5:06 p.m.
Hi,
I'm trying to set up smart card logins on Linux using a clean Fedora 21 install
following the instructions at [1]. My main objective is to use my USDA-issued LincPass
(the USDA brand of the USAccess card) for login to local accounts on linux machines that
are not joined to the domain and which are outside the firewall. Essentially, I have
control over a handful of machines, but no control over issuing the smart cards.
I'll try to get you relevant debugging info, but I don't know much about smart
card internals. My setup (card info from ActivClient on Windows):
Card Reader: SCR3310 v2.0 "smartOS powered"
Smart Card Mfr: Oberthur Technologies
Smart Card Model: ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2
The problem: following instructions at [1], "pkcs11_inspect debug" results in
"no token available" and the light on the reader never comes on. Googling, I saw
that US government cards may require CACKey instead of coolkey, so I
downloaded/compiled/installed the version at [2] and modified the pam_pkcs11.conf file.
Reboot. Improvement. The light comes on. Repeating the "pkcs11_inspect debug"
prompts for a PIN for token, and fails immediately afterward with
"pkcs11_pass_login() failed: pkcs11_login() failed". I entered the PIN I enter
on Windows.
Any insights are appreciated.
Thanks,
Bryce
[1]
https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-S...
[2] https://github.com/Conservatory/CACKey
5:33 p.m.
The coolkey pkcs#11 module should provide enough functionality for smart card login with
CAC cards.
I know there is plenty of code in the coolkey driver to handle CACs. Of course your
particular card
could be some special case I'm not aware of.
There are a few things that could be wrong.
1. Check to make sure the "psc-lite" daemon is running.
2. There might be an issue with your reader. For instance the ccid driver sometimes
needs to be configured to allow for readers that require a higher voltage such as the
omnikey.
One thing to try, with coolkey and your card and reader.
1. Kill pcscd as root.
2. run it manually such that it throws log messages to the console
/usr/sbin/pcscd -f -d -a.
3. Insert the card , watch the logs for any suspicious messages which might provide a
clue.
If the log says the card is being recognized, then we could possible get some coolkey logs
when
you attempt that pkcs11 command mentioned earlier.
thanks,
jack
----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
To: pki-users(a)redhat.com
Sent: Monday, April 27, 2015 3:06:48 PM
Subject: [Pki-users] US Government SmartCard question
Hi,
I’m trying to set up smart card logins on Linux using a clean Fedora 21
install following the instructions at [1]. My main objective is to use my
USDA-issued LincPass (the USDA brand of the USAccess card) for login to
local accounts on linux machines that are not joined to the domain and which
are outside the firewall. Essentially, I have control over a handful of
machines, but no control over issuing the smart cards.
I’ll try to get you relevant debugging info, but I don’t know much about
smart card internals. My setup (card info from ActivClient on Windows):
Card Reader: SCR3310 v2.0 “smartOS powered”
Smart Card Mfr: Oberthur Technologies
Smart Card Model: ID-One Cosmo v7.0 with Oberthur PIV Applet Suite 2.3.2
The problem: following instructions at [1], “pkcs11_inspect debug” results in
“no token available” and the light on the reader never comes on. Googling, I
saw that US government cards may require CACKey instead of coolkey, so I
downloaded/compiled/installed the version at [2] and modified the
pam_pkcs11.conf file. Reboot. Improvement. The light comes on. Repeating the
“pkcs11_inspect debug” prompts for a PIN for token, and fails immediately
afterward with “pkcs11_pass_login() failed: pkcs11_login() failed”. I
entered the PIN I enter on Windows.
Any insights are appreciated.
Thanks,
Bryce
[1]
https://docs.fedoraproject.org/en-US/Fedora/19/html/Security_Guide/sect-S...
[2] https://github.com/Conservatory/CACKey
_______________________________________________
Pki-users mailing list
Pki-users(a)redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
5:22 p.m.
Hi Jack, thanks for the reply!
AFAIK, my card is the same as all other cards issued by USDA, and I suspect the same as
all other cards issued by the US Government. It's not a test card or anything.
