Jack,
I don't know the process or if it's possible yet, but would it help if I could get
you guys a dummy LincPass (USDA-issued PIV smart card) with a throwaway PIN to debug with?
I've often found that eliminating ignorant middlemen (me) speeds solutions along.
Ideally, the card would be usable for console logins as well as our public-facing SAML IdP
[1]. Is there an extra step to making the card usable with a browser or would a coolkey
fix apply to both pam_pkcs11 and the browser?
Thanks,
Bryce
[1] https://www.eauth.usda.gov/Login/login.aspx
-----Original Message-----
From: John Magne [mailto:jmagne@redhat.com]
Sent: Friday, May 01, 2015 12:34 PM
To: Nordgren, Bryce L -FS
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] US Government SmartCard question
Bryce:
Yes, that helps.
I can take a look at the code when I get a moment.
Also we might bring in Bob Relyea rrelyea(a)redhat.com since he is the
coolkey and coolkey/CAC guru.
----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Friday, May 1, 2015 11:13:01 AM
Subject: RE: [Pki-users] US Government SmartCard question
Hi Jack,
I wasn't quite sure how to capture an insertion event with pkcs11_inspect. It
seems to fail right away if nothing's in the reader. So I ran "pkcs11_eventmgr
debug nodaemon" in the terminal that had the COOL_KEY_LOG_FILE variable
set. I also ran a pkcs11_inspect with a card already inserted. Log files for both
runs are attached.
It's not super verbose, but the root cause seems to be "CAC Select
failed".
Does this shed any light on the problem?
Thanks,
Bryce