Bug 1583836 - Not able to unlock Gnome screen with SmartCard using Coolkey
Summary: Not able to unlock Gnome screen with SmartCard using Coolkey
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: gdm
Version: 7.5
Hardware: x86_64
OS: Linux
unspecified
medium
Target Milestone: rc
Assignee: Ray Strode [halfline]
QA Contact: Desktop QE
URL:
Whiteboard:
Depends On:
Blocks: 1727111
Reported: 2018-05-29 20:55 UTC by Josip Vilicic
Modified: 2023-09-15 00:09 UTC

Fixed In Version: gnome-shell-3.28.3-12.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-03-31 19:38:49 UTC
Target Upstream Version:
Embargoed:


Attachments
/var/log/messages with GDM Debug enabled (372.36 KB, text/plain), 2018-05-29 20:55 UTC, Josip Vilicic
SmartCard information (406 bytes, text/plain), 2019-09-12 09:45 UTC, Pavlin Georgiev
Listing of PKCS #11 Modules (1.12 KB, text/plain), 2019-09-12 09:46 UTC, Pavlin Georgiev


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:1021 0 None None None 2020-03-31 19:39:44 UTC

Description Josip Vilicic 2018-05-29 20:55:17 UTC
Created attachment 1445552 [details]
/var/log/messages with GDM Debug enabled

Description of problem:
After logging in successfully, the user is not able to unlock Gnome screen with a SmartCard using Coolkey


Version-Release number of selected component (if applicable):
gdm-3.26.2.1-5.el7.x86_64
coolkey-1.1.0-37.el7.x86_64 


How reproducible:
consistent


Steps to Reproduce:
1) Configure a RHEL 7.5 server to authenticate with a SmartCard, and successfully authenticate on the console
2) Authenticate successfully with the SmartCard on the Gnome GUI
3) Lock the screen
4) Try to unlock screen


Actual results:
The box that should accept the user's PIN keeps flashing and the line under it says "Authentication error".  


Expected results:
the screen is unlocked


Additional info:
1) At first, the customer was unable to log into the GUI with the smartcard altogether, but after performing these steps, they were able to log in (but still unable to unlock the screen):
      # /bin/rm /var/cache/coolkey/*
      # logrotate -f /etc/logrotate.conf
      # systemctl restart gdm.service

      And while in the user's home directory (/home/jmulholl):
      # rm -rf .gnome2_private .gnome .gnome2 .gconf .gconfd .metacity .cache .dbus .dmrc .mission-control .thumbnails ~/.config/dconf/user
logrotate -f /etc/logrotate.conf


2) These are some of the errors we see in /var/log/messages with GDM debugging enabled:

May 25 16:45:28 nix436975 journal: JS WARNING: [resource:///org/gnome/shell/ui/modalDialog.js 218]: reference to undefined property "GdkX11Screen"
May 25 16:45:28 nix436975 journal: JS ERROR: TypeError: can't convert undefined to object#012ObjectManager<._onNameVanished@resource:///org/gnome/shell/misc/objectManager.js:241:34#012wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22#012ObjectManager<._onManagerProxyLoaded/<@resource:///org/gnome/shell/misc/objectManager.js:191:17
May 25 16:45:28 nix436975 org.gtk.vfs.Daemon: A connection to the bus can't be made
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.424883]: IMSettings-Daemon[23745]: INFO: Release the ownership of com.redhat.imsettings
May 25 16:45:28 nix436975 com.redhat.imsettings: Exiting...
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.429624]: GLib-GIO[23745]: CRITICAL **: Error while sending AddMatch() message: The connection is closed
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.430494]: GLib-GIO[23745]: CRITICAL **: Error while sending AddMatch() message: The connection is closed
May 25 16:45:28 nix436975 org.gnome.Shell.CalendarServer: gnome-shell-calendar-server[24037]: Lost (or failed to acquire) the name org.gnome.Shell.CalendarServer - exiting
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.431358]: IMSettings-Daemon[23745]: INFO: Unloading imesttings module: qt
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.432487]: IMSettings-Daemon[23745]: INFO: Unloading imesttings module: gsettings
May 25 16:45:28 nix436975 journal: Error releasing name org.freedesktop.portal.IBus: The connection is closed
May 25 16:45:28 nix436975 com.redhat.imsettings: [ 1527281128.433306]: IMSettings-Daemon[23745]: INFO: imsettings-daemon is shut down.
May 25 16:45:28 nix436975 org.freedesktop.Tracker1: Received signal:15->'Terminated'
May 25 16:45:28 nix436975 org.freedesktop.Tracker1: OK


May 25 16:45:29 nix436975 org.a11y.atspi.Registry: SpiRegistry daemon is running with well-known name - org.a11y.atspi.Registry
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Could not make systemd aware of QT_IM_MODULE=ibus environment variable: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Could not make systemd aware of XMODIFIERS=@im=ibus environment variable: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Could not make systemd aware of GNOME_DESKTOP_SESSION_ID=this-is-deprecated environment variable: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Could not make systemd aware of XDG_MENU_PREFIX=gnome- environment variable: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Using systemd for session tracking
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): GsmManager: setting client store 0x1b89e50
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Could not make systemd aware of SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/24672,unix/unix:/tmp/.ICE-unix/24672 environment variable: GDBus.Error:org.freedesktop.DBus.Error.Spawn.ChildExited: Process org.freedesktop.systemd1 exited with status 1
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): GsmXsmpServer: SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/24672,unix/unix:/tmp/.ICE-unix/24672
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): emitting SessionIsActive
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Getting session 'gnome'
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Looking if /var/lib/gdm/.config/gnome-session/sessions/gnome.session is a valid session file
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Cannot use session '/var/lib/gdm/.config/gnome-session/sessions/gnome.session': non-existing or invalid file.
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Looking if /etc/xdg/gnome-session/sessions/gnome.session is a valid session file
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Cannot use session '/etc/xdg/gnome-session/sessions/gnome.session': non-existing or invalid file.
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Looking if /usr/share/gdm/greeter/gnome-session/sessions/gnome.session is a valid session file
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Cannot use session '/usr/share/gdm/greeter/gnome-session/sessions/gnome.session': non-existing or invalid file.
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Looking if /usr/local/share/gnome-session/sessions/gnome.session is a valid session file
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): Cannot use session '/usr/local/share/gnome-session/sessions/gnome.session': non-existing or invalid file.
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Looking if /usr/share/gnome-session/sessions/gnome.session is a valid session file
May 25 16:45:29 nix436975 gnome-session-binary[24672]: DEBUG(+): fill: *** Checking required components


May 25 16:45:42 nix436975 gnome-session-binary[24672]: DEBUG(+): GsmManager: unable to find application for client - not restarting


May 25 16:45:42 nix436975 gdm: Failed to remove greeter program access to the display. Trying to proceed.
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.062934]: IMSettings-Daemon[25077]: INFO: Starting imsettings-daemon...
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.063927]: IMSettings-Daemon[25077]: INFO:   [HOME=/home/jmulholl/.config/imsettings]
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.064559]: IMSettings-Daemon[25077]: INFO:   [XINPUTRCDIR=/etc/X11/xinit/]
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.065214]: IMSettings-Daemon[25077]: INFO:   [XINPUTDIR=/etc/X11/xinit/xinput.d/]
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.066753]: IMSettings-Daemon[25077]: INFO:   [MODULEDIR=/usr/lib64/imsettings]
May 25 16:45:43 nix436975 com.redhat.imsettings: [ 1527281143.068080]: IMSettings-Daemon[25077]: INFO:   [MODULES=gsettings, qt]
May 25 16:45:43 nix436975 org.gtk.vfs.Daemon: fusermount: failed to open mountpoint for reading: Permission denied


May 25 16:45:45 nix436975 dbus[1511]: [system] Activating via systemd: service name='org.freedesktop.Avahi' unit='dbus-org.freedesktop.Avahi.service'
May 25 16:45:45 nix436975 dbus[1511]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.Avahi.service': Unit not found.
May 25 16:45:45 nix436975 journal: Failed to connect to avahi service: Daemon not running
May 25 16:45:45 nix436975 dbus[1511]: [system] Successfully activated service 'org.freedesktop.GeoClue2'
May 25 16:45:45 nix436975 systemd: Started Location Lookup Service.
May 25 16:45:45 nix436975 journal: Failed to register AuthenticationAgent
May 25 16:45:45 nix436975 org.gtk.vfs.AfcVolumeMonitor: Volume monitor alive
May 25 16:45:45 nix436975 spice-vdagent[25496]: Cannot access vdagent virtio channel /dev/virtio-ports/com.redhat.spice.0
May 25 16:45:45 nix436975 gnome-session: gnome-session-binary[24939]: WARNING: App 'spice-vdagent.desktop' exited with code 1
May 25 16:45:45 nix436975 gnome-session-binary[24939]: WARNING: App 'spice-vdagent.desktop' exited with code 1
May 25 16:45:45 nix436975 journal: Error setting up rfkill: Could not open RFKILL control device, please verify your installation
May 25 16:45:45 nix436975 org.gnome.SettingsDaemon.Mouse.desktop: error: XDG_RUNTIME_DIR not set in the environment.
May 25 16:45:45 nix436975 org.gnome.SettingsDaemon.Wacom.desktop: error: XDG_RUNTIME_DIR not set in the environment.
May 25 16:45:45 nix436975 journal: Loading NVML: libnvidia-ml.so: cannot open shared object file: No such file or directory
May 25 16:45:45 nix436975 journal: Failed to get current display configuration state: GDBus.Error:org.freedesktop.DBus.Error.NameHasNoOwner: Name "org.gnome.Mutter.DisplayConfig" does not exist
May 25 16:45:45 nix436975 org.gnome.SettingsDaemon.Keyboard.desktop: error: XDG_RUNTIME_DIR not set in the environment.


May 25 16:45:45 nix436975 journal: Failed to get password expiration policy for user: GDBus.Error:org.freedesktop.Accounts.Error.NotSupported: account expiration policy unknown to accounts service
May 25 16:45:45 nix436975 kernel: xhci_hcd 0000:00:14.0: WARN Event TRB for slot 1 ep 4 with no TDs queued?
May 25 16:45:45 nix436975 journal: Unable to inhibit keypresses: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: Permission denied
May 25 16:45:45 nix436975 journal: failed to obtain org.freedesktop.color-manager.create-profile auth


May 25 16:45:49 nix436975 journal: g_slice_set_config: assertion 'sys_page_size == 0' failed


May 25 16:46:05 nix436975 journal: JS ERROR: Failed to open reauthentication channel: Gio.DBusError: GDBus.Error:org.freedesktop.DBus.Error.AccessDenied: No session available#012ShellUserVerifier<._reauthenticationChannelOpened@resource:///org/gnome/shell/gdm/util.js:364:34#012wrapper@resource:///org/gnome/gjs/modules/_legacy.js:82:22

Comment 11 Pavlin Georgiev 2019-09-12 09:43:59 UTC
TEST SETUP
Distro: RHEL-7.8-20190905.0
Component version:
  gnome-shell-3.28.3-16.el7
  coolkey-1.1.0-40.el7

# lsusb
ID 072f:90cc Advanced Card Systems, Ltd ACR38 SmartCard Reader


TEST PROCEDURE
1. Follow instructions from:
   Red Hat Enterprise Linux > 7 > System-Level Authentication Guide > 4.4. Smart Cards
   https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/smartcards#authconfig-smartcards

2. Follow instructions for testing SmartCards from TCMS plan:
   https://tcms.engineering.redhat.com/case/172836/?from_plan=18015#attachment

3. Use a security certificate, which is in the test case
   in section Attachments: IdmqeLabEngBosRedhatCom_2015-2023.pem

4. Restart GDM.
5. Try to log in.

RESULT
GDM requires PIN. I enter the correct PIN, but I cannot log in.

Comment 12 Pavlin Georgiev 2019-09-12 09:45:23 UTC
Created attachment 1614418 [details]
SmartCard information

Comment 13 Pavlin Georgiev 2019-09-12 09:46:47 UTC
Created attachment 1614419 [details]
Listing of PKCS #11 Modules

Comment 14 sean@alderhost.net 2019-09-22 01:30:04 UTC
I have no additional data to provide, but I have about 20 desktops that exhibit similar behavior after update from 7.6 to 7.7.

Comment 15 sean@alderhost.net 2019-09-23 15:36:33 UTC
It appears the problem my systems are experiencing is related to the update to opensc-0.19.0.  This version of opensc replaces /etc/opensc-x86_64.conf with a symlink to /etc/opensc.conf, unless /etc/opensc-x86_64.conf has been modified, in which case it creates an opensc-x86_64.conf.rpmnew.

The supplied opensc.conf contains very little information and configuration based on the differences with the opensc-x86_64.conf from the previous version in 7.6.  I have made an effort, which I'm not sure is entirely correct, to port my config customization to /etc/opensc.conf.  It seems I am not able to get past the gnome-shell screen locker w/ smartcard authentication after these changes.

Comment 16 David Jaša 2019-10-14 16:05:01 UTC
It works using:
coolkey-1.1.0-40.el7.x86_64, or:
opensc-0.19.0-3.el7.x86_64
pam_pkcs11-0.6.2-30.el7.x86_64
gdm-3.28.2-18.el7.x86_64
gnome-shell-3.28.3-18.el7.x86_64

Getting it working, however, took some time, with no particular change clear that would block it. I suspected:
- coolkey vs. opensc in /etc/pam_pkcs11/pam_pkcs11.conf. At the end of the day, both middlewares work.
- certificates on card. The card is old and certs are only 1024b RSA. I suspected they're refused by crypto policies, but they're not.

What seems to have made it work:
- the CA had to be imported to /etc/pki/nssdb
- the module specified in /etc/pam_pkcs11/pam_pkcs11.conf has to be loaded in nssdb (modutil -dbdir /etc/pki/nssdb -list), p11-kit magic doesn't seem to work even though p11-kit list-modules shows card certificates info just fine
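
Added example, not part of the comment above or of any Red Hat tooling: a shell check for the second point, comparing the module selected by use_pkcs11_module in pam_pkcs11.conf with the libraries that `modutil -list` reports for the NSS database. The function names, the config excerpt and the listing are constructed for illustration, and the `library name:` line format of the listing is an assumption.

```shell
# Added example. Print the library of the module named by use_pkcs11_module (config on stdin).
configured_module_path() {
  awk '
    function val(s) { sub(/^[^=]*=[ \t]*/, "", s); sub(/[ \t]*;.*$/, "", s); return s }
    { sub(/#.*/, "") }                                   # drop comments
    /^[ \t]*use_pkcs11_module[ \t]*=/ { want = val($0) }
    /^[ \t]*pkcs11_module[ \t]+[^ \t{]+/ { cur = $2; sub(/[{].*/, "", cur) }
    /^[ \t]*module[ \t]*=/ && cur != "" { lib[cur] = val($0) }
    /[}]/ { cur = "" }
    END { if (want != "" && (want in lib)) print lib[want]; else exit 1 }'
}

# Succeed if `modutil -list` output on stdin names library $1 (basename match).
nssdb_lists_library() {
  awk -v want="$(basename "$1")" '
    /library name:/ { p = $0; sub(/.*library name:[ \t]*/, "", p); sub(/[ \t\r]+$/, "", p)
                      n = split(p, part, "/"); if (part[n] == want) found = 1 }
    END { exit (found ? 0 : 1) }'
}

sample_conf() {      # constructed pam_pkcs11.conf excerpt
  cat <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = coolkey;
  pkcs11_module coolkey {
    module = libcoolkeypk11.so;
  }
  pkcs11_module opensc {
    module = /usr/lib64/opensc-pkcs11.so;
  }
}
EOF
}
sample_listing() {   # constructed `modutil -list` output: only OpenSC is loaded
  cat <<'EOF'
  1. NSS Internal PKCS #11 Module
         status: loaded
  2. OpenSC PKCS #11 Module
        library name: /usr/lib64/opensc-pkcs11.so
         status: loaded
EOF
}

if [ "${1:-}" = "--live" ]; then   # file and NSS database paths as named in the comment
  lib=$(configured_module_path < /etc/pam_pkcs11/pam_pkcs11.conf) || exit 2
  listing=$(modutil -dbdir /etc/pki/nssdb -list)
else
  lib=$(sample_conf | configured_module_path); listing=$(sample_listing)
fi
if printf '%s\n' "$listing" | nssdb_lists_library "$lib"; then
  echo "OK: $lib is loaded in the NSS database"
else
  echo "MISSING: $lib is selected in pam_pkcs11.conf but not loaded in the NSS database"
fi
```

Run without arguments it evaluates the constructed samples and reports the mismatch; run with `--live` as root it reads the real configuration and NSS database.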

Comment 18 errata-xmlrpc 2020-03-31 19:38:49 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:1021

Comment 19 Red Hat Bugzilla 2023-09-15 00:09:42 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 500 days