I killed pcscd and ran it on the command line to capture logs (attached). I didn't see
anything which set off red flags for me. It looks like it's detecting card insertion
and removal events. I'm including the output of "pkcs11_inspect debug", run
both as my user account and as root via sudo. All of this was done with coolkey. The
cackey module in /etc/pam_pkcs11/pam_pkcs11.conf was commented out. The only real
difference between now and previously is that now the light comes on. (Still fails with no
token available, tho.)
I'm just not seeing anything that points me at a solution. Hope you can intuit more
from this.
Bryce
-----Original Message-----
From: John Magne [mailto:jmagne@redhat.com]
Sent: Monday, April 27, 2015 4:33 PM
To: Nordgren, Bryce L -FS
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] US Government SmartCard question
The coolkey pkcs#11 module should provide enough functionality for smart
card login with CAC cards.
I know there is plenty of code in the coolkey driver to handle CACs. Of course
your particular card could be some special case I'm not aware of.
There are a few things that could be wrong.
1. Check to make sure the "psc-lite" daemon is running.
2. There might be an issue with your reader. For instance the ccid driver
sometimes needs to be configured to allow for readers that require a higher
voltage such as the omnikey.
One thing to try, with coolkey and your card and reader.
1. Kill pcscd as root.
2. run it manually such that it throws log messages to the console
/usr/sbin/pcscd -f -d -a.
3. Insert the card , watch the logs for any suspicious messages which might
provide a clue.
If the log says the card is being recognized, then we could possible get some
coolkey logs when you attempt that pkcs11 command mentioned earlier.
thanks,
jack
----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
> To: pki-users(a)redhat.com
> Sent: Monday, April 27, 2015 3:06:48 PM
> Subject: [Pki-users] US Government SmartCard question
>
>
>
> Hi,
>
>
>
> I’m trying to set up smart card logins on Linux using a clean Fedora
> 21 install following the instructions at [1]. My main objective is to
> use my USDA-issued LincPass (the USDA brand of the USAccess card) for
> login to local accounts on linux machines that are not joined to the
> domain and which are outside the firewall. Essentially, I have control
> over a handful of machines, but no control over issuing the smart cards.
>
>
>
> I’ll try to get you relevant debugging info, but I don’t know much
> about smart card internals. My setup (card info from ActivClient on
Windows):
>
>
>
> Card Reader: SCR3310 v2.0 “smartOS powered”
>
> Smart Card Mfr: Oberthur Technologies
>
> Smart Card Model: ID-One Cosmo v7.0 with Oberthur PIV Applet Suite
> 2.3.2
>
>
>
> The problem: following instructions at [1], “pkcs11_inspect debug”
> results in “no token available” and the light on the reader never
> comes on. Googling, I saw that US government cards may require CACKey
> instead of coolkey, so I downloaded/compiled/installed the version at
> [2] and modified the pam_pkcs11.conf file. Reboot. Improvement. The
> light comes on. Repeating the “pkcs11_inspect debug” prompts for a PIN
> for token, and fails immediately afterward with “pkcs11_pass_login()
> failed: pkcs11_login() failed”. I entered the PIN I enter on Windows.
>
>
>
> Any insights are appreciated.
>
>
>
> Thanks,
>
> Bryce
>
>
>
>
>
> [1]
> https://docs.fedoraproject.org/en-
US/Fedora/19/html/Security_Guide/sec
> t-Security_Guide-Single_Sign_on_SSO-
Getting_Started_with_your_new_Smar
> t_Card.html
>
> [2] https://github.com/Conservatory/CACKey
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
8:27 p.m.
Thanks for the logs Brian:
It might help us to see what coolkey itself is doing, (if anything) when you insert the
card.
In the same window that you are running the pkcs11_inspect run this:
export COOL_KEY_LOG_FILE=/tmp/fileName
Hopefully coolkey will write some useful stuff for us there to diagnose.
thanks,
jack
----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Thursday, April 30, 2015 3:22:50 PM
Subject: RE: [Pki-users] US Government SmartCard question
Hi Jack, thanks for the reply!
AFAIK, my card is the same as all other cards issued by USDA, and I suspect the same as
all other cards issued by the US Government. It's not a test card or anything.
