
Thread: pam_p11 problem




pam_p11 problem
Hungary
2007-09-13 04:38:42
Hi,

I also have a problem with using pam_p11 :(
I got the same error message in auth.log as others got when I tried to
use pam_p11_opensc.so:

pam_p11: fatal: pkcs11_sign failed


I'd like to use pkcs11-spy but I don't know how to use it. :(
I've added the following to /etc/pam.d/sudo:
auth    sufficient pam_p11_opensc.so /usr/lib/pkcs11-spy.so

Then I set PKCS11SPY in the shell by
export PKCS11SPY=/usr/lib/opensc-pkcs11.so

Then tried to use sudo, but got the following error message from pkcs11-spy:
*************** OpenSC PKCS#11 spy *****************
Error: no module specified. Please set PKCS11SPY environment.


Why? PKCS11SPY was set... Could you help me in setting up pkcs11-spy? I
googled it but did not find any answer. :( After getting a proper
logging from pkcs11-spy I may find out what's the problem with
pam_p11_opensc.so.


My card is an ikey3000. I use Debian Etch but built my own opensc/openct
packages from unstable deb-source.
opensc 0.11.3
openct 0.6.14
libpam-p11 0.1.3
libp11 0.2.3

This ikey3000 is working perfectly with ssh-add, and I used to use it
perfectly with pam before an upgrade, before you changed the pam module. :(

Could you help me please?

thank you,
Zsolt


-- 
Zsolt KOZAK      zsoltzso.lt
personal web:    http://zso.lt
Road To Avonlea: http://avonlea.hu

_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: pam_p11 problem
Hungary
2007-09-13 05:43:55
Hi,

Finally I had success with "su". I got the same error message in auth.log:
pam_p11[28107]: fatal: pkcs11_sign failed
But I have a pkcs11-spy error log too.  Could you please check it out
here?
http://zso.lt/spy.log.gz


thank you,
Zsolt

On 2007-09-13 11:38, Zsolt KOZAK wrote:
> Hi,
>
> I also have a problem with using pam_p11 :(
> I got the same error message in auth.log as others got when I tried to
> use pam_p11_opensc.so:
>
> pam_p11: fatal: pkcs11_sign failed
>
>
> I'd like to use pkcs11-spy but I don't know how to use it. :(
> I've added the following to /etc/pam.d/sudo:
> auth    sufficient pam_p11_opensc.so /usr/lib/pkcs11-spy.so
>
> Then I set PKCS11SPY in the shell by
> export PKCS11SPY=/usr/lib/opensc-pkcs11.so
>
> Then tried to use sudo, but got the following error message from pkcs11-spy:
> *************** OpenSC PKCS#11 spy *****************
> Error: no module specified. Please set PKCS11SPY environment.
>
>
> Why? PKCS11SPY was set... Could you help me in setting up pkcs11-spy? I
> googled it but did not find any answer. :( After getting a proper
> logging from pkcs11-spy I may find out what's the problem with
> pam_p11_opensc.so.
>
>
> My card is an ikey3000. I use Debian Etch but built my own opensc/openct
> packages from unstable deb-source.
> opensc 0.11.3
> openct 0.6.14
> libpam-p11 0.1.3
> libp11 0.2.3
>
> This ikey3000 is working perfectly with ssh-add, and I used to use it
> perfectly with pam before an upgrade, before you changed the pam module. :(
>
> Could you help me please?
>
> thank you,
> Zsolt
>
>
>   

-- 
Zsolt KOZAK      zsoltzso.lt
personal web:    http://zso.lt
Road To Avonlea: http://avonlea.hu


Re: pam_p11 problem
Hungary
2007-09-13 15:30:04
Hi Andreas,

Thank you! But how to change that 128 bytes to 7 bytes? Is there any
config parameter? I'm not an opensc developer.  I'm just a simple user.

thanks,
Zsolt

On 2007-09-13 22:21, Andreas Jellinghaus wrote:
> On Thursday 13 September 2007 12:43:55 Zsolt KOZAK wrote:
>
>> Hi,
>>
>> Finally I had success with "su". I got the same error message in auth.log:
>> pam_p11[28107]: fatal: pkcs11_sign failed
>> But I have a pkcs11-spy error log too.  Could you please check it out
>> here?
>>
>
>
> found it. pam_p11 tries to sign 128 bytes of data, but ikey 3000 does not
> support raw rsa signatures I guess. change that to 7 bytes (or better:
> implement a way to lookup what methods it supports and use the "best"
> one).
>
> Regards, Andreas
> _______________________________________________
> opensc-user mailing list
> opensc-userlists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-user
>

-- 
Zsolt KOZAK      zsoltzso.lt
personal web:    http://zso.lt
Road To Avonlea: http://avonlea.hu


Re: pam_p11 problem
2007-09-14 04:26:33
On Thursday 13 September 2007 22:30:04 Zsolt KOZAK wrote:
> Thank you! But how to change that 128 bytes to 7 bytes? Is there any
> config parameter? I'm not an opensc developer.  I'm just a simple user.
>

can you re-build libp11 from unstable deb source?
edit src/pam_p11.c and change
#define RANDOM_SIZE 128
to
#define RANDOM_SIZE 36

and see if this helps.

I had another look at the source and for the md5_sha1 method 36 bytes
is the normal payload. I guess your card supports this.

if you face any issue I can try compiling a package for you
(at least for i386 or x86_64 architectures).

Regards, Andreas
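
The size constraint behind the two suggestions in this thread (use a 36-byte payload, or look up what the token supports and pick the best method), as an added example that is not part of the thread and not code from pam_p11 or libp11. It assumes a 1024-bit key (128-byte modulus), which the thread does not state; pick_challenge_len and pkcs1_type1_pad are hypothetical names, and the mechanism lists in any caller are constructed.

```c
#include <stddef.h>
#include <string.h>

/* Standard PKCS#11 mechanism type values. */
#define CKM_RSA_PKCS   0x00000001UL /* token applies PKCS#1 v1.5 padding */
#define CKM_RSA_X_509  0x00000003UL /* raw RSA: input is a modulus-sized block */

#define MD5_SHA1_LEN   36           /* 16-byte MD5 + 20-byte SHA-1 */
#define PKCS1_OVERHEAD 11           /* 00 01, at least eight FF bytes, 00 */

/* Hypothetical helper: choose the challenge length from a mechanism list
 * such as C_GetMechanismList would return. Returns 0 if nothing usable. */
size_t pick_challenge_len(const unsigned long *mechs, size_t n,
                          size_t modulus_len)
{
    int have_pkcs = 0, have_raw = 0;
    for (size_t i = 0; i < n; i++) {
        if (mechs[i] == CKM_RSA_PKCS)  have_pkcs = 1;
        if (mechs[i] == CKM_RSA_X_509) have_raw = 1;
    }
    /* Prefer the padded mechanism: the token builds the block itself. */
    if (have_pkcs && MD5_SHA1_LEN + PKCS1_OVERHEAD <= modulus_len)
        return MD5_SHA1_LEN;
    /* Raw RSA needs exactly one modulus-sized block (128 bytes here). */
    if (have_raw)
        return modulus_len;
    return 0;
}

/* Build the PKCS#1 v1.5 type-1 block that padding produces for `payload`.
 * Returns 0 on success, -1 if the payload cannot fit in the modulus. */
int pkcs1_type1_pad(const unsigned char *payload, size_t len,
                    unsigned char *out, size_t modulus_len)
{
    if (modulus_len < PKCS1_OVERHEAD || len > modulus_len - PKCS1_OVERHEAD)
        return -1;                  /* e.g. 128 bytes into a 128-byte modulus */
    size_t ff_len = modulus_len - len - 3;
    out[0] = 0x00;
    out[1] = 0x01;
    memset(out + 2, 0xFF, ff_len);
    out[2 + ff_len] = 0x00;
    memcpy(out + 3 + ff_len, payload, len);
    return 0;
}
```

With a 128-byte modulus the padded mechanism accepts at most 117 bytes, so a 128-byte challenge only fits a raw RSA operation, while 36 bytes fits either way.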
