Bug 1002222 - Screen Lock when Smart Card is removed fails
Summary: Screen Lock when Smart Card is removed fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 6.5
Assignee: Bob Relyea
QA Contact: Asha Akkiangady
URL:
Whiteboard:
Depends On: 990631 1087926
Blocks:
Reported: 2013-08-28 16:22 UTC by Roshni
Modified: 2014-04-15 15:18 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2013-11-21 23:06:04 UTC
Target Upstream Version:
Embargoed:
msvoboda: needinfo-


Attachments:

Links:
Red Hat Product Errata RHBA-2013:1699 (normal, SHIPPED_LIVE): coolkey bug fix and enhancement update, last updated 2013-11-20 21:52:09 UTC

Description Roshni 2013-08-28 16:22:02 UTC
Description of problem:
Authentication configuration has screen lock set for smart card authentication. The screen is not locked when the Gemalto 64K smart card is removed.

Version-Release number of selected component (if applicable):
gnome-screensaver-2.28.3-28.el6.x86_64
coolkey-1.1.0-29.el6.x86_64
ccid-1.3.9-6.el6.x86_64
RHEL 6.5

How reproducible:
always

Steps to Reproduce:
1. Smart card authentication configuration should have the setting "Lock screen"
2. Restart the machine and relogin using the smart card
3. Remove the Smart Card

Actual results:
Screen does not lock when card is removed.

Expected results:
Screen should be locked and prompt for the smart card PIN.

Additional info:

Comment 2 Ray Strode [halfline] 2013-08-29 16:42:50 UTC
1) did you log in with the smartcard?

2) if you open a terminal what is the output of:

echo $PKCS11_LOGIN_TOKEN_NAME

and 

gconftool-2 -R /desktop/gnome/peripherals/smartcard

(as the logged-in user, not root)

3) can you attach /etc/sysconfig/authconfig ?

4) what version of authconfig do you have installed?

Comment 3 Roshni 2013-08-30 13:59:06 UTC
Ray,

The following are the answers to your questions.

1) did you log in with the smartcard? - Yes

2) if you open a terminal what is the output of:

echo $PKCS11_LOGIN_TOKEN_NAME - kdcuser1 (the KDC user associated with the card)

and 

gconftool-2 -R /desktop/gnome/peripherals/smartcard - removal action = lock_screen

(as the logged-in user, not root)

3) can you attach /etc/sysconfig/authconfig ?

IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
USELDAPAUTH=no
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=yes
USELDAP=yes
USENIS=no
USEKERBEROS=yes
USESYSNETAUTH=no
USEDB=no
USEHESIOD=no

4) what version of authconfig do you have installed? 

authconfig-6.1.12-13.el6.x86_64

Comment 4 Bob Relyea 2013-08-30 17:36:35 UTC
What does: ls -l /etc/pki/nssdb show?

Comment 5 Roshni 2013-08-30 17:42:05 UTC
Bob, 

All files have root ownership and rw-r--r-- permissions

Comment 6 Roshni 2013-09-04 19:11:21 UTC
Also noticed, if "Lock Screen when card is removed" is set, after logging in with the smart card the screen locks even when the card is still inserted and I have to log in again.

Comment 8 Bob Relyea 2013-09-09 17:31:47 UTC
Roshni,

what do you get if you run:

modutil -rawlist -dbdir sql:/etc/pki/nssdb

and

modutil -rawlist -dbdir dbm:/etc/pki/nssdb

?

Comment 9 Roshni 2013-09-09 18:06:36 UTC
[root@localhost ~]# modutil -rawlist -dbdir sql:/etc/pki/nssdb/
library="libnsssysinit.so" name="NSS Internal PKCS #11 Module" NSS="Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "

name="CoolKey PKCS #11 Module" library="libcoolkeypk11.so"

[root@localhost ~]# modutil -rawlist -dbdir dbm:/etc/pki/nssdb/
 name="NSS Internal PKCS #11 Module" parameters="configdir=dbm:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"

library=libcoolkeypk11.so name="CoolKey PKCS #11 Module"

Comment 10 Bob Relyea 2013-09-09 18:36:37 UTC
Roshni, can you run those commands as the user you logged in as with your smartcard?

Also what do you get if you run:

modutil -list -dbdir sql:/etc/pki/nssdb


> Also noticed, if the "Lock Screen when card is removed" is set, after
> logging in with the smart the screen locks even when the card is still
> inserted and have to log in again.

I saw this on RHEL-5. It happens when gnome-screensaver can't find libcoolkeypk11.so. I was able to replicate it on RHEL-6 if /etc/pki/nssdb/pkcs.txt was rw--------.

I have a RHEL-5 patch that allows the fallback code to work, but I'm very curious why we are now running into this on your RHEL-6 system. I'm working correctly with:

gnome-screensaver-2.28.3-24.el6.x86_64
coolkey-1.1.0-29.1.el6_bob.x86_64
ccid-1.3.9-6.el6.x86_64


(coolkey-1.1.0-29.1 is my own build of coolkey-1.1.0-30, which fixes the issue that coolkey wasn't getting properly added to /etc/pki/nssdb in -29).

Comment 11 Roshni 2013-09-09 18:49:53 UTC
Bob,

sh-4.1$ modutil -rawlist -dbdir sql:/etc/pki/nssdb/
library= name="NSS Internal PKCS #11 Module" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"

sh-4.1$ modutil -rawlist -dbdir dbm:/etc/pki/nssdb/
 name="NSS Internal PKCS #11 Module" parameters="configdir=dbm:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"

library=libcoolkeypk11.so name="CoolKey PKCS #11 Module"  

sh-4.1$ modutil -list -dbdir sql:/etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
-----------------------------------------------------------


As root user:

[root@localhost ~]# modutil -list -dbdir sql:/etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal Crypto Services
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
	library name: libcoolkeypk11.so
	 slots: 1 slot attached
	status: loaded

	 slot: OmniKey CardMan 3121 00 00
	token: kdcuser1
-----------------------------------------------------------

I am using the following rpm's:

gnome-screensaver-2.28.3-28.el6.i686
coolkey-1.1.0-30.el6.i686
ccid-1.3.9-6.el6.i686

I updated to the latest coolkey errata build today to test the other bug, but now the issue described in this bug (screensaver locking) does not seem to be showing up. I tried with both "Ignore" and "Lock" set. The difference I noticed is that when this build of coolkey was installed, the PKCS#11 CoolKey module was automatically added to /etc/pki/nssdb.

Comment 12 Bob Relyea 2013-09-09 21:48:59 UTC
> sh-4.1$ modutil -rawlist -dbdir sql:/etc/pki/nssdb/
> library= name="NSS Internal PKCS #11 Module" parameters="
> configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db
> flags=readOnly "
> NSS="Flags=internal,critical trustOrder=75 cipherOrder=100
> slotParams=(1={slotFlags[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,
>TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"

This is why. We aren't seeing coolkey from the sql database.

> I updated to the latest coolkey errata build today to test the other bug,
> but now issue described in this bug (screensaver locking) does not seem to be
> showing up. I tried with both "Ignore" and "Lock" set. The difference I noticed
> is that when this build of coolkey was install the PKCS#11 Coolkey Module was
>  automatically added to /etc/pki/nssdb

Yes, I thought your problem may be in this realm somewhere.

Comment 13 Bob Relyea 2013-09-30 22:33:20 UTC
What you are seeing is gnome-screensaver failing to load coolkey in the case where you have logged in using the card. The screen saver immediately locks the screen, and then when you unlock it, it can no longer get screen events.

In RHEL-5 this looks like some sort of environmental problem where you can't load coolkey from the load path (even though pam_pkcs11 could). There is backup code in gnome-screensaver which will attempt to hand-load coolkey if it fails to load, but this backup code is broken; in the RHEL-5 bug I've attached a patch to fix this.

In RHEL-6, I was only able to reproduce this in the case where I've set the NSS_DEFAULT_DB_TYPE environment variable to sql in my profile, and set pkcs11.txt to r----- (well, it got set to that by installing coolkey because of bug 990631, which has caused Roshni other problems). Once I got pkcs11.txt to be r--r--r--, my 6.5 beta started working fine.

This is just another flavor of the RHEL-5 issue, which we can clean up a bit by fixing the fallback code in gnome-screensaver.

In any case coolkey is functioning properly. esc is properly getting insertion/removal events, so the basic problem is why gnome-screensaver isn't able to load libcoolkey (which probably isn't a gnome-screensaver issue either).

bob

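The failure mode Bob describes above (CoolKey registered in /etc/pki/nssdb, but unreadable to the session user, so gnome-screensaver sees no PKCS #11 module and never gets card-removal events) can be checked from a script. The following is an added example, not code from this bug, coolkey or gnome-screensaver; it assumes Python 3 on Linux, the `modutil -rawlist` output format quoted in comments 9 and 11, and a hypothetical helper name `nssdb_problems`.

```python
"""Added diagnostic: does the session user see the CoolKey PKCS #11 module
in the sql NSS db, and is pkcs11.txt readable by non-root users at all?"""
import os
import re
import stat

COOLKEY_LIB = "libcoolkeypk11.so"

# Constructed sample input: the `modutil -rawlist -dbdir sql:/etc/pki/nssdb`
# output quoted in comments 9 (root) and 11 (card user), slotFlags abridged.
ROOT_RAWLIST = '''library="libnsssysinit.so" name="NSS Internal PKCS #11 Module" NSS="Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH] askpw=any timeout=30})" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "

name="CoolKey PKCS #11 Module" library="libcoolkeypk11.so"
'''
USER_RAWLIST = '''library= name="NSS Internal PKCS #11 Module" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="Flags=internal,critical trustOrder=75 cipherOrder=100"
'''

# One module per line as key=value pairs; a value is either "quoted" (may
# contain spaces and '=') or a bare token, possibly empty (e.g. `library=`).
_PAIR = re.compile(r'(\w+)=(?:"([^"]*)"|(\S*))')


def parse_rawlist(text):
    """Return one {key: value} dict per registered module."""
    return [{k: quoted or bare for k, quoted, bare in _PAIR.findall(line)}
            for line in text.splitlines() if line.strip()]


def loaded_libraries(text):
    return {m.get("library", "") for m in parse_rawlist(text)}


def nssdb_problems(dbdir, library=COOLKEY_LIB, user_rawlist=None):
    """Diagnostics for a desktop session using dbdir; user_rawlist is the
    rawlist output captured *as the session user*, when available."""
    problems = []
    path = os.path.join(dbdir, "pkcs11.txt")
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return ["%s missing: no modules registered in the sql db" % path]
    if not mode & stat.S_IROTH:  # the 0600 case from comments 10 and 13
        problems.append("%s mode %s is not world-readable; non-root NSS "
                        "users will see no registered modules" % (path, oct(mode)))
    if user_rawlist is not None and library not in loaded_libraries(user_rawlist):
        problems.append("%s absent from the session user's module list" % library)
    return problems
```

Run `nssdb_problems("/etc/pki/nssdb", user_rawlist=<rawlist captured as the logged-in user>)` on the affected desktop; an empty list means both the registration and the permissions look right.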
Comment 14 Bob Relyea 2013-10-03 16:55:44 UTC
Marking modified so the bug can be added to the errata and verified.

Comment 16 Roshni 2013-10-03 18:28:45 UTC
Works fine with coolkey-1.1.0-31.el6

Comment 19 errata-xmlrpc 2013-11-21 23:06:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1699.html

