Bug 1173548 - Does not use p11-kit configured tokens
Summary: Does not use p11-kit configured tokens
Alias: None
Product: Fedora
Classification: Fedora
Component: pam_pkcs11
Version: 21
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Bob Relyea
QA Contact: Fedora Extras Quality Assurance
Depends On: 1173577
Blocks: PKCS11
TreeView+ depends on / blocked
Reported: 2014-12-12 12:05 UTC by David Woodhouse
Modified: 2014-12-16 14:06 UTC (History)
3 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2014-12-12 18:41:09 UTC
Type: Bug

Attachments (Terms of Use)

Description David Woodhouse 2014-12-12 12:05:20 UTC
pam_pkcs11 appears to need explicit configuration to use hardware tokens which are already present in the system p11-kit configuration.

We should probably ship with a default configuration that uses p11-kit-proxy.so (or p11-kit directly).

Also, perhaps the configuration file should accept standard PKCS#11 URIs for things like 'slot_description'.

Comment 1 David Woodhouse 2014-12-12 12:56:03 UTC
There is a possibility that generic NSS fixes could address much of the problem here. Those are discussed in bug 1173577.

Comment 2 Bob Relyea 2014-12-12 18:41:09 UTC
The use of p11-kit should be done through NSS generic, since pam_pkcs11 is an NSS app.

Comment 3 David Woodhouse 2014-12-13 14:04:21 UTC
Yes, that's one alternative. But another, if NSS isn't going to get fixed in the short term, is to build pam_pkcs11 against OpenSSL and explicitly load p11-kit-proxy.so.

Or to continue building against NSS and explicitly load p11-kit-proxy.so perhaps, as long as we can be sure it doesn't conflict with however NSS *will* eventually get fixed to load the p11-kit configured modules.

So unless the fixes for NSS are forthcoming, I think it is worth having a separate bug for pam_pkcs11, as we do have options for fixing it "locally".

Comment 4 David Woodhouse 2014-12-13 14:11:30 UTC
I suppose within Fedora we can be sure to update pam_pkcs11 to remove any workaround, when NSS gets fixed. So perhaps the way to close this bug in the short term is just to fix the configuration.

Just make it load p11-kit-proxy.so either explicitly in pam_pkcs11.conf or by ensuring it's referenced in in /etc/pki/nssdb and using that with 'module="any module"'.

Comment 5 Bob Relyea 2014-12-15 18:24:28 UTC
I'm pretty unlikely to switch pam_pkcs11 off of NSS;). The other stuff are fixes to either nss or pk11-kit.

Comment 6 David Woodhouse 2014-12-16 14:06:35 UTC
Fixing NSS definitely works for me. Do you have thoughts on how best to do that? A number of options have been put forward...

Note You need to log in before you can comment on or make changes to this bug.