Chapter 10. Troubleshooting authentication with smart cards
The following sections describe how to resolve some of the issues you might encounter when setting up smart card authentication.
10.1. Testing smart card access on the system
Follow this procedure to test whether you can access your smart card.
Prerequisites
- You have installed and configured your IdM Server and client for use with smart cards.
-
You have installed the
certutil
tool from thenss-tools
package. - You have the PIN or password for your smart card.
Procedure
Using the
lsusb
command, verify that the smart card reader is visible to the operating system:$ lsusb Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub Bus 001 Device 003: ID 072f:b100 Advanced Card Systems, Ltd ACR39U Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
For more information about the smart cards and readers tested and supported in RHEL, see Smart Card support in RHEL 9.
Ensure that the
pcscd
service and socket are enabled and running:$ systemctl status pcscd.service pcscd.socket ● pcscd.service - PC/SC Smart Card Daemon Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled) Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2 weeks 6 days ago TriggeredBy: ● pcscd.socket Docs: man:pcscd(8) Main PID: 3772184 (pcscd) Tasks: 12 (limit: 38201) Memory: 8.2M CPU: 1min 8.067s CGroup: /system.slice/pcscd.service └─3772184 /usr/sbin/pcscd --foreground --auto-exit ● pcscd.socket - PC/SC Smart Card Daemon Activation Socket Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled; vendor preset: enabled) Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2 weeks 6 days ago Triggers: ● pcscd.service Listen: /run/pcscd/pcscd.comm (Stream) CGroup: /system.slice/pcscd.socket
Using the
p11-kit list-modules
command, display information about the configured smart card and the tokens present on the smart card:$ p11-kit list-modules p11-kit-trust: p11-kit-trust.so [...] opensc: opensc-pkcs11.so library-description: OpenSC smartcard framework library-manufacturer: OpenSC Project library-version: 0.20 token: MyEID (sctest) manufacturer: Aventra Ltd. model: PKCS#15 serial-number: 8185043840990797 firmware-version: 40.1 flags: rng login-required user-pin-initialized token-initialized
Verify you can access the contents of your smart card:
$ pkcs11-tool --list-objects --login Using slot 0 with a present token (0x0) Logging in to "MyEID (sctest)". Please enter User PIN: Private Key Object; RSA label: Certificate ID: 01 Usage: sign Access: sensitive Public Key Object; RSA 2048 bits label: Public Key ID: 01 Usage: verify Access: none Certificate Object; type = X.509 cert label: Certificate subject: DN: O=IDM.EXAMPLE.COM, CN=idmuser1 ID: 01
Display the contents of the certificate on your smart card using the
certutil
command:Run the following command to determine the correct name of your certificate:
$ certutil -d /etc/pki/nssdb -L -h all Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Enter Password or Pin for "MyEID (sctest)": Smart Card CA 0f5019a8-7e65-46a1-afe5-8e17c256ae00 CT,C,C MyEID (sctest):Certificate u,u,u
Display the contents of the certificate on your smart card:
NoteEnsure the name of the certificate is an exact match for the output displayed in the previous step, in this example
MyEID (sctest):Certificate
.$ certutil -d /etc/pki/nssdb -L -n "MyEID (sctest):Certificate" Enter Password or Pin for "MyEID (sctest)": Certificate: Data: Version: 3 (0x2) Serial Number: 15 (0xf) Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=Certificate Authority,O=IDM.EXAMPLE.COM" Validity: Not Before: Thu Sep 30 14:01:41 2021 Not After : Sun Oct 01 14:01:41 2023 Subject: "CN=idmuser1,O=IDM.EXAMPLE.COM" Subject Public Key Info: Public Key Algorithm: PKCS #1 RSA Encryption RSA Public Key: Modulus: [...] Exponent: 65537 (0x10001) Signed Extensions: Name: Certificate Authority Key Identifier Key ID: e2:27:56:0d:2f:f5:f2:72:ce:de:37:20:44:8f:18:7f: 2f:56:f9:1a Name: Authority Information Access Method: PKIX Online Certificate Status Protocol Location: URI: "http://ipa-ca.idm.example.com/ca/ocsp" Name: Certificate Key Usage Critical: True Usages: Digital Signature Non-Repudiation Key Encipherment Data Encipherment Name: Extended Key Usage TLS Web Server Authentication Certificate TLS Web Client Authentication Certificate Name: CRL Distribution Points Distribution point: URI: "http://ipa-ca.idm.example.com/ipa/crl/MasterCRL.bin" CRL issuer: Directory Name: "CN=Certificate Authority,O=ipaca" Name: Certificate Subject Key ID Data: 43:23:9f:c1:cf:b1:9f:51:18:be:05:b5:44:dc:e6:ab: be:07:1f:36 Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Signature: [...] Fingerprint (SHA-256): 6A:F9:64:F7:F2:A2:B5:04:88:27:6E:B8:53:3E:44:3E:F5:75:85:91:34:ED:48:A8:0D:F0:31:5D:7B:C9:E0:EC Fingerprint (SHA1): B4:9A:59:9F:1C:A8:5D:0E:C1:A2:41:EC:FD:43:E0:80:5F:63:DF:29 Mozilla-CA-Policy: false (attribute missing) Certificate Trust Flags: SSL Flags: User Email Flags: User Object Signing Flags: User
Additional resources
-
certutil(1)
man page on your system
10.2. Troubleshooting smart card authentication with SSSD
Follow this procedure to troubleshoot authentication with SSSD using smart cards.
