1:02 a.m.
hi,
trying to get smart card authentication using a yubikey.
I follow the
$ opensc-tool --list-readers
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
I managed to import a key and certificate (generated by openssl):
$ yubico-piv-tool -a status -v
trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
Action 'status' does not need authentication.
Now processing for action 'status'.
CHUID: No data available
CCC: No data available
Slot 9a:
Algorithm: RSA2048
Subject DN: O=UNIX.ASENJO.NL, CN=user50
Issuer DN: O=UNIX.ASENJO.NL, CN=Certificate Authority
Fingerprint:
dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
Not Before: Nov 8 22:40:02 2018 GMT
Not After: Nov 8 22:40:02 2020 GMT
PIN tries left: 3
And this user50 has this certificate in ipa.
My trouble starts when running this step on the client:
# modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so
-force
ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11
error."
I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
/usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
So, basically, I'm stuck now :(, because without this piece opensc cannot
work apparently.
This is a fedora 29 host, by the way.
Any clues?
--
regards,
Natxo
--
Groeten,
natxo
1:38 a.m.
On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users wrote:
hi,
trying to get smart card authentication using a yubikey.
I follow the
$ opensc-tool --list-readers
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
I managed to import a key and certificate (generated by openssl):
$ yubico-piv-tool -a status -v
trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
Action 'status' does not need authentication.
Now processing for action 'status'.
CHUID: No data available
CCC: No data available
Slot 9a:
Algorithm: RSA2048
Subject DN: O=UNIX.ASENJO.NL, CN=user50
Issuer DN: O=UNIX.ASENJO.NL, CN=Certificate Authority
Fingerprint:
dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
Not Before: Nov 8 22:40:02 2018 GMT
Not After: Nov 8 22:40:02 2020 GMT
PIN tries left: 3
And this user50 has this certificate in ipa.
My trouble starts when running this step on the client:
# modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so
-force
ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11
error."
I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
/usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
So, basically, I'm stuck now :(, because without this piece opensc cannot
work apparently.
This is a fedora 29 host, by the way.
Any clues?
Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if
p11-kit-proxy is installed? Iirc the idea with recent NSS setups is that
p11-kit-proxy is added by default to the NSS databases and the PKCS#11
modules only register with p11-kit.
HTH
bye,
Sumit
--
regards,
Natxo
--
Groeten,
natxo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
3:56 a.m.
On Fri, Nov 9, 2018 at 9:29 AM Sumit Bose via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via
FreeIPA-users
wrote:
> hi,
>
> trying to get smart card authentication using a yubikey.
>
> I follow the
>
> $ opensc-tool --list-readers
> # Detected readers (pcsc)
> Nr. Card Features Name
> 0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
>
> I managed to import a key and certificate (generated by openssl):
>
> $ yubico-piv-tool -a status -v
> trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
> Action 'status' does not need authentication.
> Now processing for action 'status'.
> CHUID: No data available
> CCC: No data available
> Slot 9a:
> Algorithm: RSA2048
> Subject DN: O=UNIX.ASENJO.NL, CN=user50
> Issuer DN: O=UNIX.ASENJO.NL, CN=Certificate Authority
> Fingerprint:
> dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
> Not Before: Nov 8 22:40:02 2018 GMT
> Not After: Nov 8 22:40:02 2020 GMT
> PIN tries left: 3
>
> And this user50 has this certificate in ipa.
>
> My trouble starts when running this step on the client:
>
> # modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so
> -force
> ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS
#11
> error."
>
> I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
> /usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
>
> So, basically, I'm stuck now :(, because without this piece opensc cannot
> work apparently.
>
> This is a fedora 29 host, by the way.
>
> Any clues?
Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if
p11-kit-proxy is installed? Iirc the idea with recent NSS setups is that
p11-kit-proxy is added by default to the NSS databases and the PKCS#11
modules only register with p11-kit.
It definitely does:
2. p11-kit-proxy
library name: p11-kit-proxy.so
uri:
pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
slots: 1 slot attached
status: loaded
slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
token: user50
uri:
pkcs11:token=user50;manufacturer=piv_II;serial=00000000;model=PKCS%2315%20emulated
so what should I do to enable smartcard auth then? When I try logging in as
this user in gdm it never prompts me for a pin:
I have
[pam]
pam_cert_auth = True
in /etc/sssd/sssd.conf
--
Groeten,
natxo
5:01 a.m.
