On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users wrote:
hi,
trying to get smart card authentication using a yubikey.
I follow the
$ opensc-tool --list-readers
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
I managed to import a key and certificate (generated by openssl):
$ yubico-piv-tool -a status -v
trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
Action 'status' does not need authentication.
Now processing for action 'status'.
CHUID: No data available
CCC: No data available
Slot 9a:
Algorithm: RSA2048
Subject DN: O=UNIX.ASENJO.NL, CN=user50
Issuer DN: O=UNIX.ASENJO.NL, CN=Certificate Authority
Fingerprint: dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
Not Before: Nov 8 22:40:02 2018 GMT
Not After: Nov 8 22:40:02 2020 GMT
PIN tries left: 3
And this user50 has this certificate in ipa.
My trouble starts when running this step on the client:
# modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so -force
ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error."
I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
/usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
So, basically, I'm stuck now :(, because without this piece opensc cannot
work apparently.
This is a fedora 29 host, by the way.
Any clues?
Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if
p11-kit-proxy is installed? Iirc the idea with recent NSS setups is that
p11-kit-proxy is added by default to the NSS databases and the PKCS#11
modules only register with p11-kit.
HTH
bye,
Sumit
--
regards,
Natxo
--
Groeten,
natxo
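
The check suggested in the reply, as an added example that is not part of the original thread: it classifies `modutil -list` output by whether the database reaches tokens through p11-kit-proxy or through a directly added OpenSC module. The function names and the sample listing are constructed here, and the listing layout (a `library name:` line per module) is an assumption about modutil's output.

```shell
# Added example: classify how an NSS database reaches PKCS#11 modules,
# reading `modutil -list` text on stdin. Prints proxy, direct, both or none.
nss_pkcs11_route() {
    awk '
        /library name:/ {
            # The last field is the library file, with or without a full path.
            if ($NF ~ /p11-kit-proxy\.so$/)      proxy = 1
            else if ($NF ~ /opensc-pkcs11\.so$/) direct = 1
        }
        END {
            if (proxy && direct) print "both"
            else if (proxy)      print "proxy"
            else if (direct)     print "direct"
            else                 print "none"
        }'
}

# Constructed sample listing (not output from the poster's host; assumed layout).
sample_listing() {
    cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------
EOF
}

route=$(sample_listing | nss_pkcs11_route)
case "$route" in
    proxy)  echo "p11-kit-proxy is listed; OpenSC should be reached through p11-kit" ;;
    direct) echo "OpenSC is loaded directly; no p11-kit-proxy entry" ;;
    both)   echo "both p11-kit-proxy and a direct OpenSC entry are listed" ;;
    none)   echo "neither p11-kit-proxy nor OpenSC is listed" ;;
esac

# On a live client, feed the real listing instead of the sample:
#   modutil -dbdir /etc/pki/nssdb -list | nss_pkcs11_route
#   p11-kit list-modules   # shows whether OpenSC is registered with p11-kit
```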