Prerequisites
- You have installed and configured your IdM Server and client for use with smart cards.
-
You have installed the
sssd-tools
package. - You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.
Procedure
Verify you can authenticate with your smart card using
su
:$ su - idmuser1 -c ‘su - idmuser1 -c whoami’ PIN for MyEID (sctest): idmuser1
If you are not prompted for the smart card PIN, and either a password prompt or an authorization error are returned, check the SSSD logs. See Troubleshooting authentication with SSSD in IdM for information about logging in SSSD. The following is an example of an authentication failure:
$ su - idmuser1 -c ‘su - idmuser1 -c whoami’ PIN for MyEID (sctest): su: Authentication failure
If the SSSD logs indicate an issue from the
krb5_child
, similar to the following, you may have an issue with your CA certificates. To troubleshoot issues with certificates, see Verifying that IdM Kerberos KDC can use Pkinit and that the CA certificates are correctly located.[Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate: could not load the shared library]
If the SSSD logs indicate a timeout either from
p11_child
orkrb5_child
, you may need to increase the SSSD timeouts and try authenticating again with your smart card. See Increasing SSSD timeouts for details on how to increase the timeouts.Verify your GDM smart card authentication configuration is correct. A success message for PAM authentication should be returned as shown below:
# sssctl user-checks -s gdm-smartcard "idmuser1" -a auth user: idmuser1 action: auth service: gdm-smartcard SSSD nss user lookup result: - user name: idmuser1 - user id: 603200210 - group id: 603200210 - gecos: idm user1 - home directory: /home/idmuser1 - shell: /bin/sh SSSD InfoPipe user lookup result: - name: idmuser1 - uidNumber: 603200210 - gidNumber: 603200210 - gecos: idm user1 - homeDirectory: /home/idmuser1 - loginShell: /bin/sh testing pam_authenticate PIN for MyEID (sctest) pam_authenticate for user [idmuser1]: Success PAM Environment: - PKCS11_LOGIN_TOKEN_NAME=MyEID (sctest) - KRB5CCNAME=KCM:
If an authentication error, similar to the following, is returned, check the SSSD logs to try and determine what is causing the issue. See Troubleshooting authentication with SSSD in IdM for information about logging in SSSD.
pam_authenticate for user [idmuser1]: Authentication failure PAM Environment: - no env -
If PAM authentication continues to fail, clear your cache and run the command again.
# sssctl cache-remove SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes Creating backup of local data… Removing cache files… SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes
10.3. Verifying that IdM Kerberos KDC can use PKINIT and that the CA certificates are correctly located
Follow this procedure to verify that IdM Kerberos KDC can use PKINIT and also describes how to verify your CA certificates are correctly located.
Prerequisites
- You have installed and configured your IdM Server and client for use with smart cards.
- You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.
Procedure
Run the
kinit
utility to authenticate as theidmuser1
with the certificate stored on your smart card:$ kinit -X X509_user_identity=PKCS11: idmuser1 MyEID (sctest) PIN:
- Enter your smart card PIN. If you are not prompted for your PIN, check that you can detect your smart card reader and display the contents of your smart card. See Testing smart card authentication.
If your PIN is accepted and you are then prompted for your password, you might be missing your CA signing certificate.
