Login issues: PIV/CAC cards

I’ve been trying to figure out the login error “Please (re) insert a different smartcard” that appears after entering the username. AlmaLinux 9.

Here are some of the outputs I received. I hope someone can shed some light.
Some of the changes below blocked me from logging in, but I have since changed them back.
Info
[root@sa etc]# cat /etc/pam.d/login
#%PAM-1.0
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so

This line should be added in that file: auth required pam_pkcs11.so

[root@sa /]# systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: d>
Active: active (running) since Thu 2024-09-19 13:53:50 EDT; 5 days ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Main PID: 3169 (pcscd)
Tasks: 9 (limit: 199712)
Memory: 2.7M
CPU: 1min 7.224s
CGroup: /system.slice/pcscd.service
└─3169 /usr/sbin/pcscd --foreground --auto-exit

Sep 19 13:53:50 sa systemd[1]: Started PC/SC Smart Card Daemon.

Fix applied
Modify /etc/pam.d/system-auth to include the pam_pkcs11 module:

 auth     required       pam_pkcs11.so

Original line

# Generated by authselect on Mon Sep 9 17:56:37 2024
# Do not modify this file manually.

auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=2 ignore=ignore success=ok] pam_localuser.so
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail
auth required pam_deny.so → changed to pam_pkcs11.so (in /etc/pam.d/smartcard and system-auth)

account required pam_access.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

Configure pam_pkcs11:

Edit /etc/pam_pkcs11/pam_pkcs11.conf to specify your PKCS#11 module and mapping files:

 # Example configuration
 use_pkcs11_module = opensc;

 pkcs11_module opensc {
     module = /usr/lib64/opensc-pkcs11.so;
 };

 use_mappers = digest;

Original file

# Filename of the PKCS #11 module. The default value is "default"
use_pkcs11_module = opensc;

pkcs11_module opensc {
module = /usr/lib/opensc-pkcs11.so;
description = "OpenSC PKCS#11 module";
Ran test: pcsc_scan

Received output:
[root@sa /]# pcsc_scan
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau ludovic.rousseau@free.fr
Using reader plug’n play mechanism
Scanning present readers…
0: Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00 00

Wed Sep 25 11:10:26 2024
Reader 0: Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00 00
Event number: 10
Card state: Card inserted, Shared Mode,
ATR: 3B D6 97 00 81 – –

ATR: 3B D6 97 00 81 – –

  • TS = 3B → Direct Convention
  • T0 = D6, Y(1): 1101, K: 6 (historical bytes)
    TA(1) = 97 → Fi=512, Di=64, 8 cycles/ETU
    500000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 625000 bits/s
    TC(1) = 00 → Extra guard time: 0
    TD(1) = 81 → Y(i+1) = 1000, Protocol T = 1

TD(2) = B1 → Y(i+1) = 1011, Protocol T = 1

TA(3) = FE → IFSC: 254
TB(3) = 45 → Block Waiting Integer: 4 - Character Waiting Integer: 5
TD(3) = 1F → Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following

TA(4) = 87 → Clock stop: state H - Class accepted by the card: (3G) A 5V B 3V C 1.8V

  • Historical bytes: 80 31 C1 52 41 1A
    Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
    Card service data byte: C1
    - Application selection: by full DF name
    - Application selection: by partial DF name
    - EF.DIR and EF.ATR access services: by GET RECORD(s) command
    - Card without MF
    Tag: 5, len: 2 (card issuer’s data)
    Card issuer data: 41 1A
  • TCK = 2B (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B D6 97 00 81 – –
Oberthur Technologies ID-One PIV/CIV on V8 Device (eID)
https://***/cc/media/projects/cryptographic-module-validation-program/documents/security-policies/140s p2986.pdf


.so file

[root@sa etc]# cd /etc/pam.d/
[root@sa pam.d]# ls
atd fingerprint-auth gdm-smartcard-pkcs11-exclusive other remote su systemd-user
chfn gdm-autologin gdm-smartcard-pkcs11-exclusive.dpkg-dist passwd runuser sudo vlock
chsh gdm-fingerprint gdm-smartcard-sssd-exclusive password-auth runuser-l sudo-i vmtoolsd
cockpit gdm-launch-environment gdm-smartcard-sssd-exclusive.dpkg-dist piv-auth samba sudo-root xpra
config-util gdm-password gdm-smartcard-sssd-or-password pluto smartcard-auth sudo-root.dist xserver
crond gdm-pin ksu polkit-1 sshd su-l
cups gdm-smartcard login postlogin sssd-shadowutils system-auth

[root@sa pam.d]# cat smartcard-auth
# Generated by authselect on Mon Sep 9 17:56:37 2024
# Do not modify this file manually.

auth required pam_env.so
auth required pam_faillock.so preauth silent
auth sufficient pam_sss.so allow_missing_name
auth required pam_faillock.so authfail
auth required pam_deny.so

account required pam_access.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
[root@sa pam.d]# cat system
cat: system: No such file or directory
[root@sa pam.d]# cat system-auth
# Generated by authselect on Mon Sep 9 17:56:37 2024
# Do not modify this file manually.

auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=2 ignore=ignore success=ok] pam_localuser.so
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail
auth required pam_pkcs11.so

account required pam_access.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so

password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so

session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so

I added debug to pam_pkcs11.so (pam_pkcs11.so debug). After a reboot I am not able to remote in, but I did add my profile to /etc/passwd.

09/27/24

Output of the following:

Configure Kerberos authentication for users

Use the AD servers for user authentication as “common sign-on”.
System users should use the same user names as the AD

Packages

krb5-pkinit-1.21.1-2.el9_4.x86_64
opensc-0.23.0-4.el9_3.x86_64
kstart-4.3-1.el9.x86_64
pam_krb5-4.11-1.el9.x86_64
krb5-workstation-1.21.1-2.el9_4.x86_64
oddjob-mkhomedir-0.34.7-7.el9.x86_64

Config

default_realm = N
Keeping preconfigured krb5.conf file.

Middleware

Using /usr/lib64/pkcs11/libcoolkeypk11.so middleware
No such library as /usr/lib64/pkcs11/libcoolkeypk11.so
No change for pkinit_identities

PAM

/opt/Lab/bin/AD-authentication: line 83: authconfig: not found
authselect is a tracked alias for /usr/bin/authselect
[error] [/etc/authselect/system-auth] has unexpected content!
[error] [/etc/authselect/smartcard-auth] has unexpected content!
[error] [/etc/nsswitch.conf] is not a symbolic link!
[error] [/etc/nsswitch.conf] was not created by authselect!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.

Some unexpected changes to the configuration were detected.
Use --force parameter if you want to overwrite these changes.
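The hand-edited system-auth above swaps the final pam_deny.so for pam_pkcs11.so, and authselect then refuses the profile as having unexpected content. As an added example, not from the original post or from pam_pkcs11, OpenSC or authselect themselves, this POSIX sh script checks a hand-edited PAM auth stack and a pam_pkcs11.conf for exactly those two things: that the auth stack still ends in the pam_deny.so catch-all, and that every declared PKCS#11 module path exists on the host (the lib vs lib64 mismatch seen above). The file contents it reads are constructed samples written to temp files.

```shell
#!/bin/sh
# Added example, not from the original post. authselect refuses hand-edited
# profiles ("has unexpected content"), so check two things by hand:
#  1. the "auth" stack still ends in pam_deny.so, the catch-all that denies
#     when nothing above succeeded (the edit above replaced it with pam_pkcs11.so);
#  2. every "module = ...;" path in a pam_pkcs11.conf exists (lib vs lib64).

# Module name (first field ending in .so) of the last "auth" line in a PAM file.
# Comment lines are dropped and a leading '-' (optional module) is stripped.
pam_auth_last_module() {
    sed -e '/^[[:space:]]*#/d' -e 's/^[[:space:]]*-//' "$1" | awk '
        $1 == "auth" { for (i = 3; i <= NF; i++) if ($i ~ /\.so$/) { last = $i; break } }
        END { print last }'
}

# Print a finding and return 1 if the auth stack no longer ends in pam_deny.so.
pam_check_auth_stack() {
    last=$(pam_auth_last_module "$1")
    if [ "$last" != "pam_deny.so" ]; then
        echo "$1: auth stack ends in '${last:-nothing}', not pam_deny.so; fall-through no longer denies"
        return 1
    fi
    return 0
}

# Paths declared as "module = /path/to.so;" inside pkcs11_module blocks.
pkcs11_module_paths() {
    sed -n 's/^[[:space:]]*module[[:space:]]*=[[:space:]]*\([^;]*\);.*/\1/p' "$1"
}

# Print a finding per missing module path; return 1 if any is missing on this host.
pkcs11_check_modules() {
    rc=0
    for m in $(pkcs11_module_paths "$1"); do
        [ -f "$m" ] || { echo "$1: PKCS#11 module $m not found"; rc=1; }
    done
    return $rc
}

# Constructed sample (temp file) mirroring the edited system-auth from the post.
make_sample_auth() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
# Generated by authselect (constructed sample)
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
auth sufficient pam_unix.so nullok
auth required pam_pkcs11.so
account required pam_unix.so
EOF
    echo "$f"
}
```

Run the two check functions against the real /etc/pam.d/system-auth and /etc/pam_pkcs11/pam_pkcs11.conf as root to see whether the edited files still deny by default and point at a module that is actually installed.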