Bug 1002222 - Screen Lock when Smart Card is removed fails
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: coolkey
Version: 6.5
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Target Release: 6.5
Assigned To: Bob Relyea
QA Contact: Asha Akkiangady
Keywords: Regression
Depends On: 990631 1087926
Blocks:
 
Reported: 2013-08-28 12:22 EDT by Roshni
Modified: 2014-04-15 11:18 EDT (History)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2013-11-21 18:06:04 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
msvoboda: needinfo-


Attachments: None
Description Roshni 2013-08-28 12:22:02 EDT
Description of problem:
Authentication configuration has screen lock set for smart card authentication. The Screen is not locked when the Gemalto 64K smart card is removed.

Version-Release number of selected component (if applicable):
gnome-screensaver-2.28.3-28.el6.x86_64
coolkey-1.1.0-29.el6.x86_64
ccid-1.3.9-6.el6.x86_64
RHEL 6.5

How reproducible:
always

Steps to Reproduce:
1. Smart card authentication configuration should have the "Lock screen" setting enabled
2. Restart the machine and log in again using the smart card
3. Remove the smart card

Actual results:
Screen does not lock when card is removed.

Expected results:
Screen should be locked and prompt for Smart Card pin.

Additional info:
Comment 2 Ray Strode [halfline] 2013-08-29 12:42:50 EDT
1) did you log in with the smartcard?

2) if you open a terminal what is the output of:

echo $PKCS11_LOGIN_TOKEN_NAME

and 

gconftool-2 -R /desktop/gnome/peripherals/smartcard

(as the logged in user not root)
3) can you attach /etc/sysconfig/authconfig ?

4) what version of authconfig do you have installed?
Comment 3 Roshni 2013-08-30 09:59:06 EDT
Ray,

The following are the answers to your questions.

1) did you log in with the smartcard? - Yes

2) if you open a terminal what is the output of:

echo $PKCS11_LOGIN_TOKEN_NAME - kdcuser1 (the KDC user associated with the card)

and 

gconftool-2 -R /desktop/gnome/peripherals/smartcard - removal action = lock_screen

(as the logged in user not root)
3) can you attach /etc/sysconfig/authconfig ?

IPADOMAINJOINED=no
USEMKHOMEDIR=yes
USEPAMACCESS=no
CACHECREDENTIALS=yes
USESSSDAUTH=no
USESHADOW=yes
USEWINBIND=no
USESSSD=no
PASSWDALGORITHM=sha512
FORCELEGACY=no
USEFPRINTD=yes
FORCESMARTCARD=no
USELDAPAUTH=no
USEPASSWDQC=no
IPAV2NONTP=no
USELOCAUTHORIZE=yes
USECRACKLIB=yes
USEIPAV2=no
USEWINBINDAUTH=no
USESMARTCARD=yes
USELDAP=yes
USENIS=no
USEKERBEROS=yes
USESYSNETAUTH=no
USEDB=no
USEHESIOD=no

4) what version of authconfig do you have installed? 

authconfig-6.1.12-13.el6.x86_64
Comment 4 Bob Relyea 2013-08-30 13:36:35 EDT
What does: ls -l /etc/pki/nssdb show?
Comment 5 Roshni 2013-08-30 13:42:05 EDT
Bob, 

All files have root ownership and rw-r--r-- permission
Comment 6 Roshni 2013-09-04 15:11:21 EDT
Also noticed: if "Lock Screen when card is removed" is set, then after logging in with the smart card the screen locks even when the card is still inserted, and I have to log in again.
Comment 8 Bob Relyea 2013-09-09 13:31:47 EDT
roshni,

what do you get if you run:

modutil -rawlist -dbdir sql:/etc/pki/nssdb

and

modutil -rawlist -dbdir dbm:/etc/pki/nssdb

?
Comment 9 Roshni 2013-09-09 14:06:36 EDT
[root@localhost ~]# modutil -rawlist -dbdir sql:/etc/pki/nssdb/
library="libnsssysinit.so" name="NSS Internal PKCS #11 Module" NSS="Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly "

name="CoolKey PKCS #11 Module" library="libcoolkeypk11.so"

[root@localhost ~]# modutil -rawlist -dbdir dbm:/etc/pki/nssdb/
 name="NSS Internal PKCS #11 Module" parameters="configdir=dbm:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"

library=libcoolkeypk11.so name="CoolKey PKCS #11 Module"
Comment 10 Bob Relyea 2013-09-09 14:36:37 EDT
Roshni, can you run those commands as the user you logged in as with your smartcard.

Also what do you get if you run:

modutil -list -dbdir sql:/etc/pki/nssdb


> Also noticed, if the "Lock Screen when card is removed" is set, after
> logging in with the smart the screen locks even when the card is still
> inserted and have to log in again.

I saw this on RHEL-5. It happens when gnome-screensaver can't find libcoolkeypk11.so. I was able to replicate it on RHEL-6 if /etc/pki/nssdb/pkcs.txt was rw--------.

I have a RHEL-5 patch that allows the fallback code to work, but I'm very curious why we are now running into this on your RHEL-6 system, I'm working correctly with:

gnome-screensaver-2.28.3-24.el6.x86_64
coolkey-1.1.0-29.1.el6_bob.x86_64
ccid-1.3.9-6.el6.x86_64


(coolkey-1.1.0-29.1 is my own build of coolkey-1.1.0-30, which fixes the issue that coolkey wasn't getting properly added to /etc/pki/nssdb in -29).
Comment 11 Roshni 2013-09-09 14:49:53 EDT
Bob,

sh-4.1$ modutil -rawlist -dbdir sql:/etc/pki/nssdb/
library= name="NSS Internal PKCS #11 Module" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"

sh-4.1$ modutil -rawlist -dbdir dbm:/etc/pki/nssdb/
 name="NSS Internal PKCS #11 Module" parameters="configdir=dbm:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="trustOrder=75 cipherOrder=100 slotParams={0x00000001=[slotFlags=RSA,RC4,RC2,DES,DH,SHA1,MD5,MD2,SSL,TLS,AES,RANDOM askpw=any timeout=30 ] }  Flags=internal,critical"

library=libcoolkeypk11.so name="CoolKey PKCS #11 Module"  

sh-4.1$ modutil -list -dbdir sql:/etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB
-----------------------------------------------------------


As root user:

[root@localhost ~]# modutil -list -dbdir sql:/etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal Crypto Services
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
	library name: libcoolkeypk11.so
	 slots: 1 slot attached
	status: loaded

	 slot: OmniKey CardMan 3121 00 00
	token: kdcuser1
-----------------------------------------------------------

I am using the following rpms:

gnome-screensaver-2.28.3-28.el6.i686
coolkey-1.1.0-30.el6.i686
ccid-1.3.9-6.el6.i686

I updated to the latest coolkey errata build today to test the other bug, but now the issue described in this bug (screensaver locking) does not seem to be showing up. I tried with both "Ignore" and "Lock" set. The difference I noticed is that when this build of coolkey was installed, the PKCS#11 CoolKey module was automatically added to /etc/pki/nssdb.
Comment 12 Bob Relyea 2013-09-09 17:48:59 EDT
> sh-4.1$ modutil -rawlist -dbdir sql:/etc/pki/nssdb/
> library= name="NSS Internal PKCS #11 Module" parameters="
> configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db
> flags=readOnly "
> NSS="Flags=internal,critical trustOrder=75 cipherOrder=100
> slotParams=(1={slotFlags[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,
>TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})"

This is why. We aren't seeing coolkey from the sql database.

> I updated to the latest coolkey errata build today to test the other bug,
> but now issue described in this bug (screensaver locking) does not seem to be
> showing up. I tried with both "Ignore" and "Lock" set. The difference I noticed
> is that when this build of coolkey was install the PKCS#11 Coolkey Module was
>  automatically added to /etc/pki/nssdb

yes, I thought your problem may be in this realm somewhere.
Comment 13 Bob Relyea 2013-09-30 18:33:20 EDT
What you  are seeing is gnome-screensaver is failing to load coolkey in the case where you have logged in using the card. The screen saver immediately locks the screen and then when you unlock it it can no longer get screen events.

In RHEL-5 this looks like some sort of environmental problem where you can't load coolkey from the load path (even though pam_pkcs11 could). There is backup code in gnome-screensaver which will attempt to hand-load coolkey if it fails to load, but this backup code is broken in the RHEL-5 bug; I've attached a patch to fix this.

In RHEL-6, I was only able to reproduce this in the case where I've set the NSS_DEFAULT_DB_TYPE environment variable to sql in my profile, and set pkcs11.txt to r----- (well, it got set to that by installing coolkey because of bug 990631, which has caused Roshni other problems). Once I got pkcs11.txt to be r--r--r--, my 6.5 beta started working fine.

This is just another flavor of the RHEL-5 issue, which we can clean up a bit by fixing the fallback code in gnome-screensaver.

In any case coolkey is functioning properly. esc is properly getting insertion/removal events, so the basic problem is why gnome-screensaver isn't able to load libcoolkey (which probably isn't a gnome-screensaver issue either).

bob
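The diagnosis in comments 12 and 13 comes down to two conditions a user can observe without root: the CoolKey module is missing from the unprivileged user's view of the sql: module database, and /etc/pki/nssdb/pkcs11.txt is not readable by that user, so gnome-screensaver (running as the user) never sees the module. The following shell script is an added example, not code from this bug report or from the coolkey or gnome-screensaver projects; it checks both conditions. It assumes a Linux system with GNU stat and the modutil command from nss-tools, and the embedded sample listings are constructed after the output shown in this bug.

```shell
#!/bin/sh
# Added example (not from the bug report): checks for the failure mode
# discussed in bug 1002222. Run as the desktop user, not root, because the
# point is what that user can see.

# Check 1: /pkcs11.txt in the sql-format NSS database must be readable by
# other users. Returns 0 if world-readable, 1 otherwise. Takes the database
# directory as an argument so it can be pointed at a test fixture.
pkcs11_txt_world_readable() {
    dir="${1:-/etc/pki/nssdb}"
    f="$dir/pkcs11.txt"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    # Octal mode string, e.g. 644 or 600 (GNU stat; assumption: Linux).
    mode=$(stat -c '%a' "$f")
    # Last octal digit is the "other" class; the read bit is 4.
    other=${mode#"${mode%?}"}
    case "$other" in
        4|5|6|7) return 0 ;;
        *) echo "$f is mode $mode; other users cannot read it" >&2; return 1 ;;
    esac
}

# Check 2: does a `modutil -rawlist` listing (passed as one string) mention
# the CoolKey library? Returns 0 if libcoolkeypk11.so appears, 1 otherwise.
coolkey_in_rawlist() {
    printf '%s' "$1" | grep -q 'libcoolkeypk11\.so'
}

# Constructed sample listings modelled on comment 9 and comment 11:
# the unprivileged user's sql listing lacks CoolKey, root's listing has it.
USER_RAWLIST_SAMPLE='library= name="NSS Internal PKCS #11 Module" parameters="configdir=sql:/etc/pki/nssdb certPrefix= keyPrefix= secmod=secmod.db flags=readOnly " NSS="Flags=internal,critical trustOrder=75 cipherOrder=100"'
ROOT_RAWLIST_SAMPLE="$USER_RAWLIST_SAMPLE

name=\"CoolKey PKCS #11 Module\" library=\"libcoolkeypk11.so\""

# Live check against a real system. Returns 0 only if pkcs11.txt is readable
# and the current user's sql: listing shows the CoolKey module.
main() {
    dir="${1:-/etc/pki/nssdb}"
    rc=0
    pkcs11_txt_world_readable "$dir" || rc=1
    if command -v modutil >/dev/null 2>&1; then
        listing=$(modutil -rawlist -dbdir "sql:$dir" 2>/dev/null) || listing=""
        coolkey_in_rawlist "$listing" \
            || { echo "CoolKey module not visible in sql:$dir for $(id -un)" >&2; rc=1; }
    else
        echo "modutil not found; install nss-tools to run the live check" >&2
    fi
    return $rc
}

# Usage (as the smart-card user): sh -c '. ./nssdb_check.sh; main /etc/pki/nssdb'
```

A non-zero result from main reproduces the situation in comment 11 (module visible to root, invisible to the user); the fix described in comment 13 is to make pkcs11.txt world-readable (r--r--r--), after which the sql: listing for the user should include the CoolKey module.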
Comment 14 Bob Relyea 2013-10-03 12:55:44 EDT
Marking modified so the bug can be added to the errata and verified.
Comment 16 Roshni 2013-10-03 14:28:45 EDT
Works fine with coolkey-1.1.0-31.el6
Comment 19 errata-xmlrpc 2013-11-21 18:06:04 EST
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

http://rhn.redhat.com/errata/RHBA-2013-1699.html
