Red Hat Bugzilla – Bug 1309427
Smart Card Locked after Linux login
Last modified: 2017-10-17 13:49:20 EDT
Description of problem: After a user has authenticated via CAC to a RHEL box, it is somehow being locked.
This is discovered when the CAC is removed and inserted into their Windows machine only to show that the CAC has been blocked which then needs to be unlocked by our Security Office.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Login to RHEL machine via CAC
2. Remove CAC and attempt to login to Windows machine
3. CAC shows "blocked"
Additional info: The RHEL machine matches the CAC EDIPI with cn_map that has the user's CAC information.
I'm not sure this is pam_pkcs11. If pam_pkcs11 logged in, then the card is unlocked. If a locked card can log in, then it by definition is not locked (at least at the time pam_pkcs11 sees it).
The question is what else is running. Lots of apps could trigger attempts to log into the CAC card.
Can the user log in again with the card that was locked (if so we have a bug in pam_pkcs11)?
If not, then the card was locked by some other application running on the system and not pam.
See comment 2.
Correct, pam_pkcs11 works properly during the initial login.
I will take a look at all the apps running when a user is logged into the machine and see what might be triggering the CAC to be locked.
If the CAC has been locked and the user were to attempt to unlock their Windows or RHEL machines, it will give them an error saying that the CAC has been blocked.
I don't know what application would keep querying the user's CAC repeatedly and then cause it to lock itself and I will check to see what might be doing so.
Thank you for your assistance.
So I ran "pklogin_finder debug" once to see if there were any useful logs that would come out of it. After entering my CAC pin once, it said that it was incorrect. Curious, I removed my CAC and plugged it to my Windows machine to unlock it. It said that my CAC was blocked again, this time, the locking was almost instantaneous.
I think we're going to need a test CAC card. We aren't seeing this with our cards. Do you have any cards from your test infrastructure we can get?
Unfortunately, we cannot obtain test CACs at our site. I did however visit DISA's website to download the most recent package for the NSS database and my CAC has yet to lock after the initial login or unlocking the screen saver.
I have reimaged the machine to test this properly just in case it's a fluke.
So it was a false alarm, the CAC locked again a while later after leaving it in the machine.
That tends to say that there is something else running that's locking the smart card, since pam_pkcs11 is only involved at login time.
We found out within /var/log/messages that when cron runs on top of the hour, pcscd is invoked and keeps running every minute. Each minute that it runs seems to be a query to the CAC when it is inserted, and after three invocations we check pklogin_finder debug and it shows the CAC being inaccessible or locked.
Is there a way to find out why cron keeps invoking pcscd?
Additional information from today's debugging
We are watching /var/log/messages after setting pcscd's options to "-a -d"
Every minute we see that the card reader is activated
If we stop crond (service crond stop) then pcscd logs stop appearing every minute, which is why we suspect cron.
There are no cron jobs configured anywhere that we can find that run every minute: /etc/crontab, /etc/cron.d/*, /var/spool/cron/*
We tried commenting out all the pkcs11 lines inside of /etc/pam.d/password-auth and smartcard-auth
This did not stop pcscd logs from appearing when cron runs every minute
Hmm it would surprise me if cron is directly accessing the smart card, I wonder if it's starting something else (even implicitly) like ssh or something?
ldd of /sbin/crond will tell us if cron itself has any pcsc-lite calls.
On my RHEL7 machine it does include the pam stack.
maybe try commenting out various pam modules to see if any of them are trying to open the smart card.
I tried looking for nss libraries of pcsc-lite in the pam files on my system and only found samba and pam_pkcs11. However I know that the pkinit code for kerberos is supposed to work with the smart card and I couldn't find any references to them in krb5*, so I'm not sure my list is exhaustive.
You could also try disabling coolkey in /etc/pki/nssdb
$ modutil -disable "CoolKey PKCS #11 Module" -dbdir sql:/etc/pki/nssdb
$ modutil -disable "CoolKey PKCS #11 Module" -dbdir dbm:/etc/pki/nssdb
Be sure to turn off require smart card login before you do this or you won't be able to log in.
If this gets rid of the messages then we can know the offending application is using libcoolkeypk11 to access the CAC and probably doing it through NSS.
Once we identify this, you can turn coolkey back on with:
$ modutil -enable "CoolKey PKCS #11 Module" -dbdir sql:/etc/pki/nssdb
$ modutil -enable "CoolKey PKCS #11 Module" -dbdir dbm:/etc/pki/nssdb
I tried the latter with disabling coolkey but pcscd was still being called afterwards.
Commenting out various pam modules was something I think we attempted to do but I will have to get with Tyghe and verify.
Thanks for all your assistance in this matter.
I spoke with Tyghe last Friday and confirmed that he already tried commenting the pkcs11 lines and it was not successful.
I'm going to try commenting the lines within /etc/pam.d/cron.d and see if it shows any results.
After commenting all the lines in /etc/pam.d/crond, the messages from pcscd stopped and I began to comment/uncomment each line one by one.
After commenting the following line:
auth include password-auth
The pcscd messages stopped popping up.
OK, this looks like a config issue. It looks like password-auth has the pam_pkcs11 module in it when it shouldn't.
pam_pkcs11 should only show up in system-auth.
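The include chain the thread traced by hand (crond includes password-auth, which carries pam_pkcs11) can be found mechanically. This is an added example, not code from the bug report: it walks a pam.d-style directory, follows include/substack lines, and reports every service whose stack ends up loading pam_pkcs11.so. The sample configuration it builds is constructed to mirror the misplacement described in the last comment.

```shell
#!/bin/sh
# Added example: trace PAM "include"/"substack" chains and report which
# services end up loading pam_pkcs11.so. Assumes a pam.d-style directory;
# the one used below is constructed to mirror the bug.

# resolve_modules DIR SERVICE [PATH] [DEPTH]: print "path<TAB>type<TAB>module"
# for every module SERVICE loads, recursing into included stacks.
resolve_modules() {
    [ "${4:-0}" -gt 8 ] && return           # guard against include loops
    [ -f "$1/$2" ] || return 0              # referenced stack does not exist
    sed 's/#.*//' "$1/$2" | awk 'NF >= 3 { print $1, $2, $3 }' |
    while read -r type control module; do
        case "$control" in
            include|substack)
                resolve_modules "$1" "$module" "${3:-$2} -> $module" $(( ${4:-0} + 1 )) ;;
            *)  printf '%s\t%s\t%s\n' "${3:-$2}" "$type" "$module" ;;
        esac
    done
}

# services_loading DIR MODULE: one line per service whose stack loads MODULE,
# showing the include path that pulls it in.
services_loading() {
    for f in "$1"/*; do
        resolve_modules "$1" "$(basename "$f")" |
        awk -F '\t' -v m="$2" 'index($3, m) { print $1 }'
    done
}

# Constructed sample config: crond includes password-auth, which carries
# pam_pkcs11 (the misplacement found in the thread); system-auth has it too.
PAMD=$(mktemp -d); trap 'rm -rf "$PAMD"' EXIT
cat > "$PAMD/system-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_pkcs11.so
auth        sufficient    pam_unix.so nullok try_first_pass
EOF
cat > "$PAMD/password-auth" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_pkcs11.so   # misplaced: every caller of this stack touches the card
auth        sufficient    pam_unix.so nullok try_first_pass
EOF
cat > "$PAMD/crond" <<'EOF'
auth       required   pam_env.so
auth       include    password-auth
account    required   pam_access.so
EOF
printf 'auth substack password-auth\n' > "$PAMD/sshd"
# Which services reach the smart-card module? Expect crond via password-auth.
offending_services() { services_loading "$PAMD" pam_pkcs11.so | awk '{ print $1 }' | sort -u | xargs; }
services_loading "$PAMD" pam_pkcs11.so
```

Pointing PAMD at a real /etc/pam.d shows which daemons (crond, sshd, and so on) will open the card on every authentication, which is the set to inspect before the card exhausts its PIN retry counter.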