Hello!

On Aug 27, 2010, at 2:37 PM, Patrik Martinsson wrote:
> Cardreader, OmniKey 3121, driver by their homepage. (tried with the one that
> comes with rhel too, but same issue)

Better use the open source CCID driver. Just to be sure.

> $ opensc-tool -i
> Using reader with a card: OMNIKEY CardMan 3x21 00 00
> SetCOS

The same command produces different output on my computer:

$ opensc-tool -i
opensc 0.12.0-svn [gcc 4.2.1 (Apple Inc. build 5646) (dot 1)]
Enabled features: zlib readline iconv openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)

> $ opensc-tool -D
> Configured card drivers:
> cardos Siemens CardOS
> cardos Siemens CardOS

Ah, the double entry got removed, thanks for sending this!

> $ /usr/bin/modutil -list -dbdir /etc/pki/nssdb/ (I've previously added opensc
> module like with this, /usr/bin/modutil -force -dbdir /etc/pki/nssdb -add
> OpenSC -libfile /usr/local/lib/opensc-pkcs11.so)

AFAIK the shared NSS db has nothing to do with pam_pkcs11.

> So.. to me everything seems to work quite well, however I've one problem left
> and that's the pkcs11_eventmgr.
>
> $ pkcs11_eventmgr debug nodaemon (card in reader)
> DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
> DEBUG:pkcs11_eventmgr.c:395: loading the module ...
> DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
> moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so" name="SmartCard">
> module=/usr/local/lib/opensc-pkcs11.so
> DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
> DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
> DEBUG:pkcs11_eventmgr.c:91: Exitting

Strange, the same on my Debian:

mar...@debian:~/projects/pam_pkcs11-trunk/src$ pkcs11_eventmgr nodaemon debug
DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
DEBUG:pkcs11_eventmgr.c:395: loading the module ...
DEBUG:pkcs11_eventmgr.c:405: loading Module explictly, moduleSpec=<library="/usr/lib/opensc-pkcs11.so" name="SmartCard"> module=/usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
DEBUG:pkcs11_eventmgr.c:484: Card inserted,
DEBUG:pkcs11_eventmgr.c:169: Onerror is set to: 'ignore'
DEBUG:pkcs11_eventmgr.c:173: Executiong action: 'echo foo '
foo
DEBUG:pkcs11_eventmgr.c:182: Action 'echo foo ' returns 0
DEBUG:pkcs11_eventmgr.c:484: Card inserted,
DEBUG:pkcs11_eventmgr.c:169: Onerror is set to: 'ignore'
DEBUG:pkcs11_eventmgr.c:173: Executiong action: 'echo foo '
foo
DEBUG:pkcs11_eventmgr.c:182: Action 'echo foo ' returns 0

The first event when a card is removed from the reader is lost, but that is a bug of OpenSC and should not result in behavior as you experience.

Looking at pam_pkcs11 source, I can only see that the loop breaks only if C_WaitForSlotEvent (the SECMOD_ wrapper of it in NSS) returns NULL. Here the relevant error code is SC_ERROR_EVENT_TIMEOUT.

> $ pkcs11_eventmgr debug nodaemon (card NOT in reader)
>
> DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
> DEBUG:pkcs11_eventmgr.c:395: loading the module ...
> DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
> moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so" name="SmartCard">
> module=/usr/local/lib/opensc-pkcs11.so
> DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
> DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
> DEBUG:pkcs11_eventmgr.c:91: Exitting
>
> All the verbose logs are attached, the verbosity level is set to 2. Tell me
> if I need to increase it, however I'm a bit concerned about mailing out my
> certificate and username and that kind of stuff (which is included in level
> 3), doesn't feel quite right, but maybe I'm wrong ?

If you have such sensitive data in your public information (certificates are usually "public", at least in your 100+ computer PKI system), don't send out *anything* from your computer system.

If not, the only sensitive information in the log file is your PIN code (if you don't use a pinpad). If that is the case, either edit the log file and remove the lines with the PIN code (you can grep for it) or change it to a dummy value (0000/1234) before generating the test log.

Usually the best is to set the debug to "very high" so that all bits and pieces would get logged. For pkcs11_eventmgr, nothing about certificates should get logged.

Please send a full log file (set debug to 9 in opensc.conf and set an output file to some value) with the failing case "pkcs11_eventmgr debug nodaemon (card NOT in reader)"

Finally, I don't think you *have* to use NSS with pam_pkcs11, only because GDM uses NSS. But the issue should be fixed nevertheless.

-- 
Martin Paljak
@martinpaljak.net
+3725156495

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
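
The log clean-up suggested in the message above (removing the lines that carry the PIN before a debug log is posted), as an added example that is not part of the original e-mail or of OpenSC. The function names, the marker text and the sample log are constructed for illustration; the example assumes the PIN can appear either as text or as a hex dump of its bytes on a single line, which goes beyond a plain text grep.

```python
import re

# Constructed sample, not real OpenSC output; the line layout is an assumption.
SAMPLE_LOG = """\
card.c: sc_transmit_apdu called
apdu.c: Outgoing APDU data [   13 bytes]
00 20 00 01 08 31 32 33 34 FF FF FF FF
pkcs11: C_Login(pin="1234")
apdu.c: Incoming APDU data [    2 bytes]
90 00
"""

MARKER = "[line removed: contained PIN]"


def pin_pattern(pin):
    """Regex matching the PIN as text or as a hex dump of its bytes."""
    if not pin:
        raise ValueError("empty PIN would match every line")
    text = re.escape(pin)
    # Hex form with optional separators: "31 32 33 34", "31:32:33:34", "31323334".
    hexed = "[ :]?".join(f"{b:02x}" for b in pin.encode("utf-8"))
    return re.compile(f"{text}|{hexed}", re.IGNORECASE)


def scrub_pin(log_text, pin):
    """Replace every line that contains the PIN; return (clean_text, removed_count)."""
    pattern = pin_pattern(pin)
    out, removed = [], 0
    for line in log_text.splitlines():
        if pattern.search(line):
            out.append(MARKER)  # keep a marker so readers see where a line was cut
            removed += 1
        else:
            out.append(line)
    return "\n".join(out) + "\n", removed


if __name__ == "__main__":
    cleaned, count = scrub_pin(SAMPLE_LOG, "1234")
    print(cleaned, end="")
    print(f"{count} line(s) removed")
```

A PIN whose bytes are split across two lines of a hex dump is not caught by this line-by-line match, so generating the log with a dummy PIN, the other option given in the message, avoids that case.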