Bug 1672898 - CKR_KEY_TYPE_INCONSISTENT while doing ssh using sssd smart card
Summary: CKR_KEY_TYPE_INCONSISTENT while doing ssh using sssd smart card
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: opensc
Version: 7.6
Hardware: x86_64
OS: Linux
Target Milestone: rc
Assignee: Jakub Jelen
QA Contact: Asha Akkiangady
Depends On:
Reported: 2019-02-06 07:27 UTC by amitkuma
Modified: 2019-08-06 12:59 UTC

Fixed In Version: opensc-0.19.0-1
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-08-06 12:59:50 UTC
Target Upstream Version:


Red Hat Product Errata: RHSA-2019:2154 (last updated 2019-08-06 12:59:55 UTC)

Comment 3 Jakub Jelen 2019-02-06 09:56:14 UTC
The attachment is the OpenSSH log, which is already pasted inline. But from the previous mail discussion, it looks like there is a bug in the keyUsage extension parsing:

  asn1.c:1474:asn1_decode: Looking for 'bitString', tag 0x3
  asn1.c:1266:asn1_decode_entry: decoding 'bitString', raw data:0780

which represents a bit string of length 1 with 1 bit set. I suspect it will be fixed with the following upstream patch:


Can you try with the RHEL8 beta OpenSC to see if the problem is still present? We plan to rebase to a newer version of OpenSC in the next release anyway, so I will be able to provide a testing build for RHEL7 soon too.
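
Added here to illustrate what the two bitString log lines above encode (example code, not OpenSC's parser and not an attachment of this bug): the DER keyUsage BIT STRING value 0780 decoded into X.509 key-usage names, honouring the leading unused-bits byte, so a bit string of length 1 with one bit set comes out as digitalSignature.

```python
# Added example (not OpenSC code): decode the DER BIT STRING contents that
# OpenSC logged for the keyUsage extension ("raw data:0780").
# A DER BIT STRING value is: <unused-bit count> <bit bytes...>, with bit 0
# being the most significant bit of the first byte (RFC 5280, 4.2.1.3).

KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1 (contentCommitment)
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(raw: bytes) -> list:
    """Return the key usage names set in a DER BIT STRING value (tag/length stripped)."""
    if not raw:
        raise ValueError("empty BIT STRING value")
    unused = raw[0]
    body = raw[1:]
    # DER allows at most 7 unused bits, and none at all when there are no data bytes.
    if unused > 7 or (unused and not body):
        raise ValueError("invalid unused-bit count %d" % unused)
    total_bits = len(body) * 8 - unused
    names = []
    for bit in range(total_bits):
        byte, offset = divmod(bit, 8)
        if body[byte] & (0x80 >> offset):
            names.append(KEY_USAGE_BITS[bit] if bit < len(KEY_USAGE_BITS) else "bit%d" % bit)
    return names


def decode_from_hex(hex_text: str) -> list:
    """Convenience wrapper for the hex form OpenSC prints in its debug log."""
    return decode_key_usage(bytes.fromhex(hex_text))


if __name__ == "__main__":
    # The value from the bug's log: 7 unused bits, one data byte 0x80,
    # i.e. a bit string of length 1 with bit 0 (digitalSignature) set.
    print(decode_from_hex("0780"))  # ['digitalSignature']
    # A constructed longer value for comparison: digitalSignature + keyEncipherment.
    print(decode_from_hex("05a0"))  # ['digitalSignature', 'keyEncipherment']
```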

Comment 4 amitkuma 2019-02-06 10:02:13 UTC
Thanks for the update, Jakub.
We have already suggested that the customer test RHEL8.

Comment 6 amitkuma 2019-02-08 04:19:58 UTC
Hey Jakub,
Thanks for the update.
We have already suggested RHEL8 to the customer. He's setting up the env.

Comment 7 Simo Sorce 2019-02-11 15:39:49 UTC
This issue was not selected to be included in Red Hat Enterprise Linux 7.7 because it is seen as having low or moderate impact for a small number of use cases. The next release will be in Maintenance Support 1 Phase, which means that qualified Critical and Important Security errata advisories (RHSAs) and Urgent Priority Bug Fix errata advisories (RHBAs) may be released as they become available. We will now close this issue, but if you believe that it qualifies for the Maintenance Support 1 Phase, please re-open; otherwise we recommend moving the request to Red Hat Enterprise Linux 8 if applicable.

Comment 8 Jakub Jelen 2019-02-11 16:26:20 UTC
Not so fast ... this is something that will probably be fixed by the planned rebase, and we would really like to keep track of this bug since it is a pain point for several customers.

Comment 9 Marc Sauton 2019-02-13 18:36:37 UTC
we need this from
into the next errata.

It does solve the GUI login, screen lock/unlock and sudo problems with the following card:
  ID-ONE PIV 2.4.0 ON COSMO V8 from Oberthur / Idemia

The login error was:
  ERROR:pam_pkcs11.c:589: sign_value() failed
and was related to the signature feature in cert_policy.

Comment 27 Jakub Jelen 2019-03-25 10:13:11 UTC
Please remove the coolkey pkcs11 module from the NSS DB that is used for all the other tests but SSH. It should give you better results.

Comment 29 Jakub Jelen 2019-03-27 09:43:53 UTC
The p11_child log from last week says coolkey is loaded. What NSS DB is used by SSSD?

(Wed Mar 20 17:01:33:332938 2019) [[sssd[p11_child[16756]]]] [do_card] (0x4000): common name: [Coolkey PKCS #11 Module].
(Wed Mar 20 17:01:33:332961 2019) [[sssd[p11_child[16756]]]] [do_card] (0x4000): dll name: [/usr/lib64/pkcs11/libcoolkeypk11.so].

Could it be caused by coolkey being specified in the pkcs11_eventmgr.conf of pam_pkcs11, or does everything go through sssd now?

Comment 30 amitkuma 2019-03-27 10:04:49 UTC
Dear Jakub,
This is the customer's /etc/pam_pkcs11/pkcs11_eventmgr.conf:
pkcs11_eventmgr  {

        # Run in background? Implies debug=false if true
        daemon = true;

        # show debug messages?
        debug = false;

        # polling time in seconds
        polling_time = 1;

        # expire time in seconds
        # default = 0 ( no expire )
        expire_time = 0;

        # pkcs11 module to use
        pkcs11_module = libcoolkeypk11.so;

        # list of events and actions

        # Card inserted
        event "card_insert" {
                # what to do if an action fails?
                # ignore  : continue to next action
                # return  : end action sequence
                # quit    : end program
                on_error = ignore;

                # You can enter several, comma-separated action entries
                # they will be executed in turn
                #action = "/usr/sbin/gdm-safe-restart",
                #         "/usr/X11R6/bin/xscreensaver-command -deactivate";
                action = "/usr/sbin/gdm-safe-restart";
        }

        # Card has been removed
        event "card_remove" {
                on_error = ignore;
                #action = "/usr/sbin/gdm-safe-restart",
                #         "/usr/X11R6/bin/xscreensaver-command -lock";
                action = "/usr/sbin/gdm-safe-restart";
        }

        # Too much time card removed
        event "expire_time" {
                on_error = ignore;
                action = /bin/false;
        }
}

Comment 31 amitkuma 2019-03-27 10:09:35 UTC
Asked the customer to use "opensc-pkcs11.so".

Comment 32 amitkuma 2019-04-03 07:41:12 UTC
Dear Jakub,
The customer removed coolkey with yum and verified that the NSS DB only uses OpenSC. Still the same results.

Comment 33 amitkuma 2019-04-10 10:18:04 UTC
Jakub, any updates here?
The customer is still finding issues.

Comment 34 Jakub Jelen 2019-04-15 08:40:30 UTC
I would probably have to see new logs and a sosreport to be able to check what is going on there. Without that, it is just guessing what could go wrong after the removal of the coolkey package.

Comment 36 Jakub Jelen 2019-04-23 08:37:36 UTC
What about the following error in the messages? It shows up in the previous archive, but not in the sosreport:

Apr 17 12:41:50 warmachine pklogin_finder: Error parsing file /etc/pam_pkcs11/pam_pkcs11.conf
Apr 17 12:41:50 warmachine pklogin_finder: Error setting configuration parameters

But clearly, there are mismatched brackets in the pam_pkcs11.conf in the sosreport.

Comment 38 Jakub Jelen 2019-04-29 11:38:18 UTC
The sosreport from Apr 25 2019 has the brackets in the pam_pkcs11 configuration file even more mismatched. The guide you provided to customer was not very helpful. Just put back the closing bracket on line 48 and remove the bogus bracket on line 37.

After fixing the above, please check the debugging steps in [1] (already referenced), namely getting some debug information from pam_pkcs11 by removing the nodebug option or running pkcs11_listcerts.

[1] https://access.redhat.com/articles/3034441

Comment 42 amitkuma 2019-05-06 07:45:30 UTC
The customer has attached a new sosreport as well.

Comment 43 Jakub Jelen 2019-05-06 09:06:21 UTC
> Debug pam module: Change /etc/pam.d/smartcard-auth (add a debug option): auth [success=done ignore=ignore default=die] pam_pkcs11.so debug wait_for_card
>
> We are not using PAM_PKCS11.SO. We are using pam_sss. See attached sosreport to confirm PAM settings.

Then remove pam_pkcs11 from /etc/pam.d/system-auth-ac or regenerate the authconfig files. Having both sss and pam_pkcs11 in the PAM stack is very likely to cause problems with login.

If it does not help, let's try whether it works isolated to opensc:

  OPENSC_DEBUG=9 pkcs11-tool --test --login --pin YOUR_CARD_PIN 2> /tmp/opensc_test_debug.log

Comment 45 Jakub Jelen 2019-05-20 12:50:41 UTC
I am already getting lost here. Is this the same issue as in the description or something else? If it is something else, please try to summarize it in a new bug and let's get this one closed.

Comment 46 amitkuma 2019-05-21 12:23:31 UTC
Jakub, this Bugzilla was opened for this case only (02292639).

The customer has the same issue as in the description.

Comment 51 Scott Poore 2019-06-27 13:22:53 UTC
Verified (Sanity Only)

Version ::


Results ::

Ran a battery of IPA Smart Card Authentication tests with pkcs15 and PIV_II cards with no failures seen. Tests included su, ssh, ipa-webui and gdm login.

Here's a sample with a PIV_II card:

[root@ipaclient1 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=SERIAL;token=TOKEN;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert' --outfile /tmp/piv_1.crt 

[root@ipaclient1 ~]# ipa certmap-match /tmp/piv_1.crt
4 users matched
  Domain: ad.test
  User logins: adcacuser1, newuser

  User logins: pivuser1, ipauser1
Number of entries returned 2

[root@ipaclient1 ~]# su - ipauser1 -c "su - ipauser1 -c whoami"

[root@ipaclient1 ~]# su - adcacuser1@ad.test -c "su - adcacuser1@ad.test -c whoami"

[root@ipaclient1 ~]# p11tool --provider /usr/lib64/opensc-pkcs11.so --export 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=SERIAL;token=TOKEN;id=%01;object=Certificate%20for%20PIV%20Authentication;type=cert' --outfile /tmp/piv_1.crt 
[root@ipaclient1 ~]# ipa certmap-match /tmp/piv_1.crt
4 users matched
  Domain: ad.test
  User logins: adcacuser1, newuser

  User logins: pivuser1, ipauser1
Number of entries returned 2

[root@ipaclient1 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l ipauser1 $(hostname) "hostname"
Enter PIN for 'TOKEN': 

[root@ipaclient1 ~]# ssh -I /usr/lib64/opensc-pkcs11.so -l adcacuser1@ad.test $(hostname) "hostname"
Enter PIN for 'TOKEN': 

[root@ipaclient1 ~]# ipa user-show ipauser1
  User login: ipauser1
  First name: ipauser1
  Last name: lastname
  Home directory: /home/ipauser1
  Login shell: /bin/sh
  Principal name: ipauser1@SMARTCARD.TEST
  Principal alias: ipauser1@SMARTCARD.TEST
  Email address: ipauser1@smartcard.test
  UID: 1203000065
  GID: 1203000065
  Certificate: MII....cert truncated....
  Account disabled: False
  Password: True
  Member of groups: ipausers
  Kerberos keys available: True

Also logged into GDM with the whole cert and with mapping, for both IPA and AD users.

Comment 56 errata-xmlrpc 2019-08-06 12:59:50 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

