On Fri, Nov 9, 2018 at 9:29 AM Sumit Bose via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users wrote:
> hi,
>
> trying to get smart card authentication using a yubikey.
>
> I follow the
>
> $ opensc-tool --list-readers
> # Detected readers (pcsc)
> Nr.  Card  Features  Name
> 0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00
>
> I managed to import a key and certificate (generated by openssl):
>
> $ yubico-piv-tool -a status -v
> trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
> Action 'status' does not need authentication.
> Now processing for action 'status'.
> CHUID:    No data available
> CCC:    No data available
> Slot 9a:
>     Algorithm:    RSA2048
>     Subject DN:    O=UNIX.ASENJO.NL, CN=user50
>     Issuer DN:    O=UNIX.ASENJO.NL, CN=Certificate Authority
>     Fingerprint:
>  dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
>     Not Before:    Nov  8 22:40:02 2018 GMT
>     Not After:    Nov  8 22:40:02 2020 GMT
> PIN tries left:    3
>
> And this user50 has this certificate in ipa.
>
> My trouble starts when running this step on the client:
>
> # modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so
> -force
> ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11
> error."
>
> I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
> /usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
>
> So, basically, I'm stuck now :(, because without this piece opensc cannot
> work apparently.
>
> This is a fedora 29 host, by the way.
>
> Any clues?

Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if
p11-kit-proxy is installed? IIRC the idea with recent NSS setups is that
p11-kit-proxy is added by default to the NSS databases and the PKCS#11
modules only register with p11-kit.


It definitely does:
  2. p11-kit-proxy
    library name: p11-kit-proxy.so
       uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
     slots: 1 slot attached
    status: loaded

     slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
    token: user50
      uri: pkcs11:token=user50;manufacturer=piv_II;serial=00000000;model=PKCS%2315%20emulated

So what should I do to enable smartcard auth then? When I try logging in as this user in gdm, it never prompts me for a PIN.

I have
[pam]
pam_cert_auth = True

in /etc/sssd/sssd.conf


--
Groeten,
natxo
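As an added example (not part of the thread, not SSSD or p11-kit project code), a small POSIX shell check for the two things discussed above: that p11-kit-proxy is the module listed in the NSS database with the token attached, and that pam_cert_auth is set inside the [pam] section of sssd.conf rather than elsewhere in the file. The sample inputs are constructed after the listing and config shown in the thread; on a real host you would feed it the output of `modutil -dbdir /etc/pki/nssdb -list` and the contents of /etc/sssd/sssd.conf.

```shell
#!/bin/sh
# Added example: offline checks for a smart card setup where the token is
# visible through p11-kit-proxy but the PIN prompt never appears.

# Return 0 if the NSS module listing shows p11-kit-proxy as a loaded module.
nss_has_p11_kit_proxy() {
    printf '%s\n' "$1" | grep -q '^ *library name: p11-kit-proxy\.so'
}

# Print the token labels attached through the listed modules, one per line.
nss_token_labels() {
    printf '%s\n' "$1" | sed -n 's/^ *token: *//p'
}

# Return 0 only if pam_cert_auth = True sits inside the [pam] section;
# the same key in another section is silently ignored by sssd.
sssd_pam_cert_auth_enabled() {
    printf '%s\n' "$1" | awk '
        /^\[/ { in_pam = ($0 == "[pam]") }
        in_pam && /^[ \t]*pam_cert_auth[ \t]*=[ \t]*[Tt]rue[ \t]*$/ { found = 1 }
        END { if (found) exit 0; exit 1 }'
}

# Constructed samples modelled on the modutil listing and sssd.conf snippet.
SAMPLE_MODUTIL='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded
  2. p11-kit-proxy
    library name: p11-kit-proxy.so
     slots: 1 slot attached
    status: loaded
     slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
    token: user50'

SAMPLE_SSSD_OK='[domain/example.test]
id_provider = ipa
[pam]
pam_cert_auth = True'

SAMPLE_SSSD_WRONG_SECTION='[pam]
[domain/example.test]
pam_cert_auth = True'

if nss_has_p11_kit_proxy "$SAMPLE_MODUTIL"; then
    echo "p11-kit-proxy registered; tokens: $(nss_token_labels "$SAMPLE_MODUTIL" | tr '\n' ' ')"
fi
sssd_pam_cert_auth_enabled "$SAMPLE_SSSD_OK" && echo "pam_cert_auth enabled in [pam]"
sssd_pam_cert_auth_enabled "$SAMPLE_SSSD_WRONG_SECTION" || echo "pam_cert_auth set outside [pam]: ignored"
```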