Package: libopensc2
Version: 0.11.13-1
Severity: normal

I can't use my OpenSC-supported smartcard with both PAM and OpenSSH concurrently. I think I ought to be able to.
I'm using OpenSSH v5.4 or later, with upstream's PKCS#11 support. I keep my keys loaded in an instance of ssh-agent. I'm also using pam-p11 in common-auth:

    0 d...@pip:~$ grep p11 /etc/pam.d/common-auth
    auth required pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
    0 d...@pip:~$

For use with the agent, I add my Cryptoflex eGate USB device like this:

    ssh-add -s /usr/lib/opensc-pkcs11.so

Once my smartcard is loaded, if I try to run a command via sudo (which uses PAM's common-auth config), I get the following unusual errors:

    [opensc-pkcs11] pkcs15.c:720:sc_pkcs15_bind: sc_lock() failed: Generic reader error
    [opensc-pkcs11] pkcs15.c:722:sc_pkcs15_bind: returning with: Generic reader error
    sudo: pam_authenticate: Authentication service cannot retrieve authentication info

and sudo returns an exit code of 1.

I get the same failures if I try to re-authenticate to xscreensaver in the same context, fwiw, so I don't think the problem is with anything special sudo is doing.

Why do I think this *should* work in the first place? In section 6.2 of PKCS#11 Base v2.30, describing the goals of PKCS#11, it says:

    A secondary goal was resource-sharing. As desktop multi-tasking
    operating systems become more popular, a single device should be
    shared between more than one application. In addition, an
    application should be able to interface to more than one device at
    a given time.

So I suspect this is a problem with opensc-pkcs11.so. However, PKCS#11 support in OpenSSH is fairly new, and it's also possible that it's a bug in how ssh-agent interacts with PKCS#11. Feel free to re-assign this bug to openssh-client, if you think that is the case. (I suppose it's also possible that this is a bug in pam-p11 or in PAM itself, though those seem increasingly less likely.)
Note that there are two workarounds that let me use the card again with PAM:

 0) ssh-agent -e /usr/lib/opensc-pkcs11.so (this clears the token from my running agent)

 1) unplug and re-plug the token physically (this makes the keys in the agent useless, but the agent doesn't seem to know that)

In either case, I need to clear the agent and re-load the token after I've used the PAM stack. These tools should be able to play together better.

Thanks for maintaining OpenSC in Debian!

--dkg

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (500, 'testing'), (200, 'unstable'), (1, 'experimental')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-4-686 (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libopensc2 depends on:
ii  libc6          2.10.2-6          Embedded GNU C Library: Shared lib
ii  libltdl7       2.2.6b-2          A system independent dlopen wrappe
ii  libopenct1     0.6.20-1.1        middleware framework for smart car
ii  libssl0.9.8    0.9.8n-1          SSL shared libraries
ii  zlib1g         1:1.2.3.4.dfsg-3  compression library - runtime

libopensc2 recommends no packages.
libopensc2 suggests no packages.

-- no debconf information