On Fri, Nov 09, 2018 at 10:56:31AM +0100, Natxo Asenjo via FreeIPA-users wrote:
On Fri, Nov 9, 2018 at 9:29 AM Sumit Bose via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users
> wrote:
> > hi,
> >
> > trying to get smart card authentication using a yubikey.
> >
> > I follow the
> >
> > $ opensc-tool --list-readers
> > # Detected readers (pcsc)
> > Nr. Card Features Name
> > 0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
> >
> > I managed to import a key and certificate (generated by openssl):
> >
> > $ yubico-piv-tool -a status -v
> > trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
> > Action 'status' does not need authentication.
> > Now processing for action 'status'.
> > CHUID: No data available
> > CCC: No data available
> > Slot 9a:
> > Algorithm: RSA2048
> > Subject DN: O=UNIX.ASENJO.NL, CN=user50
> > Issuer DN: O=UNIX.ASENJO.NL, CN=Certificate Authority
> > Fingerprint:
> > dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
> > Not Before: Nov 8 22:40:02 2018 GMT
> > Not After: Nov 8 22:40:02 2020 GMT
> > PIN tries left: 3
> >
> > And this user50 has this certificate in ipa.
> >
> > My trouble starts when running this step on the client:
> >
> > # modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile
opensc-pkcs11.so
> > -force
> > ERROR: Failed to add module "OpenSC". Probable cause : "Unknown
PKCS #11
> > error."
> >
> > I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
> > /usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
> >
> > So, basically, I'm stuck now :(, because without this piece opensc cannot
> > work apparently.
> >
> > This is a fedora 29 host, by the way.
> >
> > Any clues?
>
> Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if
> p11-kit-proxy is installed? Iirc the idea with recent NSS setups is that
> p11-kit-proxy is added by default to the NSS databases and the PKCS#11
> modules only register with p11-kit.
>
>
It definitely does:
2. p11-kit-proxy
library name: p11-kit-proxy.so
uri:
pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
slots: 1 slot attached
status: loaded
slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
token: user50
uri:
pkcs11:token=user50;manufacturer=piv_II;serial=00000000;model=PKCS%2315%20emulated
so what should I do to enable smartcard auth then? When I try logging in as
this user in gdm it never prompts me for a pin:
I have
[pam]
pam_cert_auth = True
in /etc/sssd/sssd.conf
I would suggest to first check if SSSD can see the certificate as well.
For this please call:
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
At the end you should see the base64 enoded certificate with some other
Smartcard details. If not the debug output might help to figure out why
the certificate was not found.
bye,
Sumit
--
Groeten,
natxo
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
6:05 a.m.
hi Sumit,
On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
I would suggest to first check if SSSD can see the certificate as well.
For this please call:
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
--pre
At the end you should see the base64 enoded certificate with some other
Smartcard details. If not the debug output might help to figure out why
the certificate was not found.
ok, it does not see anything:
$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
--pre
(Fri Nov 9 12:58:37:924551 2018) [[sssd[p11_child[6490]]]] [main]
(0x0400): p11_child started.
(Fri Nov 9 12:58:37:924597 2018) [[sssd[p11_child[6490]]]] [main]
(0x2000): Running in [pre-auth] mode.
(Fri Nov 9 12:58:37:924612 2018) [[sssd[p11_child[6490]]]] [main]
(0x2000): Running with effective IDs: [1000][1000].
(Fri Nov 9 12:58:37:924624 2018) [[sssd[p11_child[6490]]]] [main]
(0x2000): Running with real IDs [1000][1000].
(Fri Nov 9 12:58:37:925728 2018) [[sssd[p11_child[6490]]]]
[init_verification] (0x0040): X509_LOOKUP_load_file failed
[185090184][error:0B084088:x509 certificate
routines:X509_load_cert_crl_file:no certificate or crl found].
(Fri Nov 9 12:58:37:925742 2018) [[sssd[p11_child[6490]]]] [do_work]
(0x0040): init_verification failed.
