Thread: pam_pkcs11 fails to login with cert on eToken 64

pam_pkcs11 fails to login with cert on eToken 64
France | 2008-03-12 10:20:15
Hi there,

I'm trying to use an eToken Pro 64k with pam_pkcs11 module. I currently test the Aladdin (binary) driver. I've put a certificate on the token, then try to use it to login to a workstation.

The workstation is running Debian sid, nsswitch uses ldap to get users' attributes, and I can login using su - <uid>.

I'm trying to use pwent or ldap mapping, but both fail, whether I use a login name or not.
Using pwent mapping:
--------------------

pklogin_finder finds the correct uid.

login using no username finds a match to my uid. A few output lines from the debugging output:

DEBUG:pam_pkcs11.c:465: certificate is valid and matches user '<uid>'
DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from /dev/urandom
DEBUG:pkcs11_lib.c:1403: random-value[128] = [59:43:aa...:95]
DEBUG:pkcs11_lib.c:1345: hash[35] = [...:44:05:df:...:67]
DEBUG:pkcs11_lib.c:1366: increased signature buffer-length to 512
ERROR:pam_pkcs11.c:531: sign_value() failed: C_Sign() failed: 91
DEBUG:mapper_mgr.c:214: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
DEBUG:pkcs11_lib.c:1065: logout user
DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
DEBUG:pkcs11_lib.c:1077: releasing keys and certificates

I don't really get the error, and google search isn't really useful. I don't know what this 91 error code is.

If I provide the username 'uid', same thing happens.
Using ldap mapping:
-------------------

pklogin_finder segfaults

End of debug log shows:

DEBUG:ldap_mapper.c:892: Trying to match certificate with user: '<uid>'
DEBUG:ldap_mapper.c:615: ldap_get_certificate(): begin login = <uid>
DEBUG:ldap_mapper.c:620: ldap_get_certificate(): filter_str = (&(objectClass=posixAccount)(uid=<uid>))
DEBUG:ldap_mapper.c:578: added URI ldap://ldap:389
DEBUG:ldap_mapper.c:679: ldap_get_certificate(): try do_open for ldap://ldap:389
DEBUG:ldap_mapper.c:141: do_init():
DEBUG:ldap_mapper.c:411: Set connection timeout to 8
DEBUG:ldap_mapper.c:319: do_bind(): bind DN="" pass=""
DEBUG:ldap_mapper.c:352: do_bind rc=97
DEBUG:ldap_mapper.c:718: ldap_get_certificate(): entries = 1
DEBUG:ldap_mapper.c:743: attribute name = userCertificate
DEBUG:ldap_mapper.c:748: number auf usercertificates = 1
DEBUG:ldap_mapper.c:766: d2i_X509(): success for certificate 0
DEBUG:ldap_mapper.c:780: ldap_get_certificate(): end
Segmentation fault

Backtrace log is:

#0 0xb7e7257d in X509_check_purpose () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
No symbol table info available.
#1 0xb7e5ee46 in X509_cmp () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
No symbol table info available.
#2 0xb6f5477a in ?? () from /lib/pam_pkcs11/ldap_mapper.so
No symbol table info available.
#3 0x0807fad0 in ?? ()
No symbol table info available.
#4 0x00000000 in ?? ()
No symbol table info available.
The program is running. Exit anyway? (y or n)

Not really useful, I know. I may try to rebuild using debug symbols, but I currently don't have a practical way to do that on this box.

login with username ends with the same log, then returns back to login prompt (so I guess it segfaults too).

login without username first searches for the right username (parsing pwent entries I guess), then returns to prompt. Segfaults too, I guess.

If I need to provide you some more info, please ask.

Hope you can help, and thanks for your time,
--
Yves-Alexis
_______________________________________________
opensc-user mailing list
opensc-user lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: pam_pkcs11 fails to login with cert on eToken 64
2008-03-20 04:23:54
On Wed, Mar 12, 2008 at 4:20 PM, Yves-Alexis Perez <corsac corsac.net> wrote:
> Hi there,

Hello,

> I'm trying to use an eToken Pro 64k with pam_pkcs11 module. I currently test the Aladdin (binary) driver. I've put a certificate on the token, then try to use it to login to a workstation.
>
> The workstation is running Debian sid, nsswitch uses ldap to get users' attributes, and I can login using su - <uid>.
>
> I'm trying to use pwent or ldap mapping, but both fail, whether I use a login name or not.
>
> Using pwent mapping:
> --------------------
>
> pklogin_finder finds the correct uid.
>
> login using no username finds a match to my uid. A few output lines from the debugging output:
>
> DEBUG:pam_pkcs11.c:465: certificate is valid and matches user '<uid>'
> DEBUG:pkcs11_lib.c:1384: reading 128 random bytes from /dev/urandom
> DEBUG:pkcs11_lib.c:1403: random-value[128] = [59:43:aa...:95]
> DEBUG:pkcs11_lib.c:1345: hash[35] = [...:44:05:df:...:67]
> DEBUG:pkcs11_lib.c:1366: increased signature buffer-length to 512
> ERROR:pam_pkcs11.c:531: sign_value() failed: C_Sign() failed: 91
> DEBUG:mapper_mgr.c:214: unloading mapper module list
> DEBUG:mapper_mgr.c:137: calling mapper_module_end() pwent
> DEBUG:mapper_mgr.c:148: Module pwent is static: don't remove
> DEBUG:pkcs11_lib.c:1065: logout user
> DEBUG:pkcs11_lib.c:1071: closing the PKCS #11 session
> DEBUG:pkcs11_lib.c:1077: releasing keys and certificates
>
> I don't really get the error, and google search isn't really useful. I don't know what this 91 error code is.

91 (hex) is
#define CKR_OPERATION_NOT_INITIALIZED 0x00000091

The code is doing:
C_SignInit() -> CKR_OK
C_Sign() -> CKR_BUFFER_TOO_SMALL
the signature buffer is then increased from 128 to 512 as indicated in the log
C_Sign() -> CKR_OPERATION_NOT_INITIALIZED

I think it is a bug in the pkcs#11 token you use (Aladdin (binary) driver). According to the PKCS#11 specification C_Sign:

"The signing operation must have been initialized with C_SignInit. A call to C_Sign always terminates the active signing operation unless it returns CKR_BUFFER_TOO_SMALL or is a successful call (i.e., one which returns CKR_OK) to determine the length of the buffer needed to hold the signature."

So the second call to C_Sign() should not fail in the case of CKR_BUFFER_TOO_SMALL.

> If I provide the username 'uid', same thing happens.
>
> Using ldap mapping:
> -------------------
>
> pklogin_finder segfaults
>
> End of debug log shows:
>
> DEBUG:ldap_mapper.c:892: Trying to match certificate with user: '<uid>'
> DEBUG:ldap_mapper.c:615: ldap_get_certificate(): begin login = <uid>
> DEBUG:ldap_mapper.c:620: ldap_get_certificate(): filter_str = (&(objectClass=posixAccount)(uid=<uid>))
> DEBUG:ldap_mapper.c:578: added URI ldap://ldap:389
> DEBUG:ldap_mapper.c:679: ldap_get_certificate(): try do_open for ldap://ldap:389
> DEBUG:ldap_mapper.c:141: do_init():
> DEBUG:ldap_mapper.c:411: Set connection timeout to 8
> DEBUG:ldap_mapper.c:319: do_bind(): bind DN="" pass=""
> DEBUG:ldap_mapper.c:352: do_bind rc=97
> DEBUG:ldap_mapper.c:718: ldap_get_certificate(): entries = 1
> DEBUG:ldap_mapper.c:743: attribute name = userCertificate
> DEBUG:ldap_mapper.c:748: number auf usercertificates = 1
> DEBUG:ldap_mapper.c:766: d2i_X509(): success for certificate 0
> DEBUG:ldap_mapper.c:780: ldap_get_certificate(): end
> Segmentation fault
>
> Backtrace log is:
>
> #0 0xb7e7257d in X509_check_purpose () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
> No symbol table info available.
> #1 0xb7e5ee46 in X509_cmp () from /usr/lib/i686/cmov/libcrypto.so.0.9.8
> No symbol table info available.
> #2 0xb6f5477a in ?? () from /lib/pam_pkcs11/ldap_mapper.so
> No symbol table info available.
> #3 0x0807fad0 in ?? ()
> No symbol table info available.
> #4 0x00000000 in ?? ()
> No symbol table info available.
> The program is running. Exit anyway? (y or n)
>
> Not really useful, I know. I may try to rebuild using debug symbols, but I currently don't have a practical way to do that on this box.

You do not need to rebuild with debug symbol. I think the library is stripped during installation. Just copy ./src/mappers/.libs/ldap_mapper.so in /lib/pam_pkcs11/ldap_mapper.so
Bye
--
Dr. Ludovic Rousseau
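As an added illustration, not code from this thread or from pam_pkcs11, here is the C_SignInit/C_Sign sequence Ludovic describes, run against a constructed token model defined in the same file. The compliant model keeps the signing operation alive after CKR_BUFFER_TOO_SMALL as the spec text requires, the buggy model drops it and reproduces the 0x91 on the second C_Sign(), and the recover flag in sign_value() shows the defensive re-init a caller can use to tolerate such a token. The pkcs11.h types and the token itself are stand-ins (the CKR_* values are the real PKCS#11 constants), and sign_value() is an assumed name, not pam_pkcs11's function.

```c
#include <stdlib.h>
/* Stand-ins for the pkcs11.h types and the return codes in play
 * (numeric values are the real PKCS#11 constants). */
typedef unsigned long CK_RV, CK_ULONG, CK_SESSION_HANDLE, CK_OBJECT_HANDLE;
typedef unsigned char CK_BYTE;
#define CKR_OK                        0x000UL
#define CKR_HOST_MEMORY               0x002UL
#define CKR_BUFFER_TOO_SMALL          0x150UL
#define CKR_OPERATION_NOT_INITIALIZED 0x091UL
/* Constructed token model: 256-byte signatures, a flag for "signing
 * operation active", and a switch between spec-compliant and buggy. */
#define SIG_LEN 256UL
static int sign_active;
int token_compliant = 1;
static CK_RV C_SignInit(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE k) {
    (void)s; (void)k; sign_active = 1; return CKR_OK;
}
static CK_RV C_Sign(CK_SESSION_HANDLE s, CK_BYTE *data, CK_ULONG len,
                    CK_BYTE *sig, CK_ULONG *sig_len) {
    (void)s; if (!sign_active) return CKR_OPERATION_NOT_INITIALIZED;
    if (sig == NULL || *sig_len < SIG_LEN) {
        *sig_len = SIG_LEN;              /* report the required length */
        if (sig == NULL) return CKR_OK;  /* pure length query keeps the op */
        /* Spec: CKR_BUFFER_TOO_SMALL must also keep the operation active;
         * the buggy model drops it, reproducing the 0x91 in the thread. */
        if (!token_compliant) sign_active = 0;
        return CKR_BUFFER_TOO_SMALL;
    }
    for (CK_ULONG i = 0; i < SIG_LEN; i++)  /* constructed, not a real signature */
        sig[i] = (CK_BYTE)(data[i % len] ^ (CK_BYTE)i);
    *sig_len = SIG_LEN;
    sign_active = 0;                     /* a completed C_Sign ends the op */
    return CKR_OK;
}
/* Caller in pam_pkcs11's style: small buffer, grow on CKR_BUFFER_TOO_SMALL,
 * call again. With recover=1 it re-runs C_SignInit once if the token
 * wrongly dropped the operation. *sig is malloc'd; the caller frees it. */
CK_RV sign_value(CK_SESSION_HANDLE s, CK_OBJECT_HANDLE k, CK_BYTE *data,
                 CK_ULONG len, CK_BYTE **sig, CK_ULONG *sig_len, int recover) {
    CK_RV rv = C_SignInit(s, k);
    if (rv != CKR_OK) return rv;
    *sig_len = 128;                      /* pam_pkcs11 starts at 128 bytes */
    if ((*sig = malloc(*sig_len)) == NULL) return CKR_HOST_MEMORY;
    rv = C_Sign(s, data, len, *sig, sig_len);
    if (rv == CKR_BUFFER_TOO_SMALL) {
        *sig = realloc(*sig, *sig_len);  /* grow to the reported length */
        rv = C_Sign(s, data, len, *sig, sig_len);
        if (rv == CKR_OPERATION_NOT_INITIALIZED && recover &&
            C_SignInit(s, k) == CKR_OK)  /* workaround: re-init and retry */
            rv = C_Sign(s, data, len, *sig, sig_len);
    }
    return rv;
}
```

Against a real module the same caller would be handed the function pointers from C_GetFunctionList; the recover branch is a workaround for one non-compliant token, not something a compliant token should ever need.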

Re: pam_pkcs11 fails to login with cert on eToken 64
Germany | 2008-03-20 05:05:17
Hello Yves-Alexis,

what version of the aladdin binary are you using? Still 3.65?
I think I saw this C_Sign failed before.

Kind regards
Cornelius
--
Cornelius Kölbel (Senior Security Consultant), http://www.lsexperts.de
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Tel: +49 6151 9067-252, Fax: -299, Mobile: +49 160 96307089
Registered office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Managing directors: Oliver Michel, Sven Walther

Re: pam_pkcs11 fails to login with cert on eToken 64
2008-03-20 08:29:09
On Thu, Mar 20, 2008 at 2:09 PM, Timothy J Miller <tmiller mitre.org> wrote:
> On Mar 20, 2008, at 4:23 AM, Ludovic Rousseau wrote:
>
> > You do not need to rebuild with debug symbol. I think the library is
> > stripped during installation.
>
> Correct, but the package can be fixed to provide a -dbg package containing the symbols for gdb to read.
>
> Plenty of Debian docs on how to do this available.

Good idea. Reported as bug #471830 http://bugs.debian.org/471830
--
Dr. Ludovic Rousseau

Re: pam_pkcs11 fails to login with cert on eToken 64
United States | 2008-03-20 08:09:01
On Mar 20, 2008, at 4:23 AM, Ludovic Rousseau wrote:
> You do not need to rebuild with debug symbol. I think the library is
> stripped during installation.

Correct, but the package can be fixed to provide a -dbg package containing the symbols for gdb to read.

Plenty of Debian docs on how to do this available.
-- Tim

Re: pam_pkcs11 fails to login with cert on eToken 64
2008-03-20 12:51:05
On Thu, 2008-03-20 at 10:23 +0100, Ludovic Rousseau wrote:
> You do not need to rebuild with debug symbol. I think the library is stripped during installation. Just copy
> ./src/mappers/.libs/ldap_mapper.so in /lib/pam_pkcs11/ldap_mapper.so
>

Ok, but as I'm running it on debian anyway, I didn't build it the first time. Still need to rebuild it.
--
Yves-Alexis

Re: pam_pkcs11 fails to login with cert on eToken 64
2008-03-20 12:52:56
On Thu, 2008-03-20 at 11:05 +0100, Cornelius Kölbel wrote:
> what version of the aladdin binary are you using? Still 3.65?
> I think I saw this C_Sign failed before.

Yes, as it was the only version I could test without first buying a $$$ license. I don't really know yet how everything should work (I need to use those tokens on windows and linux hosts, using a third party, not yet chosen, PKI) so I wanted to try both Aladdin and OpenSC drivers.
--
Yves-Alexis

Re: pam_pkcs11 fails to login with cert on eToken 64
2008-03-20 12:59:43
On Thu, 2008-03-20 at 09:09 -0500, Timothy J Miller wrote:
> They tell you a little about supporting DEB_BUILD_OPTIONS for making a debugging symbol build, but no explicit instructions for library package maintainers that -dbg should be produced along with -dev.

Producing -dbg packages is _really_ easy. It's just an argument to dh_strip and a binary package addition to debian/control. The dh_strip part can even be skipped if using cdbs.

I don't think all packages should be forced to provide -dbg packages as this can be quite heavy on disk usage, for mirrors essentially (especially if it's easy to rebuild them not using debug symbols), and maintainers can usually provide themselves not-debug-stripped packages for most-used arches.

Cheers,
Cheers,
--
Yves-Alexis

Re: pam_pkcs11 fails to login with cert on eToken 64
United States | 2008-03-20 13:43:16
On Mar 20, 2008, at 12:59 PM, Yves-Alexis Perez wrote:
> I don't think all packages should be forced to provide -dbg packages as
> this can be quite heavy on disk usage, for mirrors essentially.

Then you dump it in a special developer pool, and let the mirrors decide whether to carry it. Not having it at hand is a PITA if you're not a deb-head.
-- Tim