Description of problem:
Authentication configuration has screen lock set for smart card authentication. The screen is not locked when the Gemalto 64K smart card is removed.

Version-Release number of selected component (if applicable):
gnome-screensaver-2.28.3-28.el6.x86_64
coolkey-1.1.0-29.el6.x86_64
ccid-1.3.9-6.el6.x86_64
RHEL 6.5

How reproducible:
always

Steps to Reproduce:
1. Smart Card authentication configuration should have setting Lock screen
2. Restart the machine and relogin using the smart card
3. Remove the Smart Card

Actual results:
Screen does not lock when card is removed.

Expected results:
Screen should be locked and prompt for Smart Card pin.

Additional info:
1) did you log in with the smartcard?

2) if you open a terminal what is the output of:
echo $PKCS11_LOGIN_TOKEN_NAME
and
gconftool-2 -R /desktop/gnome/peripherals/smartcard
(as the logged in user not root)

3) can you attach /etc/sysconfig/authconfig ?

4) what version of authconfig do you have installed?
Ray,

The following are the answers to your questions.

1) did you log in with the smartcard?
- Yes

2) if you open a terminal what is the output of:
echo $PKCS11_LOGIN_TOKEN_NAME
- kdcuser1 (the KDC user associated with the card)
and
gconftool-2 -R /desktop/gnome/peripherals/smartcard
- removal action = lock_screen
(as the logged in user not root)

3) can you attach /etc/sysconfig/authconfig ?

IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
USELDAPAUTH=no
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=yes
USELDAP=yes
USENIS=no
USEKERBEROS=yes
USESYSNETAUTH=no
USEDB=no
USEHESIOD=no

4) what version of authconfig do you have installed?
authconfig-6.1.12-13.el6.x86_64
What does: ls -l /etc/pki/nssdb show?
Bob, All files have root ownership and rw-r--r-- permission
Also noticed, if the "Lock Screen when card is removed" is set, after logging in with the smart card the screen locks even when the card is still inserted and I have to log in again.
roshni, what do you get if you run:

modutil -rawlist -dbdir sql:/etc/pki/nssdb

and

modutil -rawlist -dbdir dbm:/etc/pki/nssdb ?
[root@localhost ~]# modutil -rawlist -dbdir sql:/etc/pki/nssdb/
library="libnsssysinit.so" name="NSS Internal PKCS #11 Module" NSS="Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "
name="CoolKey PKCS #11 Module" library="libcoolkeypk11.so"

[root@localhost ~]# modutil -rawlist -dbdir dbm:/etc/pki/nssdb/
name="NSS Internal PKCS #11 Module" parameters="configdir=dbm:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical"
library=libcoolkeypk11.so name="CoolKey PKCS #11 Module"
Roshni, can you run those commands as the user you logged in as with your smartcard.

Also what do you get if you run:

modutil -list -dbdir sql:/etc/pki/nssdb

> Also noticed, if the "Lock Screen when card is removed" is set, after
> logging in with the smart the screen locks even when the card is still
> inserted and have to log in again.

I saw this on RHEL-5. It happens when gnome-screensaver can't find libcoolkeypk11.so. I was able to replicate it on RHEL-6 if /etc/pki/nssdb/pkcs.txt was rw--------.

I have a RHEL-5 patch that allows the fallback code to work, but I'm very curious why we are now running into this on your RHEL-6 system. I'm working correctly with:

gnome-screensaver-2.28.3-24.el6.x86_64
coolkey-1.1.0-29.1.el6_bob.x86_64
ccid-1.3.9-6.el6.x86_64

(coolkey-1.1.0-29.1 is my own build of coolkey-1.1.0-30, which fixes the issue that coolkey wasn't getting properly added to /etc/pki/nssdb in -29).
Bob,

sh-4.1$ modutil -rawlist -dbdir sql:/etc/pki/nssdb/
library= name="NSS Internal PKCS #11 Module" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"

sh-4.1$ modutil -rawlist -dbdir dbm:/etc/pki/nssdb/
name="NSS Internal PKCS #11 Module" parameters="configdir=dbm:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] } Flags=internal,critical"
library=libcoolkeypk11.so name="CoolKey PKCS #11 Module"

sh-4.1$ modutil -list -dbdir sql:/etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB
-----------------------------------------------------------

As root user:

[root@localhost ~]# modutil -list -dbdir sql:/etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal Crypto Services
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 1 slot attached
        status: loaded

         slot: OmniKey CardMan 3121 00 00
        token: kdcuser1
-----------------------------------------------------------

I am using the following rpm's:

gnome-screensaver-2.28.3-28.el6.i686
coolkey-1.1.0-30.el6.i686
ccid-1.3.9-6.el6.i686

I updated to the latest coolkey errata build today to test the other bug, but now the issue described in this bug (screensaver locking) does not seem to be showing up. I tried with both "Ignore" and "Lock" set. The difference I noticed is that when this build of coolkey was installed the PKCS#11 Coolkey Module was automatically added to /etc/pki/nssdb
> sh-4.1$ modutil -rawlist -dbdir sql:/etc/pki/nssdb/
> library= name="NSS Internal PKCS #11 Module" parameters="
> configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db
> flags=readOnly "
> NSS="Flags=internal,critical trustOrder=75 cipherOrder=100
> slotParams=(1={slotFlags[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,
> TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"

This is why. We aren't seeing coolkey from the sql database.

> I updated to the latest coolkey errata build today to test the other bug,
> but now issue described in this bug (screensaver locking) does not seem to be
> showing up. I tried with both "Ignore" and "Lock" set. The difference I noticed
> is that when this build of coolkey was install the PKCS#11 Coolkey Module was
> automatically added to /etc/pki/nssdb

yes, I thought your problem may be in this realm somewhere.
What you are seeing is gnome-screensaver failing to load coolkey in the case where you have logged in using the card. The screen saver immediately locks the screen and then, when you unlock it, it can no longer get screen events.

In RHEL-5 this looks like some sort of environmental problem where you can't load coolkey from the load path (even though pam_pkcs11 could). There is backup code in gnome-screensaver which will attempt to hand load coolkey if it fails to load, but this backup code is broken; in the RHEL-5 bug I've attached a patch to fix this.

In RHEL-6, I was only able to reproduce this in the case where I've set the NSS_DEFAULT_DB_TYPE environment variable to sql in my profile, and set pkcs11.txt to r----- (well it got set to that by installing coolkey because of bug 990631, which has caused roshni other problems). Once I got pkcs11.txt to be r--r--r-- then my 6.5 beta started working fine. This is just another flavor of the RHEL-5 issue, which we can clean up a bit by fixing the fallback code in gnome-screensaver.

In any case coolkey is functioning properly. esc is properly getting insertion/removal events, so the basic problem is why gnome-screensaver isn't able to load libcoolkey (which probably isn't a gnome-screensaver issue either).

bob
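The two checks Bob walks through above (does the unprivileged user's `modutil -rawlist` view of the sql db still show the CoolKey module, and is pkcs11.txt readable by that user) can be turned into a small diagnostic. This is an added example, not code from the bug report, gnome-screensaver or coolkey; the sample listings are constructed from the outputs quoted in this thread, and the file mode is passed in as a plain st_mode integer so it runs without /etc/pki/nssdb present.

```python
"""Compare PKCS#11 module visibility between a root and a user `modutil -rawlist` run."""
import shlex
import stat

# Constructed samples, trimmed from the listings quoted earlier in this thread:
# root sees the CoolKey module in the sql db, the smart-card user does not.
ROOT_SQL = '''library="libnsssysinit.so" name="NSS Internal PKCS #11 Module" NSS="Flags=internal,moduleDBOnly,critical trustOrder=75" parameters="configdir=sql:/etc/pki/nssdb flags=readOnly "
name="CoolKey PKCS #11 Module" library="libcoolkeypk11.so"
'''
USER_SQL = '''library= name="NSS Internal PKCS #11 Module" parameters="configdir=sql:/etc/pki/nssdb flags=readOnly " NSS="Flags=internal,critical trustOrder=75"
'''


def parse_rawlist(text):
    """modutil -rawlist prints one module per line as key=value pairs; values may be quoted."""
    modules = []
    for line in text.splitlines():
        if not line.strip():
            continue
        entry = {}
        for token in shlex.split(line):          # honours the double-quoted values
            key, _, value = token.partition("=")  # split on the first '=' only
            entry[key] = value
        modules.append(entry)
    return modules


def missing_for_user(root_text, user_text):
    """Module names root can see in the db that the unprivileged user cannot."""
    root_names = {m.get("name", "") for m in parse_rawlist(root_text)}
    user_names = {m.get("name", "") for m in parse_rawlist(user_text)}
    return sorted(n for n in root_names - user_names if n)


def pkcs11_txt_readable_by_others(mode):
    """True when pkcs11.txt (mode = os.stat(path).st_mode) is readable by non-root users."""
    return bool(mode & stat.S_IROTH)


def diagnose(root_text, user_text, pkcs11_txt_mode):
    """Explain why gnome-screensaver, running as the user, might not find CoolKey."""
    hidden = missing_for_user(root_text, user_text)
    if not hidden:
        return "ok: user and root see the same modules"
    if not pkcs11_txt_readable_by_others(pkcs11_txt_mode):
        return "pkcs11.txt is not world-readable; user cannot see: " + ", ".join(hidden)
    return "modules hidden from user for another reason: " + ", ".join(hidden)


if __name__ == "__main__":
    print(diagnose(ROOT_SQL, USER_SQL, 0o100600))
```

On a live system, feed it the real `modutil -rawlist -dbdir sql:/etc/pki/nssdb` outputs captured as root and as the logged-in user, plus `os.stat("/etc/pki/nssdb/pkcs11.txt").st_mode`.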
marking modified so the bug can be added to the errata and verified.
Works fine with coolkey-1.1.0-31.el6
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHBA-2013-1699.html