Verify the CA chain is listed in the default certificate bundle file using
openssl
commands:$ openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/ca-bundle.pem | openssl pkcs7 -print_certs -noout subject=O = IDM.EXAMPLE.COM, CN = Certificate Authority issuer=O = IDM.EXAMPLE.COM, CN = Certificate Authority
Verify the validity of your certificates:
Find the user authentication certificate ID for
idmuser1
:$ pkcs11-tool --list-objects --login [...] Certificate Object; type = X.509 cert label: Certificate subject: DN: O=IDM.EXAMPLE.COM, CN=idmuser1 ID: 01
Read the user certificate information from the smart card in DER format:
$ pkcs11-tool --read-object --id 01 --type cert --output-file cert.der Using slot 0 with a present token (0x0)
Convert the DER certificate to PEM format:
$ openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
Verify the certificate has valid issuer signatures up to the CA:
$ openssl verify -CAfile /var/lib/ipa-client/pki/ca-bundle.pem <path>/cert.pem cert.pem: OK
If your smart card contains several certificates,
kinit
might fail to choose the correct certificate for authentication. In this case, you need to specify the certificate ID as an argument to thekinit
command using thecertid=<ID>
option.Check how many certificates are stored on the smart card and get the certificate ID for the one you are using:
$ pkcs11-tool --list-objects --type cert --login Using slot 0 with a present token (0x0) Logging in to "MyEID (sctest)". Please enter User PIN: Certificate Object; type = X.509 cert label: Certificate subject: DN: O=IDM.EXAMPLE.COM, CN=idmuser1 ID: 01 Certificate Object; type = X.509 cert label: Second certificate subject: DN: O=IDM.EXAMPLE.COM, CN=ipauser1 ID: 02
Run
kinit
with certificate ID 01:$ kinit -X kinit -X X509_user_identity=PKCS11:certid=01 idmuser1 MyEID (sctest) PIN:
Run
klist
to view the contents of the Kerberos credentials cache:$ klist Ticket cache: KCM:0:11485 Default principal: idmuser1@EXAMPLE.COM Valid starting Expires Service principal 10/04/2021 10:50:04 10/05/2021 10:49:55 krbtgt/EXAMPLE.COM@EXAMPLE.COM
Destroy your active Kerberos tickets once you have finished:
$ kdestroy -A
Additional resources
-
See
kinit
man page on your system. -
See
kdestroy
man page on your system.
10.4. Increasing SSSD timeouts
If you are having issues authenticating with a smart card, check the krb5_child.log
and the p11_child.log
file for timeout entries similar to the following:
krb5_child: Timeout for child [9607] reached…..consider increasing value of krb5_auth_timeout.
If there is a timeout entry in the log file, try increasing the SSSD timeouts as outlined in this procedure.
Prerequisites
- You have configured your IdM Server and client for smart card authentication.
Procedure
Open the
sssd.conf
file on the IdM client:# vim /etc/sssd/sssd.conf
In your domain section, for example
[domain/idm.example.com]
, add the following option:krb5_auth_timeout = 60
In the
[pam]
section, add the following:p11_child_timeout = 60
Clear the SSSD cache:
# sssctl cache-remove SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes Creating backup of local data… Removing cache files… SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes
Once you have increased the timeouts, try authenticating again using your smart card. See Testing smart card authentication for more details.
10.5. Troubleshooting certificate mapping and matching rules
If you are having issues authenticating with a smart card, check that you have linked your smart card certificate correctly to a user. By default, a certificate is associated with a user when the user entry contains the full certificate as part of the usercertificate
attribute. However, if you have defined certificate mapping rules, you may have changed how certificates are associated with users. To troubleshoot certificate mapping and matching rules, refer to the following sections:
If you are using your smart card to authenticate using SSH, you need to add the full certificate to the user entry in Identity Management (IdM). If you are not using your smart card to authenticate using SSH, you can add certificate mapping data using the ipa user-add-certmapdata
command.
10.5.1. Checking how the certificates are mapped to users
By default, a certificate is associated with a user when the user entry contains the full certificate as part of the usercertificate
attribute. However, if you have defined certificate mapping rules, you may have changed how certificates are associated with users. Follow this procedure to check your certificate mapping rules.
Prerequisites
- You have installed and configured your Identity Management (IdM) server and client for use with smart cards.
- You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.
- You have mapped your smart card certificate to an IdM user. See Certificate mapping rules for configuring authentication on smart cards.
Procedure
Verify the certificate mapping rules currently configured for IdM:
# ipa certmaprule-find ------------------------------------------- 1 Certificate Identity Mapping Rule matched ------------------------------------------- Rule name: smartcardrule Mapping rule: (ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}) Matching rule: <ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM Enabled: TRUE ---------------------------- Number of entries returned 1 ----------------------------
You can expect to see one of the following mapping rules defined:
-
ipacertmapdata
indicates that the IdM user entrycertmapdata
attribute is used. -
altSecurityIdentities
specifies that Active Directory’s user entry name mapping attribute is used. -
userCertificate;binary=
indicates that the whole certificate in either IdM or AD is used.
