pam_pkcs11
make pkcs11_module option "slot_description" a substring match
Hi there
Problem description

A while ago I discovered that the slot_description in the pkcs11_module is not working as intended, because the string it is compared to also has the slot ID inside.
Furthermore, we use Yubikeys as smartcards in our company for authentication. Over the years we got different versions. Some users have a Yubikey NEO, some a Yubikey 4, and now there are Yubikey 5s as well. On top of that there are users with smartcards from our customers to authenticate on external systems.
So it would be very nice to have a substring match instead of a full match for the slot_description field in the config file.
Test setup

System: Ubuntu 20.04
opensc version 0.20.0-3 amd64
libpam-pkcs11 version 0.6.11-2 amd64
inserted smartcards on the system:
- Slot 0: Yubikey NEO OTP+CCID
- Slot 1: Yubikey NEO OTP+U2F+CCID
- Slot 2: Yubikey 4 OTP+CCID
- Slot 3: Gemalto PC Twin Reader with customer smartcard
```
# opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
1 Yes Yubico Yubikey NEO OTP+CCID 01 00
2 Yes Yubico Yubikey 4 OTP+CCID 02 00
3 Yes Gemalto PC Twin Reader (922FBFB3) 03 00
```
relevant part of pam_pkcs11 config:
```
# cat /etc/pam_pkcs11/pam_pkcs11.conf
pam_pkcs11 {
...
use_pkcs11_module = yubikey;
pkcs11_module yubikey {
module = /usr/lib/opensc-pkcs11.so;
description = "OpenSC PKCS#11 module";
slot_description = "Yubico Yubikey NEO OTP+CCID";
#slot_num = 1;
ca_dir = /etc/pam_pkcs11/cacerts;
crl_dir = /etc/pam_pkcs11/crls;
support_threads = false;
cert_policy = ca,signature;
#crl check disabled as workaround cause of segmentation fault, see https://github.com/OpenSC/pam_pkcs11/issues/42
#cert_policy = ca,signature,crl_auto;
token_type = "YubiKey";
}
...
```
Steps to reproduce
```
# /usr/bin/pklogin_finder debug
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pklogin_finder.c:71: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:1000: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:1016: module permissions: uid = 0, gid = 0, mode = 644
DEBUG:pkcs11_lib.c:1026: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1034: getting function list
DEBUG:pklogin_finder.c:79: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1180: module information:
DEBUG:pkcs11_lib.c:1181: - version: 2.20
DEBUG:pkcs11_lib.c:1182: - manufacturer: OpenSC Project
DEBUG:pkcs11_lib.c:1183: - flags: 0000
DEBUG:pkcs11_lib.c:1184: - library description: OpenSC smartcard framework
DEBUG:pkcs11_lib.c:1185: - library version: 0.20
DEBUG:pkcs11_lib.c:1077: number of slots (a): 5
DEBUG:pkcs11_lib.c:1100: number of slots (b): 5
DEBUG:pkcs11_lib.c:1112: slot 1:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+U2F+CCID 00 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: test.user1
DEBUG:pkcs11_lib.c:1133: - manufacturer: piv_II
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: fa199c6821e35273
DEBUG:pkcs11_lib.c:1136: - flags: 040d
DEBUG:pkcs11_lib.c:1112: slot 2:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+CCID 01 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: test.user3
DEBUG:pkcs11_lib.c:1133: - manufacturer: piv_II
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: 5f11379df7ff0e16
DEBUG:pkcs11_lib.c:1136: - flags: 2040d
DEBUG:pkcs11_lib.c:1112: slot 3:
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey 4 OTP+CCID 02 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: test.user2
DEBUG:pkcs11_lib.c:1133: - manufacturer: piv_II
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: c0fdcb8f44270042
DEBUG:pkcs11_lib.c:1136: - flags: 040d
DEBUG:pkcs11_lib.c:1112: slot 4:
DEBUG:pkcs11_lib.c:1122: - description: Gemalto PC Twin Reader (922FBFB3) 03 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Gemalto
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: PKI Card (Card PIN)
DEBUG:pkcs11_lib.c:1133: - manufacturer: <CUSTOMER>
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15
DEBUG:pkcs11_lib.c:1135: - serial: 105003013405
DEBUG:pkcs11_lib.c:1136: - flags: 040c
DEBUG:pkcs11_lib.c:1112: slot 5:
DEBUG:pkcs11_lib.c:1122: - description: Gemalto PC Twin Reader (922FBFB3) 03 00
DEBUG:pkcs11_lib.c:1123: - manufacturer: Gemalto
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: PKI Card (Card PUK)
DEBUG:pkcs11_lib.c:1133: - manufacturer: <CUSTOMER>
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15
DEBUG:pkcs11_lib.c:1135: - serial: 105003013405
DEBUG:pkcs11_lib.c:1136: - flags: 040c
DEBUG:pklogin_finder.c:95: no token available
```
Expected result

Find the smartcard in slot 2 (test.user3), as its description is equal to the slot_description in pam_pkcs11.conf (Yubico Yubikey NEO OTP+CCID).
Actual result

As you can see in the debug output, it adds a `01 00` at the end of the description, which represents the slot ID:

```
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey NEO OTP+CCID 01 00
```

and this results in

```
DEBUG:pklogin_finder.c:95: no token available
```
If I write `slot_description = "Yubico Yubikey NEO OTP+CCID 01 00";` into pam_pkcs11.conf then it works, but only if the key is in slot 1. I guess this is not the idea behind the slot_description option; this way it is just a stricter version of the alternative slot_num option.
Expected behavior after this request is implemented

Changing this to a substring match would also solve the problem with the different Yubikey versions we have. So I can simply write `slot_description = "Yubico Yubikey "` into pam_pkcs11.conf and every user can log in with his Yubikey on every system.

I would like to see the following matches/mismatches.

Examples of matches:

- description from debug: "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
  description in config : "Yubico Yubikey NEO OTP+U2F+CCID"
- description from debug: "Yubico Yubikey NEO OTP+CCID 01 00"
  description in config : "Yubico Yubikey"
- description from debug: "Yubico Yubikey 4 OTP+CCID 02 00"
  description in config : "Yubico Yubikey"

Examples of mismatches:

- description from debug: "Yubico Yubikey NEO OTP+U2F+CCID 00 00"
  description in config : "Yubico Yubikey NEO OTP+CCID"
- description from debug: "Gemalto PC Twin Reader (922FBFB3) 03 00"
  description in config : "Yubico Yubikey"
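As an added illustration (not code from pam_pkcs11 or from the issue author), the C program below shows the two matching rules side by side on the four reader descriptions from the debug output above: the whole-string comparison the issue reports, which fails because of the trailing slot ID, and the substring comparison the issue asks for. It also reproduces the 64-character cut-off behind the workaround further down: PKCS#11 defines `CK_SLOT_INFO.slotDescription` as a 64-byte, blank-padded field without a terminating NUL, which is assumed here to be why longer reader names are truncated. All function names, the `REPORTED_DESCS` table and the sample strings are constructed for this example. An empty configured value is rejected deliberately, so that a blank `slot_description` cannot select every slot; with either rule, slot selection only picks a reader, and the certificate checks under `cert_policy` remain what actually authenticates the user.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* PKCS#11 defines CK_SLOT_INFO.slotDescription as a 64-byte, blank-padded
 * field with no terminating NUL. That is the assumed reason the debug
 * output shows reader names cut at 64 characters. */
#define SLOT_DESC_LEN 64

/* Constructed stand-in for how a PKCS#11 module fills slotDescription:
 * copy at most 64 bytes of the reader name and pad the rest with blanks. */
void make_raw_slot_desc(const char *text, unsigned char raw[SLOT_DESC_LEN])
{
    size_t n = strlen(text);
    if (n > SLOT_DESC_LEN)
        n = SLOT_DESC_LEN;          /* longer names are silently truncated */
    memset(raw, ' ', SLOT_DESC_LEN);
    memcpy(raw, text, n);
}

/* Turn the raw field into a NUL-terminated C string and strip the blank
 * padding, which must happen before any string comparison. */
void slot_desc_to_cstring(const unsigned char raw[SLOT_DESC_LEN],
                          char out[SLOT_DESC_LEN + 1])
{
    size_t n = SLOT_DESC_LEN;
    memcpy(out, raw, SLOT_DESC_LEN);
    while (n > 0 && out[n - 1] == ' ')
        n--;
    out[n] = '\0';
}

/* Behaviour the issue reports: the whole reported string must equal the
 * configured one, so the trailing "01 00" slot ID makes it fail. */
bool slot_desc_match_exact(const char *reported, const char *configured)
{
    return strcmp(reported, configured) == 0;
}

/* Behaviour the issue requests: the configured string may be any substring
 * of the reported description. An empty configured string is rejected so a
 * blank config value cannot select every slot. */
bool slot_desc_match_substring(const char *reported, const char *configured)
{
    if (configured == NULL || *configured == '\0')
        return false;
    return strstr(reported, configured) != NULL;
}

/* Constructed copy of the four reader descriptions from the debug output. */
static const char *const REPORTED_DESCS[] = {
    "Yubico Yubikey NEO OTP+U2F+CCID 00 00",
    "Yubico Yubikey NEO OTP+CCID 01 00",
    "Yubico Yubikey 4 OTP+CCID 02 00",
    "Gemalto PC Twin Reader (922FBFB3) 03 00",
};
#define N_REPORTED (sizeof REPORTED_DESCS / sizeof REPORTED_DESCS[0])

/* How many of those slots a configured value selects under each rule. */
int count_exact_matches(const char *configured)
{
    int hits = 0;
    for (size_t i = 0; i < N_REPORTED; i++)
        hits += slot_desc_match_exact(REPORTED_DESCS[i], configured);
    return hits;
}

int count_substring_matches(const char *configured)
{
    int hits = 0;
    for (size_t i = 0; i < N_REPORTED; i++)
        hits += slot_desc_match_substring(REPORTED_DESCS[i], configured);
    return hits;
}

int main(void)
{
    const char *configs[] = { "Yubico Yubikey NEO OTP+CCID", "Yubico Yubikey",
                              "Yubico Yubikey NEO OTP+CCID 01 00" };
    for (size_t i = 0; i < sizeof configs / sizeof configs[0]; i++)
        printf("config \"%s\": exact=%d substring=%d\n", configs[i],
               count_exact_matches(configs[i]),
               count_substring_matches(configs[i]));

    /* The 64-character workaround from the issue, reproduced on the raw field. */
    unsigned char raw[SLOT_DESC_LEN];
    char desc[SLOT_DESC_LEN + 1];
    make_raw_slot_desc("Yubico Yubikey description with more then 64 characters "
                       "to workaround the pkcs11 string matching problem", raw);
    slot_desc_to_cstring(raw, desc);
    printf("truncated description (%zu chars): \"%s\"\n", strlen(desc), desc);
    return 0;
}
```

With the configured value "Yubico Yubikey" the exact rule selects no slot and the substring rule selects the three Yubikeys but not the Gemalto reader, which is exactly the match/mismatch table above; the exact rule only ever selects a slot when the configured value carries the slot ID, which is what the issue observes.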
Very ugly workaround I'm using at the moment

Change the description of all Yubikeys in /etc/libccid_Info.plist on every workstation we have into

```
<string>Yubico Yubikey description with more then 64 characters to workaround the pkcs11 string matching problem</string>
```

and enter the following slot description into pam_pkcs11.conf

```
slot_description = "Yubico Yubikey description with more then 64 characters as wo..."
```

Then it matches, because the login_finder cuts it off at 64 chars:
```
DEBUG:pkcs11_lib.c:1122: - description: Yubico Yubikey description with more then 64 characters as wo...
DEBUG:pkcs11_lib.c:1123: - manufacturer: Yubico
DEBUG:pkcs11_lib.c:1124: - flags: 0007
DEBUG:pkcs11_lib.c:1126: - token:
DEBUG:pkcs11_lib.c:1132: - label: test.user3
DEBUG:pkcs11_lib.c:1133: - manufacturer: piv_II
DEBUG:pkcs11_lib.c:1134: - model: PKCS#15 emulated
DEBUG:pkcs11_lib.c:1135: - serial: 5f11379df7ff0e16
DEBUG:pkcs11_lib.c:1136: - flags: 2040d
```