[Pki-users] US Government SmartCard question

John Magne jmagne at redhat.com
Fri May 1 01:27:25 UTC 2015


Thanks for the logs Brian:

It might help us to see what coolkey itself is doing (if anything) when you insert the card.


In the same window in which you are running pkcs11_inspect, run this:

export COOL_KEY_LOG_FILE=/tmp/fileName


Hopefully coolkey will write some useful stuff for us there to diagnose.


thanks,
jack
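A small wrapper around the diagnostic steps suggested in this thread (run pcscd in the foreground with `-f -d -a`, point coolkey at a log file with `COOL_KEY_LOG_FILE`, re-run `pkcs11_inspect debug`), added here as an example and not code from the list or from the coolkey/pcsc-lite projects. The tool names and the two error strings ("no token available", "pkcs11_login() failed") are taken from the thread; the function names, the `/tmp` log paths, the `SMARTCARD_DIAG` switch and the triage labels are assumptions. The triage function separates the two failure modes Bryce reports: a token that the PKCS#11 module never sees (a PC/SC, reader or ccid problem) versus a token that is seen but rejects the login (module/applet pairing or PIN).

```shell
#!/bin/sh
# Added example, not code from the thread: triage helper for the pcscd /
# coolkey / pkcs11_inspect diagnostic steps described on the list.
# Tool names and error strings come from the thread; function names,
# /tmp paths and the SMARTCARD_DIAG switch are assumptions.

# Classify pkcs11_inspect output (read from stdin) by the layer most likely
# at fault. Prints exactly one label:
#   pcsc-layer        "no token available": the module never saw a token,
#                     so check pcscd, the reader and the ccid driver first.
#   login-layer       "pkcs11_login() failed": a token was found but the
#                     login was rejected, so suspect module/applet/PIN.
#   no-known-failure  neither string appeared.
triage_pkcs11_output() {
    out=$(cat)   # read stdin once; a second grep on stdin would see nothing
    case "$out" in
        *"no token available"*)    echo pcsc-layer ;;
        *"pkcs11_login() failed"*) echo login-layer ;;
        *)                         echo no-known-failure ;;
    esac
}

# Step 1 of the checklist in the thread: is the pcsc-lite daemon running?
pcscd_running() {
    pgrep -x pcscd >/dev/null 2>&1
}

# Capture pcscd's debug trace and coolkey's own log while pkcs11_inspect
# runs, then triage the result. Needs root to restart pcscd; the log paths
# below are assumed, not mandated by either tool.
run_diagnostics() {
    pcsc_log=/tmp/pcscd-debug.log
    cool_log=/tmp/coolkey-debug.log
    inspect_out=/tmp/pkcs11_inspect.out

    pkill -x pcscd 2>/dev/null || true
    # -f foreground, -d debug output, -a log APDUs (the flags from the thread)
    /usr/sbin/pcscd -f -d -a >"$pcsc_log" 2>&1 &
    pcscd_pid=$!
    sleep 2

    printf 'Insert the card now, then press Enter: '
    read -r _

    # COOL_KEY_LOG_FILE is the variable the thread says coolkey honours
    COOL_KEY_LOG_FILE="$cool_log" pkcs11_inspect debug >"$inspect_out" 2>&1 || true
    verdict=$(triage_pkcs11_output <"$inspect_out")

    kill "$pcscd_pid" 2>/dev/null
    echo "pkcs11_inspect verdict: $verdict"
    echo "pcscd trace: $pcsc_log (look for card insertion/removal events)"
    echo "coolkey trace: $cool_log"
}

# Only touch the reader when explicitly asked; the functions above can be
# sourced and run over saved pkcs11_inspect output without any hardware.
if [ "${SMARTCARD_DIAG:-0}" = "1" ]; then
    run_diagnostics
fi
```

To use it on a machine with the reader attached, run it as root with `SMARTCARD_DIAG=1`; to triage output someone else captured, source the file and pipe the saved text into `triage_pkcs11_output`. Reading stdin into a variable once matters: chaining several `grep -q` calls on the same pipe would let the first call consume the input and silently make the later checks false.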

----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
To: "John Magne" <jmagne at redhat.com>
Cc: pki-users at redhat.com
Sent: Thursday, April 30, 2015 3:22:50 PM
Subject: RE: [Pki-users] US Government SmartCard question

Hi Jack, thanks for the reply! 

AFAIK, my card is the same as all other cards issued by USDA, and I suspect the same as all other cards issued by the US Government. It's not a test card or anything.

I killed pcscd and ran it on the command line to capture logs (attached). I didn't see anything which set off red flags for me. It looks like it's detecting card insertion and removal events.  I'm including the output of "pkcs11_inspect debug", run both as my user account and as root via sudo. All of this was done with coolkey. The cackey module in /etc/pam_pkcs11/pam_pkcs11.conf was commented out. The only real difference between now and previously is that now the light comes on. (Still fails with no token available, tho.)

I'm just not seeing anything that points me at a solution. Hope you can intuit more from this.

Bryce

> -----Original Message-----
> From: John Magne [mailto:jmagne at redhat.com]
> Sent: Monday, April 27, 2015 4:33 PM
> To: Nordgren, Bryce L -FS
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] US Government SmartCard question
> 
> The coolkey pkcs#11 module should provide enough functionality for smart
> card login with CAC cards.
> I know there is plenty of code in the coolkey driver to handle CACs. Of course
> your particular card could be some special case I'm not aware of.
> 
> There are a few things that could be wrong.
> 
> 1. Check to make sure the "pcsc-lite" daemon is running.
> 
> 2. There might be an issue with your reader. For instance the ccid driver
> sometimes needs to be configured to allow for readers that require a higher
> voltage such as the omnikey.
> 
> 
> One thing to try, with coolkey and your card and reader.
> 
> 1. Kill pcscd as root.
> 
> 2. run it manually such that it throws log messages to the console
> 
> /usr/sbin/pcscd -f -d -a.
> 
> 3. Insert the card, watch the logs for any suspicious messages which might
> provide a clue.
> 
> If the log says the card is being recognized, then we could possibly get some
> coolkey logs when you attempt that pkcs11 command mentioned earlier.
> 
> thanks,
> jack
> 
> 
> 
> ----- Original Message -----
> > From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
> > To: pki-users at redhat.com
> > Sent: Monday, April 27, 2015 3:06:48 PM
> > Subject: [Pki-users] US Government SmartCard question
> >
> > Hi,
> >
> > I’m trying to set up smart card logins on Linux using a clean Fedora
> > 21 install following the instructions at [1]. My main objective is to
> > use my USDA-issued LincPass (the USDA brand of the USAccess card) for
> > login to local accounts on linux machines that are not joined to the
> > domain and which are outside the firewall. Essentially, I have control
> > over a handful of machines, but no control over issuing the smart cards.
> >
> > I’ll try to get you relevant debugging info, but I don’t know much
> > about smart card internals. My setup (card info from ActivClient on
> > Windows):
> >
> > Card Reader: SCR3310 v2.0 “smartOS powered”
> > Smart Card Mfr: Oberthur Technologies
> > Smart Card Model: ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2
> >
> > The problem: following instructions at [1], “pkcs11_inspect debug”
> > results in “no token available” and the light on the reader never
> > comes on. Googling, I saw that US government cards may require CACKey
> > instead of coolkey, so I downloaded/compiled/installed the version at
> > [2] and modified the pam_pkcs11.conf file. Reboot. Improvement. The
> > light comes on. Repeating the “pkcs11_inspect debug” prompts for a PIN
> > for token, and fails immediately afterward with “pkcs11_pass_login()
> > failed: pkcs11_login() failed”. I entered the PIN I enter on Windows.
> >
> > Any insights are appreciated.
> >
> > Thanks,
> >
> > Bryce
> >
> > [1] https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html
> >
> > [2] https://github.com/Conservatory/CACKey
> >
> > _______________________________________________
> > Pki-users mailing list
> > Pki-users at redhat.com
> > https://www.redhat.com/mailman/listinfo/pki-users