I killed pcscd and ran it on the command line to capture logs (attached). I didn't see
anything which set off red flags for me. It looks like it's detecting card insertion
and removal events. I'm including the output of "pkcs11_inspect debug", run
both as my user account and as root via sudo. All of this was done with coolkey. The
cackey module in /etc/pam_pkcs11/pam_pkcs11.conf was commented out. The only real
difference between now and previously is that now the light comes on. (Still fails with no
token available, tho.)
I'm just not seeing anything that points me at a solution. Hope you can intuit more
from this.
Bryce
-----Original Message-----
From: John Magne [mailto:jmagne@redhat.com]
Sent: Monday, April 27, 2015 4:33 PM
To: Nordgren, Bryce L -FS
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] US Government SmartCard question
The coolkey pkcs#11 module should provide enough functionality for smart
card login with CAC cards.
I know there is plenty of code in the coolkey driver to handle CACs. Of course
your particular card could be some special case I'm not aware of.
There are a few things that could be wrong.
1. Check to make sure the "psc-lite" daemon is running.
2. There might be an issue with your reader. For instance the ccid driver
sometimes needs to be configured to allow for readers that require a higher
voltage such as the omnikey.
One thing to try, with coolkey and your card and reader.
1. Kill pcscd as root.
2. run it manually such that it throws log messages to the console
/usr/sbin/pcscd -f -d -a.
3. Insert the card , watch the logs for any suspicious messages which might
provide a clue.
If the log says the card is being recognized, then we could possible get some
coolkey logs when you attempt that pkcs11 command mentioned earlier.
thanks,
jack
----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
> To: pki-users(a)redhat.com
> Sent: Monday, April 27, 2015 3:06:48 PM
> Subject: [Pki-users] US Government SmartCard question
>
>
>
> Hi,
>
>
>
> I’m trying to set up smart card logins on Linux using a clean Fedora
> 21 install following the instructions at [1]. My main objective is to
> use my USDA-issued LincPass (the USDA brand of the USAccess card) for
> login to local accounts on linux machines that are not joined to the
> domain and which are outside the firewall. Essentially, I have control
> over a handful of machines, but no control over issuing the smart cards.
>
>
>
> I’ll try to get you relevant debugging info, but I don’t know much
> about smart card internals. My setup (card info from ActivClient on
Windows):
>
>
>
> Card Reader: SCR3310 v2.0 “smartOS powered”
>
> Smart Card Mfr: Oberthur Technologies
>
> Smart Card Model: ID-One Cosmo v7.0 with Oberthur PIV Applet Suite
> 2.3.2
>
>
>
> The problem: following instructions at [1], “pkcs11_inspect debug”
> results in “no token available” and the light on the reader never
> comes on. Googling, I saw that US government cards may require CACKey
> instead of coolkey, so I downloaded/compiled/installed the version at
> [2] and modified the pam_pkcs11.conf file. Reboot. Improvement. The
> light comes on. Repeating the “pkcs11_inspect debug” prompts for a PIN
> for token, and fails immediately afterward with “pkcs11_pass_login()
> failed: pkcs11_login() failed”. I entered the PIN I enter on Windows.
>
>
>
> Any insights are appreciated.
>
>
>
> Thanks,
>
> Bryce
>
>
>
>
>
> [1]
> https://docs.fedoraproject.org/en-
US/Fedora/19/html/Security_Guide/sec
> t-Security_Guide-Single_Sign_on_SSO-
Getting_Started_with_your_new_Smar
> t_Card.html
>
> [2] https://github.com/Conservatory/CACKey
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
8:28 p.m.
All of that I sent goes, except using the wrong name Bryce! :)
----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Thursday, April 30, 2015 3:22:50 PM
Subject: RE: [Pki-users] US Government SmartCard question
Hi Jack, thanks for the reply!
AFAIK, my card is the same as all other cards issued by USDA, and I suspect the same as
all other cards issued by the US Government. It's not a test card or anything.
I killed pcscd and ran it on the command line to capture logs (attached). I didn't see
anything which set off red flags for me. It looks like it's detecting card insertion
and removal events. I'm including the output of "pkcs11_inspect debug", run
both as my user account and as root via sudo. All of this was done with coolkey. The
cackey module in /etc/pam_pkcs11/pam_pkcs11.conf was commented out. The only real
difference between now and previously is that now the light comes on. (Still fails with no
token available, tho.)
