard
Product: Fedora
Reporter: Peter Steen <peter>
Component: sssd
Assignee: Sumit Bose <sbose>
Status: NEW
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 39
CC: abokovoy, atikhono, bthekkep, jhrozek, lslebodn, mzidek, pbrezina, sbose, ssorce, sssd-maintainers, thalman, tmihinto
Target Milestone: ---
Keywords: Triaged
Target Release: ---
Hardware: x86_64
OS: Linux
URL: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/FLLIA5RLHT3MO4NI2F3MJNMBBNGGZA4Z/
Doc Type: If docs needed, set a value

Description Peter Steen 2020-10-09 14:02:41 UTC

Hello Folks!

We are working on getting smart card authentication working with pinpad card readers for improved security.

To do this we use:
FreeIPA Server running on Fedora 32 with the latest updates.
FreeIPA clients running Fedora 32 Workstation, installed on a PC with the latest updates and a connected USB card reader.

The card reader is a Gemalto CT700 with pinpad; we use several individual per-user SmartCard-HSM 4K cards with FreeIPA-signed certificates on them.
The FreeIPA clients run OpenSC and are configured for smartcard certificate-based authentication, set up per SmartCard-HSM best practice.
Furthermore, the clients use SSSD and not pam_pkcs11.

Everything works great using the smartcard for authentication, as long as the pinpad is not enabled in OpenSC.
If it is enabled, we are prompted for the PIN not only on the pinpad reader, but GDM also prompts you to enter the PIN on the keyboard.
The expected result is to be logged in directly after entering the correct PIN on the pinpad reader, without GDM also prompting for the PIN on the keyboard.

If the pinpad is enabled in OpenSC, login gets a bit odd:
1. The Fedora 32 Workstation GDM menu shows a few users that can log in.
2. The smartcard is inserted in the reader.
3. GDM blanks the screen and the smartcard reader prompts for the PIN on its LCD display.
4. Enter the PIN on the smartcard reader and press the OK button on the reader; the reader display shows "PIN OK".
5. GDM now prompts for the PIN on the keyboard. This is unexpected; instead you should be logged in directly to the window manager, here GNOME (or Xfce, whichever window manager you selected).
6. You have to enter the PIN on the keyboard now, followed by Enter.
7. The smartcard reader once again prompts for the PIN on its LCD display.
8. Enter the PIN on the smartcard pinpad reader and press the pinpad OK button.
9. You are now logged in, and all is normal. If you pull the smartcard out of the reader, the screen locks, as expected.

Sometimes, but not always, you are logged in to the window manager directly after step 5.

What could this be? Has anyone seen this before, or does anyone know how to set it up?

Reproducible: Always

Steps to Reproduce:
1. Install and set up the FreeIPA server and client on Fedora 32 with the latest updates to use smartcard authentication for login.

Work on IPA Server:
-------------------
Install Fedora 32 Server as a minimal installation with everything else excluded, update to the latest version (dnf update -y), set the hostname, enter the server hostname (ipaserver.mydomain.com) and IP in /etc/hosts, enable and start chrony, reboot.

(As root user)
dnf install ipa-server bind-dyndb-ldap ipa-server-dns -y
for SERVICES in ntp http https ldap ldaps kerberos kpasswd dns; do firewall-cmd --permanent --add-service=$SERVICES; done
ipa-server-install --setup-dns
.
.
.

Add one secondary DNS in /etc/NetworkManager/conf.d/zzz-ipa.conf
klist
kinit admin
authselect select sssd with-sudo with-mkhomedir
ipa user-add user3 --first=user3 --last=test --email=user3 --shell=/bin/bash --password
id user3
ipa user-find user3
ssh user3.com
(change password)
reboot

(As root user)
klist
kinit admin
ipa-advise config-server-for-smart-card-auth > config-server-for-smart-card-auth.sh
chmod u+x config-server-for-smart-card-auth.sh
./config-server-for-smart-card-auth.sh /etc/ipa/ca.crt 
.
.
reboot

ipa-advise config-client-for-smart-card-auth > /tmp/config-client-for-smart-card-auth.sh
chmod a+r /tmp/config-client-for-smart-card-auth.sh

Work on Fedora 32 workstation:
------------------------------
Install Fedora 32 Workstation from the live DVD onto the PC, update to the latest version (dnf update -y), set the hostname, enter the server hostname (workstation.mydomain.com) and IP in /etc/hosts, enable and start chrony.
Change/add the following in /etc/sysconfig/network-scripts/reboot, so that the IPA server becomes the primary DNS for the Fedora 32 Workstation:
PEERDNS=no
DNS1=<ipa server ip address>
DNS2=<second dns server>
SEARCH=mydomain.com
DOMAIN=mydomain.com
Then reboot

Login and check that DNS is working.
(as root user)
dnf install freeipa-client.x86_64 -y
ipa-client-install --mkhomedir
id user3
reboot

Connect the Gemalto CT700 card reader to the PC/Fedora Workstation.
lsusb

dnf install opensc ccid pcsc-tools -y
systemctl enable pcscd
systemctl start pcscd

scp user3@ipaserver:/tmp/config-client-for-smart-card-auth.sh .
chmod +x config-client-for-smart-card-auth.sh
./config-client-for-smart-card-auth.sh /etc/ipa/ca.crt
.
.
.

In /etc/opensc.conf, enable the pinpad by uncommenting enable_pinpad = true;
Ensure pam_cert_auth is true in sssd.conf:
grep ^pam_cert_auth /etc/sssd/sssd.conf
pam_cert_auth = True

authselect select sssd with-mkhomedir with-sudo with-smartcard with-smartcard-lock-on-removal --force
authselect current
reboot

2. Prepare the SmartCard-HSM with the user3 certificate using the following:
(as root user)
kinit admin

Insert the SmartCard-HSM in the Gemalto CT700 card reader!

pcsc_scan 
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto Ezio Shield (I<some number>) 00 00
 
Wed Sep 23 14:12:27 2020
 Reader 0: Gemalto Ezio Shield (I<some number>) 00 00
.
.
.
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
<some hex number>
	Smartcard-HSM
	http://www.cardcontact.de/products/sc-hsm.html

opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes   PIN pad   Gemalto Ezio Shield (I<some number>) 00 00

pkcs11-tool --list-slots 
Available slots:
Slot 0 (0x0): Gemalto Ezio Shield (I<some number>) 00 00
  token label        : UserPIN (SmartCard-HSM)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : login required, PIN pad present, rng, token initialized, PIN initialized
  hardware version   : 24.13
  firmware version   : 2.5
  serial num         : DECM<some number>
  pin min/max        : 6/15

sc-hsm-tool --create-dkek-share dkek-share-1.pbe
.
.
.

sc-hsm-tool --initialize --so-pin <long pincode> --pin <pincode> --dkek-shares 1

sc-hsm-tool
.
.
.
DKEK shares          : 1
DKEK import pending, 1 share(s) still missing
sc-hsm-tool --import-dkek-share dkek-share-1.pbe
.
.
.
Enter password to decrypt DKEK share : <pincode>

sc-hsm-tool
.
.
.
DKEK shares          : 1
DKEK key check value : <some hex code>

# generate keypair
pkcs11-tool --module opensc-pkcs11.so --login --pin <pincode> --keypairgen --key-type rsa:2048 --id 10 --label "HSM RSA Key user3"

pkcs11-tool --list-objects
.
.
.

pkcs11-tool --test --login --pin <pincode>
.
.
.

# Backup DKEK
sc-hsm-tool --wrap-key wrap-key-1.bin --key-reference 1 --pin <pincode>

# Extract card public key for slot 10
pkcs15-tool --read-public-key 10 > user3.pub

# Prepare for and create the CSR for IPA to sign for user3
# Create a file hsm.conf with the content below

cat hsm.conf
# PKCS11 engine config
openssl_conf = openssl_def

[openssl_def]
engines = engine_section

[req]
distinguished_name = req_distinguished_name

[req_distinguished_name]
# empty.

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
PIN = 
init = 0

# Test that hsm.conf is working, and find pkcs11 engine
OPENSSL_CONF=./hsm.conf openssl engine 
(rdrand) Intel RDRAND engine
(dynamic) Dynamic engine loading support
(pkcs11) pkcs11 engine

# Create CSR to sign by IPA for user3

OPENSSL_CONF=./hsm.conf openssl req -engine pkcs11 -keyform engine -new -key 10 -sha256 -out user3.csr -subj "/CN=user3"

Log in to the IPA server using the web interface https://ipaserver.mydomain.com (this can be performed from the command line as well, but we used the IPA web interface):
user user3 -> Actions -> New Certificate
select profile IECuserRoles
copy "user3.csr" from above, paste it in and click "Issue" (IPA now signs the CSR)

To retrieve the signed certificate for user3:
user user3 -> Certificates -> Actions -> Download, and save it (it downloads as cert.pem)

Copy the downloaded certificate (cert.pem) to the host with the card reader (Fedora 32 Workstation)

Rename it:
mv cert.pem user3.pem

# convert to der format:
openssl x509 -in user3.pem -out user3.der -outform der

# write it to the card in slot 10
pkcs11-tool --module opensc-pkcs11.so --login --pin <pincode> --write-object user3.der --type cert --id 10

# check that it is there:
pkcs11-tool --list-objects
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate
  subject:    DN: O=MYDOMAIN.COM, CN=user3
  ID:         10
Public Key Object; RSA 2048 bits
  label:      Certificate
  ID:         10
  Usage:      encrypt, verify

Smartcard should now be ready for use with IPA.

3. Now try to log in to workstation.mydomain.com via GDM using the smartcard issued for user3.
Note! The user3 password must not have expired; this should be taken care of by the initial login test above.

As per the details above (steps 1 to 9 in the description, including the occasional direct login after step 5).


Actual Results:
You are asked to enter the PIN using the pinpad on the card reader, followed by entering the PIN using the keyboard, and then you are logged in.

Sometimes you need to enter the PIN on the pinpad once more after entering the PIN using the keyboard.

Expected Results:
Directly after entering the correct PIN using the pinpad on the card reader, you should be logged in.

Versions:
Fedora 32 with the latest updates as of Oct 9 2020.

freeipa-server-4.8.10-5.fc32.x86_64
freeipa-client-4.8.10-5.fc32.x86_64
sssd-client-2.3.1-2.fc32.x86_64
opensc-0.20.0-6.fc32.x86_64
pcsc-lite-libs-1.9.0-1.fc32.x86_64
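The point of a pinpad reader is that the PIN never touches the host keyboard, so a host that still shows the GDM keyboard prompt gains nothing from it. The following added shell check (written for this page, not part of the bug report, SSSD or OpenSC) audits the four settings the reproduction steps rely on before a login test; the file paths and the captured authselect and pkcs11-tool output are passed in as parameters, which is an assumption about how it would be driven.

```shell
#!/bin/sh
# Added example: audit the pinpad smart-card login prerequisites configured
# in the report. Every input is a parameter (config file paths and captured
# tool output), so the checks can also be run against copies or test files.
#
# Usage on a workstation (assumed paths, matching the report):
#   audit_pinpad_login /etc/opensc.conf /etc/sssd/sssd.conf \
#       "$(authselect current)" "$(pkcs11-tool --list-slots 2>/dev/null)"

# enable_pinpad = true; must be present and uncommented in opensc.conf
check_pinpad_enabled() {
    grep -Eq '^[[:space:]]*enable_pinpad[[:space:]]*=[[:space:]]*true' "$1"
}

# pam_cert_auth = True must be set in sssd.conf (value is case-insensitive)
check_pam_cert_auth() {
    grep -Eiq '^[[:space:]]*pam_cert_auth[[:space:]]*=[[:space:]]*true' "$1"
}

# authselect must be on the sssd profile with the with-smartcard feature
check_authselect_smartcard() {
    printf '%s\n' "$1" | grep -q 'with-smartcard'
}

# the token flags printed by pkcs11-tool --list-slots must include
# "PIN pad present", otherwise OpenSC cannot route PIN entry to the reader
check_token_pinpad() {
    printf '%s\n' "$1" | grep -q 'PIN pad present'
}

# Runs every check, reports each failure, returns 1 if any check failed.
audit_pinpad_login() {
    rc=0
    check_pinpad_enabled "$1" || { echo "FAIL: enable_pinpad not set in $1"; rc=1; }
    check_pam_cert_auth "$2" || { echo "FAIL: pam_cert_auth not True in $2"; rc=1; }
    check_authselect_smartcard "$3" || { echo "FAIL: authselect profile lacks with-smartcard"; rc=1; }
    check_token_pinpad "$4" || { echo "FAIL: token does not report a PIN pad"; rc=1; }
    [ "$rc" -eq 0 ] && echo "OK: host is configured for PIN entry on the reader"
    return "$rc"
}
```

If the audit passes and GDM still asks for the PIN on the keyboard, the configuration is consistent and the behaviour lies in the SSSD/OpenSC pinpad handling rather than in a missed setup step.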

Comment 1 Peter Steen 2020-12-03 18:17:12 UTC
Hello Folks!

We can report that in the latest Fedora 33 Server and Workstation the same issue remains.

Basically the same behaviour as before:
1. The Fedora 33 Workstation GDM menu shows a few users that can log in.
2. The smartcard is inserted in the reader.
3. GDM blanks the screen and the smartcard reader prompts for the PIN on its LCD display.
4. Enter the PIN on the smartcard reader and press the OK button on the reader; the reader display shows "PIN OK".
5. GDM now prompts for the PIN on the keyboard. This is unexpected; instead you should be logged in directly to the window manager, here GNOME (or Xfce, whichever window manager you selected).
6. You have to enter the PIN on the keyboard now, followed by Enter.
7. The smartcard reader once again prompts for the PIN on its LCD display.
8. Enter the PIN on the smartcard pinpad reader and press the pinpad OK button.
9. You are now logged in, and all is normal. If you pull the smartcard out of the reader, the screen locks, as expected.

One additional observation was that when running "ipa-client-install", it fails to add the client IP address in the DNS.
We had to add the IPA client IP address manually in the IPA server DNS to get it working.

Comment 2 Fedora Program Management 2021-04-29 16:57:27 UTC
This message is a reminder that Fedora 32 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not
able to fix it before Fedora 32 is end of life. If you would still like
to see this bug fixed and are able to reproduce it against a later version
of Fedora, you are encouraged to change the 'version' to a later Fedora
version prior to this bug being closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

Comment 3 Ben Cotton 2021-08-10 13:39:56 UTC
This bug appears to have been reported against 'rawhide' during the Fedora 35 development cycle.
Changing version to 35.

Comment 4 Ben Cotton 2022-11-29 16:49:49 UTC
This message is a reminder that Fedora Linux 35 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 35 on 2022-12-13.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '35'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 35 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.

Comment 5 Aoife Moloney 2023-11-23 00:03:54 UTC
This message is a reminder that Fedora Linux 37 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora Linux 37 on 2023-12-05.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
'version' of '37'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, change the 'version' 
to a later Fedora Linux version. Note that the version field may be hidden.
Click the "Show advanced fields" button if you do not see it.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora Linux 37 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora Linux, you are encouraged to change the 'version' to a later version
prior to this bug being closed.