hi,
trying to get smart card authentication using a yubikey.
I follow the
$ opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Yubico Yubikey NEO OTP+U2F+CCID 00 00
I managed to import a key and certificate (generated by openssl):
$ yubico-piv-tool -a status -v
trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
Action 'status' does not need authentication.
Now processing for action 'status'.
CHUID:  No data available
CCC:    No data available
Slot 9a:
        Algorithm:      RSA2048
        Subject DN:     O=UNIX.ASENJO.NL, CN=user50
        Issuer DN:      O=UNIX.ASENJO.NL, CN=Certificate Authority
        Fingerprint:    dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
        Not Before:     Nov  8 22:40:02 2018 GMT
        Not After:      Nov  8 22:40:02 2020 GMT
PIN tries left: 3
And this user50 has this certificate in ipa.
My trouble starts when running this step on the client:
# modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so -force
ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error."
I have tried using full paths (/usr/lib64/opensc-pkcs11.so, /usr/lib64/pkcs11/opensc-pkcs11.so), all met with the same errors.
So, basically, I'm stuck now :(, because without this piece opensc cannot work apparently.
This is a fedora 29 host, by the way.
Any clues?
On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users wrote:
Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if p11-kit-proxy is installed? IIRC the idea with recent NSS setups is that p11-kit-proxy is added by default to the NSS databases and the PKCS#11 modules only register with p11-kit.
HTH
bye, Sumit
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On Fri, Nov 9, 2018 at 9:29 AM Sumit Bose via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if p11-kit-proxy is installed? Iirc the idea with recent NSS setups is that p11-kit-proxy is added by default to the NSS databases and the PKCS#11 modules only register with p11-kit.
It definitely does:

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
           uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
         slots: 1 slot attached
        status: loaded

         slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
        token: user50
          uri: pkcs11:token=user50;manufacturer=piv_II;serial=00000000;model=PKCS%2315%20emulated
so what should I do to enable smartcard auth then? When I try logging in as this user in gdm it never prompts me for a pin.

I have

[pam]
pam_cert_auth = True

in /etc/sssd/sssd.conf
-- Groeten, natxo
On Fri, Nov 09, 2018 at 10:56:31AM +0100, Natxo Asenjo via FreeIPA-users wrote:
I would suggest to first check if SSSD can see the certificate as well. For this please call:
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
At the end you should see the base64 encoded certificate with some other Smartcard details. If not, the debug output might help to figure out why the certificate was not found.
bye, Sumit
hi Sumit,
On Fri, Nov 9, 2018 at 12:53 PM Sumit Bose via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
ok, it does not see anything:

$ /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
(Fri Nov 9 12:58:37:924551 2018) [[sssd[p11_child[6490]]]] [main] (0x0400): p11_child started.
(Fri Nov 9 12:58:37:924597 2018) [[sssd[p11_child[6490]]]] [main] (0x2000): Running in [pre-auth] mode.
(Fri Nov 9 12:58:37:924612 2018) [[sssd[p11_child[6490]]]] [main] (0x2000): Running with effective IDs: [1000][1000].
(Fri Nov 9 12:58:37:924624 2018) [[sssd[p11_child[6490]]]] [main] (0x2000): Running with real IDs [1000][1000].
(Fri Nov 9 12:58:37:925728 2018) [[sssd[p11_child[6490]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
(Fri Nov 9 12:58:37:925742 2018) [[sssd[p11_child[6490]]]] [do_work] (0x0040): init_verification failed.
(Fri Nov 9 12:58:37:925753 2018) [[sssd[p11_child[6490]]]] [main] (0x0040): do_work failed.
(Fri Nov 9 12:58:37:925762 2018) [[sssd[p11_child[6490]]]] [main] (0x0020): p11_child failed!
but certutil sees it ok, after entering the pin:

$ certutil -L -d /etc/pki/nssdb/ -h user10

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Enter Password or Pin for "user10":
user10:Certificate for PIV Authentication                    u,u,u
On Fri, Nov 09, 2018 at 01:05:19PM +0100, Natxo Asenjo via FreeIPA-users wrote:
Ah, sorry, I forgot you use F29. On F29 SSSD does not use NSS anymore. Please add your CA certificates in PEM format to /etc/sssd/pki/sssd_auth_ca_db.pem and call
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/sssd/pki/sssd_auth_ca_db.pem --pre
again. Please check man sssd.conf and search for 'openssl' to see the differences between the NSS and OpenSSL version.
HTH
bye, Sumit
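Two checks that follow from Sumit's diagnosis, as an added example (not code from the thread, from SSSD or from FreeIPA): a parser for the p11_child debug lines Natxo posted, which picks out the first failure-level entry, and a check that a PEM CA bundle such as /etc/sssd/pki/sssd_auth_ca_db.pem actually contains decodable certificates. The failure-level threshold is taken from the debug_level table in sssd.conf(5); the PEM sample is constructed and its "certificate" is only a DER stand-in.

```python
import base64
import re

# Three p11_child lines quoted from the thread above, used as sample input.
SAMPLE_LOG = """\
(Fri Nov 9 12:58:37:924551 2018) [[sssd[p11_child[6490]]]] [main] (0x0400): p11_child started.
(Fri Nov 9 12:58:37:925728 2018) [[sssd[p11_child[6490]]]] [init_verification] (0x0040): X509_LOOKUP_load_file failed [185090184][error:0B084088:x509 certificate routines:X509_load_cert_crl_file:no certificate or crl found].
(Fri Nov 9 12:58:37:925762 2018) [[sssd[p11_child[6490]]]] [main] (0x0020): p11_child failed!
"""
# Constructed PEM bundle: a 5-byte DER SEQUENCE standing in for a CA cert, plus junk.
SAMPLE_PEM = """\
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
not base64!!
-----END CERTIFICATE-----
"""
LINE_RE = re.compile(r"^\((?P<ts>[^)]*)\) \[\[sssd\[p11_child\[(?P<pid>\d+)\]\]\]\] "
                     r"\[(?P<func>[^\]]+)\] \((?P<lvl>0x[0-9a-fA-F]+)\): (?P<msg>.*)$")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def parse_p11_child_log(text):
    """One dict per recognised debug line: ts, pid, func, level (int) and msg."""
    entries = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            d = m.groupdict()
            d["level"] = int(d.pop("lvl"), 16)
            entries.append(d)
    return entries

def first_failure(text):
    """First failure-level entry (SSSD debug levels 0x0010..0x0080), else None."""
    for e in parse_p11_child_log(text):
        if e["level"] <= 0x0080:
            return e
    return None

def pem_cert_count(pem_text):
    """Count PEM blocks whose body decodes to DER starting with a SEQUENCE tag (0x30);
    an empty or truncated sssd_auth_ca_db.pem yields 0, the state behind the error above."""
    n = 0
    for body in PEM_RE.findall(pem_text):
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            continue
        if der[:1] == b"\x30":
            n += 1
    return n
```

Run pem_cert_count over the real bundle before retrying p11_child; a count of 0 means the OpenSSL-based p11_child will fail in init_verification exactly as shown in the log.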
On Fri, Nov 9, 2018 at 2:18 PM Sumit Bose via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
it did!
Thanks, working perfectly now, awesome.