I'm just not seeing anything that points me at a solution. Hope you can intuit more
from this.
Bryce
-----Original Message-----
From: John Magne [mailto:jmagne@redhat.com]
Sent: Monday, April 27, 2015 4:33 PM
To: Nordgren, Bryce L -FS
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] US Government SmartCard question
The coolkey pkcs#11 module should provide enough functionality for smart
card login with CAC cards.
I know there is plenty of code in the coolkey driver to handle CACs. Of course
your particular card could be some special case I'm not aware of.
There are a few things that could be wrong.
1. Check to make sure the "psc-lite" daemon is running.
2. There might be an issue with your reader. For instance the ccid driver
sometimes needs to be configured to allow for readers that require a higher
voltage such as the omnikey.
One thing to try, with coolkey and your card and reader.
1. Kill pcscd as root.
2. run it manually such that it throws log messages to the console
/usr/sbin/pcscd -f -d -a.
3. Insert the card , watch the logs for any suspicious messages which might
provide a clue.
If the log says the card is being recognized, then we could possible get some
coolkey logs when you attempt that pkcs11 command mentioned earlier.
thanks,
jack
----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
> To: pki-users(a)redhat.com
> Sent: Monday, April 27, 2015 3:06:48 PM
> Subject: [Pki-users] US Government SmartCard question
>
>
>
> Hi,
>
>
>
> I’m trying to set up smart card logins on Linux using a clean Fedora
> 21 install following the instructions at [1]. My main objective is to
> use my USDA-issued LincPass (the USDA brand of the USAccess card) for
> login to local accounts on linux machines that are not joined to the
> domain and which are outside the firewall. Essentially, I have control
> over a handful of machines, but no control over issuing the smart cards.
>
>
>
> I’ll try to get you relevant debugging info, but I don’t know much
> about smart card internals. My setup (card info from ActivClient on
Windows):
>
>
>
> Card Reader: SCR3310 v2.0 “smartOS powered”
>
> Smart Card Mfr: Oberthur Technologies
>
> Smart Card Model: ID-One Cosmo v7.0 with Oberthur PIV Applet Suite
> 2.3.2
>
>
>
> The problem: following instructions at [1], “pkcs11_inspect debug”
> results in “no token available” and the light on the reader never
> comes on. Googling, I saw that US government cards may require CACKey
> instead of coolkey, so I downloaded/compiled/installed the version at
> [2] and modified the pam_pkcs11.conf file. Reboot. Improvement. The
> light comes on. Repeating the “pkcs11_inspect debug” prompts for a PIN
> for token, and fails immediately afterward with “pkcs11_pass_login()
> failed: pkcs11_login() failed”. I entered the PIN I enter on Windows.
>
>
>
> Any insights are appreciated.
>
>
>
> Thanks,
>
> Bryce
>
>
>
>
>
> [1]
> https://docs.fedoraproject.org/en-
US/Fedora/19/html/Security_Guide/sec
> t-Security_Guide-Single_Sign_on_SSO-
Getting_Started_with_your_new_Smar
> t_Card.html
>
> [2] https://github.com/Conservatory/CACKey
>
> _______________________________________________
> Pki-users mailing list
> Pki-users(a)redhat.com
> https://www.redhat.com/mailman/listinfo/pki-users
1:13 p.m.
Hi Jack,
I wasn't quite sure how to capture an insertion event with pkcs11_inspect. It seems to
fail right away if nothing's in the reader. So I ran "pkcs11_eventmgr debug
nodaemon" in the terminal that had the COOL_KEY_LOG_FILE variable set. I also ran a
pkcs11_inspect with a card already inserted. Log files for both runs are attached.
It's not super verbose, but the root cause seems to be "CAC Select
failed".
Does this shed any light on the problem?
Thanks,
Bryce
1:33 p.m.
Bryce:
Yes, that helps.
I can take a look at the code when I get a moment.
Also we might bring in Bob Relyea rrelyea(a)redhat.com since he is the coolkey and
coolkey/CAC guru.
----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Friday, May 1, 2015 11:13:01 AM
Subject: RE: [Pki-users] US Government SmartCard question
Hi Jack,
I wasn't quite sure how to capture an insertion event with pkcs11_inspect. It seems to
fail right away if nothing's in the reader. So I ran "pkcs11_eventmgr debug
nodaemon" in the terminal that had the COOL_KEY_LOG_FILE variable set. I also ran a
pkcs11_inspect with a card already inserted. Log files for both runs are attached.
