On Fri, Nov 09, 2018 at 10:56:31AM +0100, Natxo Asenjo via FreeIPA-users wrote:
On Fri, Nov 9, 2018 at 9:29 AM Sumit Bose via FreeIPA-users <
freeipa-users(a)lists.fedorahosted.org> wrote:
> On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users
> wrote:
> > hi,
> >
> > trying to get smart card authentication using a yubikey.
> >
> > I follow the
> >
> > $ opensc-tool --list-readers
> > # Detected readers (pcsc)
> > Nr. Card Features Name
> > 0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
> >
> > I managed to import a key and certificate (generated by openssl):
> >
> > $ yubico-piv-tool -a status -v
> > trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
> > Action 'status' does not need authentication.
> > Now processing for action 'status'.
> > CHUID: No data available
> > CCC: No data available
> > Slot 9a:
> > Algorithm: RSA2048
> > Subject DN: O=UNIX.ASENJO.NL, CN=user50
> > Issuer DN: O=UNIX.ASENJO.NL, CN=Certificate Authority
> > Fingerprint:
> > dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
> > Not Before: Nov 8 22:40:02 2018 GMT
> > Not After: Nov 8 22:40:02 2020 GMT
> > PIN tries left: 3
> >
> > And this user50 has this certificate in ipa.
> >
> > My trouble starts when running this step on the client:
> >
> > # modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so -force
> > ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11 error."
> >
> > I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
> > /usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
> >
> > So, basically, I'm stuck now :(, because without this piece opensc cannot
> > work apparently.
> >
> > This is a fedora 29 host, by the way.
> >
> > Any clues?
>
> Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if
> p11-kit-proxy is installed? Iirc the idea with recent NSS setups is that
> p11-kit-proxy is added by default to the NSS databases and the PKCS#11
> modules only register with p11-kit.
>
>
It definitely does:

2. p11-kit-proxy
library name: p11-kit-proxy.so
uri: pkcs11:library-manufacturer=PKCS%2311%20Kit;library-description=PKCS%2311%20Kit%20Proxy%20Module;library-version=1.1
slots: 1 slot attached
status: loaded
slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
token: user50
uri: pkcs11:token=user50;manufacturer=piv_II;serial=00000000;model=PKCS%2315%20emulated

So what should I do to enable smartcard auth then? When I try logging in as
this user in gdm it never prompts me for a pin. I have

[pam]
pam_cert_auth = True

in /etc/sssd/sssd.conf.

I would suggest to first check if SSSD can see the certificate as well.
For this please call:
/usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb=/etc/pki/nssdb --pre
At the end you should see the base64 encoded certificate with some other
Smartcard details. If not, the debug output might help to figure out why
the certificate was not found.
bye,
Sumit
--
Groeten,
natxo
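A check script that follows Sumit's two diagnostics (is p11-kit-proxy registered in the NSS database, and does SSSD's p11_child return the certificate), added here as an example and not code from the thread or from SSSD/FreeIPA; the modutil sample is constructed from the listing above, and the base64-line heuristic for p11_child output is an assumption, not a documented format.

```shell
#!/bin/sh
# Constructed sample of 'modutil -dbdir /etc/pki/nssdb -list' output, modelled on
# the listing Natxo posted (not captured from a real host).
SAMPLE_MODUTIL='Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
  2. p11-kit-proxy
     library name: p11-kit-proxy.so
     slots: 1 slot attached
     status: loaded
     slot: Yubico Yubikey NEO OTP+U2F+CCID 00 00
     token: user50'
# Constructed stand-in for the tail of 'p11_child --pre' output: one long base64 line.
SAMPLE_P11_CHILD='token found
MIICMIICMIICMIICMIICMIICMIICMIICMIICMIICMIICMIICMIICMIICMIICMIIC'

# 0 if the NSS database listing on stdin registers p11-kit-proxy (the module
# through which OpenSC is expected to appear on recent NSS setups).
nss_has_p11_kit_proxy() { grep -q '^ *[0-9]*\. p11-kit-proxy$'; }

# Print every token label visible in the listing on stdin, one per line.
nss_tokens() { sed -n 's/^ *token: //p'; }

# 0 if the p11_child output on stdin contains a line that looks like a base64
# encoded certificate. Assumption: a long base64-only line, as Sumit describes;
# this is not a documented p11_child output format.
p11_child_found_cert() { grep -Eq '^[A-Za-z0-9+/]{40,}={0,2}$'; }

# Live check on a host: runs the real tools only when they exist, so it is a
# no-op on a machine without them. Returns 1 at the first failed step.
check_smartcard_stack() {
  db=${1:-/etc/pki/nssdb}
  if command -v modutil >/dev/null 2>&1; then
    modutil -dbdir "$db" -list | nss_has_p11_kit_proxy || {
      echo "p11-kit-proxy is not registered in $db"; return 1; }
    echo "tokens seen through NSS:"; modutil -dbdir "$db" -list | nss_tokens
  fi
  if command -v p11-kit >/dev/null 2>&1; then
    # OpenSC should be registered with p11-kit, not added to the NSS db directly.
    p11-kit list-modules | grep -qi opensc || {
      echo "OpenSC is not registered with p11-kit"; return 1; }
  fi
  if [ -x /usr/libexec/sssd/p11_child ]; then
    /usr/libexec/sssd/p11_child -d 10 --debug-fd=1 --nssdb="$db" --pre \
      | p11_child_found_cert || {
      echo "SSSD p11_child returned no certificate; read its debug output"; return 1; }
  fi
}
```

Run `check_smartcard_stack` on the client as root; each step stops with a message naming the layer (NSS, p11-kit, SSSD) at which the card disappears.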
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org