Bug 454003 - GEMALTO GCX4 72K D1 : Card class failure : pam_pkcs11(login:auth): sign_value() failed [NEEDINFO]
Status: CLOSED WONTFIX
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: pam_pkcs11
Version: 5.2
Hardware: All Linux
Priority: low
Severity: medium
Target Milestone: rc
Assigned To: Bob Relyea
Reported: 2008-07-03 15:24 EDT by Aaron Lippold
Modified: 2014-04-22 16:32 EDT (History)
Doc Type: Bug Fix
Last Closed: 2014-04-22 16:32:04 EDT
pm-rhel: needinfo? (aaron.lippold)


Description Aaron Lippold 2008-07-03 15:24:35 EDT
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.15) Gecko/20080623 Firefox/2.0.0.15

Description of problem:
General Error:

When I try to use the Gemalto GCX4 72k D1 card to log in via GDM or the console, the authentication always fails. It seems that there is a signature failure when signing the challenge from the private key; however, this is a guess.

Results:

I get an 'authentication failed' for both GDM and the console (which is expected) and the /var/log/security lists:

[12:37] aaronlippold: Jul 2 12:35:09 localhost login: pam_pkcs11(login:auth): sign_value() failed:
Jul 2 12:35:09 localhost login: FAILED LOGIN 1 FROM (null) FOR aaronl, Insufficient credentials to access authentication data

Other Notes:

1) Working

READING: The middleware can read and display all the data using the standard
tools ( esd, pklogin_finder, etc. )
Installing Certs: The 2048 certs are installed into the nssdb without
issues
Removing Certs: The 2048 certs are removed from the nssdb without issues
PKLOGIN_FINDER: The pklogin_finder is able to find the user cert on the card
and map it correctly to the associated user account
PKLOGIN_FINDER DEBUG : Properly established the trust chain and displays all
the expected debug info that the 64k cards give


2) Broken

- Auth via GDM: The coolkey middleware throws an error when it tries to use
the private key on the card
- Auth via console: same error because it is the same subsystem.




Version-Release number of selected component (if applicable):
nss-3.12.0.3-1.el5, nss_tools-3.12.0.3-1.el5, pam_pkcs11-0.5.3-23

How reproducible:
Always


Steps to Reproduce:
(assuming your RH client is set up to use smartcard already)

1. Install the root and intermediate certs for the test tokens into the nssdb using standard methods
2. Log out back to GDM or go to a console
3. Insert a GEMALTO GCX4 72K D1 into a supported reader
4. Get GDM or the console to ask for your pin and notice the card (i.e. hit enter or pull and replace the card once or twice)
5. GDM or the console will ask for the pin of the user cert
6. Enter pin
7. GDM/console will return with 'authentication failed'

Actual Results:
[12:37] aaronlippold: Jul 2 12:35:09 localhost login:
pam_pkcs11(login:auth): sign_value() failed:
Jul 2 12:35:09 localhost login: FAILED LOGIN 1 FROM (null) FOR aaronl,
Insufficient credentials to access authentication data

Was issued to /var/log/security

Expected Results:
Authentication should have been valid

Additional info:
Comment 1 RHEL Product and Program Management 2014-03-07 08:35:44 EST
This bug/component is not included in scope for RHEL-5.11.0 which is the last RHEL5 minor release. This Bugzilla will soon be CLOSED as WONTFIX (at the end of RHEL5.11 development phase (Apr 22, 2014)). Please contact your account manager or support representative in case you need to escalate this bug.
