All,

On 12-02-11 00:30, Guy wrote:
> Robert, Lyall,
>
> On 11-02-11 19:11, Robert Relyea wrote:
>> On 02/10/2011 10:39 PM, Guy wrote:
>>> Bob,
>>>
>>> On 09-02-11 22:33, Robert Relyea wrote:
>>>> On 02/09/2011 12:33 PM, Guy wrote:
>>>>> Hi,
>>>>>
>>>>> I'm the one who started this thread but it got slightly derailed and biased towards gentoo. My systems are Opensuse 11.3 and Fedora14 and the problem I have is that I do not get prompted for the PIN when issuing either pkcs11_inspect or pkcs11_listcerts. I've never seen it work on either of these systems. Pcsc_scan works though, it never complains.
>>>> This seems to indicate a problem with the pkcs11 module (probably coolkey). Is the card you are using an actual CAC card, or one of ActiveCard's 'CAC-Like' (where they use the CAC applet, but issued through some other agency than DISA).
>>> It's not a card as such, it's a usb sim (appearance is that of a usb memory stick) so I guess it's CAC-Like. A lot of information can be found within this thread where Lyall and myself supply output of various commands. I'm not qualified enough to give you the answer right away I'm afraid.
>>>>> My Opensuse 11.3 bears all the latest pcsc-lite, opensc, coolkey, etc packages. The Fedora14 system is stock + all automatic updates. I run these 2 systems on a Dell Latitude D830 over the usb port (opensuse on a usb disk, fedora on a usb memory stick). I plugged the Fedora usb stick into my home tower pc, with an Asus mobo, but the results are the same, so it's not Dell specific. My home tower pc runs Opensuse 11.0 natively and there it just works fine, I'm asked for the PIN and when supplied I get the certificates listed. The coolkey package, version 1.1.0-79.1, dates from June 2008.
>>>> Thanks, this is helpful.
>>>> How many certs does your card have?
>>> There's only one cert on it (this is an excerpt from my old working Opensuse 11.0 distro):
>>>
>>> DEBUG:pkcs11_lib.c:47: PIN = [xxxxxxxx]
>>> DEBUG:pkcs11_lib.c:528: cert 0: found (Guy Zelck:CAC ID Certificate), "E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company"
>>> DEBUG:pkcs11_listcerts.c:112: Found '1' certificate(s)
>>> DEBUG:pkcs11_listcerts.c:117: Certificate #1:
>>> DEBUG:pkcs11_listcerts.c:119: - Subject: E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company
>>> DEBUG:pkcs11_listcerts.c:121: - Issuer: CN=Hewlett-Packard Primary Class 2 Certification Authority,O=Hewlett-Packard Company,C=US,OU=IT Infrastructure,O=hp.com
>>> DEBUG:pkcs11_listcerts.c:123: - Algorithm: PKCS #1 RSA Encryption
>>> DEBUG:cert_vfy.c:32: Verifying Cert: Guy Zelck:CAC ID Certificate (E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company)
>>> DEBUG:pkcs11_listcerts.c:147: releasing pkcs #11 module...
>>> DEBUG:pkcs11_listcerts.c:150: Process completed
>> OK, my guess is you are running into a bug in coolkey that expects 3 certs, not one. It was fixed at one point in time, but appears to have regressed. It would be good to add that info to the bug.
> First I discovered I made a silly typo in pam_pkcs11.conf in specifying the slot description: slot_description="Activekey Sim 00 00" when it should have been "Activkey Sim 00 00" (without the "e")! Once cleared the PIN prompt appeared 8-;
>
> But then, as Lyall pointed out, it was nearly impossible to get a successful login and the msg "no token available" still crept in the debug output. Then I recompiled coolkey without the CAC-1 patch and bingo, logging in was simple. Even with a better average than 1 in 2. I tested logging in on a hard-console (ctrl-alt-F2), with su and with kdm, it all works.
> Here's the output of pkcs11_inspect:
>
> # pkcs11_inspect debug
> DEBUG:pam_config.c:245: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
> DEBUG:pkcs11_lib.c:187: Initializing NSS ...
> DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pki/nssdb
> DEBUG:pkcs11_lib.c:215: ... NSS Complete
> DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
> DEBUG:pkcs11_lib.c:227: Looking up module in list
> DEBUG:pkcs11_lib.c:230: modList = 0x806c850 next = 0x807b720
> DEBUG:pkcs11_lib.c:231: dllName= <null>
> DEBUG:pkcs11_lib.c:230: modList = 0x807b720 next = 0x0
> DEBUG:pkcs11_lib.c:231: dllName= /usr/lib/libcoolkeypk11.so
> DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
> PIN for token:
> DEBUG:pkcs11_lib.c:760: cert 0: found (Guy Zelck:CAC ID Certificate), "E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company"
> DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
> DEBUG:mapper_mgr.c:73: Loading static module for mapper 'mail'
> DEBUG:mapper_mgr.c:196: Inserting mapper [mail] into list
> DEBUG:pkcs11_inspect.c:128: Found '1' certificate(s)
> DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
> DEBUG:cert_vfy.c:34: Verifying Cert: Guy Zelck:CAC ID Certificate (E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company)
> DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1
> Printing data for mapper mail: guy.zelck@xxxxxx
> DEBUG:mapper_mgr.c:213: unloading mapper module list
> DEBUG:mapper_mgr.c:137: calling mapper_module_end() mail
> DEBUG:mapper_mgr.c:148: Module mail is static: don't remove
> DEBUG:pkcs11_inspect.c:163: releasing pkcs #11 module...
> DEBUG:pkcs11_inspect.c:166: Process completed
>
> Who's going to file the bug? I have no idea where or how. Lyall, are you in for this?
The previous output came from my Opensuse 11.3 system. I just now finished trying things on the stock Fedora 14 and the results are fine once coolkey was recompiled without the CAC-1 patch:

[guy@gz ~]$ pkcs11_listcerts
PIN for token:
Found '1' certificate(s)
Certificate #1:
- Subject: E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company
- Issuer: CN=Hewlett-Packard Primary Class 2 Certification Authority,O=Hewlett-Packard Company,C=US,OU=IT Infrastructure,O=hp.com
- Algorithm: PKCS #1 RSA Encryption
[guy@gz ~]$ pkcs11_inspect
PIN for token:
Printing data for mapper mail: guy.zelck@xxxxxx
[guy@gz ~]$ pklogin_finder
PIN for token:
guy

Gtz,
Guy.

_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
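
The one-character slot_description typo reported in the message above is the kind of mismatch that is hard to spot by eye. As an added example (not part of the original post and not pam_pkcs11 or coolkey code), this Python script compares the configured value with the slot descriptions a reader reports and flags near-misses. The sample config layout, the reported-slot list and all function names are constructed for illustration, and it assumes the configured string has to match the reported one exactly.

```python
import difflib
import re

# Constructed sample config; the live value carries the extra "e" from the post.
SAMPLE_CONF = '''
pkcs11_module coolkey {
    module = /usr/lib/libcoolkeypk11.so;
    # slot_description = "commented-out value";
    slot_description = "Activekey Sim 00 00";
}
'''

# Slot descriptions as reported by the reader (constructed list; the value is
# the correct spelling quoted in the post).
REPORTED_SLOTS = ["Activkey Sim 00 00"]

SLOT_RE = re.compile(r'^\s*slot_description\s*=\s*"([^"]*)"', re.MULTILINE)


def configured_slot_descriptions(conf_text):
    """Return every slot_description value, skipping '#' comment lines."""
    live = "\n".join(line for line in conf_text.splitlines()
                     if not line.lstrip().startswith("#"))
    return SLOT_RE.findall(live)


def check_slot(configured, reported, cutoff=0.8):
    """Classify one configured value against the reported slot descriptions."""
    if configured in reported:
        return ("match", configured)
    # A high similarity score without equality points at a typo.
    near = difflib.get_close_matches(configured, reported, n=1, cutoff=cutoff)
    if near:
        return ("near-miss", near[0])
    return ("no-match", None)


def audit(conf_text, reported):
    """Return (configured value, status, suggested value) per config entry."""
    return [(value, *check_slot(value, reported))
            for value in configured_slot_descriptions(conf_text)]


if __name__ == "__main__":
    for value, status, suggestion in audit(SAMPLE_CONF, REPORTED_SLOTS):
        hint = f" (reader reports {suggestion!r})" if status == "near-miss" else ""
        print(f"{value!r}: {status}{hint}")
```
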