It's not super verbose, but the root cause seems to be "CAC Select failed".
Does this shed any light on the problem?
Thanks,
Bryce
2:26 p.m.
Jack,
I don't know the process or if it's possible yet, but would it help if I could get
you guys a dummy LincPass (USDA-issued PIV smart card) with a throwaway PIN to debug with?
I've often found that eliminating ignorant middlemen (me) speeds solutions along.
Ideally, the card would be usable for console logins as well as our public facing SAML IdP
[1]. Is there an extra step to making the card usable with a browser or would a coolkey
fix apply to both pam_pkcs11 and the browser?
Thanks,
Bryce
[1] https://www.eauth.usda.gov/Login/login.aspx
-----Original Message-----
From: John Magne [mailto:jmagne@redhat.com]
Sent: Friday, May 01, 2015 12:34 PM
To: Nordgren, Bryce L -FS
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] US Government SmartCard question
Bryce:
Yes, that helps.
I can take a look at the code when I get a moment.
Also we might bring in Bob Relyea rrelyea(a)redhat.com since he is the
coolkey and coolkey/CAC guru.
----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Friday, May 1, 2015 11:13:01 AM
Subject: RE: [Pki-users] US Government SmartCard question
Hi Jack,
I wasn't quite sure how to capture an insertion event with pkcs11_inspect. It
seems to fail right away if nothing's in the reader. So I ran "pkcs11_eventmgr
debug nodaemon" in the terminal that had the COOL_KEY_LOG_FILE variable
set. I also ran a pkcs11_inspect with a card already inserted. Log files for both
runs are attached.
It's not super verbose, but the root cause seems to be "CAC Select
failed".
Does this shed any light on the problem?
Thanks,
Bryce
4:01 p.m.
Bryce:
We would most welcome a chance to try a dummy card.
I think we should copy Bob first to make sure there is not something
obvious wrong on the coolkey end.
----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
To: "John Magne" <jmagne(a)redhat.com>, rrelyea(a)redhat.com
Cc: pki-users(a)redhat.com
Sent: Friday, May 1, 2015 12:26:12 PM
Subject: RE: [Pki-users] US Government SmartCard question
Jack,
I don't know the process or if it's possible yet, but would it help if I
could get you guys a dummy LincPass (USDA-issued PIV smart card) with a
throwaway PIN to debug with? I've often found that eliminating ignorant
middlemen (me) speeds solutions along.
Ideally, the card would be usable for console logins as well as our public
facing SAML IdP [1]. Is there an extra step to making the card usable with a
browser or would a coolkey fix apply to both pam_pkcs11 and the browser?
Thanks,
Bryce
[1] https://www.eauth.usda.gov/Login/login.aspx
> -----Original Message-----
> From: John Magne [mailto:jmagne@redhat.com]
> Sent: Friday, May 01, 2015 12:34 PM
> To: Nordgren, Bryce L -FS
> Cc: pki-users(a)redhat.com
> Subject: Re: [Pki-users] US Government SmartCard question
>
> Bryce:
>
> Yes, that helps.
> I can take a look at the code when I get a moment.
> Also we might bring in Bob Relyea rrelyea(a)redhat.com since he is the
> coolkey and coolkey/CAC guru.
>
>
> ----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
> To: "John Magne" <jmagne(a)redhat.com>
> Cc: pki-users(a)redhat.com
> Sent: Friday, May 1, 2015 11:13:01 AM
> Subject: RE: [Pki-users] US Government SmartCard question
>
> Hi Jack,
>
> I wasn't quite sure how to capture an insertion event with pkcs11_inspect.
> It
> seems to fail right away if nothing's in the reader. So I ran
> "pkcs11_eventmgr
> debug nodaemon" in the terminal that had the COOL_KEY_LOG_FILE variable
> set. I also ran a pkcs11_inspect with a card already inserted. Log files
> for both
> runs are attached.
>
> It's not super verbose, but the root cause seems to be "CAC Select
failed".
>
> Does this shed any light on the problem?
