[Pki-users] US Government SmartCard question

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Thu Apr 30 22:22:50 UTC 2015


Hi Jack, thanks for the reply! 

AFAIK, my card is the same as all other cards issued by USDA, and I suspect the same as all other cards issued by the US Government. It's not a test card or anything.

I killed pcscd and ran it on the command line to capture logs (attached). I didn't see anything which set off red flags for me. It looks like it's detecting card insertion and removal events.  I'm including the output of "pkcs11_inspect debug", run both as my user account and as root via sudo. All of this was done with coolkey. The cackey module in /etc/pam_pkcs11/pam_pkcs11.conf was commented out. The only real difference between now and previously is that now the light comes on. (Still fails with no token available, tho.)

I'm just not seeing anything that points me at a solution. Hope you can intuit more from this.

Bryce

> -----Original Message-----
> From: John Magne [mailto:jmagne at redhat.com]
> Sent: Monday, April 27, 2015 4:33 PM
> To: Nordgren, Bryce L -FS
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] US Government SmartCard question
> 
> The coolkey pkcs#11 module should provide enough functionality for smart
> card login with CAC cards.
> I know there is plenty of code in the coolkey driver to handle CACs. Of course
> your particular card could be some special case I'm not aware of.
> 
> There are a few things that could be wrong.
> 
> 1. Check to make sure the "pcsc-lite" daemon is running.
> 
> 2. There might be an issue with your reader. For instance the ccid driver
> sometimes needs to be configured to allow for readers that require a higher
> voltage such as the omnikey.
> 
> 
> One thing to try, with coolkey and your card and reader.
> 
> 1. Kill pcscd as root.
> 
> 2. Run it manually such that it throws log messages to the console:
> 
> /usr/sbin/pcscd -f -d -a
> 
> 3. Insert the card, watch the logs for any suspicious messages which might
> provide a clue.
> 
> If the log says the card is being recognized, then we could possibly get some
> coolkey logs when you attempt that pkcs11 command mentioned earlier.
> 
> thanks,
> jack
> 
> 
> 
> ----- Original Message -----
> > From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
> > To: pki-users at redhat.com
> > Sent: Monday, April 27, 2015 3:06:48 PM
> > Subject: [Pki-users] US Government SmartCard question
> >
> >
> >
> > Hi,
> >
> >
> >
> > I’m trying to set up smart card logins on Linux using a clean Fedora
> > 21 install following the instructions at [1]. My main objective is to
> > use my USDA-issued LincPass (the USDA brand of the USAccess card) for
> > login to local accounts on linux machines that are not joined to the
> > domain and which are outside the firewall. Essentially, I have control
> > over a handful of machines, but no control over issuing the smart cards.
> >
> >
> >
> > I’ll try to get you relevant debugging info, but I don’t know much
> > about smart card internals. My setup (card info from ActivClient on
> > Windows):
> >
> >
> >
> > Card Reader: SCR3310 v2.0 “smartOS powered”
> >
> > Smart Card Mfr: Oberthur Technologies
> >
> > Smart Card Model: ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2
> >
> >
> >
> > The problem: following instructions at [1], “pkcs11_inspect debug”
> > results in “no token available” and the light on the reader never
> > comes on. Googling, I saw that US government cards may require CACKey
> > instead of coolkey, so I downloaded/compiled/installed the version at
> > [2] and modified the pam_pkcs11.conf file. Reboot. Improvement. The
> > light comes on. Repeating the “pkcs11_inspect debug” prompts for a PIN
> > for token, and fails immediately afterward with “pkcs11_pass_login()
> > failed: pkcs11_login() failed”. I entered the PIN I enter on Windows.
> >
> >
> >
> > Any insights are appreciated.
> >
> >
> >
> > Thanks,
> >
> > Bryce
> >
> >
> >
> >
> >
> > [1] https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html
> >
> > [2] https://github.com/Conservatory/CACKey
> >
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pcscd.log
Type: application/octet-stream
Size: 14682 bytes
Desc: pcscd.log
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150430/4a2655ad/attachment.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pkcs11_debug.log
Type: application/octet-stream
Size: 1399 bytes
Desc: pkcs11_debug.log
URL: <http://listman.redhat.com/archives/pki-users/attachments/20150430/4a2655ad/attachment-0001.obj>

