Hey,

>> Better use the open source CCID driver. Just to be sure.

Understood, will do that.

>> $ opensc-tool -i

Sorry, I meant opensc -n

>> $ opensc-tool -D
>> Ah, the double entry got removed, thanks for sending this!

Didn't notice it myself actually, just thought it would be useful as background info on my problem :)

>> AFAIK the shared NSS db has nothing to do with pam_pkcs11.

If that's true, why do I have the option of choosing to compile pam_pkcs11 with nss?

./configure --help | grep nss
  --with-nss              use NSS instead of openSSL and raw PKCS 11

That's the default package when it comes with Red Hat.

>> The first event when a card is removed from the reader is lost, but that is
>> a bug of OpenSC and should not result in behavior as you experience.
>> Looking at pam_pkcs11 source, I can only see that the loop breaks only if
>> C_WaitForSlotEvent (the SECMOD_ wrapper of it in NSS) returns NULL. Here the
>> relevant error code is SC_ERROR_EVENT_TIMEOUT

Yeah, I hear you, I've looked at the part too, question is why do I get SC_ERROR_EVENT_TIMEOUT.

>> If you have so sensitive data in your public information (certificates are
>> usually "public", at least in your 100+ computer PKI system), don't send out
>> *anything* from your computer system.
>> If not, the only sensitive information in the log file is your PIN code (if
>> you don't use a pinpad). If that is the case, either edit the log file and
>> remove the lines with the PIN code (you can grep for it) or change it to a
>> dummy value (0000/1234) before generating the test log.
>> Usually the best is to set the debug to "very high" so that all bits and
>> pieces would get logged. For pkcs11_eventmgr, nothing about certificates
>> should get logged. Please send a full log file (set debug to 9 in opensc.conf
>> and set an output file to some value) with the failing case "pkcs11_eventmgr
>> debug nodaemon (card NOT in reader)"

Ok, I understand.
AFAIK we don't store anything else than the public certificate, so maybe it's alright; however my knowledge around this is limited, so I need to check it on Monday with the security expert.

>> Finally, I don't think you *have* to use NSS with pam_pkcs11, only because
>> GDM uses NSS.

I think that both pam_pkcs11 and gdm use nss as default when they come packaged with Red Hat. So if I get one working I think the other one will too (if pam_eventmgr with nss = OK, I think gdm will work too, because they use the same method of detecting insertions/removals). But maybe I'm wrong.

Thanks for your help and let me get back next week with some more info.

/Patrik Martinsson, Sweden.

On 08/27/2010 04:21 PM, Martin Paljak wrote:
> Hello!
>
> On Aug 27, 2010, at 2:37 PM, Patrik Martinsson wrote:
>
>> Cardreader, OmniKey 3121, driver by their homepage. (tried with the one that
>> comes with rhel too, but same issue)
>>
> Better use the open source CCID driver. Just to be sure.
>
>
>> $ opensc-tool -i
>> Using reader with a card: OMNIKEY CardMan 3x21 00 00
>> SetCOS
>>
> The same command produces different output on my computer:
>
> $ opensc-tool -i
> opensc 0.12.0-svn [gcc 4.2.1 (Apple Inc. build 5646) (dot 1)]
> Enabled features: zlib readline iconv openssl
> pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)
>
>
>> $ opensc-tool -D
>> Configured card drivers:
>> cardos Siemens CardOS
>> cardos Siemens CardOS
>>
> Ah, the double entry got removed, thanks for sending this!
>
>
>> $ /usr/bin/modutil -list -dbdir /etc/pki/nssdb/ (I've previously added opensc
>> module like with this, /usr/bin/modutil -force -dbdir /etc/pki/nssdb -add
>> OpenSC -libfile /usr/local/lib/opensc-pkcs11.so)
>>
> AFAIK the shared NSS db has nothing to do with pam_pkcs11.
>
>
>> So.. to me everything seems to work quite well, however I've one problem
>> left and that's the pkcs11_eventmgr.
>>
>> $ pkcs11_eventmgr debug nodaemon (card in reader)
>> DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
>> DEBUG:pkcs11_eventmgr.c:395: loading the module ...
>> DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
>> moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so" name="SmartCard">
>> module=/usr/local/lib/opensc-pkcs11.so
>> DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
>> DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
>> DEBUG:pkcs11_eventmgr.c:91: Exitting
>>
> Strange, the same on my Debian:
>
>
> mar...@debian:~/projects/pam_pkcs11-trunk/src$ pkcs11_eventmgr nodaemon debug
> DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
> DEBUG:pkcs11_eventmgr.c:395: loading the module ...
> DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
> moduleSpec=<library="/usr/lib/opensc-pkcs11.so" name="SmartCard">
> module=/usr/lib/opensc-pkcs11.so
>
> DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
> DEBUG:pkcs11_eventmgr.c:484: Card inserted,
> DEBUG:pkcs11_eventmgr.c:169: Onerror is set to: 'ignore'
> DEBUG:pkcs11_eventmgr.c:173: Executiong action: 'echo foo '
> foo
> DEBUG:pkcs11_eventmgr.c:182: Action 'echo foo ' returns 0
> DEBUG:pkcs11_eventmgr.c:484: Card inserted,
> DEBUG:pkcs11_eventmgr.c:169: Onerror is set to: 'ignore'
> DEBUG:pkcs11_eventmgr.c:173: Executiong action: 'echo foo '
> foo
> DEBUG:pkcs11_eventmgr.c:182: Action 'echo foo ' returns 0
>
>
> The first event when a card is removed from the reader is lost, but that is a
> bug of OpenSC and should not result in behavior as you experience.
> Looking at pam_pkcs11 source, I can only see that the loop breaks only if
> C_WaitForSlotEvent (the SECMOD_ wrapper of it in NSS) returns NULL. Here the
> relevant error code is SC_ERROR_EVENT_TIMEOUT
>
>> $ pkcs11_eventmgr debug nodaemon (card NOT in reader)
>>
>> DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
>> DEBUG:pkcs11_eventmgr.c:395: loading the module ...
>> DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
>> moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so" name="SmartCard">
>> module=/usr/local/lib/opensc-pkcs11.so
>> DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
>> DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
>> DEBUG:pkcs11_eventmgr.c:91: Exitting
>>
>> All the verbose logs are attached, the verbosity level is set to 2. Tell me
>> if I need to increase it, however I'm a bit concerned about mailing out my
>> certificate and username and that kind of stuff (which is included in level
>> 3), doesn't feel quite right, but maybe I'm wrong?
>>
> If you have so sensitive data in your public information (certificates are
> usually "public", at least in your 100+ computer PKI system), don't send out
> *anything* from your computer system.
>
> If not, the only sensitive information in the log file is your PIN code (if
> you don't use a pinpad). If that is the case, either edit the log file and
> remove the lines with the PIN code (you can grep for it) or change it to a
> dummy value (0000/1234) before generating the test log.
>
> Usually the best is to set the debug to "very high" so that all bits and
> pieces would get logged. For pkcs11_eventmgr, nothing about certificates
> should get logged. Please send a full log file (set debug to 9 in opensc.conf
> and set an output file to some value) with the failing case "pkcs11_eventmgr
> debug nodaemon (card NOT in reader)"
>
> Finally, I don't think you *have* to use NSS with pam_pkcs11, only because
> GDM uses NSS.
>
> But the issue should be fixed nevertheless.
>
>
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
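Martin's advice above to grep the PIN out of a debug 9 log and swap in a dummy value before mailing it, as an added Python example that is not part of this thread: the sample log lines are constructed, and the assumption that the PIN shows up both as plain text and as a space-separated hex dump of a VERIFY APDU is mine, not a statement about OpenSC's real trace format.

```python
import re
from typing import Tuple

# Constructed sample (not real OpenSC output) of an APDU-level debug trace in
# which the PIN "1234" leaks twice: as the data field of a VERIFY APDU dumped
# in hex (31 32 33 34) and as plain text in a status line.
SAMPLE_LOG = (
    "[pkcs11_eventmgr] apdu.c: CLA:00 INS:20 P1:00 P2:81 lc:4\n"
    "Outgoing APDU (9 bytes): 00 20 00 81 04 31 32 33 34\n"
    "[pkcs11_eventmgr] pin verify with 1234 -> ok\n"
    "[pkcs11_eventmgr] sc_pkcs15_verify_pin returned 0\n"
)

def pin_forms(pin: str, dummy: str = "0000") -> Tuple[str, str, str]:
    """Return (dummy padded to PIN length, PIN as spaced hex, dummy as hex).
    A same-length dummy keeps the APDU byte counts in the trace consistent."""
    dummy = (dummy * len(pin))[:len(pin)]
    to_hex = lambda s: " ".join(f"{b:02X}" for b in s.encode("ascii"))
    return dummy, to_hex(pin), to_hex(dummy)

def redact_pin(log_text: str, pin: str, dummy: str = "0000") -> Tuple[str, int]:
    """Replace every hex-dumped or plain occurrence of the PIN with the dummy.
    Returns the sanitised text and the number of substitutions made."""
    dummy, pin_hex, dummy_hex = pin_forms(pin, dummy)
    # Hex form first, so the plain-text pattern never rewrites part of a dump.
    patterns = [
        (re.compile(re.escape(pin_hex), re.IGNORECASE), dummy_hex),
        (re.compile(r"(?<!\w)" + re.escape(pin) + r"(?!\w)"), dummy),
    ]
    total, out = 0, []
    for line in log_text.splitlines(keepends=True):
        for pat, rep in patterns:
            line, n = pat.subn(rep, line)
            total += n
        out.append(line)
    return "".join(out), total

def still_leaks(log_text: str, pin: str) -> bool:
    """Pre-send check: True if the PIN still appears in either form."""
    _, pin_hex, _ = pin_forms(pin)
    return pin in log_text or re.search(re.escape(pin_hex), log_text, re.I) is not None

if __name__ == "__main__":
    clean, n = redact_pin(SAMPLE_LOG, "1234")
    print(f"{n} substitutions; still leaks: {still_leaks(clean, '1234')}")
    print(clean, end="")
```

Run `still_leaks` on the real log with the real PIN after redaction and only mail the file when it returns False; a PIN that happens to appear inside a timestamp will also be flagged, which errs on the safe side.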