I've been trying to figure out the login error "Please (re) insert a different smartcard" that appears after entering the username. AlmaLinux 9.
Here are some of the outputs received. I hope someone can shed some light on this.
Some of the changes below blocked me from logging in, but I have since changed them back.
Info
[root@sa etc]# cat /etc/pam.d/login
#%PAM-1.0
auth substack system-auth
auth include postlogin
account required pam_nologin.so
account include system-auth
password include system-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include system-auth
session include postlogin
-session optional pam_ck_connector.so
This line should be added in that file: auth required pam_pkcs11.so
[root@sa /]# systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: d>
Active: active (running) since Thu 2024-09-19 13:53:50 EDT; 5 days ago
TriggeredBy: ● pcscd.socket
Docs: man:pcscd(8)
Main PID: 3169 (pcscd)
Tasks: 9 (limit: 199712)
Memory: 2.7M
CPU: 1min 7.224s
CGroup: /system.slice/pcscd.service
└─3169 /usr/sbin/pcscd --foreground --auto-exit
Sep 19 13:53:50 sa systemd[1]: Started PC/SC Smart Card Daemon.
Fix applied
Modify /etc/pam.d/system-auth to include the pam_pkcs11 module:
auth required pam_pkcs11.so
Original line
# Generated by authselect on Mon Sep 9 17:56:37 2024
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=2 ignore=ignore success=ok] pam_localuser.so
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail
auth required pam_deny.so → changed to pam_pkcs11.so (in /etc/pam.d/smartcard and system-auth)
account required pam_access.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
Configure pam_pkcs11:
Edit /etc/pam_pkcs11/pam_pkcs11.conf to specify your PKCS#11 module and mapping files:
# Example configuration
use_pkcs11_module = opensc;
pkcs11_module opensc {
module = /usr/lib64/opensc-pkcs11.so;
};
use_mappers = digest;
Original file
# Filename of the PKCS #11 module. The default value is "default"
use_pkcs11_module = opensc;
pkcs11_module opensc {
module = /usr/lib/opensc-pkcs11.so;
description = "OpenSC PKCS#11 module";
## Ran test
pcsc_scan
receive output
[root@sa /]# pcsc_scan
PC/SC device scanner
V 1.6.2 (c) 2001-2022, Ludovic Rousseau ludovic.rousseau@free.fr
Using reader plug'n play mechanism
Scanning present readers…
0: Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00 00
Wed Sep 25 11:10:26 2024
Reader 0: Broadcom Corp 58200 [Contacted SmartCard] (0123456789ABCD) 00 00
Event number: 10
Card state: Card inserted, Shared Mode,
ATR: 3B D6 97 00 81 – –
ATR: 3B D6 97 00 81 – –
- TS = 3B → Direct Convention
- T0 = D6, Y(1): 1101, K: 6 (historical bytes)
TA(1) = 97 → Fi=512, Di=64, 8 cycles/ETU
500000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 625000 bits/s
TC(1) = 00 → Extra guard time: 0
TD(1) = 81 → Y(i+1) = 1000, Protocol T = 1
TD(2) = B1 → Y(i+1) = 1011, Protocol T = 1
TA(3) = FE → IFSC: 254
TB(3) = 45 → Block Waiting Integer: 4 - Character Waiting Integer: 5
TD(3) = 1F → Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
TA(4) = 87 → Clock stop: state H - Class accepted by the card: (3G) A 5V B 3V C 1.8V
- Historical bytes: 80 31 C1 52 41 1A
Category indicator byte: 80 (compact TLV data object)
Tag: 3, len: 1 (card service data byte)
Card service data byte: C1
- Application selection: by full DF name
- Application selection: by partial DF name
- EF.DIR and EF.ATR access services: by GET RECORD(s) command
- Card without MF
Tag: 5, len: 2 (card issuer's data)
Card issuer data: 41 1A - TCK = 2B (correct checksum)
Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B D6 97 00 81 – –
Oberthur Technologies ID-One PIV/CIV on V8 Device (eID)
https://***/cc/media/projects/cryptographic-module-validation-program/documents/security-policies/140s p2986.pdf
.so file
[root@sa etc]# cd /etc/pam.d/
[root@sa pam.d]# ls
atd fingerprint-auth gdm-smartcard-pkcs11-exclusive other remote su systemd-user
chfn gdm-autologin gdm-smartcard-pkcs11-exclusive.dpkg-dist passwd runuser sudo vlock
chsh gdm-fingerprint gdm-smartcard-sssd-exclusive password-auth runuser-l sudo-i vmtoolsd
cockpit gdm-launch-environment gdm-smartcard-sssd-exclusive.dpkg-dist piv-auth samba sudo-root xpra
config-util gdm-password gdm-smartcard-sssd-or-password pluto smartcard-auth sudo-root.dist xserver
crond gdm-pin ksu polkit-1 sshd su-l
cups gdm-smartcard login postlogin sssd-shadowutils system-auth
[root@sa pam.d]# cat smartcard-auth
# Generated by authselect on Mon Sep 9 17:56:37 2024
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faillock.so preauth silent
auth sufficient pam_sss.so allow_missing_name
auth required pam_faillock.so authfail
auth required pam_deny.so
account required pam_access.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
[root@sa pam.d]# cat system
cat: system: No such file or directory
[root@sa pam.d]# cat system-auth
# Generated by authselect on Mon Sep 9 17:56:37 2024
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth required pam_faillock.so preauth silent
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=2 ignore=ignore success=ok] pam_localuser.so
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_faillock.so authfail
auth required pam_pkcs11.so
account required pam_access.so
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password [success=1 default=ignore] pam_localuser.so
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session optional pam_oddjob_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
I added debug to pam_pkcs11.so (pam_pkcs11.so debug). After a reboot I am not able to remote in, but I did add my profile to /etc/passwd.
09/27/24
Output of the following:
Configure Kerberos authentication for users
Use the AD servers for user authentication as “common sign-on”.
System users should use the same user names as the AD
Packages
krb5-pkinit-1.21.1-2.el9_4.x86_64
opensc-0.23.0-4.el9_3.x86_64
kstart-4.3-1.el9.x86_64
pam_krb5-4.11-1.el9.x86_64
krb5-workstation-1.21.1-2.el9_4.x86_64
oddjob-mkhomedir-0.34.7-7.el9.x86_64
Config
default_realm = N
Keeping preconfigured krb5.conf file.
Middleware
Using /usr/lib64/pkcs11/libcoolkeypk11.so middleware
No such library as /usr/lib64/pkcs11/libcoolkeypk11.so
No change for pkinit_identities
PAM
/opt/Lab/bin/AD-authentication: line 83: authconfig: not found
authselect is a tracked alias for /usr/bin/authselect
[error] [/etc/authselect/system-auth] has unexpected content!
[error] [/etc/authselect/smartcard-auth] has unexpected content!
[error] [/etc/nsswitch.conf] is not a symbolic link!
[error] [/etc/nsswitch.conf] was not created by authselect!
[error] Unexpected changes to the configuration were detected.
[error] Refusing to activate profile unless those changes are removed or overwrite is requested.
Some unexpected changes to the configuration were detected.
Use --force parameter if you want to overwrite these changes.
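Added example (not from the post or from any project the post refers to): a small lint that parses pam.d-style stack lines and pam_pkcs11.conf fragments modelled on the ones above. It flags two things visible in the post: an auth stack that no longer ends in the authselect-generated `auth required pam_deny.so` terminator, and a `module = ...;` path that does not exist on the host (the post's conf points at /usr/lib/ while the fix text uses /usr/lib64/). The sample configs and the set of "present" libraries are constructed, so it runs offline.

```python
import re

# One PAM stack line: optional '-' prefix, type, control (word or [value=action ...]),
# module file, then arguments.
PAM_LINE = re.compile(r"^(-?)(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)(.*)$")

def parse_pam(text):
    """Return (type, control, module, args) for each non-comment stack line."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = PAM_LINE.match(line)
        if m:
            _, typ, control, module, args = m.groups()
            entries.append((typ, control, module, args.split()))
    return entries

def auth_stack_ends_with_deny(text):
    """True when the last 'auth' entry is a required/requisite pam_deny.so terminator."""
    auth = [e for e in parse_pam(text) if e[0] == "auth"]
    return bool(auth) and auth[-1][2] == "pam_deny.so" and auth[-1][1] in ("required", "requisite")

def missing_pkcs11_modules(conf_text, existing):
    """'module = /path;' values in a pam_pkcs11.conf fragment that are not in `existing`."""
    paths = re.findall(r"^\s*module\s*=\s*([^;\s]+)\s*;", conf_text, re.M)
    return [p for p in paths if p not in existing]

# Constructed samples: a trimmed authselect-style stack, and the post's edit of it.
AUTHSELECT_STACK = """\
# Generated by authselect
auth required pam_env.so
auth [success=done authinfo_unavail=ignore user_unknown=ignore ignore=ignore default=die] pam_sss.so try_cert_auth
auth sufficient pam_unix.so nullok
auth required pam_faillock.so authfail
auth required pam_deny.so
"""
EDITED_STACK = AUTHSELECT_STACK.replace("auth required pam_deny.so", "auth required pam_pkcs11.so")
PKCS11_CONF = """\
use_pkcs11_module = opensc;
pkcs11_module opensc {
  module = /usr/lib/opensc-pkcs11.so;
};
"""
PRESENT_LIBS = {"/usr/lib64/opensc-pkcs11.so"}  # constructed stand-in for a 64-bit host

if __name__ == "__main__":
    print("authselect stack ends in pam_deny.so:", auth_stack_ends_with_deny(AUTHSELECT_STACK))
    print("edited stack ends in pam_deny.so:   ", auth_stack_ends_with_deny(EDITED_STACK))
    print("missing PKCS#11 modules:", missing_pkcs11_modules(PKCS11_CONF, PRESENT_LIBS))
```

On a real host, replace PRESENT_LIBS with a check such as os.path.exists; note that editing the authselect-generated files directly is also what produces the "has unexpected content" errors shown above, so a change like this normally belongs in a custom authselect profile.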