Hello Folks!
We are working on getting smart card authentication working using pinpad card readers for improved security. To do this we use: the FreeIPA server is running on Fedora 32 with the latest updates, and FreeIPA is also configured as the Certificate Authority. The FreeIPA clients are Fedora 32 based with the latest updates and a connected USB card reader, a Gemalto C700 with pinpad; we use several individual SmartCard-HSM 4K per user with FreeIPA-signed certificates on them. The FreeIPA clients run OpenSC and are configured to use smartcard certificate-based authentication, set up per SmartCard-HSM best practice. Further, the clients are using SSSD and not PAM_PKCS#11.
Everything works great using the smartcard for authentication, as long as the pinpad is not enabled in OpenSC. If it is enabled, we are prompted for the PIN not only on the pinpad reader, but GDM also prompts you to enter the PIN on the keyboard. The expected result is to be logged in directly after entering the correct PIN code on the pinpad reader, not to be prompted by GDM to enter the PIN on the keyboard as well.
If enabling the pinpad, login gets a bit odd:
1. The Fedora 32 workstation GDM menu shows a few users that can log in.
2. The smartcard is inserted in the reader.
3. GDM blanks out the screen and the smartcard reader prompts to enter the PIN.
4. Enter the PIN on the smartcard reader, then press the OK button on the reader; the reader display shows "PIN OK".
5. GDM now prompts for entering the PIN on the keyboard. This is unexpected, instead of being logged in to the window manager, here GNOME or Xfce.
6. Any number can be entered, it does not matter, followed by hitting Enter.
7. The smartcard reader once again prompts for the PIN.
8. Enter the PIN on the smartcard pinpad reader, then press the pinpad OK button.
9. You are now logged in, and all is normal. If ripping out the smartcard from the reader, the screen locks, as expected.
What could this be? Has anyone seen this before, or does anyone know how to set it up?
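For readers who want to reproduce the setup above: the opensc.conf fragment below is an added illustration, not from the original post, and assumes that "enabling the pinpad in opensc" refers to the pcsc reader driver's `enable_pinpad` switch (an assumption about the poster's configuration; the surrounding block names are taken from the upstream opensc.conf layout).

```conf
# /etc/opensc.conf (added example, assumed layout)
app default {
    # Assumption: the pinpad is toggled in the pcsc reader driver block.
    reader_driver pcsc {
        # true  = PIN is entered on the reader's own keypad (secure PIN entry,
        #         the PIN never passes through the host keyboard or GDM);
        # false = the PIN is collected by the host and sent to the card.
        # The double prompt reported in this thread appears with "true".
        enable_pinpad = true;
    }

    framework pkcs15 {
        # Cache the on-card PKCS#15 objects so login does not re-read them.
        use_file_caching = true;
    }
}
```

After changing the file, restart the affected services (pcscd and sssd) and retest the login so that the change is actually picked up by the p11 helper that SSSD runs.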
On Fri, Oct 02, 2020 at 07:25:47PM -0000, Peter Steen via FreeIPA-users wrote:
Hi,
this is kind of expected, since until recently I didn't have a reader with a pinpad, so I wasn't able to test this setup properly. Would you mind opening a ticket on https://github.com/SSSD/sssd or https://bugzilla.redhat.com for the SSSD component to fix this?
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Hi Bose!
I will open a ticket. We tried with the Gemalto C700 reader, which has a pinpad; we are also waiting on an order from card contact with more readers of different brands to see if they behave the same way.
As a comment, if we go back to the old pam_pkcs#11, which we do not want to do, then it actually works, but then we hit another challenge: that thing is not able to download revoked certificates from IPA, and if we download them using curl or wget it still cannot read the revoked certificates.
Hello !
I opened a bugzilla so far, https://bugzilla.redhat.com/show_bug.cgi?id=1886841
Hello !
I opened a bugzilla ticket with all details:
On Mon, Oct 12, 2020 at 10:48:45AM -0000, Peter Steen via FreeIPA-users wrote:
Thanks, I've already seen it.
bye, Sumit
Hello !
We also tried Fedora 33; the same issue remains: you are asked to enter the PIN code on the pinpad reader, then asked again to enter it on the PC keyboard, and then once more asked to enter the PIN code on the pinpad reader, after which you are logged in.
We also tried a few other pinpad readers, the ACS APG8201 PINhandy and AGP-3201-B2 plus the Gemalto IdBridge CT710; they all behave the same way, with the same result.
Can we help solve this in some way? We have programming skills :-)
Thank you in advance!
(As a parenthesis, and this is not the way we want because it is the legacy way: using Linux dialects that still use the legacy pam_pkcs11 and not SSSD, here the latest Ubuntu and Debian, it works as expected, i.e. you are logged in directly after successfully entering the PIN code on the pinpad reader.)