I hope this is the right list also for pam_pkcs11.

When trying to log in with pam_pkcs11 on gdm (testing with it) all goes fine, but it fails to log in... Debug shows:

Mar 20 21:52:57 pceddyn gdm[3479]: verifying crl
Mar 20 21:52:57 pceddyn gdm[3479]: certificate has not been revoked
Mar 20 21:52:57 pceddyn gdm[3479]: Empty login: try to deduce from certificate
Mar 20 21:52:57 pceddyn gdm[3479]: certificate is valid and matches user root
Mar 20 21:52:57 pceddyn gdm[3479]: login as user CKU_USER
Mar 20 21:52:57 pceddyn gdm[3479]: open_pkcs11_login() failed: C_Login() failed: 102
Mar 20 21:52:57 pceddyn gdm[3479]: open_pkcs11_login() failed: C_Login() failed: 102
Mar 20 21:52:57 pceddyn gdm[3479]: unloading mapper module list

The only reference to open_pkcs11_login is at pam_pkcs11.c:

    /* call pkcs#11 login to ensure that the user is the real owner of the card */
    rv = pkcs11_login(&ph, password);
    /* erase and free in-memory password data asap */
    memset(password, 0, strlen(password));
    free(password);
    if (rv != 0) {
        DBG1("open_pkcs11_login() failed: %s", get_error());
        syslog(LOG_ERR, "open_pkcs11_login() failed: %s", get_error());
        goto auth_failed_nopw;
    }

Interestingly I see a little bit above:
Mar 20 21:52:17 pceddyn gdm[3479]: using the first slot with an available token
Mar 20 21:52:17 pceddyn gdm[3479]: opening a new PKCS #11 session for slot 1
Mar 20 21:52:27 pceddyn gdm[3479]: password = [xxxxxxx]
Mar 20 21:52:27 pceddyn gdm[3479]: Saving Certificate #1:
Mar 20 21:52:27 pceddyn gdm[3479]: - type: 00
Mar 20 21:52:27 pceddyn gdm[3479]: - id: 45
Mar 20 21:52:27 pceddyn gdm[3479]: Found 1 certificates in token
Here it found the password, but then it continues with the CRL verification:
Mar 20 21:52:27 pceddyn gdm[3479]: certificate is valid
Mar 20 21:52:27 pceddyn gdm[3479]: crl policy: 1
Mar 20 21:52:27 pceddyn gdm[3479]: extracting crl distribution points
Mar 20 21:52:27 pceddyn gdm[3479]: downloading crl from http://cert.startcom.org/dc1-crl.crl
Mar 20 21:52:27 pceddyn gdm[3479]: parsing uri:
Mar 20 21:52:27 pceddyn gdm[3479]: protocol = [http]
Mar 20 21:52:27 pceddyn gdm[3479]: user = [(null)]
Mar 20 21:52:27 pceddyn gdm[3479]: password = [(null)]
Mar 20 21:52:27 pceddyn gdm[3479]: host = [cert.startcom.org]
Mar 20 21:52:27 pceddyn gdm[3479]: port = [(null)]
Mar 20 21:52:27 pceddyn gdm[3479]: path = [/dc1-crl.crl]
Does it reset the user and password here? Or what else is CKU_USER??
I find it in pkcs11_lib.c:

    int pkcs11_login(pkcs11_handle_t *h, char *password)
    {
        int rv;
        DBG("login as user CKU_USER");
        rv = h->fl->C_Login(h->session, CKU_USER, (unsigned char*)password, strlen(password));
        if (rv != CKR_OK) {
            set_error("C_Login() failed: %x", rv);
            return -1;
        }
        return 0;
    }

Any suggestions?
--
Regards
Signer: Eddy Nigg
Company: StartCom Linux at www.startcom.org
MediaHost™ at www.mediahost.org
StartCom Certification Authority at cert.startcom.org
Skype: startcom
Phone: +1.213.341.0390
_______________________________________________ opensc-devel mailing list [email protected] http://www.opensc-project.org/mailman/listinfo/opensc-devel
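
Added example, not part of the original post and not pam_pkcs11 code: the set_error() call quoted from pkcs11_lib.c formats the return value with %x, so the "102" in the log is hexadecimal. The sketch below parses such a log line and maps the value to its CK_RV name from the PKCS #11 header pkcs11t.h; the function names, the table subset and the sample lines are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Subset of CK_RV values from pkcs11t.h (PIN, token and user state). */
struct rv_entry { unsigned long rv; const char *name; };
static const struct rv_entry login_rvs[] = {
    { 0x0A0, "CKR_PIN_INCORRECT" },
    { 0x0A4, "CKR_PIN_LOCKED" },
    { 0x0B3, "CKR_SESSION_HANDLE_INVALID" },
    { 0x0E0, "CKR_TOKEN_NOT_PRESENT" },
    { 0x100, "CKR_USER_ALREADY_LOGGED_IN" },
    { 0x102, "CKR_USER_PIN_NOT_INITIALIZED" },
    { 0x103, "CKR_USER_TYPE_INVALID" },
    { 0x104, "CKR_USER_ANOTHER_ALREADY_LOGGED_IN" },
};

/* Extract the CK_RV from a log line. Returns 0 on success, -1 when the
 * line has no "C_Login() failed: " marker or no hex digits after it. */
int parse_login_rv(const char *line, unsigned long *rv)
{
    static const char marker[] = "C_Login() failed: ";
    const char *p = strstr(line, marker);
    char *end;

    if (p == NULL)
        return -1;
    p += sizeof(marker) - 1;
    *rv = strtoul(p, &end, 16);  /* base 16: the message is written with %x */
    return (end == p) ? -1 : 0;
}

/* Map a CK_RV to its symbolic name, or "unknown" if not in the table. */
const char *ckr_to_name(unsigned long rv)
{
    size_t i;
    for (i = 0; i < sizeof(login_rvs) / sizeof(login_rvs[0]); i++)
        if (login_rvs[i].rv == rv)
            return login_rvs[i].name;
    return "unknown";
}

int main(void)
{
    /* Constructed sample line in the format shown in the post. */
    const char *line = "gdm[3479]: open_pkcs11_login() failed: C_Login() failed: 102";
    unsigned long rv;

    if (parse_login_rv(line, &rv) == 0)
        printf("0x%03lx = %s\n", rv, ckr_to_name(rv));
    return 0;
}
```

In the PKCS #11 specification, CKR_USER_PIN_NOT_INITIALIZED means the normal user's PIN has not yet been initialized on the token with C_InitPIN.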
