[Pki-users] US Government SmartCard question

Nordgren, Bryce L -FS bnordgren at fs.fed.us
Fri May 1 19:26:12 UTC 2015


Jack, 

I don't know the process or if it's possible yet, but would it help if I could get you guys a dummy LincPass (USDA-issued PIV smart card) with a throwaway PIN to debug with? I've often found that eliminating ignorant middlemen (me) speeds solutions along.

Ideally, the card would be usable for console logins as well as our public-facing SAML IdP [1]. Is there an extra step to making the card usable with a browser, or would a coolkey fix apply to both pam_pkcs11 and the browser?

Thanks,
Bryce

[1] https://www.eauth.usda.gov/Login/login.aspx

> -----Original Message-----
> From: John Magne [mailto:jmagne at redhat.com]
> Sent: Friday, May 01, 2015 12:34 PM
> To: Nordgren, Bryce L -FS
> Cc: pki-users at redhat.com
> Subject: Re: [Pki-users] US Government SmartCard question
> 
> Bryce:
> 
> Yes, that helps.
> I can take a look at the code when I get a moment.
> Also we might bring in Bob Relyea rrelyea at redhat.com since he is the
> coolkey and coolkey/CAC guru.
> 
> 
> ----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren at fs.fed.us>
> To: "John Magne" <jmagne at redhat.com>
> Cc: pki-users at redhat.com
> Sent: Friday, May 1, 2015 11:13:01 AM
> Subject: RE: [Pki-users] US Government SmartCard question
> 
> Hi Jack,
> 
> I wasn't quite sure how to capture an insertion event with pkcs11_inspect. It
> seems to fail right away if nothing's in the reader. So I ran "pkcs11_eventmgr
> debug nodaemon" in the terminal that had the COOL_KEY_LOG_FILE variable
> set. I also ran a pkcs11_inspect with a card already inserted. Log files for both
> runs are attached.
> 
> It's not super verbose, but the root cause seems to be "CAC Select failed".
> 
> Does this shed any light on the problem?
> 
> Thanks,
> Bryce



