Could you provide the commands to run that will list the certificates on the smartcard when using OpenSC?
When smartcard login is configured using authconfig and the smartcard is inserted before gdm login after a reboot, gdm does not prompt for the smartcard PIN. I also see the following:
[rpattath@localhost ~]$ pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:201: NSS_Initialize faile: (null)
DEBUG:pklogin_finder.c:66: Couldn't initialize crypto module
We should be able to list all the objects on the card, including certificates, using pkcs11-tool -O --module=/usr/lib64/pkcs11/opensc-pkcs11.so
If I remember well, we discussed something related to these events with Bob last year and he pointed out that it can be a problem in some cases because of some false expectations of some software.
1) Does it work with Coolkey?
2) Is pam_pkcs11 correctly configured to use OpenSC?
Looking at my tests for interactive wait, I seem to be able to make it work only if I specify the slot where I expect the card to appear, but Bob's one does it without it using NSS. A whole trace of what is going on there on the PKCS11 level would be useful (running with PKCS11SPY, for example).
Also, to pinpoint the problem:
3) Does it work with PIV and OpenSC?
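As an added example (not code from the bug report, OpenSC or pam_pkcs11), the listing suggested in comment #4 and the PKCS11SPY trace suggested in comment #5, wrapped into a small script. It lists the objects on the card through OpenSC's module, filters the listing down to certificates, reads one certificate off the card to check who issued it, and runs the same listing through pkcs11-spy so every C_* call into OpenSC is logged. The module paths are the RHEL 7 / Fedora x86_64 locations and are an assumption; the sample listing at the bottom is constructed so the parser can be exercised without a card.

```shell
#!/bin/sh
# Added example, not code from the bug report, OpenSC or pam_pkcs11.
# Lists the objects on a card through OpenSC's PKCS#11 module, filters the
# listing down to certificates, pulls one certificate off the card, and
# optionally runs the same listing through pkcs11-spy for a PKCS#11-level
# trace. Module paths are the RHEL 7 / Fedora x86_64 locations (assumed).

OPENSC_MODULE="${OPENSC_MODULE:-/usr/lib64/pkcs11/opensc-pkcs11.so}"
SPY_MODULE="${SPY_MODULE:-/usr/lib64/pkcs11/pkcs11-spy.so}"

# Every object on the card: certificates, private/public keys, data objects.
list_card_objects() {
    pkcs11-tool --module "$OPENSC_MODULE" -O
}

# The same listing, loaded through pkcs11-spy so each C_* call into OpenSC
# is logged. PKCS11SPY names the real module, PKCS11SPY_OUTPUT the log file.
trace_card_objects() {
    PKCS11SPY="$OPENSC_MODULE" PKCS11SPY_OUTPUT="${1:-/tmp/pkcs11-spy.log}" \
        pkcs11-tool --module "$SPY_MODULE" -O
}

# Read "pkcs11-tool -O" output on stdin, print "<ID> <label>" per certificate.
# A certificate entry starts with "Certificate Object;" and its indented
# label:/ID: lines run until the next object header.
certs_from_listing() {
    awk '
        function flush() {
            if (incert && (id != "" || label != "")) {
                out = (id == "" ? "-" : id) " " label
                print out
            }
            incert = 0
        }
        /^[A-Za-z].*[Oo]bject[; ]/ { flush(); incert = ($1 == "Certificate"); label = ""; id = ""; next }
        incert && $1 == "label:" { sub(/^[ \t]*label:[ \t]*/, ""); label = $0 }
        incert && $1 == "ID:"    { id = $2 }
        END { flush() }
    '
}

# Pull the certificate with the given ID off the card and show its subject,
# issuer and expiry; the issuer is what pam_pkcs11 must be able to chain to.
show_card_cert() {   # $1 = object ID as printed by pkcs11-tool, e.g. 01
    pkcs11-tool --module "$OPENSC_MODULE" --read-object --type cert --id "$1" \
        --output-file "/tmp/card-cert-$1.der"
    openssl x509 -inform DER -in "/tmp/card-cert-$1.der" -noout \
        -subject -issuer -enddate
}

# Constructed sample of "pkcs11-tool -O" output for a PIV-style card, so the
# parser can be exercised without hardware.
sample_listing() {
    cat <<'EOF'
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Certificate for PIV Authentication
  subject:    DN: C=US, O=Example Org, CN=Example User
  ID:         01
Private Key Object; RSA
  label:      PIV AUTH key
  ID:         01
  Usage:      decrypt, sign
Certificate Object; type = X.509 cert
  label:      Certificate for Digital Signature
  subject:    DN: C=US, O=Example Org, CN=Example User
  ID:         02
Public Key Object; RSA 2048 bits
  label:      PIV AUTH pubkey
  ID:         01
EOF
}

case "${1:-}" in
    list)  list_card_objects | certs_from_listing ;;
    trace) trace_card_objects "$2" ;;
    cert)  show_card_cert "$2" ;;
    demo)  sample_listing | certs_from_listing ;;
esac
```

Run it as `sh card-certs.sh list` with the card inserted, `sh card-certs.sh trace /tmp/spy.log` to get the PKCS#11 trace Jakub asked for (the log shows every C_GetSlotList/C_FindObjects call and its return code, which is what pinpoints where pam_pkcs11 and the module disagree), and `sh card-certs.sh demo` to see the parser on the constructed sample.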
(In reply to Jakub Jelen from comment #4)
> We should be able to list all the objects on the card including certificates
> using pkcs11-tool -O --module=/usr/lib64/pkcs11/opensc-pkcs11.so
> If I remember well, we discussed something related to these events with Bob
> last year and he pointed out that it can be a problem in some cases because of
> some false expectations of some software.
> 1) Does it work with Coolkey?
Yes it does work with coolkey
> 2) Is pam_pkcs11 correctly configured to use OpenSC?
I made this change to pam_pkcs11.conf
use_pkcs11_module = opensc;
> Looking at my tests for interactive wait, I seem to be able to make it work
> only if I specify the slot where I expect the card to appear, but Bob's one
> does it without it using NSS. A whole trace of what is going on there on the
> PKCS11 level would be useful (running with PKCS11SPY, for example).
Would you provide more information on how this can be run?
(In reply to Jakub Jelen from comment #5)
> Also, to pinpoint the problem:
> 3) Does it work with PIV and OpenSC?
Since the PIV cards we use for testing do not have the associated CA information, pklogin_finder cannot be tested. I tried using a Gemalto 64K card and I see the same output as in comment 3.
Looking through the logs and playing around in my Fedora, it looks like the pam_pkcs11 default configuration does not change the default nss_db to /etc/pki/nssdb (as coolkey does), so there are two possibilities for how to make it work:
* set nss_db=/etc/pki/nssdb (and also make sure this DB has OpenSC PKCS#11 module)
* initialize new NSS DB in the existing path /etc/pam_pkcs11/nssdb
I went the second way and I was able to initialize the NSS DB and move further (though I don't have the CAs set up, so I didn't verify it worked completely). Let me know if there are any other issues.
I guess we should either change the configuration shipped in the pam_pkcs11 or document it somewhere.
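As an added example (not from the bug report, pam_pkcs11 or NSS), the second option above carried through end to end: create the NSS DB at the directory the pklogin_finder debug output shows pam_pkcs11 opening, register the OpenSC PKCS#11 module in it, import the issuing CA, and verify that the module is actually listed. Setting NSSDB_DIR=/etc/pki/nssdb turns it into the first option instead. The paths are RHEL 7 x86_64 locations and are assumptions; the modutil listing at the bottom is a constructed sample so the check can be exercised without touching a real DB.

```shell
#!/bin/sh
# Added example, not from the bug report, pam_pkcs11 or NSS: initialise the
# NSS DB pam_pkcs11 opens, register the OpenSC PKCS#11 module in it, import
# the CA that issued the card certificates, and verify the module is listed.
# Set NSSDB_DIR=/etc/pki/nssdb to take the first option from the comment
# above instead. Paths are RHEL 7 x86_64 locations and an assumption.

NSSDB_DIR="${NSSDB_DIR:-/etc/pam_pkcs11/nssdb}"
OPENSC_MODULE="${OPENSC_MODULE:-/usr/lib64/pkcs11/opensc-pkcs11.so}"

# Create an empty DB if none is present. No "sql:"/"dbm:" prefix, so
# certutil picks the same default format NSS_Initialize will look for when
# pam_pkcs11 opens the directory. --empty-password avoids the prompt;
# pam_pkcs11 never supplies a DB password.
init_nssdb() {
    if [ ! -e "$NSSDB_DIR/cert9.db" ] && [ ! -e "$NSSDB_DIR/cert8.db" ]; then
        mkdir -p "$NSSDB_DIR"
        certutil -N -d "$NSSDB_DIR" --empty-password
    fi
}

# Register OpenSC so NSS sees the card through it. The module name is free
# text; -force suppresses the interactive confirmation.
add_opensc_module() {
    modutil -dbdir "$NSSDB_DIR" -add "OpenSC" -libfile "$OPENSC_MODULE" -force
}

# Import the issuing CA with client-auth trust ("CT,C,C") so the certificate
# on the card chains to something pam_pkcs11 will accept.
add_ca() {   # $1 = CA certificate in PEM, $2 = nickname
    certutil -A -d "$NSSDB_DIR" -n "$2" -t "CT,C,C" -i "$1"
}

# Read "modutil -list" output on stdin; exit 0 only if a module whose
# library file is $1 is present and reported as loaded.
module_loaded_in_listing() {   # $1 = library path
    awk -v lib="$1" '
        /^ *[0-9]+\. /                                  { cur = "" }
        $1 == "library" && $2 == "name:" && $3 == lib    { cur = lib }
        $1 == "status:" && $2 == "loaded" && cur == lib  { found = 1 }
        END { exit found ? 0 : 1 }
    '
}

check_opensc_registered() {
    modutil -dbdir "$NSSDB_DIR" -list | module_loaded_in_listing "$OPENSC_MODULE"
}

# Constructed sample of "modutil -list" output after the module was added,
# so the check can be exercised without a real DB.
sample_modutil_listing() {
    cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. OpenSC
        library name: /usr/lib64/pkcs11/opensc-pkcs11.so
         slots: 1 slot attached
        status: loaded

         slot: Gemalto PC Twin Reader 00 00
        token: (empty)
-----------------------------------------------------------
EOF
}

case "${1:-}" in
    setup) init_nssdb; add_opensc_module; check_opensc_registered ;;
    ca)    add_ca "$2" "$3" ;;
    check) check_opensc_registered ;;
esac
```

`sh pam-nssdb.sh setup` as root creates and populates the DB and fails if modutil does not list OpenSC afterwards; `sh pam-nssdb.sh ca issuing-ca.pem "Issuing CA"` adds the CA so pklogin_finder can actually map the card certificate to a user. The DB-format point matters: if certutil creates a cert9.db while the NSS that pam_pkcs11 links against defaults to cert8.db (or vice versa), NSS_Initialize fails exactly as in comment 3 even though a DB exists.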
It looks like Coolkey is picking up the label not from PKCS#15 structures, but from the CN of the certificate itself.
Browsing through the code, it is implemented in src/coolkey/object.cpp:2525
/* if we didn't get a label, set one based on the CN */
This can be a useful feature worth implementing in OpenSC, but it does not look like something that would be a blocker for RHEL 7.4. I added a note for future plans.
Thanks for pointing to the correct doc. I added a note to the bug #1425712 to make sure it will get updated.
[root@dhcp129-77 ~]# rpm -qi opensc
Name : opensc
Version : 0.16.0
Release : 4.20170227git777e2a3.el7
Install Date: Mon 01 May 2017 01:34:30 PM EDT
Group : System Environment/Libraries
Size : 3256689
License : LGPLv2+
Signature : RSA/SHA256, Thu 13 Apr 2017 04:32:48 AM EDT, Key ID 199e2f91fd431d51
Source RPM : opensc-0.16.0-4.20170227git777e2a3.el7.src.rpm
Build Date : Thu 13 Apr 2017 04:04:15 AM EDT
Build Host : x86-017.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor : Red Hat, Inc.
URL : https://github.com/OpenSC/OpenSC/wiki
Summary : Smart card library and applications
Certificates were detected by Firefox. gdm login and pklogin_finder were successful.
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.