Thanks for the logs Brian:
It might help us to see what coolkey itself is doing (if anything) when you insert the
card.
In the same window where you are running pkcs11_inspect, run this:
export COOL_KEY_LOG_FILE=/tmp/fileName
Hopefully coolkey will write some useful stuff for us there to diagnose.
thanks,
jack
----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Thursday, April 30, 2015 3:22:50 PM
Subject: RE: [Pki-users] US Government SmartCard question
Hi Jack, thanks for the reply!
AFAIK, my card is the same as all other cards issued by USDA, and I suspect the same as
all other cards issued by the US Government. It's not a test card or anything.
I killed pcscd and ran it on the command line to capture logs (attached). I didn't see
anything which set off red flags for me. It looks like it's detecting card insertion
and removal events. I'm including the output of "pkcs11_inspect debug", run
both as my user account and as root via sudo. All of this was done with coolkey. The
cackey module in /etc/pam_pkcs11/pam_pkcs11.conf was commented out. The only real
difference between now and previously is that now the light comes on. (Still fails with no
token available, tho.)
I'm just not seeing anything that points me at a solution. Hope you can intuit more
from this.
Bryce
-----Original Message-----
From: John Magne [mailto:jmagne@redhat.com]
Sent: Monday, April 27, 2015 4:33 PM
To: Nordgren, Bryce L -FS
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] US Government SmartCard question
The coolkey pkcs#11 module should provide enough functionality for smart
card login with CAC cards.
I know there is plenty of code in the coolkey driver to handle CACs. Of course
your particular card could be some special case I'm not aware of.
There are a few things that could be wrong.
1. Check to make sure the "pcsc-lite" daemon is running.
2. There might be an issue with your reader. For instance the ccid driver
sometimes needs to be configured to allow for readers that require a higher
voltage such as the omnikey.
One thing to try, with coolkey and your card and reader.
1. Kill pcscd as root.
2. Run it manually such that it throws log messages to the console:
/usr/sbin/pcscd -f -d -a
3. Insert the card, watch the logs for any suspicious messages which might
provide a clue.
If the log says the card is being recognized, then we could possibly get some
coolkey logs when you attempt that pkcs11 command mentioned earlier.
thanks,
jack
----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
> To: pki-users(a)redhat.com
> Sent: Monday, April 27, 2015 3:06:48 PM
> Subject: [Pki-users] US Government SmartCard question
>
>
>
> Hi,
>
>
>
> I’m trying to set up smart card logins on Linux using a clean Fedora
> 21 install following the instructions at [1]. My main objective is to
> use my USDA-issued LincPass (the USDA brand of the USAccess card) for
> login to local accounts on linux machines that are not joined to the
> domain and which are outside the firewall. Essentially, I have control
> over a handful of machines, but no control over issuing the smart cards.
>
>
>
> I’ll try to get you relevant debugging info, but I don’t know much
> about smart card internals. My setup (card info from ActivClient on
> Windows):
>
>
>
> Card Reader: SCR3310 v2.0 “smartOS powered”
>
> Smart Card Mfr: Oberthur Technologies
>
> Smart Card Model: ID-One Cosmo v7.0 with Oberthur PIV Applet Suite
> 2.3.2
>
>
>
> The problem: following instructions at [1], “pkcs11_inspect debug”
> results in “no token available” and the light on the reader never
> comes on. Googling, I saw that US government cards may require CACKey
> instead of coolkey, so I downloaded/compiled/installed the version at
> [2] and modified the pam_pkcs11.conf file. Reboot. Improvement. The
> light comes on. Repeating the “pkcs11_inspect debug” prompts for a PIN
> for token, and fails immediately afterward with “pkcs11_pass_login()
> failed: pkcs11_login() failed”. I entered the PIN I enter on Windows.
>
>
>
> Any insights are appreciated.
>
>
>
> Thanks,
>
> Bryce
>
>
>
>
>
> [1] https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-Security_Guide-Single_Sign_on_SSO-Getting_Started_with_your_new_Smart_Card.html
>
> [2] https://github.com/Conservatory/CACKey