>
> Thanks,
> Bryce
4:25 p.m.
On 05/01/2015 02:01 PM, John Magne wrote:
Bryce:
We would most welcome a chance to try a dummy card.
I think we should copy Bob first to make sure there is not something
obvious wrong on the coolkey end.
I usually insist on a dummy card because we are always making changes to
coolkey and if I have a dummy card, I can test against that card when I
add additional card support.
BTW is this a PIV or CAC card? You meantion PIV here, but Jack was
speaking as if this were a CAC card.
bob
----- Original Message -----
> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
> To: "John Magne" <jmagne(a)redhat.com>, rrelyea(a)redhat.com
> Cc: pki-users(a)redhat.com
> Sent: Friday, May 1, 2015 12:26:12 PM
> Subject: RE: [Pki-users] US Government SmartCard question
>
> Jack,
>
> I don't know the process or if it's possible yet, but would it help if I
> could get you guys a dummy LincPass (USDA-issued PIV smart card) with a
> throwaway PIN to debug with? I've often found that eliminating ignorant
> middlemen (me) speeds solutions along.
>
> Ideally, the card would be usable for console logins as well as our public
> facing SAML IdP [1]. Is there an extra step to making the card usable with a
> browser or would a coolkey fix apply to both pam_pkcs11 and the browser?
>
> Thanks,
> Bryce
>
> [1] https://www.eauth.usda.gov/Login/login.aspx
>
>> -----Original Message-----
>> From: John Magne [mailto:jmagne@redhat.com]
>> Sent: Friday, May 01, 2015 12:34 PM
>> To: Nordgren, Bryce L -FS
>> Cc: pki-users(a)redhat.com
>> Subject: Re: [Pki-users] US Government SmartCard question
>>
>> Bryce:
>>
>> Yes, that helps.
>> I can take a look at the code when I get a moment.
>> Also we might bring in Bob Relyea rrelyea(a)redhat.com since he is the
>> coolkey and coolkey/CAC guru.
>>
>>
>> ----- Original Message -----
>> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
>> To: "John Magne" <jmagne(a)redhat.com>
>> Cc: pki-users(a)redhat.com
>> Sent: Friday, May 1, 2015 11:13:01 AM
>> Subject: RE: [Pki-users] US Government SmartCard question
>>
>> Hi Jack,
>>
>> I wasn't quite sure how to capture an insertion event with pkcs11_inspect.
>> It
>> seems to fail right away if nothing's in the reader. So I ran
>> "pkcs11_eventmgr
>> debug nodaemon" in the terminal that had the COOL_KEY_LOG_FILE variable
>> set. I also ran a pkcs11_inspect with a card already inserted. Log files
>> for both
>> runs are attached.
>>
>> It's not super verbose, but the root cause seems to be "CAC Select
failed".
>>
>> Does this shed any light on the problem?
>>
>> Thanks,
>> Bryce
4:49 p.m.
I will start poking around to see if I can't get a dummy card. Since I'm just a
lowly user it may take some wheedling.
Honestly, anything I tell you would be guesswork and hearsay. Our SAML IdP [1] talks about
it like it's a PIV. The General Services Administration operates the centers where we
go get them issued, and across the civilian agencies, they are known as
"USAccess" credentials. [2] I really couldn't tell you whether we're
compatible with DoD cards (which guesswork and hearsay leads me to believe is the source
of the CAC acronym).
[1] https://www.eauth.usda.gov/Login/login.aspx
[2] http://www.gsa.gov/portal/category/27240
-----Original Message-----
From: Robert Relyea [mailto:rrelyea@redhat.com]
Sent: Friday, May 01, 2015 3:26 PM
To: John Magne; Nordgren, Bryce L -FS
Cc: pki-users(a)redhat.com
Subject: Re: [Pki-users] US Government SmartCard question
On 05/01/2015 02:01 PM, John Magne wrote:
> Bryce:
>
> We would most welcome a chance to try a dummy card.
> I think we should copy Bob first to make sure there is not something
> obvious wrong on the coolkey end.
I usually insist on a dummy card because we are always making changes to
coolkey and if I have a dummy card, I can test against that card when I
add additional card support.
