Bug 1309427 - Smart Card Locked after Linux login
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: pam_pkcs11
Hardware: x86_64 Linux
Priority: unspecified
Severity: medium
Target Milestone: rc
Assigned To: Bob Relyea
QA Contact: Asha Akkiangady
Reported: 2016-02-17 14:04 EST by Jeffrey
Modified: 2017-10-17 13:49 EDT
CC List: 3 users
Environment: Department of Defense
Last Closed: 2017-10-17 13:49:20 EDT
Type: Bug

Attachments: None
Description Jeffrey 2016-02-17 14:04:44 EST
Description of problem: After a user has authenticated via CAC to a RHEL box, it is somehow being locked.

This is discovered when the CAC is removed and inserted into their Windows machine only to show that the CAC has been blocked which then needs to be unlocked by our Security Office.

Version-Release number of selected component (if applicable):

How reproducible: Sporadic

Steps to Reproduce:
1. Login to RHEL machine via CAC
2. Remove CAC and attempt to login to Windows machine
3. CAC shows "blocked"

Actual results:

Expected results:

Additional info: The RHEL machine matches the CAC EDIPI with cn_map that has the user's CAC information.
Comment 2 Bob Relyea 2016-02-17 18:40:38 EST
I'm not sure this is pam_pkcs11. If pam_pkcs11 logged in, then the card is unlocked. If a locked card can log in, then it by definition is not locked (at least at the time pam_pkcs11 sees it).

The question is what else is running. Lots of apps could trigger attempts to log into the CAC card.

Can the user log in again with the card that was locked? (If so, we have a bug in pam_pkcs11.)

If not, then the card was locked by some other application running on the system and not pam.

Comment 3 Bob Relyea 2016-02-17 18:41:36 EST
see comment 2.
Comment 4 Jeffrey 2016-02-18 07:59:50 EST
Good morning,

Correct, pam_pkcs11 works properly during the initial login.

I will take a look at all the apps running when a user is logged into the machine and see what might be triggering the CAC to be locked.

If the CAC has been locked and the user were to attempt to unlock their Windows or RHEL machines, it will give them an error saying that the CAC has been blocked.

I don't know what application would keep querying the user's CAC repeatedly and then cause it to lock itself and I will check to see what might be doing so.

Thank you for your assistance.
Comment 5 Jeffrey 2016-02-23 10:43:28 EST

So I ran "pklogin_finder debug" once to see if there were any useful logs that would come out of it. After entering my CAC pin once, it said that it was incorrect. Curious, I removed my CAC and plugged it to my Windows machine to unlock it. It said that my CAC was blocked again, this time, the locking was almost instantaneous.
Comment 6 Bob Relyea 2016-02-24 12:42:22 EST
I think we're going to need a test CAC card. We aren't seeing this with our cards. Do you have any cards from your test infrastructure we can get?

Comment 7 Jeffrey 2016-02-25 13:50:09 EST
Hi Bob,

Unfortunately, we cannot obtain test CACs at our site. I did however visit DISA's website to download the most recent package for the NSS database, and my CAC has yet to lock after the initial login or unlocking the screen saver.

I have reimaged the machine to test this properly just in case it's a fluke.

Comment 8 Jeffrey 2016-02-29 15:05:57 EST

So it was a false alarm, the CAC locked again a while later after leaving it in the machine.
Comment 9 Bob Relyea 2016-02-29 16:05:51 EST
That tends to say that there is something else running that's locking the smart card, since pam_pkcs11 is only involved at login time.
Comment 10 Jeffrey 2016-03-17 11:41:24 EDT

We found out within /var/log/messages that when cron runs on top of the hour, pcscd is invoked and keeps running every minute. Each minute that it runs seems to be a query to the CAC when it is inserted, and after three invocations we check pklogin_finder debug and it shows the CAC being inaccessible or locked.

Is there a way to find out why cron keeps invoking pcscd?
Comment 11 Tyghe Vallard 2016-03-17 11:48:51 EDT
Additional information from today's debugging

We are watching /var/log/messages after setting pcscd's options to "-a -d"
Every minute we see that the card reader is activated

If we stop crond (service crond stop) then pcscd logs stop appearing every minute, which is why we suspect cron.

There are no cron jobs configured anywhere that we can find that run every minute
/etc/crontab, /etc/cron.d/*, /var/spool/cron/*

We tried commenting out all the pkcs11 lines inside of 
/etc/pam.d/password-auth and smartcard-auth

This did not stop pcscd logs from appearing when cron runs every minute
Comment 12 Bob Relyea 2016-03-17 18:30:42 EDT
Hmm, it would surprise me if cron is directly accessing the smart card. I wonder if it's starting something else (even implicitly) like ssh or something?

ldd of /sbin/crond will tell us if cron itself has any pcsc-lite calls.
On my RHEL7 machine it does include the pam stack.

Maybe try commenting out various pam modules to see if any of them are trying to open the smart card.

I tried looking for nss libraries or pcsc-lite in the pam files on my system and only found samba and pam_pkcs11. However, I know that the pkinit code for kerberos is supposed to work with the smart card and I couldn't find any references to them in krb5*, so I'm not sure my list is exhaustive.

You could also try disabling coolkey in /etc/pki/nssdb

 $ modutil -disable "CoolKey PKCS #11 Module" -dbdir sql:/etc/pki/nssdb
 $ modutil -disable "CoolKey PKCS #11 Module" -dbdir dbm:/etc/pki/nssdb

Be sure to turn off require smart card login before you do this or you won't be able to log in.

If this gets rid of the messages then we know the offending application is using libcoolkeypk11 to access the CAC and probably doing it through NSS.

Once we identify this, you can turn coolkey back on with:
 $ modutil -enable "CoolKey PKCS #11 Module" -dbdir sql:/etc/pki/nssdb
 $ modutil -enable "CoolKey PKCS #11 Module" -dbdir dbm:/etc/pki/nssdb

Comment 13 Jeffrey 2016-03-17 18:51:28 EDT
Hi Bob,

I tried the latter with disabling coolkey but pcscd was still being called afterwards. 

Commenting out various pam modules was something I think we attempted to do but I will have to get with Tyghe and verify.

Thanks for all your assistance in this matter.
Comment 14 Jeffrey 2016-03-21 08:34:37 EDT

I spoke with Tyghe last Friday and confirmed that he already tried commenting the pkcs11 lines and it was not successful. 

I'm going to try commenting the lines within /etc/pam.d/cron.d and see if it shows any results.

Comment 15 Jeffrey 2016-03-21 08:57:22 EDT

After commenting all the lines in /etc/pam.d/crond, the messages from pcscd stopped and I began to comment/uncomment each line one by one.

After commenting the following line....

auth       include    password-auth

The pcscd messages stopped popping up.
Comment 19 Bob Relyea 2016-11-04 18:33:06 EDT
OK, this looks like a config issue. It looks like password-auth has the pam_pkcs11 module in it when it shouldn't.

pam_pkcs11 should only show up in system-auth.
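
The include chain that comments 15 and 19 pin down (crond's PAM stack includes password-auth, which carried pam_pkcs11, so every cron run probed the card) can be found mechanically rather than by commenting lines out one at a time. The script below is an added example, not from the bug report or the pam_pkcs11 project; the pam.d tree it builds in a temp directory is constructed to mirror the reported setup, so the file names and PAM lines in build_sample are illustrative.

```shell
#!/bin/sh
# Added example, not part of the bug report: walk PAM include/substack
# chains under a pam.d directory and report every service whose stack ends
# up loading pam_pkcs11.so. The sample tree below is constructed to mirror
# comments 15 and 19 (crond -> password-auth -> pam_pkcs11.so) and runs offline.

# pam_trace DIR SERVICE [CHAIN] [DEPTH]
# Prints one "a -> b" line per path from SERVICE to a file that references
# pam_pkcs11.so. The body is a subshell so its variables stay local.
pam_trace() (
  dir=$1 svc=$2 chain=${3:-$2} depth=${4:-0}
  [ -f "$dir/$svc" ] || exit 0
  [ "$depth" -gt 8 ] && exit 0            # stop a runaway include cycle
  grep -q 'pam_pkcs11\.so' "$dir/$svc" && echo "$chain"
  # Follow include/substack controls; commented-out lines do not count.
  grep -Ev '^[[:space:]]*#' "$dir/$svc" \
    | awk '$2 == "include" || $2 == "substack" { print $3 }' \
    | while read -r sub; do
        pam_trace "$dir" "$sub" "$chain -> $sub" $((depth + 1))
      done
  true
)

# pam_audit DIR: trace every service file in DIR (e.g. /etc/pam.d).
pam_audit() {
  for f in "$1"/*; do pam_trace "$1" "$(basename "$f")"; done
}

# build_sample DIR: constructed pam.d tree reproducing the reported setup;
# password-auth carries pam_pkcs11.so and crond includes password-auth.
build_sample() {
  mkdir -p "$1"
  printf 'auth  sufficient  pam_pkcs11.so\nauth  required  pam_unix.so\n' > "$1/system-auth"
  printf 'auth  sufficient  pam_pkcs11.so\nauth  required  pam_unix.so\n' > "$1/password-auth"
  printf 'auth  required  pam_env.so\nauth  include  password-auth\n' > "$1/crond"
  printf 'auth  substack  system-auth\n' > "$1/login"
  printf '#auth  include  password-auth\nauth  required  pam_unix.so\n' > "$1/sshd-commented"
}

# apply_fix DIR: the fix from comment 19, drop pam_pkcs11 from password-auth.
apply_fix() {
  tmp=$(mktemp)
  sed '/pam_pkcs11\.so/d' "$1/password-auth" > "$tmp" && mv "$tmp" "$1/password-auth"
}

d=$(mktemp -d); build_sample "$d"
echo "--- before fix"; pam_audit "$d"
apply_fix "$d"
echo "--- after fix"; pam_audit "$d"
rm -rf "$d"
```

Pointing pam_audit at a real /etc/pam.d lists every service (crond, sshd, login, ...) whose stack reaches pam_pkcs11, which is the list to compare against the "only system-auth" expectation in comment 19.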
