[Pki-users] US Government SmartCard question

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Mon Apr 27 22:06:48 UTC 2015


Hi,

I'm trying to set up smart card logins on Linux using a clean Fedora 21 install following the instructions at [1]. My main objective is to use my USDA-issued LincPass (the USDA brand of the USAccess card) for login to local accounts on linux machines that are not joined to the domain and which are outside the firewall. Essentially, I have control over a handful of machines, but no control over issuing the smart cards.

I'll try to get you relevant debugging info, but I don't know much about smart card internals. My setup (card info from ActivClient on Windows):

Card Reader: SCR3310 v2.0 "smartOS powered"
Smart Card Mfr: Oberthur Technologies
Smart Card Model:  ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2

The problem: following instructions at [1], "pkcs11_inspect debug" results in "no token available" and the light on the reader never comes on. Googling, I saw that US government cards may require CACKey instead of coolkey, so I downloaded/compiled/installed the version at [2] and modified the pam_pkcs11.conf file. Reboot. Improvement. The light comes on. Repeating the "pkcs11_inspect debug" prompts for a PIN for token, and fails immediately afterward with "pkcs11_pass_login() failed: pkcs11_login() failed". I entered the PIN I enter on Windows.

Any insights are appreciated.

Thanks,
Bryce


[1] https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html
[2] https://github.com/Conservatory/CACKey
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150427/9d2fbdd9/attachment.htm>


More information about the Pki-users mailing list