Hi,
I am trying to configure Smart Card authentication on CentOS7 using sssd version 2.2.2 (re-compiled from source, as the official repo for CentOS7 only has sssd 1.16.x, but we need the certmap features of sssd 2.x).
We use special smart card hardware (Gemalto PrimeID) which requires a custom library (provided to us by the vendor as RPM and DEB packages). The actual library gets installed to /usr/lib64/libeTPkcs11.so.
If I create a *.module file under either /usr/share/p11-kit/modules or /etc/pkcs11/modules pointing to /usr/lib64/libeTPkcs11.so, then the command 'p11tool --list-tokens' properly reads the smartCard and lists the tokens on it.
However, running 'p11_child --pre' (per various other threads from Sumit Bose) does not even list our custom library (the libeTPkcs11.so) in the Default Module List, so it fails to read the SmartCard. The only modules listed are '[NSS Internal PKCS #11 Module]' and '[CoolKey PKCS #11 Module]'.
Is there some command I need to run in order to register our custom SmartCard library with NSS or P11-kit such that sssd's p11_child knows how to use it? How does p11_child locate the available smartCard libraries?
Sorry to spam the mailing list, I just figured out my problem.
I was able to use the 'modutil' command to add my custom library into the nssdb at /etc/pki/nssdb/. Then p11_child was able to locate and use the library to read my Smart Cards.
Perhaps there is a smarter way to do this via the update-ca-trust command, but I am OK with just running modutil after installing our custom SmartCard library.
On Tue, Dec 03, 2019 at 10:57:55PM -0000, Jeff Thornsen wrote:
> Sorry to spam the mailing list, I just figured out my problem.
> I was able to use the 'modutil' command to add my custom library into the nssdb at /etc/pki/nssdb/. Then p11_child was able to locate and use the library to read my Smart Cards.
> Perhaps there is a smarter way to do this via the update-ca-trust command, but I am OK with just running modutil after installing our custom SmartCard library.
Hi,
using 'modutil' is the expected way to add a PKCS#11 module to an NSS database. There is a helper script 'pkcs11-switch' in the opensc package which makes it easy to switch between the two PKCS#11 modules provided by RHEL, coolkey and opensc. If you take a look at the script you will see that 'modutil' is used internally.
When SSSD is using p11-kit, e.g. on RHEL-8, you have to create a pkcs11.conf file to make p11-kit aware of your PKCS#11 module. See man pkcs11.conf and e.g. /usr/share/p11-kit/modules/opensc.module for details.
bye, Sumit
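As an added example (not code from the thread or from the sssd project), a small POSIX shell script that performs both registrations discussed above: the p11-kit .module file for p11tool, and the modutil entry in /etc/pki/nssdb that p11_child needs on CentOS 7. The library and database paths are the ones named in the thread; the module display name and the .module file name are my own choice.

```shell
#!/bin/sh
# Added example (not from the thread): make a vendor PKCS#11 library visible to
# both p11-kit consumers (p11tool) and NSS consumers (sssd's p11_child on
# RHEL/CentOS 7). Library path and NSS database path are the ones from the
# thread; the module display name and the .module file name are my own choice.
MODULE_LIB="/usr/lib64/libeTPkcs11.so"
MODULE_NAME="Gemalto eToken PKCS11"             # display name (constructed)
NSSDB_DIR="${NSSDB_DIR:-/etc/pki/nssdb}"
P11KIT_DIR="${P11KIT_DIR:-/etc/pkcs11/modules}"

# p11-kit side: write a .module file (format per man pkcs11.conf), print its path.
write_p11kit_module() {
    mkdir -p "$P11KIT_DIR"
    [ -f "$MODULE_LIB" ] || echo "warning: $MODULE_LIB not found" >&2
    printf 'module: %s\nmanaged: yes\n' "$MODULE_LIB" > "$P11KIT_DIR/etoken.module"
    echo "$P11KIT_DIR/etoken.module"
}

# NSS side: return 0 if the library is already in the database (idempotency check).
nss_module_registered() {
    modutil -dbdir "sql:$NSSDB_DIR" -rawlist 2>/dev/null | grep -qF "library=$MODULE_LIB"
}

# NSS side: add the module; -force suppresses modutil's interactive confirmation.
register_nss_module() {
    command -v modutil >/dev/null 2>&1 || { echo "modutil (nss-tools) missing" >&2; return 1; }
    if nss_module_registered; then
        echo "$MODULE_LIB already registered in $NSSDB_DIR"
        return 0
    fi
    modutil -dbdir "sql:$NSSDB_DIR" -add "$MODULE_NAME" -libfile "$MODULE_LIB" -force
}

# Only touch the system when explicitly asked, so the file can be sourced safely.
if [ "${1:-}" = "--apply" ]; then
    write_p11kit_module
    register_nss_module
    # Confirm the way the thread did: the library should now appear in both lists.
    modutil -dbdir "sql:$NSSDB_DIR" -list
    /usr/libexec/sssd/p11_child --pre
fi
```

Run it as root with `--apply` after installing the vendor RPM; re-running is harmless because the NSS step checks for an existing entry first.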
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...