eToken PRO 64k


eToken PRO 64k

Mr Dash Four
I have the above token and have been trying to configure my FC13
(x86_64) to log in with it without the need to type uid/password, without
much success! I have all the necessary packages (as shown on the
opensc-project.org web site) installed. This is what happens (long post!):

Inserting token (openct and pcscd services running):

=====syslog messages=====================================================
Oct 13 21:27:53 test1 kernel: usb 4-2: new low speed USB device using
uhci_hcd and address 2
Oct 13 21:27:53 test1 kernel: usb 4-2: New USB device found,
idVendor=0529, idProduct=0600
Oct 13 21:27:53 test1 kernel: usb 4-2: New USB device strings: Mfr=1,
Product=2, SerialNumber=0
Oct 13 21:27:53 test1 kernel: usb 4-2: Product: eToken Pro 0600
Oct 13 21:27:53 test1 kernel: usb 4-2: Manufacturer: AKS
===============================================

When I check the available readers:

================================================
[root@test1 ~]# opensc-tool --list-readers
[opensc-tool] reader-pcsc.c:896:pcsc_detect_readers: SCardListReaders
failed: 0x8010002e
[opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No
readers found
Readers known about:
Nr.    Driver     Name
0      openct     Aladdin eToken PRO 64k*
1      openct     OpenCT reader (detached)
================================================

The above shows my Aladdin token, but the reader does NOT work (marked
with '*') - I can't read ANYTHING! After installing the pcsc-lite-openct
package I get this:

================================================
[root@test1 ~]# opensc-tool --list-readers
Readers known about:
Nr.    Driver     Name
0      openct     Aladdin eToken PRO 64k
1      openct     OpenCT reader (detached)
2      pcsc       Aladdin eToken PRO 64 00 00**
================================================

There is a new reader (marked with '**') which WORKS! When I execute the
relevant commands to see my private keys and certificates I am able to
see them - no problem, EXCEPT that I had to specify "--reader 2" (or "-r
2") otherwise it doesn't work.

================================================
[root@test1 ~]# pkcs11-tool --list-slots
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-cardos.c:86:cardos_match_card: APDU transmit
failed: Generic reader error
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-cardos.c:86:cardos_match_card: APDU transmit
failed: Generic reader error
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-default.c:66:autodetect_class: APDU transmit
failed: Generic reader error
[opensc-pkcs11] card-default.c:113:default_init: unable to determine the
right class byte
[opensc-pkcs11] card.c:202:sc_connect_card: driver 'Default driver for
unknown cards' init() failed: Card is invalid or cannot be handled
[opensc-pkcs11] card.c:213:sc_connect_card: unable to find driver for
inserted card
[opensc-pkcs11] card.c:228:sc_connect_card: returning with: Card is
invalid or cannot be handled
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-cardos.c:86:cardos_match_card: APDU transmit
failed: Generic reader error
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-cardos.c:86:cardos_match_card: APDU transmit
failed: Generic reader error
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-default.c:66:autodetect_class: APDU transmit
failed: Generic reader error
[opensc-pkcs11] card-default.c:113:default_init: unable to determine the
right class byte
[opensc-pkcs11] card.c:202:sc_connect_card: driver 'Default driver for
unknown cards' init() failed: Card is invalid or cannot be handled
[opensc-pkcs11] card.c:213:sc_connect_card: unable to find driver for
inserted card
[opensc-pkcs11] card.c:228:sc_connect_card: returning with: Card is
invalid or cannot be handled
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-cardos.c:86:cardos_match_card: APDU transmit
failed: Generic reader error
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-cardos.c:86:cardos_match_card: APDU transmit
failed: Generic reader error
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-default.c:66:autodetect_class: APDU transmit
failed: Generic reader error
[opensc-pkcs11] card-default.c:113:default_init: unable to determine the
right class byte
[opensc-pkcs11] card.c:202:sc_connect_card: driver 'Default driver for
unknown cards' init() failed: Card is invalid or cannot be handled
[opensc-pkcs11] card.c:213:sc_connect_card: unable to find driver for
inserted card
[opensc-pkcs11] card.c:228:sc_connect_card: returning with: Card is
invalid or cannot be handled
Available slots:
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-cardos.c:86:cardos_match_card: APDU transmit
failed: Generic reader error
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-cardos.c:86:cardos_match_card: APDU transmit
failed: Generic reader error
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] apdu.c:528:sc_transmit_apdu: unable to acquire lock
[opensc-pkcs11] card-default.c:66:autodetect_class: APDU transmit
failed: Generic reader error
[opensc-pkcs11] card-default.c:113:default_init: unable to determine the
right class byte
[opensc-pkcs11] card.c:202:sc_connect_card: driver 'Default driver for
unknown cards' init() failed: Card is invalid or cannot be handled
[opensc-pkcs11] card.c:213:sc_connect_card: unable to find driver for
inserted card
[opensc-pkcs11] card.c:228:sc_connect_card: returning with: Card is
invalid or cannot be handled
Slot 0           (empty)
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)
Slot 4           (empty)
Slot 5           (empty)
Slot 6           (empty)
Slot 7           (empty)
Slot 8           Aladdin eToken PRO 64 00 00
  token label:   zeek (zeek PIN)
  token manuf:   OpenSC Project
  token model:   PKCS#15
  token flags:   login required, PIN initialized, token initialized
  serial num  :  2512E8162013
Slot 9           (empty)
Slot 10          (empty)
Slot 11          (empty)
Slot 12          (empty)
Slot 13          (empty)
Slot 14          (empty)
Slot 15          (empty)
=====================================================

The above errors seem to be from the openct driver. After disabling it
in /etc/opensc.conf ("reader_drivers = pcsc, ctapi;" instead of
"reader_drivers = openct, pcsc, ctapi;") I get this:

================================================
[root@test1 ~]# pkcs11-tool --list-slots
Available slots:
Slot 0           Aladdin eToken PRO 64 00 00
  token label:   zeek (zeek PIN)
  token manuf:   OpenSC Project
  token model:   PKCS#15
  token flags:   login required, PIN initialized, token initialized
  serial num  :  2512E8162013
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)
Slot 4           (empty)
Slot 5           (empty)
Slot 6           (empty)
Slot 7           (empty)
Slot 8           (empty)
Slot 9           (empty)
Slot 10          (empty)
Slot 11          (empty)
Slot 12          (empty)
Slot 13          (empty)
Slot 14          (empty)
Slot 15          (empty)
================================================

Next, I tried to configure pam_pkcs11.

================================================
[root@test1 ~]# modutil -list -dbdir /etc/pki/nssdb

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
    library name: libcoolkeypk11.so
     slots: 1 slot attached
    status: loaded

     slot: Aladdin eToken PRO 64 00 00
    token:
-----------------------------------------------------------
================================================

As evident from the above, there is NO TOKEN according to CoolKey (and
it should be there, as the card is inserted and I can read all the
keys/certificates etc!!!). As a 'work-around' I tried to force the
OpenSC module to 'register' with the NSS database:

================================================
modutil -add "OpenSC PKCS #11 Module" -libfile opensc-pkcs11.so -dbdir
/etc/pki/nssdb

[root@test1 ~]# modutil -list -dbdir /etc/pki/nssdb

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. CoolKey PKCS #11 Module
    library name: libcoolkeypk11.so
     slots: 1 slot attached
    status: loaded

     slot: Aladdin eToken PRO 64 00 00
    token:

  3. OpenSC PKCS #11 Module
    library name: opensc-pkcs11.so
     slots: 16 slots attached
    status: loaded

     slot: Aladdin eToken PRO 64 00 00
    token: zeek (zeek PIN)

     slot: Aladdin eToken PRO 64 00 00
    token:

     slot: Aladdin eToken PRO 64 00 00
    token:

     slot: Aladdin eToken PRO 64 00 00
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:

     slot: Virtual slot
    token:
-----------------------------------------------------------
================================================

As evident from the above, the newly registered module appears to show
that there is a token on slot 0 with the correct label displayed. Next, I
modified pam_pkcs11.conf ("use_pkcs11_module = coolkey;") and executed
pkcs11_inspect to check whether there is a token (/etc/pam_pkcs11/cn_map
already contains "zeek -> zeek" to reflect the certificate CN to user
login mapping):

================================================
[root@test1 ~]# pkcs11_inspect debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0xdc8660 next = 0xdda930

DEBUG:pkcs11_lib.c:226: dllName= <null>

DEBUG:pkcs11_lib.c:225: modList = 0xdda930 next = 0xdf03d0

DEBUG:pkcs11_lib.c:226: dllName= libcoolkeypk11.so

DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_inspect.c:95: no token available
======================================================

Again, NO TOKEN! Not really a surprise, as CoolKey did not show any
token when I executed "modutil -list" in the first place, so next I
tried to replace this and enable opensc:

======================================================
pam_pkcs11.conf: use_pkcs11_module = opensc;

pkcs11_module opensc {
    module = opensc-pkcs11.so;
    description = "OpenSC PKCS#11 module";
    # Slot-number to use. One for the first, two for the second and so
    # on. The default value is zero which means to use the first slot
    # with an available token.
    slot_num = 0;

    # Path to the directory where the CA certificates are stored. The
    # directory must contain an openssl hash-link to each certificate.
    # The default value is /etc/pam_pkcs11/cacerts.
    ca_dir = /etc/pam_pkcs11/cacerts;

    # Path to the directory where the CRLs are stored. The directory
    # must contain an openssl hash-link to each CRL. The default value
======================================================

And tried to execute pkcs11_inspect again:

======================================================
[root@test1 ~]# pkcs11_inspect debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:201: NSS_Initialize faile: security library: bad
database.
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
DEBUG:pkcs11_inspect.c:64: crypto_init() failed:
======================================================

NO luck! And that is where I am currently stuck. I don't think there is
a problem with the NSS database as when I execute:

======================================================
[root@test1 ~]# certutil -L -d /etc/pki/nssdb

Certificate Nickname                                         Trust
Attributes
                                                             
SSL,S/MIME,JAR/XPI

My Certificate Authority                                     CT,C,C
======================================================

Everything seems to be OK. Any ideas on what I am doing wrong?
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: eToken PRO 64k

Ludovic Rousseau
2010/10/14 Mr Dash Four <[hidden email]>:

> And tried to execute pkcs11_inspect again:
>
> ======================================================
> [root@test1 ~]# pkcs11_inspect debug
> DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> DEBUG:pkcs11_lib.c:182: Initializing NSS ...
> DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
> DEBUG:pkcs11_lib.c:201: NSS_Initialize faile: security library: bad
> database.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> DEBUG:pkcs11_inspect.c:64: crypto_init() failed:
> ======================================================
>
> NO luck! And that is where I am currently stuck. I don't think there is
> a problem with the NSS database as when I execute:
>
> ======================================================
> [root@test1 ~]# certutil -L -d /etc/pki/nssdb
>
> Certificate Nickname                                         Trust
> Attributes
>
> SSL,S/MIME,JAR/XPI
>
> My Certificate Authority                                     CT,C,C
> ======================================================
>
> Everything seems to be OK. Any ideas on what am I doing wrong?

You are using /etc/pam_pkcs11/nssdb in pam_pkcs11 but /etc/pki/nssdb
in the test code. Is that normal?

What is the output of:
$ certutil -L -d /etc/pam_pkcs11/nssdb

Bye

--
 Dr. Ludovic Rousseau

Re: eToken PRO 64k

Martin Paljak-2
In reply to this post by Mr Dash Four
Hello,

On Thu, Oct 14, 2010 at 01:00, Mr Dash Four <[hidden email]> wrote:
> (x86_64) to login with it without the need to type uid/password without
> much success!
AFAIK you will not succeed, as you will need to type/select at least
the user; "detect my user when I plug in my card" does not work
[1].


> Inserting token (openct and pcscd services running):
Ideally you should not have two services, but as your token is not
CCID/ICCD you need OpenCT. OK. You should remove only one.


> When I check the available readers:
>
> ================================================
> [root@test1 ~]# opensc-tool --list-readers
> [opensc-tool] reader-pcsc.c:896:pcsc_detect_readers: SCardListReaders
> failed: 0x8010002e
> [opensc-tool] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No
> readers found
> Readers known about:
> Nr.    Driver     Name
> 0      openct     Aladdin eToken PRO 64k*
> 1      openct     OpenCT reader (detached)
> ================================================
>
> The above shows my Aladdin token, but the reader does NOT work (marked
> with '*') - I can't read ANYTHING! After installing the pcsc-lite-openct
> package I get this:
>
> ================================================
> [root@test1 ~]# opensc-tool --list-readers
> Readers known about:
> Nr.    Driver     Name
> 0      openct     Aladdin eToken PRO 64k
> 1      openct     OpenCT reader (detached)
> 2      pcsc       Aladdin eToken PRO 64 00 00**
> ================================================
>
> There is a new reader (marked with '**') which WORKS! When I execute the
> relevant commands to see my private keys and certificates I am able to
> see them - no problem, EXCEPT that I had to specify "--reader 2" (or "-r
> 2") otherwise it doesn't work.

This is strange: if the OpenCT driver itself does not work, how
could the openct-pcsc wrapper make it work? This requires debugging,
but you should then leave only pcsc as the reader driver in your
opensc.conf.

> The above errors seems to be from the openct driver. After disabling it
> in /etc/opensc.conf ("reader_drivers = pcsc, ctapi;" instead of
> "reader_drivers = openct, pcsc, ctapi;") I get this:

This should be filed as a bug report for OpenCT. Unfortunately I don't
use/know OpenCT.

So here the reader problem stops.
1) figure out why OpenCT is not working as expected (and then
uninstall pcscd and only set openct as a reader driver in opensc.conf)
2) leave it as it is, remove ctapi and openct as reader drivers in opensc.conf


> Next, I tried to configure pam_pkcs11.
>  2. CoolKey PKCS #11 Module
>    library name: libcoolkeypk11.so
>     slots: 1 slot attached
>    status: loaded
>
>     slot: Aladdin eToken PRO 64 00 00
>    token:
> -----------------------------------------------------------
> ================================================
>
> As evident from the above - There is NO TOKEN according to CoolKey (and
> it should be there as the card is inserted and I can read all the
> keys/certificates etc!!!). As a 'work-around' I tried to force the
> OpenSC module to 'register' with the NSS database:

OpenSC is not a workaround for Coolkey nor are they similar in any
other way than both provide PKCS#11 modules. Coolkey works with the
Coolkey applet (and I think also PIV cards) whereas OpenSC works with
cards that it has drivers for.



> As evident from the above the newly registered module appears to show
> that there is token on slot 0 with the correct label displayed. Next, I
> modified pam_pkcs11.conf ("use_pkcs11_module = coolkey;") and executed
Again, don't mix up Coolkey PKCS#11 module (libcoolkeypk11.so) and
OpenSC module (opensc-pkcs11.so).
I suspect that Fedora comes with coolkey pre-configured. But they are
not the same.

> ======================================================
> pam_pkcs11.conf: use_pkcs11_module = opensc;
>
> pkcs11_module opensc {
>    module = opensc-pkcs11.so;
>    description = "OpenSC PKCS#11 module";
>    # Slot-number to use. One for the first, two for the second and so
>    # on. The default value is zero which means to use the first slot
>    # with an available token.
>    slot_num = 0;
Note to self: this semantics should be fixed, slot indexes and slot
identifiers are not the same.



> [root@test1 ~]# pkcs11_inspect debug
> DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> DEBUG:pkcs11_lib.c:182: Initializing NSS ...
> DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
> DEBUG:pkcs11_lib.c:201: NSS_Initialize faile: security library: bad
> database.
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> DEBUG:pkcs11_inspect.c:64: crypto_init() failed:
> ======================================================
The "shared NSS DB" which Fedora supports to some extent is
/etc/pki/nssdb. You should either use that or initialize a new DB at
the location that is in the sample pam_pkcs11 file. If unsure, use
/etc/pki/nssdb.



> Everything seems to be OK. Any ideas on what am I doing wrong?
- Try to figure out what is wrong with OpenCT (but as the wrapper
works, this is not critical)
- Don't mix up Coolkey and OpenSC PKCS#11 modules. You probably only
need one (the one that works with your token - OpenSC)
- Don't mix up the location of the NSS database (where certificates
are) - either use the system wide /etc/pki/nssdb or make sure you
create a new database at the location you specify in pam_pkcs11
configuration.

--
@martinpaljak.net
+3725156495

I'm moving! martin.paljak.pri.ee -> martinpaljak.net

Re: eToken PRO 64k

Mr Dash Four
In reply to this post by Ludovic Rousseau

>> Everything seems to be OK. Any ideas on what am I doing wrong?
>>    
>
> You are using  /etc/pam_pkcs11/nssdb in pam_pkcs11 but /etc/pki/nssdb
> in the test code. Is that normal
Well spotted!

That is exactly what the problem was. Unfortunately, the
pam_pkcs11.conf supplied with the pam_pkcs11 package includes
"nss_dir=/etc/pki/nssdb" in the CoolKey section, but this statement is
MISSING from the opensc section, which is why these two commands
(pkcs11_inspect and pklogin_finder) look for the 'default' directory
/etc/pam_pkcs11/nssdb, which triggers the error.

Adding the above statement to the opensc section cures this problem
beautifully, though I have some other difficulties which I will cover in
my other post in a minute (will cc you in).
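The missing nss_dir the reply above tracks down can be caught mechanically. The following is an added example, not code from pam_pkcs11 or from anyone in this thread: it parses only the "key = value;" and "type name { ... }" syntax visible in the excerpt, assumes the file wraps its settings in a pam_pkcs11 { } block, and takes the fallback path /etc/pam_pkcs11/nssdb from the poster's own report; the sample configuration is constructed.

```python
"""Check pam_pkcs11.conf for a pkcs11_module section that lacks nss_dir.
Added example, not pam_pkcs11 or thread code: it parses only the 'key = value;'
and 'type [name] { ... }' syntax seen in the thread's excerpt, and the outer
pam_pkcs11 { } block plus the fallback path are taken from the thread's text.
"""
import re
from typing import Iterator, Optional, Tuple

# Path the poster saw pam_pkcs11 fall back to when nss_dir was absent.
DEFAULT_NSS_DIR = "/etc/pam_pkcs11/nssdb"

# Constructed sample: the coolkey section carries nss_dir, opensc does not.
SAMPLE_CONF = """\
pam_pkcs11 {
    use_pkcs11_module = opensc;

    pkcs11_module coolkey {
        module = libcoolkeypk11.so;
        nss_dir = /etc/pki/nssdb;
    }

    pkcs11_module opensc {
        module = opensc-pkcs11.so;
        description = "OpenSC PKCS#11 module";
        # Slot-number to use; zero means the first slot with a token.
        slot_num = 0;
        ca_dir = /etc/pam_pkcs11/cacerts;
    }
}
"""

# Whitespace and '#' comments are skipped; quoted strings keep their '#'.
_TOKEN = re.compile(r'\s+|#[^\n]*|"([^"]*)"|([{};=])|([^\s{};=#"]+)')


def _tokenize(text: str) -> list:
    return [m.group(m.lastindex) for m in _TOKEN.finditer(text) if m.lastindex]


def _parse_block(tokens: list, pos: int) -> Tuple[dict, int]:
    """Parse entries up to the matching '}' (or end of input)."""
    block = {"settings": {}, "blocks": {}}   # blocks keyed by (type, name)
    while pos < len(tokens) and tokens[pos] != "}":
        head = tokens[pos]
        if tokens[pos + 1] == "=":                      # key = value;
            if tokens[pos + 3] != ";":
                raise ValueError(f"missing ';' after {head}")
            block["settings"][head] = tokens[pos + 2]
            pos += 4
        elif tokens[pos + 1] == "{":                    # type { ... }
            sub, pos = _parse_block(tokens, pos + 2)
            block["blocks"][(head, None)] = sub
        elif tokens[pos + 2] == "{":                    # type name { ... }
            name = tokens[pos + 1]
            sub, pos = _parse_block(tokens, pos + 3)
            block["blocks"][(head, name)] = sub
        else:
            raise ValueError(f"unexpected token after {head}")
    return block, pos + 1                               # step over '}'


def _find_setting(block: dict, key: str) -> Optional[str]:
    """Depth-first lookup of a setting; the shallowest match wins."""
    if key in block["settings"]:
        return block["settings"][key]
    for sub in block["blocks"].values():
        found = _find_setting(sub, key)
        if found is not None:
            return found
    return None


def _module_sections(block: dict) -> Iterator[Tuple[str, dict]]:
    """Yield (name, section) for every pkcs11_module block at any depth."""
    for (btype, name), sub in block["blocks"].items():
        if btype == "pkcs11_module" and name is not None:
            yield name, sub
        yield from _module_sections(sub)


def check_nss_dir(conf_text: str) -> dict:
    """Report the active module and the NSS database it will try to open."""
    root = _parse_block(_tokenize(conf_text), 0)[0]
    active = _find_setting(root, "use_pkcs11_module")
    sections = dict(_module_sections(root))
    if active not in sections:
        return {"module": active, "section_found": False,
                "explicit": False, "nss_dir": None}
    nss_dir = sections[active]["settings"].get("nss_dir")
    return {"module": active, "section_found": True,
            "explicit": nss_dir is not None,
            "nss_dir": DEFAULT_NSS_DIR if nss_dir is None else nss_dir}


def add_nss_dir(conf_text: str, module: str, nss_dir: str) -> str:
    """Insert 'nss_dir = ...;' as the first line of the named module section."""
    opener = re.compile(r"^([ \t]*)pkcs11_module[ \t]+" + re.escape(module)
                        + r"[ \t]*\{[ \t]*$", re.MULTILINE)
    match = opener.search(conf_text)
    if match is None:
        raise ValueError(f"no pkcs11_module {module} section")
    line = f"\n{match.group(1)}    nss_dir = {nss_dir};"
    return conf_text[:match.end()] + line + conf_text[match.end():]
```

Running check_nss_dir over the real /etc/pam_pkcs11/pam_pkcs11.conf before and after adding nss_dir shows whether the selected module will open the shared /etc/pki/nssdb or silently fall back.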

Re: eToken PRO 64k

Mr Dash Four
In reply to this post by Martin Paljak-2

>> (x86_64) to login with it without the need to type uid/password without
>> much success!
>>    
> AFAIK you will not succeed, as you will need to type/select at least
> the user, the "detect my user when I plug in my card" does not work
> [1]
>  
Could you elaborate please? I have succeeded insofar as recognising the
user/eToken card with both pkcs11_inspect and pklogin_finder.


>> Inserting token (openct and pcscd services running):
>>    
> Ideally you should not have two services, but as your token is not
> CCID/ICCD you need OpenCT. OK. You should remove only one.
>  
What do you mean?! If I remove/stop openct, pcscd won't run properly - I
tried this already; it does not work.


>> The above errors seems to be from the openct driver. After disabling it
>> in /etc/opensc.conf ("reader_drivers = pcsc, ctapi;" instead of
>> "reader_drivers = openct, pcsc, ctapi;") I get this:
>>    
>
> This should be filed as a bug report for OpenCT. Unfortunately I don't
> use/know OpenCT.
>
> So here the reader problem stops.
> 1) figure out why OpenCT is not working as expected (and then
> uninstall pcscd and only set openct as a reader driver in opensc.conf)
> 2) leave it as it is, remove ctapi and openct as reader drivers in opensc.conf
>  
Done option 2 as option 1 at present is not possible (don't know why it
does not recognise the driver).


>> Everything seems to be OK. Any ideas on what am I doing wrong?
>>    
> - Try to figure out what is wrong with OpenCT (but as the wrapper
> works, this is not critical)
> - Don't mix up Coolkey and OpenSC PKCS#11 modules. You probably only
> need one (the one that works with your token - OpenSC)
> - Don't mix up the location of the NSS database (where certificates
> are) - either use the system wide /etc/pki/nssdb or make sure you
> create a new database at the location you specify in pam_pkcs11
> configuration.
>  
1 - I don't have enough knowledge of OpenCT to know where to begin, so
I'll have to leave this for the time being, unfortunately.
2 - Will follow this recommendation as I don't need coolkey - it does
not work anyway.
3 - This is caused by an absent option in the "opensc" section of the
default pam_pkcs11.conf file supplied with the distribution - see my
previous post to Ludovic. Perhaps you could fix this and add the relevant
option, as this is the way it should have been done in the first place!


I have another - bigger - problem though:

When I try to configure "/etc/pam.d/login" and "/etc/pam.d/gdm" to log in
with my smart card (via the console and gtk/gdm) I can't make it work.

I have tried two variants:

1) Inserting "auth sufficient pam_pkcs11.so" in /etc/pam.d/login and
then trying to log in from the console (Alt-F2/F3 etc) - I don't get
anywhere!
2) Inserting "auth [success=done authinfo_unavail=ignore ignore=ignore
default=die] pam_pkcs11.so" in /etc/pam.d/login and then trying to log in
from the console (Alt-F2/F3 etc), I get this:

=syslog=======================
Oct 15 00:18:51 test1 login: FAILED LOGIN SESSION FROM (null) FOR zeek,
Module is unknown
Oct 15 00:18:53 test1 login: PAM unable to
dlopen(/lib64/security/pam_pkcs11.so): /lib64/security/pam_pkcs11.so:
undefined symbol: get_slot_login_required
Oct 15 00:18:53 test1 login: PAM adding faulty module:
/lib64/security/pam_pkcs11.so
Oct 15 00:18:53 test1 login: PAM unable to
dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so:
cannot open shared object file: No such file or directory
Oct 15 00:18:53 test1 login: PAM adding faulty module:
/lib64/security/pam_fprintd.so
=============================

From this I can see two problems:

1. pam_fprintd.so relates to another set of packages/dependencies
(libfprint-0.2.0-1.fc13.x86_64, fprintd-0.2.0-1.fc13.x86_64 and
fprintd-pam-0.2.0-1.fc13.x86_64) which are not picked up and specified
as required when installing pam_pkcs11, so I presume this is a bug
developers should be aware of (hence including this entire post in the
opensc-devel list).

2. /lib64/security/pam_pkcs11.so: undefined symbol:
get_slot_login_required seems to be related to a long-standing bug (Bug
#597501) carried from FC12 and, from what I gather, is still NOT fixed.
Older versions of pam_pkcs11 (0.5.3-29) seem to work, though I have not
yet tried this route.

What I did next was to install the 3 failed dependencies
(libfprint-0.2.0-1.fc13.x86_64, fprintd-0.2.0-1.fc13.x86_64 and
fprintd-pam-0.2.0-1.fc13.x86_64), and when I tried to log in again (both
by hitting space - " " - and pressing Enter, and by typing my user
name) I only got the second error above:

=syslog=======================
Oct 15 00:29:48 test1 login: FAILED LOGIN SESSION FROM (null) FOR  ,
Module is unknown
Oct 15 00:29:49 test1 login: PAM unable to
dlopen(/lib64/security/pam_pkcs11.so): /lib64/security/pam_pkcs11.so:
undefined symbol: get_slot_login_required
Oct 15 00:29:49 test1 login: PAM adding faulty module:
/lib64/security/pam_pkcs11.so
=============================

Next, I tried to download, compile and install the latest version -
pam_pkcs11-0.6.3 (downloaded
http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.3.tar.gz).
I successfully ran "./configure":


=============================
PAM-PKCS#11 has been configured with the following options

Version:             0.6.3
User binaries:       /usr/bin
Configuration files: /etc

Host:                x86_64-unknown-linux-gnu
Compiler:            gcc
Compiler flags:      -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
Preprocessor flags:
Linker flags:      
Libraries:           -lpam

Debugging:           yes
DocBook support:     yes
PC/SC support:       yes
CURL support:        no
LDAP support:        no
NSS support:         yes
OPENSSL support:     no
confdir:             /etc/pam_pkcs11
=============================

Though during "make" I've got this:

=============================
make[4]: Entering directory
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/common'
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I.
-I../..  -I/usr/include/nss3 -I/usr/include/nspr4  -DHAVE_NSS   -O2 -g
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -O0 -ggdb3 -c -o
libcommon_la-algorithm.lo `test -f 'algorithm.c' || echo './'`algorithm.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../.. -I/usr/include/nss3
-I/usr/include/nspr4 -DHAVE_NSS -O2 -g -pipe -Wall
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector
--param=ssp-buffer-size=4 -m64 -mtune=generic -O0 -ggdb3 -c algorithm.c  
-fPIC -DPIC -o .libs/libcommon_la-algorithm.o
algorithm.c:54: error: conflicting types for 'Alg_get_digest_by_name'
./alg_st.h:50: note: previous declaration of 'Alg_get_digest_by_name'
was here
algorithm.c: In function 'Alg_get_digest_by_name':
algorithm.c:56: warning: return discards qualifiers from pointer target type
make[4]: *** [libcommon_la-algorithm.lo] Error 1
make[4]: Leaving directory
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/common'
Making all in rsaref
make[4]: Entering directory
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/common/rsaref'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/common/rsaref'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/common'

[...]

libtool: link: cannot find the library `../common/libcommon.la' or
unhandled argument `../common/libcommon.la'
make[3]: *** [libmappers.la] Error 1
make[3]: Leaving directory
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/mappers'

[...]

make[3]: *** No rule to make target `../common/libcommon.la', needed by
`card_eventmgr'.  Stop.
make[3]: Leaving directory
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/tools'
make[3]: Entering directory `/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src'
make[3]: Nothing to be done for `all-am'.
make[3]: Leaving directory `/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src'
Making all in tools
make[2]: Entering directory
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/tools'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/tools'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3'
make: *** [all] Error 2
=============================

So, in other words pam_pkcs11-0.6.3 will NOT COMPILE! Any ideas?

Re: eToken PRO 64k

Ludovic Rousseau
In reply to this post by Mr Dash Four
2010/10/15 Mr Dash Four <[hidden email]>:

>
>>> Everything seems to be OK. Any ideas on what am I doing wrong?
>>>
>>
>> You are using  /etc/pam_pkcs11/nssdb in pam_pkcs11 but /etc/pki/nssdb
>> in the test code. Is that normal
>
> Well spotted!
>
> That is exactly what the problem was.

Great!

> Unfortunately, the supplied
> pam_pkcs11.conf with the pam_pkcs11 package includes
> "nss_dir=/etc/pki/nssdb" in the CoolKey section, but this statement is
> MISSING from the opensc section, hence why these two commands
> (pkcs11_inspect and pklogin_finder) seek the 'default' directory in
> /etc/pam_pkcs11/nssdb which triggers the error.

The "official" sample pam_pkcs11.conf [1] does not contain a CoolKey section.
I suggest you report a bug against the pam_pkcs11 package in Fedora.

Bye

[1] https://www.opensc-project.org/pam_pkcs11/browser/trunk/etc/pam_pkcs11.conf.example.in

--
 Dr. Ludovic Rousseau
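The misconfiguration settled above (the active pkcs11_module stanza has no nss_dir, so pkcs11_inspect and pklogin_finder go looking in the default directory) is easy to catch before a login attempt. The script below is an added example written for this page; it is not from the thread, from pam_pkcs11 or from Fedora. It assumes the Fedora-style pam_pkcs11.conf layout described in the thread (a use_pkcs11_module selector plus one `pkcs11_module <name> { ... }` stanza per PKCS#11 library); the sample configuration and the paths inside it are constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam_pkcs11 itself. It checks
# that the pkcs11_module stanza named by use_pkcs11_module carries an nss_dir
# and that the directory actually holds an NSS database. Config layout follows
# the Fedora-style pam_pkcs11.conf the poster describes; the sample file and
# the paths in it are constructed for the demo.

# Print "<module> <nss_dir>" for the stanza selected by use_pkcs11_module,
# "<module> MISSING" when that stanza has no nss_dir, "<module> NO_STANZA"
# when no stanza of that name exists, or NO_MODULE_SELECTED.
selected_nss_dir() {
  awk '
    { sub(/#.*/, "") }                            # strip comments
    /use_pkcs11_module[ \t]*=/ {                  # which stanza is active
      v = $0; sub(/.*=[ \t]*/, "", v); sub(/[ \t;]*$/, "", v); want = v
    }
    /pkcs11_module[ \t]+[A-Za-z0-9_]+[ \t]*\{/ {  # a stanza opens
      n = $0; sub(/.*pkcs11_module[ \t]+/, "", n); sub(/[ \t]*\{.*/, "", n)
      cur = n; seen[cur] = 1; nss[cur] = ""
    }
    cur != "" && /nss_dir[ \t]*=/ {               # nss_dir inside the stanza
      v = $0; sub(/.*=[ \t]*/, "", v); sub(/[ \t;]*$/, "", v); nss[cur] = v
    }
    cur != "" && /^[ \t]*\}/ { cur = "" }         # the stanza closes
    END {
      if (want == "")      { print "NO_MODULE_SELECTED"; exit }
      if (!(want in seen)) { print want " NO_STANZA"; exit }
      print want " " (nss[want] == "" ? "MISSING" : nss[want])
    }' "$1"
}

# True when DIR holds an NSS database (cert8.db legacy dbm, cert9.db sqlite).
nss_db_present() {
  [ -f "$1/cert8.db" ] || [ -f "$1/cert9.db" ]
}

# Constructed sample: nss_dir present in the coolkey stanza but absent from
# the opensc one, which is the active module, the exact gap the poster hit.
write_sample_conf() {
  cat > "$1" <<'EOF'
pam_pkcs11 {
  nullok = false;
  debug = true;
  use_pkcs11_module = opensc;   # active stanza

  pkcs11_module coolkey {
    module = libcoolkeypk11.so;
    nss_dir = /etc/pki/nssdb;
    cert_policy = ca,signature;
  }

  pkcs11_module opensc {
    module = /usr/lib64/opensc-pkcs11.so;
    slot_num = 0;
    cert_policy = ca,signature;
  }
}
EOF
}

# Verdict for a config file: 0 = usable nss_dir, 1 = no nss_dir in the
# selected stanza, 2 = nss_dir set but no database files in it.
audit_conf() {
  res=$(selected_nss_dir "$1")
  mod=${res%% *}; dir=${res#* }
  case "$dir" in
    "$res"|MISSING|NO_STANZA)
      echo "$mod: no usable nss_dir in the selected stanza"; return 1 ;;
  esac
  if nss_db_present "$dir"; then
    echo "$mod: nss_dir $dir holds an NSS database"; return 0
  fi
  echo "$mod: nss_dir $dir has no cert8.db/cert9.db"; return 2
}

conf=$(mktemp) && write_sample_conf "$conf"
audit_conf "$conf" || echo "(exit status $?)"
rm -f "$conf"
```

Run it against the real file with `audit_conf /etc/pam_pkcs11/pam_pkcs11.conf` after sourcing the script. The point of checking the database directory as well as the key is that nss_dir decides which certificate store pam_pkcs11 trusts for the card-to-user mapping, so a stanza that points at an empty or wrong directory fails in the same way as one with the key missing.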

Re: eToken PRO 64k

Mr Dash Four
In reply to this post by Mr Dash Four
OK, further to my previous post earlier, I have now made significant
progress.

For some strange reason the link I quoted in the previous post used to
download version 0.6.3 (even though the latest version is 0.6.4) and I
did not check the file itself as my own (Fedora-distributed) version was
0.6.2-2. When I had another crack later today and tried to download the
same file it downloaded the correct version (0.6.4).

I was able to create an rpm package using the 0.6.2-2 version .spec file
with the only change being the version number (0.6.2 -> 0.6.4) and the
revision (2 -> 0). After executing "rpmbuild -bb" everything compiled OK
without a problem and I had my rpm file ready. I was then able to
install the new version and tested it straight away with the console
login (Alt-F2) - SUCCESS! No errors whatsoever! I was asked for my card
PIN and then logged in to the console without problems.

I am still unable to make the graphical interface (gdm) login work
though. I am assuming that I have to change /etc/pam.d/gdm and add the
same line as I did with /etc/pam.d/login ("auth sufficient
pam_pkcs11.so"). Is that right?

Because when I do that it seems to be ignored completely - the Fedora
login window (which shows my full name and an icon, followed by another
option called 'Other') does not actually give me the opportunity to
'press space' - if I do that it is the same as if I have selected myself
and then I am prompted for my login password, not the card PIN.

When I select 'Other' I am presented with a text field to complete the
user login name (similar to the one on the text console) and when I
press space - " " - and then Enter I am asked for a password, not the
card PIN.

Am I missing something here? Is there a different file I need to edit
(not /etc/pam.d/gdm) or is there something else I should know?

On a separate note, the Smart card prompt syntax is incorrect! It shows
"Found the <Smart Card>." where in fact the proper syntax should be
"<Smart Card> found." I thought I should point this out so that it can
be amended/fixed.
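Whether the prompt asks for a card PIN, a password, or both is decided by the control flag on the pam_pkcs11 line and by what follows it in the "auth" stack, not by the display manager. The script below is an added example for this page (editor's code, not from the thread, pam_pkcs11 or gdm): it reads a PAM service file such as /etc/pam.d/login and reports the flag on the first pam_pkcs11 auth line and the first thing that runs after it. The sample stack it writes is constructed for the demo and is not copied from a real Fedora file.

```shell
#!/bin/sh
# Added example, not code from the thread or from pam_pkcs11/gdm. Reads a PAM
# service file and reports the control flag on the pam_pkcs11 "auth" line and
# what follows it, which decides whether the card PIN is an alternative to the
# password or replaces it. The sample stack is constructed for the demo.

# Print "<control-flag> <what follows>" for the first pam_pkcs11 auth line.
# "what follows" is password:<module>, include:<file>, substack:<file> or
# "nothing"; NO_PKCS11 is printed when the module is not in the auth stack.
pam_pkcs11_verdict() {
  awk '
    /^[ \t]*#/ || NF == 0 { next }      # comments and blank lines
    $1 != "auth"          { next }      # only the auth stack matters here
    {
      ctl = $2; mod = $3
      if (ctl ~ /^\[/) {                # bracketed [value=action ...] syntax
        for (i = 3; i <= NF; i++) { if ($(i-1) ~ /\]$/) { mod = $i; break } }
      }
      if (!found) {
        if (mod ~ /pam_pkcs11\.so/) { found = 1; flag = ctl }
        next
      }
      if (after != "") next             # only the first line after it
      if (ctl == "include" || ctl == "substack") after = ctl ":" mod
      else if (mod ~ /pam_(unix|sss|ldap|krb5)\.so/) after = "password:" mod
    }
    END {
      if (!found) { print "NO_PKCS11"; exit }
      print flag " " (after == "" ? "nothing" : after)
    }' "$1"
}

# Turn the verdict into what the user will experience at the prompt.
explain_stack() {
  v=$(pam_pkcs11_verdict "$1")
  case "$v" in
    NO_PKCS11)            echo "no pam_pkcs11 in the auth stack: password login only" ;;
    sufficient\ nothing)  echo "card PIN is the only configured auth path" ;;
    sufficient\ *)        echo "card PIN OR password: ${v#sufficient } still accepts a password" ;;
    required\ nothing|requisite\ nothing)
                          echo "card PIN is mandatory and nothing else is asked" ;;
    required\ *|requisite\ *)
                          echo "card PIN is mandatory; ${v#* } still runs after it" ;;
    *)                    echo "unhandled control flag: $v" ;;
  esac
}

# Constructed sample mirroring the change the poster made: pam_pkcs11 added as
# "sufficient" ahead of the distribution's password substack.
write_sample_login() {
  cat > "$1" <<'EOF'
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       sufficient   pam_pkcs11.so
auth       substack     system-auth
account    required     pam_nologin.so
session    required     pam_selinux.so close
EOF
}

f=$(mktemp) && write_sample_login "$f"
explain_stack "$f"
rm -f "$f"
```

With `sufficient` in front of the password substack a valid card PIN logs the user in, but a typed password still does too, so the token is a convenience login rather than a second factor; making both lines `required` (or dropping the password substack) is what turns it into card-only or two-factor authentication. The script stops at the first include or substack line and does not descend into it, so the referenced file has to be checked separately.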

Re: eToken PRO 64k

Ludovic Rousseau
2010/10/15 Mr Dash Four <[hidden email]>:

> OK, further to my previous post earlier, I have now made significant
> progress.
>
> For some strange reason the link I quoted in the previous post used to
> download version 0.6.3 (even though the latest version is 0.6.4) and I did
> not check the file itself as my own (Fedora-distributed) version was
> 0.6.2-2. When I had another crack later today and tried to download the same
> file it downloaded the correct version (0.6.4).
>
> I was able to create an rpm package using the 0.6.2-2 version .spec file with
> the only change being the version number (0.6.2 -> 0.6.4) and the revision
> (2 -> 0). After executing "rpmbuild -bb" everything compiled OK without a
> problem and I had my rpm file ready. I was then able to install the new
> version and tested it straight away with the console login (Alt-F2) -
> SUCCESS! No errors whatsoever! I was asked for my card PIN and then logged
> in to the console without problems.
>
> I am still unable to make the graphical interface (gdm) login work though. I
> am assuming that I have to change /etc/pam.d/gdm and add the same line as I
> did with /etc/pam.d/login ("auth sufficient pam_pkcs11.so"). Is that right?
>
> Because when I do that it seems to be ignored completely - the Fedora login
> window (which shows my full name and an icon, followed by another option
> called 'Other') does not actually give me the opportunity to 'press space' -
> if I do that it is the same as if I have selected myself and then I am
> prompted for my login password, not the card PIN.
>
> When I select 'Other' I am presented with a text field to complete the user
> login name (similar to the one on the text console) and when I press space -
> " " - and then Enter I am asked for a password, not the card PIN.
>
> Am I missing something here? Is there a different file I need to edit (not
> /etc/pam.d/gdm) or is there something else I should know?

No idea. I do not use Fedora.
At least the problem with pam_pkcs11 is now solved :-)

> On a separate note, the Smart card prompt syntax is incorrect! It shows
> "Found the <Smart Card>." where in fact the proper syntax should be "<Smart
> Card> found." I thought I should point this out so that it can be
> amended/fixed.

Fixed in revision 454.
Thanks

--
 Dr. Ludovic Rousseau

Re: eToken PRO 64k

Mr Dash Four

>> Am I missing something here? Is there a different file I need to edit (not
>> /etc/pam.d/gdm) or is there something else I should know?
>>    
>
> No idea. I do not use Fedora.
> At least the problem with pam_pkcs11 is now solved :-)
>  
This is proving to be a VERY frustrating exercise indeed!

It turned out that I needed to install an additional package -
gdm-plugin-smartcard, but that proved to be more buggy than a 6-month
old French cheese!

The problem lies with gdm-smartcard-worker (part of that package above)
and the fact that it 'defaults' to using the bloody coolkey library
(which, as you know, does NOT work with my token) and there is NO way I
can fix that (it is hard-coded, would you believe!). Compiling from
source is also not an option as I would have to install zillions
of additional packages I do not really need.

Anyway, I just subscribed to the gdm-list so hopefully will get some
help there!

>> On a separate note, the Smart card prompt syntax is incorrect! It shows
>> "Found the <Smart Card>." where in fact the proper syntax should be "<Smart
>> Card> found." I thought I should point this out so that it can be
>> amended/fixed.
>>    
>
> Fixed in revision 454.
>  
Minor problem, but a nuisance nevertheless.
