Ticket #201 (closed defect: fixed)


Opened 2 years ago

Last modified 23 months ago

Possible bug in PAM-P11 with OpenSSH style login

Reported by: jmpoure
Owned by: aj
Priority: normal
Milestone:
Component: opensc
Version: 0.11.6
Severity: normal
Keywords:
Cc:
Blocked By:
Blocking:

Description (last modified by aj)

Dear Friends,

I am writing a tutorial on GNU/Linux single sign-on.

My first article:  http://www.gooze.eu/gnu-linux-smart-card-howto-single-sign-on/gnu-linux-smart-card-logon-using-pam-p11

Unfortunately, pam_p11 does not seem to work. For information, I am using the Feitian PKI card.

When I try "su", it does work (asking for password).

IMHO pam-p11 could be very useful to people who do not need to manage several users except themselves. This is so nice to be able to connect using SSH style keys. I would love to be able to connect using pam-p11.

Can you reproduce my howto and confirm whether this works or does not work? I spent more than 5-10 hours figuring out what was going on.

Kind regards, Jean-Michel

Attachments

opensc-debug.log (174.5 KB) - added by jmpoure 2 years ago.

Change History

comment:1 Changed 2 years ago by martin

Please don't have a "commercial footer" in tickets (DevelopmentPolicy#Wiki). You can add yourself to the list of resellers in FrequentlyAskedQuestions#WherecanIbuysmartcards or add a link to the relevant feitian card page (which you already have done)

As for the PAM issue, I'll give it a look. How does the "not working" reveal itself?

comment:2 Changed 2 years ago by jmpoure

Sorry for the footer, I will not make it again.

As for the PAM issue:

  • My card has an RSA key pair.
  • The public key is extracted in RSA2 format and moved to /root/.ssh/authorized_keys

When I try to su, after a few seconds of activity, a password is asked.

In the /var/log/auth.log, I can read: Mar 15 15:47:42 acer su[4952]: pam_p11_openssh(su:auth): no certificates found

Attached is the OpenSC log.

Also, please note that I used Debian binaries of libpam-p11. It seems that the source code compiles, but does not install. It could be due to recent changes in OpenSC.

Thanks.

Changed 2 years ago by jmpoure

comment:3 Changed 2 years ago by martin

pam_p11 is looking for a certificate. Do you have a certificate on the card? What does pkcs11-tool -L say?

comment:4 Changed 2 years ago by jmpoure

pkcs11-tool -L

Slot 2           OmniKey CardMan 4321 00 00
  (empty)
Slot 3           OmniKey CardMan 4321 00 00
  (empty)
Slot 4           OmniKey CardMan 4321 00 00
  (empty)
Slot 5           Feitian SCR301 01 00
  token label:   Test (User PIN)
  token manuf:   EnterSafe
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  2998511513171109
Slot 6           Feitian SCR301 01 00
  (empty)
Slot 7           Feitian SCR301 01 00
  (empty)
Slot 8           Feitian SCR301 01 00
  (empty)
You must specify a slot ID

and

pkcs15-tool --dump
Using reader with a card: Feitian SCR301 01 00
PKCS#15 Card [Test]:
	Version        : 1
	Serial number  : 2998511513171109
	Manufacturer ID: EnterSafe
	Last update    : 20100315143703Z
	Flags          : PRN generation, EID compliant

PIN [User PIN]
	Com. Flags: 0x3
	ID        : 01
	Flags     : [0x30], initialized, needs-padding
	Length    : min_len:4, max_len:16, stored_len:16
	Pad char  : 0x00
	Reference : 1
	Type      : ascii-numeric
	Path      : 

Private RSA Key [Private Key]
	Com. Flags  : 3
	Usage       : [0x4], sign
	Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
	ModLength   : 2048
	Key ref     : 1
	Native      : yes
	Path        : 3f005015
	Auth ID     : 01
	ID          : f028b0bd38a0f5c983a9828f797038616518ca5b

Public RSA Key [Private Key]
	Com. Flags  : 2
	Usage       : [0x4], sign
	Access Flags: [0x0]
	ModLength   : 2048
	Key ref     : 0
	Native      : no
	Path        : 3f0050153000
	Auth ID     : 
	ID          : f028b0bd38a0f5c983a9828f797038616518ca5b

comment:5 Changed 2 years ago by aj

  • Owner changed from opensc-devel@… to aj
  • Description modified

martin is right. It's not a bug, it's a feature :-(

some cards don't have rsa public keys, or hide all rsa keys, until you log in. thus the pam module expects a certificate on the card, and extracts the rsa public key from it. without a certificate it doesn't work.

hmm, guess we should improve the documentation and the error messages? can you look at the pam_p11 wiki and edit it? and I can see if there is a good place for a message, if no certificate is on the card.
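
The check this thread describes is that pam_p11's openssh module takes the RSA public key out of the card's certificate and matches it against the ssh-rsa entries in ~/.ssh/authorized_keys (the "RSA2 format" from comment 2). The following is an added example, not code from pam_p11 or from this ticket: it encodes and parses the ssh-rsa wire format and reports whether a given (e, n) pair is authorized. The key values used are constructed, and lines with a leading options field (from="...") are not handled.

```python
# Added example, not code from pam_p11 or the ticket; the key values are constructed.
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint: minimal big-endian bytes, extra 0x00 if the top bit is set."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def encode_ssh_rsa(e: int, n: int, comment: str = "") -> str:
    """Build an authorized_keys line (the OpenSSH 'RSA2' / ssh-rsa format)."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def decode_ssh_rsa(line: str):
    """(e, n) from one authorized_keys line, or None; option-prefixed lines are not handled."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        return None
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except ValueError:  # binascii.Error is a ValueError
        return None
    parts, pos = [], 0
    for _ in range(3):  # key type, e, n
        if pos + 4 > len(blob):
            return None
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + length > len(blob):
            return None
        parts.append(blob[pos:pos + length])
        pos += length
    if parts[0] != b"ssh-rsa" or pos != len(blob):
        return None
    return int.from_bytes(parts[1], "big"), int.from_bytes(parts[2], "big")

def authorized(authorized_keys_text: str, e: int, n: int) -> bool:
    """True if some ssh-rsa line carries exactly the (e, n) taken from the card's certificate."""
    lines = (l.strip() for l in authorized_keys_text.splitlines())
    return any(decode_ssh_rsa(l) == (e, n) for l in lines if l and not l.startswith("#"))
```

If the card exposes no certificate object, there is no (e, n) to feed into this comparison, which is exactly the "no certificates found" message in comment 2.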

comment:6 Changed 2 years ago by jmpoure

  • Status changed from new to closed
  • Resolution set to fixed

Thanks. Then I should create an X.509 certificate and sign the RSA key, right? When I succeed, I will add the required information on wiki. Thanks!

Closing bug as it should be a feature.

comment:7 Changed 2 years ago by jmpoure

I admit I am a little bit lost. What command should I run to create an RSA key pair + certificate?

comment:9 Changed 23 months ago by jmpoure

Thanks aj. Now I understand in more detail.

But why should we require an X.509 certificate in the case of OpenSSH style login? X.509 certificates are for collaboration and managing access of several people.

In the case of ~/.ssh/authorized_keys the goal is clearly access to a single machine. This is like SSH access.

Furthermore, PAM-P11 does not manage revocation.

IMHO, to ease access to smart cards, we should enable the sole verification of RSA keys without X.509 certificates. OpenSSH works like that and is widely spread.

In my case, where I am the sole person accessing my computers (locally and remotely), this would perfectly suit my needs. Furthermore, it is easier to archive keys.

What is your opinion?

comment:10 Changed 23 months ago by aj

pam_p11 is supposed to work not only with opensc, but with any implementation of a pkcs#11 module for smart cards. other cards/libraries might not have any rsa public key. but every smart card has a certificate, so that works much better, and with all implementations we have seen so far.

we could read both, but for most users it wouldn't make a difference.

revocation? the new mechanism in the latest openssh release? patches welcome.

Regards, Andreas

comment:11 Changed 23 months ago by jmpoure

Okay, I understand now. Thank you for the explanations. This is very nice of you. Bye.
