When using an emulated smart card on a virtual machine, the smart card was not properly re-initialized after disconnecting and reconnecting the guest. As a consequence, the smart card became unusable. With this update, the smart card state is set properly after reconnecting the guest, and no longer becomes unusable after the operation.
Description of problem:
When using virt-viewer to connect to a guest with smartcard passthrough with the options "reconnect" & "wait", the smartcard does not work after the guest is rebooted.
Version-Release number of selected component (if applicable):
virt-viewer-2.0-3.el6.x86_64
spice-server-0.12.4-12.el6.x86_64
gtk-vnc-0.4.2-5.el6.x86_64
gvnc-0.4.2-5.el6.x86_64
How reproducible:
100%
Steps to Reproduce:
1. Prepare a RHEL 6 guest with smartcard passthrough and SPICE graphics:
...
<smartcard mode='passthrough' type='spicevmc'>
<alias name='smartcard0'/>
<address type='ccid' controller='0' slot='0'/>
</smartcard>
...
<graphics type='spice' port='5900' autoport='yes'/>
...
2. On both the host and the guest:
# yum groupinstall "smart card support"
# yum remove '*openct*'
# service pcscd start
3. Run on guest:
3.1 get root CA certificate and install it. For the setup above and Firefox, it can be obtained by following this procedure, but YMMV:
navigate to https://aakkiang-csvm1.idmqe.lab.eng.bos.redhat.com:9444/ca/ee/ca/ and choose "Retrieval" tab, and click "Import CA Certificate Chain" in the left list
Choose "Import the CA certificate chain into your browser" and click submit button
A "Downloading Certificate" dialog will come out, then click "View".
Choose "Details" tab, and click "Export..."
Choose PEM format, append .pem extension to the file name
copy the file to the /etc/pam_pkcs11/cacerts directory (you need to create it manually)
restore selinux context of the certificate and directories:
# restorecon -FvvR /etc/pam_pkcs11
install the certificate:
# certutil -A -d /etc/pki/nssdb -n "<your name for the CA>" -t "CT,C,C" -i /etc/pam_pkcs11/cacerts/<ca_file>.pem
3.2 In console, run #pklogin_finder debug, your UID should be the username you filled and the certificate should be verified
3.3. Add a user with same name as your smartcard.
3.4 Click System->Administration->Authentication->Advanced options->Check enable Smart card support. DO NOT check "Required smart card for login"
4. In your host run:
4.1 Use virt-viewer to open the guest:
# virt-viewer $guest --spice-smartcard
4.2 Check that pklogin_finder can read the smartcard:
# pklogin_finder debug
4.3 Switch user in the guest, change to the newly created user, select Smartcard Authentication, and input the smartcard PIN.
4.4 Close virt-viewer, then re-run virt-viewer on the client:
# virt-viewer --spice-smartcard --reconnect --wait --connect qemu:///system $guest
4.5 In another console, use virsh to restart the guest:
# virsh destroy $guest; virsh start $guest
4.6 Check whether the smartcard works after the guest restarts.
Actual results:
1. After step 4.3 and step 4.4, gdm should recognize the card, prompt for the PIN and, upon entering the correct PIN, the user on the smartcard should be logged in.
2. But after restarting the guest (step 4.6), the smartcard cannot be used in the guest, as shown in the screenshot.
Expected results:
With reconnect and wait, the smartcard should keep working when the guest restarts.
Additional info:
1. After step 4.7, use Ctrl+C to exit step 4.4 and rerun step 4.4; the smartcard then works again, as shown in screenshot-1.
2. I will attach debug info.
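A quick way to confirm that a guest definition meets the step 1 prerequisites before running the reproduction, as an added example that is not part of the original report. The two domain documents are constructed samples built around the elements shown in step 1, and `check_smartcard_passthrough` is a hypothetical helper name.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the device elements from step 1 wrapped in a minimal <domain>.
GOOD_DOMAIN = """
<domain type='kvm'>
  <devices>
    <smartcard mode='passthrough' type='spicevmc'>
      <alias name='smartcard0'/>
      <address type='ccid' controller='0' slot='0'/>
    </smartcard>
    <graphics type='spice' port='5900' autoport='yes'/>
  </devices>
</domain>
"""

# Constructed counter-example: host-mode card and a VNC display.
BAD_DOMAIN = """
<domain type='kvm'>
  <devices>
    <smartcard mode='host'/>
    <graphics type='vnc' port='5900' autoport='yes'/>
  </devices>
</domain>
"""

def check_smartcard_passthrough(domain_xml):
    """Return a list of problems; an empty list means the step 1 prerequisites hold."""
    devices = ET.fromstring(domain_xml).find("devices")
    if devices is None:
        return ["no <devices> element"]
    problems = []
    cards = devices.findall("smartcard")
    if not cards:
        problems.append("no <smartcard> device")
    for card in cards:
        mode, ctype = card.get("mode"), card.get("type")
        if mode != "passthrough" or ctype != "spicevmc":
            problems.append(f"smartcard mode={mode!r} type={ctype!r}, expected passthrough/spicevmc")
        addr = card.find("address")
        if addr is not None and addr.get("type") != "ccid":
            problems.append(f"smartcard address type={addr.get('type')!r}, expected ccid")
    if not any(g.get("type") == "spice" for g in devices.findall("graphics")):
        problems.append("no spice <graphics>; the spicevmc channel needs a SPICE display")
    return problems

if __name__ == "__main__":
    for label, xml in (("good", GOOD_DOMAIN), ("bad", BAD_DOMAIN)):
        print(label, check_smartcard_passthrough(xml) or "OK")
```

On a real host the input would be the output of `virsh dumpxml $guest`.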
Comment 6 Marc-Andre Lureau
2015-03-24 17:39:13 UTC
With spice-gtk git, I can reproduce the issue.
Furthermore, when removing the card, I get a crash:
(virt-viewer:6176): GSpice-DEBUG: smartcard-manager.c:292 smartcard: card-removed
(virt-viewer:6176): GLib-GObject-WARNING **: invalid unclassed pointer in cast to 'SpiceSmartcardChannel'
(virt-viewer:6176): GLib-GObject-WARNING **: invalid unclassed pointer in cast to 'SpiceChannel'
(virt-viewer:6176): GSpice-CRITICAL **: spice_msg_out_new: assertion 'c != NULL' failed
Program received signal SIGSEGV, Segmentation fault.
send_msg_generic_with_data (channel=0xa61470, reader=<optimized out>, msg_type=VSC_CardRemove, data=0x0, data_len=0, serialize_msg=1) at channel-smartcard.c:372
372 msg_out->marshallers->msgc_smartcard_header(msg_out->marshaller, &header);
(gdb) bt
#0 0x00007ffff50252db in send_msg_generic_with_data (channel=0xa61470, reader=<optimized out>, msg_type=VSC_CardRemove, data=0x0, data_len=0, serialize_msg=1) at channel-smartcard.c:372
#4 0x00007ffff079d34f in <emit signal ??? on instance 0x8dc990 [SpiceSmartcardManager]> (instance=<optimized out>, signal_id=signal_id@entry=255, detail=detail@entry=0) at gsignal.c:3365
#1 0x00007ffff0782c55 in g_closure_invoke (closure=0x8fb280, return_value=return_value@entry=0x0, n_param_values=2, param_values=param_values@entry=0x7fffffffd190, invocation_hint=invocation_hint@entry=0x7fffffffd130)
at gclosure.c:768
#2 0x00007ffff07949e2 in signal_emit_unlocked_R (node=node@entry=0x8faf40, detail=detail@entry=0, instance=instance@entry=0x8dc990, emission_return=emission_return@entry=0x0, instance_and_params=instance_and_params@entry=0x7fffffffd190) at gsignal.c:3553
#3 0x00007ffff079d121 in g_signal_emit_valist (instance=<optimized out>, signal_id=<optimized out>, detail=<optimized out>, var_args=var_args@entry=0x7fffffffd320) at gsignal.c:3309
#5 0x00007ffff5027c43 in smartcard_monitor_dispatch (event=<error reading variable: value has been optimized out>, user_data=0x8dc990, user_data@entry=<error reading variable: value has been optimized out>)
at smartcard-manager.c:293
#6 0x00007ffff50275ba in smartcard_source_dispatch (source=0x98dbd0, callback=<optimized out>, user_data=<optimized out>) at smartcard-manager.c:341
#7 0x00007ffff04837fb in g_main_context_dispatch (context=0x686210) at gmain.c:3111
#8 0x00007ffff04837fb in g_main_context_dispatch (context=context@entry=0x686210) at gmain.c:3710
#9 0x00007ffff0483b98 in g_main_context_iterate (context=0x686210, block=block@entry=1, dispatch=dispatch@entry=1, self=<optimized out>) at gmain.c:3781
#10 0x00007ffff0483ec2 in g_main_loop_run (loop=0x982590) at gmain.c:3975
#11 0x00007ffff6590055 in gtk_main () at gtkmain.c:1207
#12 0x000000000040f931 in main (argc=1, argv=0x7fffffffd828) at virt-viewer-main.c:119
Comment 7 Marc-Andre Lureau
2015-03-24 23:12:47 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://rhn.redhat.com/errata/RHBA-2015-1322.html