>> (x86_64) to login with it without the need to type uid/password without
>> much success!
>>     
> AFAIK you will not succeed, as you will need to type/select at least
> the user, the "detect my user when I plug in my card" does not work
> [1]
>   
Could you elaborate please? I have succeeded insofar as recognising the 
user/etoken card with both pkcs11_inspect and pklogin_finder.


>> Inserting token (openct and pcscd services running):
>>     
> Ideally you should not have two services, but as your token is not
> CCID/ICCD you need OpenCT. OK. You should remove only one.
>   
What do you mean?! If I remove/stop openct pcscd won't run properly - I 
tried this already, it does not work.


>> The above errors seem to be from the openct driver. After disabling it
>> in /etc/opensc.conf ("reader_drivers = pcsc, ctapi;" instead of
>> "reader_drivers = openct, pcsc, ctapi;") I get this:
>>     
>
> This should be filed as a bug report for OpenCT. Unfortunately I don't
> use/know OpenCT.
>
> So here the reader problem stops.
> 1) figure out why OpenCT is not working as expected (and then
> uninstall pcscd and only set openct as a reader driver in opensc.conf)
> 2) leave it as it is, remove ctapi and openct as reader drivers in opensc.conf
>   
Done option 2 as option 1 at present is not possible (don't know why it 
does not recognise the driver).


>> Everything seems to be OK. Any ideas on what I am doing wrong?
>>     
> - Try to figure out what is wrong with OpenCT (but as the wrapper
> works, this is not critical)
> - Don't mix up Coolkey and OpenSC PKCS#11 modules. You probably only
> need one (the one that works with your token - OpenSC)
> - Don't mix up the location of the NSS database (where certificates
> are) - either use the system wide /etc/pki/nssdb or make sure you
> create a new database at the location you specify in pam_pkcs11
> configuration.
>   
1 - I don't have enough knowledge of OpenCT to know where to begin, so 
I'll have to leave this for the time being unfortunately.
2 - Will follow this recommendation as I don't need coolkey - it does 
not work anyway.
3 - This is caused by an absent option in the "opensc" section in the default 
pam_pkcs11.conf file supplied with the distribution - see my previous 
post to Ludovic. Perhaps you could fix this and add the relevant option 
as this is the way it should have been done in the first place!


I have another - bigger - problem though:

When I try to configure "/etc/pam.d/login", "/etc/pam.d/gdm" to login 
with my smart card (via the console and gtk/gdm) I can't make it work.

I have tried two variants:

1) Inserting "auth sufficient pam_pkcs11.so" in /etc/pam.d/login and 
then trying to login from the console (Alt-F2/F3 etc) - I don't get 
anywhere!
2) Inserting "auth [success=done authinfo_unavail=ignore ignore=ignore 
default=die] pam_pkcs11.so" in /etc/pam.d/login and then trying to login 
from the console (Alt-F2/F3 etc) I am getting this:

=syslog=======================
Oct 15 00:18:51 test1 login: FAILED LOGIN SESSION FROM (null) FOR zeek, Module is unknown
Oct 15 00:18:53 test1 login: PAM unable to dlopen(/lib64/security/pam_pkcs11.so): /lib64/security/pam_pkcs11.so: undefined symbol: get_slot_login_required
Oct 15 00:18:53 test1 login: PAM adding faulty module: /lib64/security/pam_pkcs11.so
Oct 15 00:18:53 test1 login: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Oct 15 00:18:53 test1 login: PAM adding faulty module: /lib64/security/pam_fprintd.so
=============================

From this I can see two problems:-

1. pam_fprintd.so relates to another set of packages/dependencies 
(libfprint-0.2.0-1.fc13.x86_64, fprintd-0.2.0-1.fc13.x86_64 and 
fprintd-pam-0.2.0-1.fc13.x86_64) which are not picked up and specified 
as required when installing pam_pkcs11, so I presume this is a bug 
developers should be aware of (hence including this entire post in the 
opensc-devel list).

2. /lib64/security/pam_pkcs11.so: undefined symbol: 
get_slot_login_required seems to be related to a long-standing bug (Bug 
#597501) carried from FC12 and, from what I gather, is still NOT fixed. 
Older versions of pam_pkcs11 (0.5.3-29) seem to work, though I have not 
yet tried this route.

What I did next is to install the 3 failed dependencies 
(libfprint-0.2.0-1.fc13.x86_64, fprintd-0.2.0-1.fc13.x86_64 and 
fprintd-pam-0.2.0-1.fc13.x86_64) and when I tried to log in again (by 
both hitting space - " " - and pressing Enter and by typing my user 
name) I've only got the second error above:

=syslog=======================
Oct 15 00:29:48 test1 login: FAILED LOGIN SESSION FROM (null) FOR  , Module is unknown
Oct 15 00:29:49 test1 login: PAM unable to dlopen(/lib64/security/pam_pkcs11.so): /lib64/security/pam_pkcs11.so: undefined symbol: get_slot_login_required
Oct 15 00:29:49 test1 login: PAM adding faulty module: /lib64/security/pam_pkcs11.so
=============================

Next, I tried to download, compile and install the latest version - 
pam_pkcs11-0.6.3 (downloaded 
http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.3.tar.gz). 
I successfully ran "./configure":


=============================
PAM-PKCS#11 has been configured with the following options

Version:             0.6.3
User binaries:       /usr/bin
Configuration files: /etc

Host:                x86_64-unknown-linux-gnu
Compiler:            gcc
Compiler flags:      -O2 -g -pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 
-fexceptions -fstack-protector --param=ssp-buffer-size=4 -m64 -mtune=generic
Preprocessor flags: 
Linker flags:       
Libraries:           -lpam

Debugging:           yes
DocBook support:     yes
PC/SC support:       yes
CURL support:        no
LDAP support:        no
NSS support:         yes
OPENSSL support:     no
confdir:             /etc/pam_pkcs11
=============================

Though during "make" I've got this:

=============================
make[4]: Entering directory 
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/common'
/bin/sh ../../libtool  --tag=CC   --mode=compile gcc -DHAVE_CONFIG_H -I. 
-I../..  -I/usr/include/nss3 -I/usr/include/nspr4  -DHAVE_NSS   -O2 -g 
-pipe -Wall -Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -O0 -ggdb3 -c -o 
libcommon_la-algorithm.lo `test -f 'algorithm.c' || echo './'`algorithm.c
libtool: compile:  gcc -DHAVE_CONFIG_H -I. -I../.. -I/usr/include/nss3 
-I/usr/include/nspr4 -DHAVE_NSS -O2 -g -pipe -Wall 
-Wp,-D_FORTIFY_SOURCE=2 -fexceptions -fstack-protector 
--param=ssp-buffer-size=4 -m64 -mtune=generic -O0 -ggdb3 -c algorithm.c  
-fPIC -DPIC -o .libs/libcommon_la-algorithm.o
algorithm.c:54: error: conflicting types for 'Alg_get_digest_by_name'
./alg_st.h:50: note: previous declaration of 'Alg_get_digest_by_name' 
was here
algorithm.c: In function 'Alg_get_digest_by_name':
algorithm.c:56: warning: return discards qualifiers from pointer target type
make[4]: *** [libcommon_la-algorithm.lo] Error 1
make[4]: Leaving directory 
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/common'
Making all in rsaref
make[4]: Entering directory 
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/common/rsaref'
make[4]: Nothing to be done for `all'.
make[4]: Leaving directory 
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/common/rsaref'
make[3]: *** [all-recursive] Error 1
make[3]: Leaving directory 
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/common'

[...]

libtool: link: cannot find the library `../common/libcommon.la' or 
unhandled argument `../common/libcommon.la'
make[3]: *** [libmappers.la] Error 1
make[3]: Leaving directory 
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/mappers'

[...]

make[3]: *** No rule to make target `../common/libcommon.la', needed by 
`card_eventmgr'.  Stop.
make[3]: Leaving directory 
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src/tools'
make[3]: Entering directory `/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src'
make[3]: Nothing to be done for `all-am'.
make[3]: Leaving directory `/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src'
make[2]: *** [all-recursive] Error 1
make[2]: Leaving directory `/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/src'
Making all in tools
make[2]: Entering directory 
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/tools'
make[2]: Nothing to be done for `all'.
make[2]: Leaving directory 
`/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3/tools'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/home/zeek/rpmbuild/BUILD/pam_pkcs11-0.6.3'
make: *** [all] Error 2
=============================

So, in other words pam_pkcs11-0.6.3 will NOT COMPILE! Any ideas?
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
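
The two dlopen failures in the syslog excerpts above have different causes (one module is not installed, the other loads but has an unresolved symbol). The following is an added example, not part of the original post or of pam_pkcs11: it scans syslog text for PAM module load failures and classifies them. The function names are hypothetical, and the sample input is the post's log lines re-joined onto single lines.

```python
import re

# Constructed sample: the syslog records quoted in the post, with the mail
# client's line wrapping undone so that each record is on one line.
SAMPLE_LOG = """\
Oct 15 00:18:51 test1 login: FAILED LOGIN SESSION FROM (null) FOR zeek, Module is unknown
Oct 15 00:18:53 test1 login: PAM unable to dlopen(/lib64/security/pam_pkcs11.so): /lib64/security/pam_pkcs11.so: undefined symbol: get_slot_login_required
Oct 15 00:18:53 test1 login: PAM adding faulty module: /lib64/security/pam_pkcs11.so
Oct 15 00:18:53 test1 login: PAM unable to dlopen(/lib64/security/pam_fprintd.so): /lib64/security/pam_fprintd.so: cannot open shared object file: No such file or directory
Oct 15 00:18:53 test1 login: PAM adding faulty module: /lib64/security/pam_fprintd.so
"""

# Matches the "PAM unable to dlopen(...)" record shown in the post.
DLOPEN_FAIL = re.compile(
    r"^\w{3}\s+\d+ [\d:]{8} (?P<host>\S+) (?P<svc>[^:\[\s]+)(?:\[\d+\])?: "
    r"PAM unable to dlopen\((?P<module>[^)]+)\): (?P<reason>.*)$"
)

def classify(reason):
    """Map the loader's error text to a cause and, if present, the symbol."""
    if "undefined symbol:" in reason:
        # The module file exists but one of its symbols cannot be resolved.
        return "unresolved-symbol", reason.rsplit("undefined symbol:", 1)[1].strip()
    if "cannot open shared object file" in reason:
        # The module is referenced by a PAM stack but is not installed.
        return "missing-file", None
    return "other", None

def faulty_pam_modules(log_text):
    """Return {module_path: {"kind", "symbol", "services", "count"}}."""
    findings = {}
    for line in log_text.splitlines():
        m = DLOPEN_FAIL.match(line.strip())
        if not m:
            continue
        kind, symbol = classify(m["reason"])
        entry = findings.setdefault(
            m["module"], {"kind": kind, "symbol": symbol, "services": set(), "count": 0}
        )
        entry["services"].add(m["svc"])
        entry["count"] += 1
    return findings

if __name__ == "__main__":
    for path, info in faulty_pam_modules(SAMPLE_LOG).items():
        print(path, info["kind"], info["symbol"] or "-", sorted(info["services"]))
```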