(Fri Nov 9 12:58:37:925753 2018) [[sssd[p11_child[6490]]]] [main]
(0x0040): do_work failed.
(Fri Nov 9 12:58:37:925762 2018) [[sssd[p11_child[6490]]]] [main]
(0x0020): p11_child failed!
but certutil sees it ok, after entering the pin:
$ certutil -L -d /etc/pki/nssdb/ -h user10
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
Enter Password or Pin for "user10":
user10:Certificate for PIV Authentication u,u,u
6:26 a.m.
On Fri, Nov 09, 2018 at 01:05:19PM +0100, Natxo Asenjo via FreeIPA-users wrote:
hi Sumit,
On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
>
> I would suggest to first check if SSSD can see the certificate as well.
> For this please call:
>
> /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
> --pre
>
> At the end you should see the base64 enoded certificate with some other
> Smartcard details. If not the debug output might help to figure out why
> the certificate was not found.
ok, it does not see anything:
$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
--pre
Ah, sorry, I forgot you use F29. On F29 SSSD does not use NSS anymore. Please add your CA
certificates in PEM format to /etc/sssd/pki/sssd_auth_ca_db.pem and call
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --pre
again. Please check man sssd.conf and search for 'openssl' to see the
differences between the NSS and OpenSSL version.
HTH
bye,
Sumit
(Fri Nov 9 12:58:37:924551 2018) [[sssd[p11_child[6490]]]] [main]
(0x0400): p11_child started.
(Fri Nov 9 12:58:37:924597 2018) [[sssd[p11_child[6490]]]] [main]
(0x2000): Running in [pre-auth] mode.
(Fri Nov 9 12:58:37:924612 2018) [[sssd[p11_child[6490]]]] [main]
(0x2000): Running with effective IDs: [1000][1000].
(Fri Nov 9 12:58:37:924624 2018) [[sssd[p11_child[6490]]]] [main]
(0x2000): Running with real IDs [1000][1000].
(Fri Nov 9 12:58:37:925728 2018) [[sssd[p11_child[6490]]]]
[init_verification] (0x0040): X509_LOOKUP_load_file failed
[185090184][error:0B084088:x509 certificate
routines:X509_load_cert_crl_file:no certificate or crl found].
(Fri Nov 9 12:58:37:925742 2018) [[sssd[p11_child[6490]]]] [do_work]
(0x0040): init_verification failed.
(Fri Nov 9 12:58:37:925753 2018) [[sssd[p11_child[6490]]]] [main]
(0x0040): do_work failed.
(Fri Nov 9 12:58:37:925762 2018) [[sssd[p11_child[6490]]]] [main]
(0x0020): p11_child failed!
but certutil sees it ok, after entering the pin:
$ certutil -L -d /etc/pki/nssdb/ -h user10
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
Enter Password or Pin for "user10":
user10:Certificate for PIV Authentication u,u,u
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
7:31 a.m.
On Fri, Nov 9, 2018 at 2:18 PM Sumit Bose via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
On Fri, Nov 09, 2018 at 01:05:19PM +0100, Natxo Asenjo via
FreeIPA-users
wrote:
> hi Sumit,
>
>
> On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
> >
> > I would suggest to first check if SSSD can see the certificate as well.
> > For this please call:
> >
> > /usr/libexec/sssd/p11_child -d 10 --debug-fd=1
--nssdb=/etc/pki/nssdb
> > --pre
> >
> > At the end you should see the base64 enoded certificate with some other
> > Smartcard details. If not the debug output might help to figure out why
> > the certificate was not found.
>
>
>
> ok, it does not see anything:
> $ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb
> --pre
Ah, sorry, I forgot you use F29. On F29 SSSD does not use NSS anymore.
Please add your CA
certificates in PEM format to /etc/sssd/pki/sssd_auth_ca_db.pem and call
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1
--nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --pre
again. Please check man sssd.conf and search for 'openssl' to see the
differences between the NSS and OpenSSL version.
HTH
it did!
Thanks, working perfectly now, awesome.
--
regards,
Natxo
1987
days inactive
1987
days old
freeipa-users@lists.fedorahosted.org
6 comments
2 participants
participants (2)
-
Natxo Asenjo -
Sumit Bose