Re: [gdm-list] Cannot get /usr/local/lib/opensc-pkcs11.so to work with gdm-smartcard-worker.



Hi,

> I'm trying to use the opensc-pkcs11 module together with our smart-cards.
> I've successfully managed to use it together with pam_pkcs11; pkcs11_inspect
> and login work. (The login part works with gdm, but that's not the issue.)
Ah, I've never tried opensc with pam_pkcs11

> When I insert my card the first time (or if it's inserted when gdm starts) I
> successfully get asked for my PIN, which is what you would expect. However,
> if I remove my smart-card without typing my PIN I would assume that gdm
> detects this and throws me back to the initial login (where I can choose
> between smartcard & other); that's the part that doesn't work.
Okay, that should work if you're using the multi-stack branch (which
you must be if insertion is working...)


> I ran gdm-smart-card-worker from the terminal and attached the log file.
> You can see at the end of the log that gdm-smart-card-worker expects
> slot_id not to be 0, which it is in my case. I don't really know why (if that
> is normal or if my setup is wrong); I've also posted this on the opensc list
> to see if they have an idea.
Yeah, the slot id can't be 0.  Something must have gone awry.

> I added the code if (slot_id == 0) {slot_id = 1}; just to see how
> gdm-smart-card-worker reacted. It didn't die and actually reported that it
> detected each insert/removal; however, gdm didn't do anything different
> (throw me back to the "initial" login screen when the card is removed, etc.).
That's odd.

> I would really like to have this working. Earlier we used a module from our
> card vendor together with gdm (with a small hack I did myself to get it
> working); however, due to their negligent and incompetent support, I would
> like to use the opensc driver instead.
>
> I'm able to test any suggestions/patches or whatever that's necessary to get
> this working as expected.
>
> Two questions directly come to my mind:
> # 1, The smartcard driver using the spec 'library=/foo/' is configured at
> compile time, right? This should really be configurable at run time,
> shouldn't it? Not everyone is using the libcoolkeypk11.so that is used as
> the default, or am I wrong?
That's only a fallback.  Normally, the procedure is to register the
pkcs11 driver in the secmod database in /etc/pki/nssdb using
pk11install.  Packages should be doing this in their %post scripts.

Then the smartcard worker will automatically pick it up.

> # 2, Wouldn't it be a good idea to remove the smart-card patch (and others
> too) from the huge multistack patch? I'm no programmer so I don't know if
> there is a specific reason why it's like this, but I find it rather hard
> to work with; but again, maybe there is a reason for this.
Well, there's no good way to "upstream" the smartcard work cleanly
without a plugin system.  The multistack patch adds the plugin system.
We need to merge the multistack work to master, but it's not ready
yet.

It is a bit painful, but it's temporary.

> I don't really know if gdm-plugin-smartcard is a part of gdm or if that is
> something that's been added by Red Hat; however, I posted a bug about this on
> their bugzilla, https://bugzilla.redhat.com/show_bug.cgi?id=626744 .
Ah, are you using RHEL 6?

In your log I see this:

[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Instruction code not supported or invalid
[opensc-pkcs11] card.c:588:sc_get_challenge: returning with: Unsupported INS byte in APDU
[opensc-pkcs11] misc.c:80:sc_to_cryptoki_error: opensc error: Unsupported INS byte in APDU (-1204)
[opensc-pkcs11] pkcs11-object.c:237:C_FindObjectsInit: C_FindObjectsInit(slot = 1)
[opensc-pkcs11] pkcs11-object.c:238:C_FindObjectsInit: C_FindObjectsInit(): CKA_CLASS = 0xce534354
[opensc-pkcs11] pkcs11-object.c:267:C_FindObjectsInit: Object 1/1: Private object and not logged in.
[opensc-pkcs11] pkcs11-object.c:267:C_FindObjectsInit: Object 1/2: Private object and not logged in.
[opensc-pkcs11] pkcs11-object.c:267:C_FindObjectsInit: Object 1/5: Private object and not logged in.
[opensc-pkcs11] pkcs11-object.c:267:C_FindObjectsInit: Object 1/6: Private object and not logged in.

That problem could be what's leading to the chain of events that ends
in the smartcard worker crashing.

APDU is a protocol for talking to the smartcard.  The INS byte is an
instruction that combined with the CLA byte tells the smartcard what
to do.  It seems like the card is getting fed an instruction it
doesn't understand and from there things are going belly-up.

Do you know if the smartcard worker is crashing as soon as you insert
the card, or is it crashing right after you remove the card?

--Ray
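
To make the APDU explanation in the reply above concrete, here is an added example (my own illustration, not code from the thread, from gdm or from OpenSC). It builds ISO 7816-4 short command APDUs from their CLA/INS/P1/P2 bytes, splits response APDUs into data and the SW1SW2 status word, and sends a GET CHALLENGE (CLA 0x00, INS 0x84, the command sc_get_challenge issues) to a constructed in-memory card that does not implement that instruction, so the card answers with SW 0x6D00, the status OpenSC's iso7816_check_sw reports as "Instruction code not supported or invalid". The FakeCard class, its fixed PIN and retry counter are assumptions for illustration only; a real card is reached through a PC/SC or PKCS#11 library instead.

```python
"""ISO 7816-4 APDU helpers plus a constructed card that rejects GET CHALLENGE.
Added example; not code from gdm, OpenSC or the mailing-list thread."""
from typing import Dict, Optional, Tuple

# Subset of ISO 7816-4 status words (SW1 SW2). 0x6D00 is the status the
# OpenSC log line reports as "Instruction code not supported or invalid".
SW_TEXT: Dict[int, str] = {
    0x9000: "OK",
    0x6982: "Security status not satisfied",
    0x6983: "Authentication method blocked",
    0x6A82: "File or application not found",
    0x6D00: "Instruction code not supported or invalid",
    0x6E00: "Class not supported",
}

INS_VERIFY = 0x20          # ISO 7816-4 VERIFY
INS_GET_CHALLENGE = 0x84   # ISO 7816-4 GET CHALLENGE


def build_apdu(cla: int, ins: int, p1: int = 0, p2: int = 0,
               data: bytes = b"", le: Optional[int] = None) -> bytes:
    """Encode a short command APDU: CLA INS P1 P2 [Lc data] [Le].
    Le is the number of response bytes expected (256 is encoded as 0x00)."""
    if not (0 <= cla <= 0xFF and 0 <= ins <= 0xFF):
        raise ValueError("CLA and INS must be single bytes")
    if len(data) > 255:
        raise ValueError("short APDU carries at most 255 data bytes")
    apdu = bytes([cla, ins, p1 & 0xFF, p2 & 0xFF])
    if data:
        apdu += bytes([len(data)]) + data          # Lc + data field
    if le is not None:
        if not 0 <= le <= 256:
            raise ValueError("Le must be 0..256 for a short APDU")
        apdu += bytes([le & 0xFF])
    return apdu


def parse_response(raw: bytes) -> Tuple[bytes, int]:
    """Split a response APDU into (data, SW1SW2); the last two bytes are status."""
    if len(raw) < 2:
        raise ValueError("response APDU shorter than the two status bytes")
    return raw[:-2], (raw[-2] << 8) | raw[-1]


def describe_sw(sw: int) -> str:
    """Meaning of a status word, including the variable-value families."""
    if sw in SW_TEXT:
        return SW_TEXT[sw]
    hi, lo = sw >> 8, sw & 0xFF
    if hi == 0x61:
        return "OK, %d more response bytes available via GET RESPONSE" % lo
    if hi == 0x6C:
        return "Wrong Le; card expects Le=%d" % lo
    if hi == 0x63 and lo & 0xF0 == 0xC0:
        return "Verification failed, %d tries left" % (lo & 0x0F)
    return "Unknown status 0x%04X" % sw


class FakeCard:
    """Constructed card for this example (an assumption, not a real card):
    implements VERIFY with a fixed PIN, but no GET CHALLENGE, so that INS
    is answered with SW 6D00. Any non-zero CLA is answered with 6E00."""

    def __init__(self, pin: bytes = b"1234", tries: int = 3) -> None:
        self._pin, self._tries = pin, tries

    def transmit(self, apdu: bytes) -> bytes:
        cla, ins = apdu[0], apdu[1]
        if cla != 0x00:
            return bytes([0x6E, 0x00])
        if ins == INS_VERIFY:
            if self._tries == 0:
                return bytes([0x69, 0x83])
            lc = apdu[4]
            pin = apdu[5:5 + lc].rstrip(b"\xFF")   # strip 0xFF padding
            if pin == self._pin:
                return bytes([0x90, 0x00])
            self._tries -= 1
            return bytes([0x63, 0xC0 | self._tries])
        return bytes([0x6D, 0x00])                 # INS not supported


def get_challenge(card: FakeCard, length: int) -> Tuple[bytes, int, str]:
    """Ask the card for `length` random bytes; return (data, sw, meaning)."""
    raw = card.transmit(build_apdu(0x00, INS_GET_CHALLENGE, le=length))
    data, sw = parse_response(raw)
    return data, sw, describe_sw(sw)


def verify_pin(card: FakeCard, pin: bytes, ref: int = 0x80) -> Tuple[int, str]:
    """VERIFY against PIN reference `ref` (P2), padding the PIN to 8 bytes."""
    if len(pin) > 8:
        raise ValueError("PIN longer than the 8-byte block")
    raw = card.transmit(build_apdu(0x00, INS_VERIFY, 0x00, ref, pin.ljust(8, b"\xFF")))
    _, sw = parse_response(raw)
    return sw, describe_sw(sw)


if __name__ == "__main__":
    card = FakeCard()
    print(build_apdu(0x00, INS_GET_CHALLENGE, le=8).hex(), "->", get_challenge(card, 8)[2])
    print("VERIFY wrong PIN ->", verify_pin(card, b"0000")[1])
    print("VERIFY right PIN ->", verify_pin(card, b"1234")[1])
```

Run stand-alone, the script shows the five-byte GET CHALLENGE APDU (00 84 00 00 08) coming back with SW 6D00 while VERIFY on the same constructed card succeeds, which is the shape of the failure in the quoted log: the card rejects one instruction at the APDU layer and the PKCS#11 module turns that into an OpenSC error before C_FindObjectsInit runs.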

