Bug 1632664
| Field | Value |
|---|---|
| Summary | sssd does not display meaningful error CERT_VerifyCertificateNow failed [-8102] |
| Product | Red Hat Enterprise Linux 7 |
| Reporter | amitkuma |
| Component | sssd |
| Assignee | SSSD Maintainers <sssd-maint> |
| Status | CLOSED CANTFIX |
| QA Contact | sssd-qe <sssd-qe> |
| Severity | unspecified |
| Priority | unspecified |
| Version | 7.6 |
| CC | amitkuma, fedoraproject, grajaiya, jhrozek, lslebodn, mzidek, pbrezina, sbose, tscherf |
| Target Milestone | rc |
| Target Release | --- |
| Hardware | Unspecified |
| OS | Linux |
| Doc Type | If docs needed, set a value |
| Story Points | --- |
| Last Closed | 2020-03-23 16:30:14 UTC |
| Type | Bug |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| Category | --- |
| oVirt Team | --- |
| Cloudforms Team | --- |
Description
amitkuma
2018-09-25 10:43:20 UTC
(In reply to amitkuma from comment #0)

> Description of problem:
> Configured Smart card Authentication for active directory user Login using
> Smart card and SSSD.
>
> Followed:
> https://docs.pagure.org/SSSD.sssd/design_pages/smartcard_authentication_testing_with_ad.html
> ...
>
> (Tue Sep 25 15:38:42 2018) [sssd[ssh]] [cert_to_ssh_key] (0x0020):
> CERT_VerifyCertificateNow failed [-8102].

In the next RHEL version the SSH responder will use p11_child to verify the certificate which will print the description of the error code as well. For older SSSD versions please use e.g. https://www-archive.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html to translate the error codes.

> (Tue Sep 25 15:38:42 2018) [sssd[ssh]] [get_valid_certs_keys] (0x0040):
> cert_to_ssh_key failed, ignoring.
> (Tue Sep 25 15:38:42 2018) [sssd[ssh]] [ssh_protocol_done] (0x4000): Sending
> reply: success
> (Tue Sep 25 15:38:42 2018) [sssd[ssh]] [client_recv] (0x0200): Client
> disconnected!
> (Tue Sep 25 15:38:42 2018) [sssd[ssh]] [client_close_fn] (0x2000):
> Terminated client [0x55b4cb3d2380][18]
>
>
> Version-Release number of selected component (if applicable):
> # rpm -qa | grep sssd
> sssd-common-pac-1.16.0-19.el7_5.5.x86_64
> sssd-ldap-1.16.0-19.el7_5.5.x86_64
> sssd-krb5-1.16.0-19.el7_5.5.x86_64
> python-sssdconfig-1.16.0-19.el7_5.5.noarch
> sssd-ipa-1.16.0-19.el7_5.5.x86_64
> sssd-tools-1.16.0-19.el7_5.5.x86_64
> sssd-ad-1.16.0-19.el7_5.5.x86_64
> sssd-1.16.0-19.el7_5.5.x86_64
> sssd-krb5-common-1.16.0-19.el7_5.5.x86_64
> sssd-proxy-1.16.0-19.el7_5.5.x86_64
> sssd-dbus-1.16.0-19.el7_5.5.x86_64
> redhat-internal-sssd-config-0.3-8.el7.csb.noarch
> sssd-common-1.16.0-19.el7_5.5.x86_64
> sssd-client-1.16.0-19.el7_5.5.x86_64
>
>
> How reproducible:
> all times in local env
>
> Further Queries:
> 1. This is sssd checking client certificate on smart-card against CA cert
> present in nssdb, Can we disable this check?

Please see the 'no_verification' argument of the certificate_verification option explained in man sssd.conf.

> 2. Is KU=Digital Signature required all times in client certificate? Is this
> critical extension and required all times?

This restriction should be lifted in the next RHEL version as well.

> Actual results:
> #/usr/bin/sss_ssh_authorizedkeys prasad
> does not return public keys
>
> Expected results:
> #/usr/bin/sss_ssh_authorizedkeys prasad
> Should return public keys
>
> Additional info:
> none

After specifying no_verification.
[sssd]
certificate_verification = no_verification
# /usr/bin/sss_ssh_authorizedkeys prasad
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCDuOofqXTcSkOpbHLVRkpnCaveM9RABzLWGT/2qwNXvW1a53T2VsBet769s1i7UsZbIjBooOGbYX6Uv/nYS3AphXHDsBozki+J/ecWtxXnUUVMOrKUNprViWfp6vRFlziTgfVO7u8qZzrlgdXO4Q0Hw8d9OCIZGEb0jkJ0KGfMJQ==
But ssh fails.
# ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so prasad@localhost
Enter PIN for 'prasad (prasad)': <<Entered correct PIN
C_Login failed: 5
sign_and_send_pubkey: signing failed: error in libcrypto
no such identity: /root/.ssh/id_ecdsa: No such file or directory
no such identity: /root/.ssh/id_ed25519: No such file or directory
Password:
5 means general error.
./src/pkcs11/pkcs11.h:#define CKR_GENERAL_ERROR (5UL)
I suppose ssh is not able to send public Key to Server?
Though Public key is present in sssd cache entry.
With coolkey
# ssh -I /usr/lib64/pkcs11/libcoolkeypk11.so prasad@localhost
Enter PIN for 'prasad':
C_Login failed: 179
sign_and_send_pubkey: signing failed: error in libcrypto
no such identity: /root/.ssh/id_ecdsa: No such file or directory
no such identity: /root/.ssh/id_ed25519: No such file or directory
Password:
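Sumit's first reply says that older SSSD versions log only the numeric NSS code from CERT_VerifyCertificateNow and leave the translation to the reader. The script below is an added example, not SSSD code and not written by anyone in this thread: it parses SSSD debug lines of the form shown in the description and maps the code in `CERT_VerifyCertificateNow failed [-8102]` to its symbolic name. The NSS_ERRORS table lists only values taken from NSS's secerr.h (SEC_ERROR_BASE is -0x2000 and each code is a small offset from it), the HINTS wording is my own, and the third sample line (-8179) is constructed to show a second code being decoded.

```python
"""Decode NSS error codes in SSSD debug log lines (added example, not SSSD code)."""
import re
from typing import Dict, List, Optional

# Subset of NSS error codes from NSS's secerr.h: SEC_ERROR_BASE = -0x2000 = -8192
# and each code is SEC_ERROR_BASE + offset. Only values I am certain of are listed;
# secerr.h (or the Mozilla page linked in the thread) is the authoritative list.
NSS_ERRORS: Dict[int, str] = {
    -8192: "SEC_ERROR_IO",
    -8191: "SEC_ERROR_LIBRARY_FAILURE",
    -8190: "SEC_ERROR_BAD_DATA",
    -8182: "SEC_ERROR_BAD_SIGNATURE",
    -8181: "SEC_ERROR_EXPIRED_CERTIFICATE",
    -8180: "SEC_ERROR_REVOKED_CERTIFICATE",
    -8179: "SEC_ERROR_UNKNOWN_ISSUER",
    -8172: "SEC_ERROR_UNTRUSTED_ISSUER",
    -8171: "SEC_ERROR_UNTRUSTED_CERT",
    -8156: "SEC_ERROR_CA_CERT_INVALID",
    -8102: "SEC_ERROR_INADEQUATE_KEY_USAGE",
    -8101: "SEC_ERROR_INADEQUATE_CERT_TYPE",
}

# Operator-facing hints (my wording) for codes commonly seen when SSSD validates
# a smart-card certificate against the CA in its NSS database.
HINTS: Dict[str, str] = {
    "SEC_ERROR_INADEQUATE_KEY_USAGE": "certificate lacks the key usage SSSD requires (digitalSignature)",
    "SEC_ERROR_UNKNOWN_ISSUER": "issuing CA is not in the NSS database SSSD uses (see ca_db)",
    "SEC_ERROR_UNTRUSTED_ISSUER": "issuing CA is present but not trusted (check certutil trust flags)",
    "SEC_ERROR_EXPIRED_CERTIFICATE": "certificate validity period has passed (or the clock is wrong)",
}

# SSSD debug line: "(timestamp) [sssd[ssh]] [function] (0xLEVEL): message"
LOG_LINE = re.compile(
    r"^\((?P<ts>[^)]*)\) \[(?P<proc>.+?)\] \[(?P<func>[^\]]+)\] "
    r"\((?P<level>0x[0-9a-fA-F]+)\): (?P<msg>.*)$"
)
# "<NSS call> failed [<code>]" as printed by cert_to_ssh_key
NSS_FAIL = re.compile(r"(?P<call>\w+) failed \[(?P<code>-?\d+)\]")


def parse_line(line: str) -> Optional[dict]:
    """Split one SSSD debug line into its fields; None if the line is not one."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    fields = m.groupdict()
    fields["level"] = int(fields["level"], 16)
    return fields


def explain_nss_code(code: int) -> str:
    """Symbolic name for an NSS error code, or a marker for codes not in the table."""
    return NSS_ERRORS.get(code, f"unknown NSS error {code}")


def find_nss_failures(lines: List[str]) -> List[dict]:
    """One finding per log line that reports a failed NSS call with a numeric code."""
    findings = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        m = NSS_FAIL.search(parsed["msg"])
        if not m:
            continue
        code = int(m.group("code"))
        name = explain_nss_code(code)
        findings.append({
            "ts": parsed["ts"],
            "func": parsed["func"],
            "call": m.group("call"),
            "code": code,
            "name": name,
            "hint": HINTS.get(name, "see secerr.h for this code"),
        })
    return findings


# Sample input: two lines quoted from the bug description, plus one constructed
# line carrying -8179 to show a second code being decoded.
SAMPLE_LOG = [
    "(Tue Sep 25 15:38:42 2018) [sssd[ssh]] [cert_to_ssh_key] (0x0020): CERT_VerifyCertificateNow failed [-8102].",
    "(Tue Sep 25 15:38:42 2018) [sssd[ssh]] [get_valid_certs_keys] (0x0040): cert_to_ssh_key failed, ignoring.",
    "(Tue Sep 25 15:40:01 2018) [sssd[ssh]] [cert_to_ssh_key] (0x0020): CERT_VerifyCertificateNow failed [-8179].",  # constructed
]

if __name__ == "__main__":
    for f in find_nss_failures(SAMPLE_LOG):
        print(f"{f['ts']} {f['func']}: {f['call']} -> {f['code']} {f['name']} ({f['hint']})")
```

Run it against a captured `/var/log/sssd/sssd_ssh.log` (`find_nss_failures(open(path).readlines())`) and the -8102 from this bug comes back as SEC_ERROR_INADEQUATE_KEY_USAGE, which is the key-usage requirement the reporter asks about in query 2; the `(0x0020)` level is kept as an integer so a caller can filter on severity.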
If C_Login fails ssh cannot access the private key on the card. Does login by other means work, e.g. p11tool --provider /usr/lib64/pkcs11/opensc-pkcs11.so --list-all --login? Does 'ssh -v -v -v ....' show more details? You might want to enable debugging for OpenSC in /etc/opensc-x86_64.conf to get more details about the communication with the Smartcard.

# p11tool --provider /usr/lib64/pkcs11/opensc-pkcs11.so --list-all --login
Token 'prasad (prasad)' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=9061450c01231622;token=prasad%20%28prasad%29' requires user PIN
Enter PIN:
Object 0:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=9061450c01231622;token=prasad%20%28prasad%29;id=%01;object=signing%20key%20for%20prasad;type=private
Type: Private key
Label: signing key for prasad
Flags: CKA_PRIVATE; CKA_SENSITIVE;
ID: 01

Object 1:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=9061450c01231622;token=prasad%20%28prasad%29;id=%01;object=signing%20key%20for%20prasad;type=public
Type: Public key
Label: signing key for prasad
ID: 01

Object 2:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=9061450c01231622;token=prasad%20%28prasad%29;id=%01;object=signing%20key%20for%20prasad;type=cert
Type: X.509 Certificate
Label: signing key for prasad
ID: 01

Object 3:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=9061450c01231622;token=prasad%20%28prasad%29;id=%02;object=encryption%20key%20for%20prasad;type=private
Type: Private key
Label: encryption key for prasad
Flags: CKA_WRAP/UNWRAP; CKA_PRIVATE; CKA_SENSITIVE;
ID: 02

Object 4:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=9061450c01231622;token=prasad%20%28prasad%29;id=%02;object=encryption%20key%20for%20prasad;type=public
Type: Public key
Label: encryption key for prasad
Flags: CKA_WRAP/UNWRAP;
ID: 02

Object 5:
URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=4090%20GemAlto%20%28Infineon%29;serial=9061450c01231622;token=prasad%20%28prasad%29;id=%02;object=encryption%20key%20for%20prasad;type=cert
Type: X.509 Certificate
Label: encryption key for prasad
ID: 02
#

# ssh -vvv -I /usr/lib64/pkcs11/opensc-pkcs11.so prasad@localhost
OpenSSH_7.4p1, OpenSSL 1.0.2k-fips 26 Jan 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 60: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 localhost
debug1: permanently_set_uid: 0/0
debug1: permanently_drop_suid: 0
debug1: provider /usr/lib64/pkcs11/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.16
debug1: provider /usr/lib64/pkcs11/opensc-pkcs11.so slot 0: label <prasad (prasad)> manufacturerID <4090 GemAlto (Infineon)> model <PKCS#15 emulate> serial <9061450c0123162> flags 0x40c
debug1: have 1 keys
debug1: have 2 keys
debug1: pkcs11_provider_unref: 0x55e61ad05b80 refcount 3
debug1: pkcs11_provider_unref: 0x55e61ad05b80 refcount 3
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.4
debug1: match: OpenSSH_7.4 pat OpenSSH* compat 0x04000000
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to localhost:22 as 'prasad'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:140
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts"
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01,ssh-rsa-cert-v01,ssh-dss-cert-v01,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-dss
debug2: ciphers ctos: chacha20-poly1305,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm,umac-128-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-sha1-etm,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm,umac-128-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-sha1-etm,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib,zlib
debug2: compression stoc: none,zlib,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: ciphers stoc: chacha20-poly1305,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm,aes256-gcm,aes128-cbc,aes192-cbc,aes256-cbc,blowfish-cbc,cast128-cbc,3des-cbc
debug2: MACs ctos: umac-64-etm,umac-128-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-sha1-etm,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm,umac-128-etm,hmac-sha2-256-etm,hmac-sha2-512-etm,hmac-sha1-etm,umac-64,umac-128,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305 MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305 MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:4eMH4pM5oecTvLcLkOD2TQ6KcPOyg66obgBD48bFi7o
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:140
debug3: load_hostkeys: loaded 1 keys from localhost
debug3: hostkeys_foreach: reading file "/var/lib/sss/pubconf/known_hosts"
debug1: Host 'localhost' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:140
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey after 134217728 blocks
debug2: key: /usr/lib64/pkcs11/opensc-pkcs11.so (0x55e61ad249e0)
debug2: key: /usr/lib64/pkcs11/opensc-pkcs11.so (0x55e61ad26410)
debug2: key: /root/.ssh/id_rsa ((nil))
debug2: key: /root/.ssh/id_dsa ((nil))
debug2: key: /root/.ssh/id_ecdsa ((nil)), explicit
debug2: key: /root/.ssh/id_ed25519 ((nil)), explicit
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug3: preferred gssapi-keyex,gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-keyex
debug3: remaining preferred: gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-keyex
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
Server not found in Kerberos database
debug3: send packet: type 50
debug2: we sent a gssapi-with-mic packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /usr/lib64/pkcs11/opensc-pkcs11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Offering RSA public key: /usr/lib64/pkcs11/opensc-pkcs11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 151
debug2: input_userauth_pk_ok: fp SHA256:KJa3SdGtNR5YcL3G1CQdt5DcpdWGrKdWv17xEzBbYrY
debug3: sign_and_send_pubkey: RSA SHA256:KJa3SdGtNR5YcL3G1CQdt5DcpdWGrKdWv17xEzBbYrY
Enter PIN for 'prasad (prasad)':
C_Login failed: 5
sign_and_send_pubkey: signing failed: error in libcrypto
debug1: Trying private key: /root/.ssh/id_rsa
debug3: no such identity: /root/.ssh/id_rsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
no such identity: /root/.ssh/id_ed25519: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup keyboard-interactive
debug3: remaining preferred: password
debug3: authmethod_is_enabled keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug3: send packet: type 50
debug2: we sent a keyboard-interactive packet, wait for reply
debug3: receive packet: type 60
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:

# id prasad
uid=107601139(prasad) gid=107600513(domain users) groups=107600513(domain users)
[root@amitkuma ~]# sss_cache -E
[root@amitkuma ~]# sss_cache -u prasad
[root@amitkuma ~]# id prasad
uid=107601139(prasad) gid=107600513(domain users) groups=107600513(domain users)
#

Created attachment 1487778 [details]
opensc debug logs debug=3
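The -vvv transcript above contains the decisive sequence: the first key offered from the PKCS#11 module is answered with the method list (refused), the second is answered with "Server accepts key", and only then does C_Login fail, so the server-side lookup has already succeeded and the problem is local to the token/module. The script below is an added example, not OpenSSH, OpenSC or SSSD code: it reads a client-side `ssh -vvv` transcript, reports whether public-key authentication stopped before or after the server accepted a key, and decodes `C_Login failed: N` / `C_SignInit failed: N` return values with the CKR_* constants from the PKCS#11 header pkcs11t.h. The first sample transcript is an excerpt of the one in this comment; the second is constructed to show the server-refusal case.

```python
"""Triage the public-key stage of an `ssh -vvv -I <pkcs11 module>` transcript.

Added example, not OpenSSH/OpenSC/SSSD code. It answers one question: did
public-key authentication fail because the server never accepted the key
(authorized-keys lookup, e.g. sss_ssh_authorizedkeys) or because the client
could not sign with the token after the server accepted it (PKCS#11 module)?
"""
import re
from typing import Dict, List, Tuple

# PKCS#11 return values (CKR_*) from pkcs11t.h. Only values I am certain of are
# listed; the header is authoritative. ssh prints the value in decimal.
CKR: Dict[int, str] = {
    0x00: "CKR_OK",
    0x01: "CKR_CANCEL",
    0x02: "CKR_HOST_MEMORY",
    0x05: "CKR_GENERAL_ERROR",
    0x06: "CKR_FUNCTION_FAILED",
    0x07: "CKR_ARGUMENTS_BAD",
    0x30: "CKR_DEVICE_ERROR",
    0x32: "CKR_DEVICE_REMOVED",
    0x60: "CKR_KEY_HANDLE_INVALID",
    0x62: "CKR_KEY_SIZE_RANGE",
    0x63: "CKR_KEY_TYPE_INCONSISTENT",
    0x70: "CKR_MECHANISM_INVALID",
    0xA0: "CKR_PIN_INCORRECT",
    0xA1: "CKR_PIN_INVALID",
    0xA4: "CKR_PIN_LOCKED",
    0xB0: "CKR_SESSION_CLOSED",
    0xB3: "CKR_SESSION_HANDLE_INVALID",
    0xE0: "CKR_TOKEN_NOT_PRESENT",
    0x101: "CKR_USER_NOT_LOGGED_IN",
}

OFFER = re.compile(r"^debug1: Offering (?:\w+ )?public key: ")
ACCEPT = re.compile(r"^debug1: Server accepts key: pkalg (?P<alg>\S+)")
CONTINUE = re.compile(r"^debug1: Authentications that can continue:")
P11_FAIL = re.compile(r"^(?P<call>C_\w+) failed: (?P<rv>\d+)$")
SIGN_FAIL = re.compile(r"^sign_and_send_pubkey: signing failed")
SUCCESS = re.compile(r"^debug1: Authentication succeeded \(publickey\)")


def ckr_name(rv: int) -> str:
    """Symbolic CKR_* name for a PKCS#11 return value."""
    return CKR.get(rv, f"unknown CKR 0x{rv:x}")


def verdict(r: dict) -> Tuple[str, str]:
    """(category, explanation) derived from the counters collected by triage()."""
    if r["succeeded"]:
        return ("success", "public-key authentication succeeded")
    if r["p11_failures"]:
        call, rv, name = r["p11_failures"][0]
        return ("client-side", f"server accepted the key; {call} returned {rv} ({name}) in the "
                               "PKCS#11 module, so look at the token/module, not at the authorized-keys lookup")
    if r["accepted"] and r["signing_failed"]:
        return ("client-side", "server accepted the key but signing failed without a PKCS#11 return value")
    if r["offers"] and r["accepted"] is None:
        return ("server-side", "server refused every offered key; check what sss_ssh_authorizedkeys returns for the user")
    return ("no-key", "no key was offered; the PKCS#11 module exposed no usable key")


def triage(lines: List[str]) -> dict:
    """Walk the transcript and summarise where public-key auth stopped."""
    r = {"offers": 0, "rejected": 0, "accepted": None,
         "p11_failures": [], "signing_failed": False, "succeeded": False}
    pending_offer = False  # an offer was sent and the server has not answered yet
    for raw in lines:
        line = raw.strip()
        if OFFER.match(line):
            r["offers"] += 1
            pending_offer = True
            continue
        m = ACCEPT.match(line)
        if m:
            r["accepted"] = m.group("alg")
            pending_offer = False
            continue
        if pending_offer and CONTINUE.match(line):
            r["rejected"] += 1  # the method list is the server's answer to the offer: key refused
            pending_offer = False
            continue
        m = P11_FAIL.match(line)
        if m:
            rv = int(m.group("rv"))
            r["p11_failures"].append((m.group("call"), rv, ckr_name(rv)))
        elif SIGN_FAIL.match(line):
            r["signing_failed"] = True
        elif SUCCESS.match(line):
            r["succeeded"] = True
    r["verdict"] = verdict(r)
    return r


# Excerpt of the transcript in this comment.
SAMPLE_TRANSCRIPT = [
    "debug1: Next authentication method: publickey",
    "debug1: Offering RSA public key: /usr/lib64/pkcs11/opensc-pkcs11.so",
    "debug3: send_pubkey_test",
    "debug3: receive packet: type 51",
    "debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive",
    "debug1: Offering RSA public key: /usr/lib64/pkcs11/opensc-pkcs11.so",
    "debug3: send_pubkey_test",
    "debug3: receive packet: type 60",
    "debug1: Server accepts key: pkalg rsa-sha2-512 blen 151",
    "debug3: sign_and_send_pubkey: RSA SHA256:KJa3SdGtNR5YcL3G1CQdt5DcpdWGrKdWv17xEzBbYrY",
    "Enter PIN for 'prasad (prasad)':",
    "C_Login failed: 5",
    "sign_and_send_pubkey: signing failed: error in libcrypto",
    "debug1: Next authentication method: keyboard-interactive",
]

# Constructed transcript: the server never accepts the offered key.
REJECTED_TRANSCRIPT = [
    "debug1: Next authentication method: publickey",
    "debug1: Offering RSA public key: /usr/lib64/pkcs11/opensc-pkcs11.so",
    "debug3: receive packet: type 51",
    "debug1: Authentications that can continue: publickey,password",
    "debug2: we did not send a packet, disable method",
    "debug1: Next authentication method: password",
]

if __name__ == "__main__":
    for name, t in (("thread", SAMPLE_TRANSCRIPT), ("constructed", REJECTED_TRANSCRIPT)):
        print(name, triage(t)["verdict"])
```

Fed the transcript from this comment, the verdict is "client-side" with C_Login decoded as 5 = CKR_GENERAL_ERROR, as the reporter found in pkcs11.h; the same table gives 179 = CKR_SESSION_HANDLE_INVALID for the coolkey run and 99 = CKR_KEY_TYPE_INCONSISTENT for the later C_SignInit failures in this thread.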
Hey Sumit. Any updates!!

ah, sorry for the delay. I asked Jakub Jelen about the logs and here is what he replied:

"""
Hello Sumit,

in the bug description, I see first issue that both coolkey and OpenSC pkcs11 modules are in NSS DB, which might cause some problems, but they should not let the SSH itself fail, as it is using the OpenSC pkcs11 module directly. But first things first. Are the pkcs11 modules needed in the NSS DB in this use case at all?

The debug log is from three initialization of pkcs11 module from two places. The first one can be called 0x7faf3b5ee840 by the first column, and that is probably the ssh process from where we ask for a PIN. But in the meantime, some other process tries to search something on the card (sssd through NSS DB?) and it closes its session before we attempt to login:

pkcs11-session.c:164:C_CloseAllSessions: C_CloseAllSessions(0x0)
slot.c:418:slot_get_token: Slot(id=0x0): get token
slot.c:436:slot_get_token: Slot-get-token returns OK
pkcs11-session.c:129:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x0) 1
pkcs11-session.c:98:sc_pkcs11_close_session: real C_CloseSession(0x5577988cf7e0)
pkcs11-global.c:304:C_Finalize: C_Finalize()
ctx.c:846:sc_cancel: called
reader-pcsc.c:677:pcsc_cancel: called
slot.c:184:card_removed: Gemalto PC Twin Reader 00 00: card removed

This boils down to two issues:

* Calling C_Finalize() from one process disconnects the card on PCSC level, which unpowers the card and it loses all the state information. This might be worked around (already changed upstream and in RHEL8) by setting disconnect_action=leave instead of reset or unpower in opensc.conf.
* Coolkey cards have additional security measure in form of nonce, that is passed as part of some APDUs to the card, which is making sure we talk to the same application and nobody hijacked our "authenticated" connection. This might not matter until we log in, but might matter later if these issues will continue.

I would suggest checking what and why is touching the card while running ssh (sssd checking known hosts initializes NSS DB?), if that is needed or if some different DB would make sense to be used in that case. Later I would suggest changing the configuration option disconnect_action=leave which should workaround this problem in opensc. Additionally, if the coolkey cards are used as the only cards, there might be issues with matching them (we had some bug), so setting explicitly card_drivers=coolkey,internal might avoid some failures with matching.

Let me know if you will need some clarifications or if it will help you to move on with this.
"""

So I would first suggest to try ssh from a different host. If that works then the certificate validation done by SSSD and the login process of the ssh client step on each other's toes as Jakub assumes.

bye,
Sumit

Thanks Sumit. Will check your update.

||I would suggest checking what and why is touching the card while running ssh (sssd checking known hosts initializes NSS DB?)

I have placed the smart card on my local machine. Configured sssd for AD auth. How can I check the card being touched while running ssh? There is no different DB I am using.

||After changing /etc/opensc.conf
||disconnect_action = leave;
||card_drivers = coolkey;

# ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so prasad@localhost
Enter PIN for 'prasad (prasad)':
C_SignInit failed: 99
sign_and_send_pubkey: signing failed: error in libcrypto
no such identity: /root/.ssh/id_ecdsa: No such file or directory
no such identity: /root/.ssh/id_ed25519: No such file or directory
Password:

# ssh -I /usr/lib64/pkcs11/libcoolkeypk11.so prasad@localhost
Enter PIN for 'prasad':
<worked>
[prasad@amitkuma ~]$

||So I would first suggest to try ssh from a different host. If that works then the certificate validation done by SSSD and the login process of the ssh client step on each other's toes as Jakub assumes.

:( I don't have a different machine, but I will try to look around; it will take some time.

You can create a new NSSDB with the CA certificate only and add the 'ca_db' option to the [ssh] section of sssd.conf with the path to the new NSSDB.

Does it work now? Can the bug be closed?

Dear jakub,

opensc.conf
card_drivers=coolkey

# ssh -I /usr/lib64/pkcs11/libcoolkeypk11.so prasad@localhost -> Works

I would like to get it to work with opensc (driver).

# ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so prasad@localhost
Enter PIN for 'prasad (prasad)':
C_SignInit failed: 99
sign_and_send_pubkey: signing failed: error in libcrypto
no such identity: /root/.ssh/id_ecdsa: No such file or directory
no such identity: /root/.ssh/id_ed25519: No such file or directory
Password:

Considering that since RHEL-7.4 coolkey is deprecated & opensc taken up,
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/7.4_release_notes/chap-red_hat_enterprise_linux-7.4_release_notes-deprecated_functionality
getting it to work with opensc becomes more weighty.

Sumit:
||You can create a new NSSDB with the CA certificate only and add the 'ca_db' option to the [ssh] section of sssd.conf with the path to the new NSSDB.
If I am not wrong, this is the best habit to be followed. Will it make ssh work with opensc?

(In reply to amitkuma from comment #13)
...
> Sumit:
> ||You can create a new NSSDB with the CA certificate only and add the
> 'ca_db' option to the [ssh] section of sssd.conf with the path to the new
> NSSDB.
> If I am not wrong, this is the best habit to be followed. Will it make ssh work
> with opensc?

I hope, but you have to try.

Hello sumit,
About creating a new NSSDB with the CA certificate only.
- Presently /etc/pki/nssdb only has CA cert.
'ca_db' option to the [ssh] section of sssd.conf
- ca_db defaults to nssdb only.
I think CA certificate present in nssdb is correct and validates user certificate correctly.
]# certutil -L -d /etc/pki/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
RHCS CA Cert CT,C,C <<<<<<<<<<<<<<
#
# certutil -L -d /etc/pki/nssdb -h all
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
Enter Password or Pin for "prasad (prasad)":
Enter Password or Pin for "prasad":
RHCS CA Cert CT,C,C <<<<<<<<<<<
prasad:signing key for prasad u,u,u
prasad (prasad):signing key for prasad u,u,u
prasad:encryption key for prasad u,u,u
prasad (prasad):encryption key for prasad u,u,u
I tested using pam_pkcs11. Later I removed pam_pkcs11.
Here "user certificate" present on smart card named "prasad" is validated using CA certificate present in nssdb.
# pklogin_finder debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb <<<<<<<<<<<
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x1aa3d10 next = 0x1ab2960
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:238: modList = 0x1ada130 next = 0x0
DEBUG:pkcs11_lib.c:239: dllName= opensc-pkcs11.so <<<<<<<<<<<<<<<<<<<
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [prasad]
DEBUG:pkcs11_lib.c:759: cert 0: found (prasad (prasad):signing key for prasad), "UID=prasad,O=Token Key User,CN=prasad"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'cn'
DEBUG:mapper_mgr.c:197: Inserting mapper [cn] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'uid'
DEBUG:mapper_mgr.c:197: Inserting mapper [uid] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'pwent'
DEBUG:mapper_mgr.c:197: Inserting mapper [pwent] into list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'null'
DEBUG:mapper_mgr.c:197: Inserting mapper [null] into list
DEBUG:pklogin_finder.c:127: Found '1' certificate(s)
DEBUG:pklogin_finder.c:131: verifing the certificate #1
DEBUG:cert_vfy.c:34: Verifying Cert: prasad (prasad):signing key for prasad (UID=prasad,O=Token Key User,CN=prasad)
DEBUG:pklogin_finder.c:145: Trying to deduce login from certificate
DEBUG:pklogin_finder.c:151: Certificate is valid and maps to user test2 <<<<<<<<<<<<<<<<<<<<<
test2
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() cn
DEBUG:mapper_mgr.c:148: Module cn is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() uid
DEBUG:mapper_mgr.c:148: Module uid is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:mapper_mgr.c:137: calling mapper_module_end() null
DEBUG:mapper_mgr.c:148: Module null is static: don't remove
DEBUG:pklogin_finder.c:169: releasing pkcs #11 module...
DEBUG:pklogin_finder.c:172: Process completed
[root@amitkuma ~]#
# vim /etc/opensc.conf
card_drivers = opensc,internal;
# ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so prasad@localhost
Enter PIN for 'prasad (prasad)':
C_SignInit failed: 99
sign_and_send_pubkey: signing failed: error in libcrypto
no such identity: /root/.ssh/id_ecdsa: No such file or directory
no such identity: /root/.ssh/id_ed25519: No such file or directory
prasad@localhost's password:
# vim /etc/opensc.conf
card_drivers = coolkey,internal;
# ssh -I /usr/lib64/pkcs11/libcoolkeypk11.so prasad@localhost
WORKS
So I feel this has to do with coolkey and opensc, not with certificate validation,
since coolkey has verified the certificate successfully and given a login prompt.
I will dive more into it.
The reason I asked to use a separate NSSDB is that Jakub found in the OpenSC logs that it looks like two processes stepping on each other's toes. So it might help to let SSSD's ssh responder use a different NSSDB which does not have OpenSC attached. This way ssh would be the only process using OpenSC at this time.

bye,
Sumit

# mkdir new_nssdb
[root@amitkuma ~]# certutil -N -d ./new_nssdb/
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
[root@amitkuma ~]# ls -ltr new_nssdb/
total 60
-rw------- 1 root root 16384 Dec 21 13:13 secmod.db
-rw------- 1 root root 16384 Dec 21 13:13 key3.db
-rw------- 1 root root 65536 Dec 21 13:13 cert8.db
[root@amitkuma ~]# certutil -L -d ./new_nssdb/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
[root@amitkuma ~]# certutil -d ./new_nssdb/ -A -n "RHCS Root CA Cert" -t CT,CT,CT -a -i ./rhcs-ca-latest.crt
[root@amitkuma ~]# certutil -L -d ./new_nssdb/ -h all
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
RHCS Root CA Cert CT,C,C
[root@amitkuma ~]
sssd.conf
[domain/amitserver.com]
cache_credentials = True
krb5_store_password_if_offline = True
ipa_domain = amitserver.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ldap_tls_cacert = /etc/ipa/ca.crt
ipa_hostname = amitkuma.pnq.csb
chpass_provider = ipa
ipa_server = _srv_, rhel7-ipa-2.amitserver.com
dns_discovery_domain = amitserver.com
[sssd]
services = nss, sudo, pam, ssh
certificate_verification = no_verification
domains = amitserver.com
[nss]
homedir_substring = /home
[pam]
pam_cert_auth = True
debug_level = 5
[sudo]
[autofs]
[ssh]
ca_db = /root/new_nssdb
[pac]
[ifp]
[secrets]
[session_recording]
# service sssd restart
# ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so prasad@localhost
Enter PIN for 'prasad (prasad)':
C_SignInit failed: 99
sign_and_send_pubkey: signing failed: error in libcrypto
no such identity: /root/.ssh/id_ecdsa: No such file or directory
no such identity: /root/.ssh/id_ed25519: No such file or directory
prasad@localhost's password:
any updates here?

Hi,

iirc Jakub mentioned some time ago in some other context that the key size might cause issue here and that when using a different size e.g. 2048bits for the user key it might work.

I close the ticket here because it is quite old. If you are still seeing similar issues on RHEL8 please open a new one.

bye,
Sumit