[Pki-users] US Government SmartCard question

John Magne jmagne at redhat.com
Mon Apr 27 22:33:03 UTC 2015


The coolkey pkcs#11 module should provide enough functionality for smart card login with CAC cards.
I know there is plenty of code in the coolkey driver to handle CACs. Of course your particular card
could be some special case I'm not aware of.

There are a few things that could be wrong.

1. Check to make sure the "pcsc-lite" daemon is running.

2. There might be an issue with your reader. For instance, the ccid driver sometimes
needs to be configured to allow for readers that require a higher voltage, such as the Omnikey.


One thing to try with coolkey and your card and reader:

1. Kill pcscd as root.

2. Run it manually such that it throws log messages to the console:

/usr/sbin/pcscd -f -d -a

3. Insert the card and watch the logs for any suspicious messages which might provide a clue.

If the log says the card is being recognized, then we could possibly get some coolkey logs when
you attempt that pkcs11 command mentioned earlier.

thanks,
jack



----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
> To: pki-users at redhat.com
> Sent: Monday, April 27, 2015 3:06:48 PM
> Subject: [Pki-users] US Government SmartCard question
> 
> 
> 
> Hi,
> 
> 
> 
> I’m trying to set up smart card logins on Linux using a clean Fedora 21
> install following the instructions at [1]. My main objective is to use my
> USDA-issued LincPass (the USDA brand of the USAccess card) for login to
> local accounts on Linux machines that are not joined to the domain and which
> are outside the firewall. Essentially, I have control over a handful of
> machines, but no control over issuing the smart cards.
> 
> 
> 
> I’ll try to get you relevant debugging info, but I don’t know much about
> smart card internals. My setup (card info from ActivClient on Windows):
> 
> 
> 
> Card Reader: SCR3310 v2.0 “smartOS powered”
> 
> Smart Card Mfr: Oberthur Technologies
> 
> Smart Card Model: ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2
> 
> 
> 
> The problem: following instructions at [1], “pkcs11_inspect debug” results in
> “no token available” and the light on the reader never comes on. Googling, I
> saw that US government cards may require CACKey instead of coolkey, so I
> downloaded/compiled/installed the version at [2] and modified the
> pam_pkcs11.conf file. Reboot. Improvement. The light comes on. Repeating the
> “pkcs11_inspect debug” prompts for a PIN for token, and fails immediately
> afterward with “pkcs11_pass_login() failed: pkcs11_login() failed”. I
> entered the PIN I enter on Windows.
> 
> 
> 
> Any insights are appreciated.
> 
> 
> 
> Thanks,
> 
> Bryce
> 
> 
> 
> 
> 
> [1]
> https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html
> 
> [2] https://github.com/Conservatory/CACKey
> 