BTW is this a PIV or CAC card? You meantion PIV here, but Jack was
speaking as if this were a CAC card.
bob
>
>
>
> ----- Original Message -----
>> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
>> To: "John Magne" <jmagne(a)redhat.com>, rrelyea(a)redhat.com
>> Cc: pki-users(a)redhat.com
>> Sent: Friday, May 1, 2015 12:26:12 PM
>> Subject: RE: [Pki-users] US Government SmartCard question
>>
>> Jack,
>>
>> I don't know the process or if it's possible yet, but would it help if
I
>> could get you guys a dummy LincPass (USDA-issued PIV smart card) with a
>> throwaway PIN to debug with? I've often found that eliminating ignorant
>> middlemen (me) speeds solutions along.
>>
>> Ideally, the card would be usable for console logins as well as our public
>> facing SAML IdP [1]. Is there an extra step to making the card usable with
a
>> browser or would a coolkey fix apply to both pam_pkcs11 and the
browser?
>>
>> Thanks,
>> Bryce
>>
>> [1] https://www.eauth.usda.gov/Login/login.aspx
>>
>>> -----Original Message-----
>>> From: John Magne [mailto:jmagne@redhat.com]
>>> Sent: Friday, May 01, 2015 12:34 PM
>>> To: Nordgren, Bryce L -FS
>>> Cc: pki-users(a)redhat.com
>>> Subject: Re: [Pki-users] US Government SmartCard question
>>>
>>> Bryce:
>>>
>>> Yes, that helps.
>>> I can take a look at the code when I get a moment.
>>> Also we might bring in Bob Relyea rrelyea(a)redhat.com since he is the
>>> coolkey and coolkey/CAC guru.
>>>
>>>
>>> ----- Original Message -----
>>> From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
>>> To: "John Magne" <jmagne(a)redhat.com>
>>> Cc: pki-users(a)redhat.com
>>> Sent: Friday, May 1, 2015 11:13:01 AM
>>> Subject: RE: [Pki-users] US Government SmartCard question
>>>
>>> Hi Jack,
>>>
>>> I wasn't quite sure how to capture an insertion event with
pkcs11_inspect.
>>> It
>>> seems to fail right away if nothing's in the reader. So I ran
>>> "pkcs11_eventmgr
>>> debug nodaemon" in the terminal that had the COOL_KEY_LOG_FILE
variable
>>> set. I also ran a pkcs11_inspect with a card already inserted. Log files
>>> for both
>>> runs are attached.
>>>
>>> It's not super verbose, but the root cause seems to be "CAC Select
failed".
>>>
>>> Does this shed any light on the problem?
>>>
>>> Thanks,
>>> Bryce
6:05 p.m.
Bob,
First, I think the standard which applies to my card may be FIPS 201, not CAC. Again with
the hearsay.
Second, I think I found the way to get: a] cards to test; and b] coolkey included on the
GSA list of approved products. Could you take a look at [1] and tell me if this has what
you need? From what I can tell, this may be a lot more official than me mailing you a
card.
Bryce
[1] http://www.idmanagement.gov/ficam-testing-program
4:03 p.m.
Bob here is a cookley trace from Bryce's failed attempt to use his CAC card with
coolkey.
Both coolkeySelect and CACSelect appear to be failing, hopefully you might have thoughts.
thanks,
jack
----- Original Message -----
From: "Bryce L Nordgren -FS" <bnordgren(a)fs.fed.us>
To: "John Magne" <jmagne(a)redhat.com>
Cc: pki-users(a)redhat.com
Sent: Friday, May 1, 2015 11:13:01 AM
Subject: RE: [Pki-users] US Government SmartCard question
Hi Jack,
I wasn't quite sure how to capture an insertion event with pkcs11_inspect. It seems to
fail right away if nothing's in the reader. So I ran "pkcs11_eventmgr debug
nodaemon" in the terminal that had the COOL_KEY_LOG_FILE variable set. I also ran a
pkcs11_inspect with a card already inserted. Log files for both runs are attached.
It's not super verbose, but the root cause seems to be "CAC Select failed".
Does this shed any light on the problem?
Thanks,
Bryce
3836
days inactive
3840
days old
12 comments
3 participants
participants (3)
-
John Magne -
Nordgren, Bryce L -FS -
Robert Relyea