You can define many matching options but some of the typically configured options are as follows:
-
<ISSUER>CN=[…]
specifies the issuer attribute of the certificate being used is checked to make sure it matches this. -
<SUBJECT>.*,DC=MY,DC=DOMAIN
indicates the subject of the certificate is checked.
-
Enable System Security Services Daemon (SSSD) logging by adding
debug_level = 9
to the/etc/sssd/sssd.conf
file on the IdM server:[domain/idm.example.com] ... debug_level = 9
Restart SSSD:
# systemctl restart sssd
You should see the following entry in the
/var/log/sssd/sssd_idm.example.com.log
file if the mapping is read correctly:[be[idm.example.com]] [sdap_setup_certmap] (0x4000): Trying to add rule [smartcardrule][-1][<ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM][(|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500}))].
If your mapping rule contains an invalid syntax, an entry similar to the following can be seen in the log file:
[be[idm.example.com]]] [sss_certmap_init] (0x0040): sss_certmap initialized. [be[idm.example.com]]] [ipa_certmap_parse_results] (0x4000): Trying to add rule [smartcardrule][-1][<ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM][(ipacertmapdata=X509:<I>{issuer_dn!x509}<S>{subject_dn})]. [be[idm.example.com]]] [parse_template] (0x0040): Parse template invalid. [be[idm.example.com]]] [parse_ldap_mapping_rule] (0x0040): Failed to add template. [be[idm.example.com]]] [parse_mapping_rule] (0x0040): Failed to parse LDAP mapping rule. [be[idm.example.com]]] [ipa_certmap_parse_results] (0x0020): sss_certmap_add_rule failed for rule [smartcardrule], skipping. Please check for typos and if rule syntax is supported. [be[idm.example.com]]] [ipa_subdomains_certmap_done] (0x0040): Unable to parse certmap results [22]: Invalid argument [be[idm.example.com]]] [ipa_subdomains_refresh_certmap_done] (0x0020): Failed to read certificate mapping rules [22]: Invalid argument
Check your mapping rule syntax.
# ipa certmaprule-show smartcardrule Rule name: smartcardrule Mapping rule: (|(userCertificate;binary={cert!bin})(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})) Matching rule: <ISSUER>CN=Certificate Authority,O=IDM.EXAMPLE.COM Domain name: ipa.test Enabled: TRUE
If required, modify your certificate mapping rule:
# ipa certmaprule-mod smartcardrule --maprule '(ipacertmapdata=X509:<I>{issuer_dn!nss_x500}<S>{subject_dn!nss_x500})'
Additional resources
-
See the
sss-certmap
man page on your system.
10.5.2. Checking the user associated with a smart card certificate
If you are having issues authenticating with a smart card, verify the correct user is associated with your smart card certificate.
Prerequisites
- You have installed and configured your Identity Management (IdM) server and client for use with smart cards.
- You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.
- You have mapped your smart card certificate to an IdM user. See Certificate mapping rules for configuring authentication on smart cards.
-
You have a copy of the certificate from your smart card in PEM format, for example,
cert.pem
.
Procedure
Verify the user is associated with your smart card certificate:
# ipa certmap-match cert.pem -------------- 1 user matched -------------- Domain: IDM.EXAMPLE.COM User logins: idmuser1 ---------------------------- Number of entries returned 1 ----------------------------
If the user or domain are not correct, check how your certificates are mapped to users. See Checking how the certificates are mapped to users.
Check if the user entry contains the certificate:
# ipa user-show idmuser1 User login: idmuser1 [...] Certificate:MIIEejCCAuKgAwIBAgIBCzANBgkqhkiG9w0BAQsFADAzMREwDwYDVQQKDAhJUEEuVEVTVDEeMBwGA1UEAwwVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XD
If your user entry does not contain the certificate, add your base-64 encoded certificate to the user entry:
Create an environment variable containing the certificate with the header and footer removed and concatenated into a single line, which is the format expected by the
ipa user-add-cert
command:$ export CERT=`openssl x509 -outform der -in idmuser1.crt | base64 -w0 -`
Note that the certificate in the
idmuser1.crt
file must be in PEM format.Add the certificate to the profile of
idmuser1
using theipa user-add-cert
command:$ ipa user-add-cert idmuser1 --certificate=$CERT
Clear the System Security Services Daemon (SSSD) cache.
# sssctl cache-remove SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes Creating backup of local data… Removing cache files… SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes
-
Run
ipa certmap-match
again to confirm the user is associated with your smart card certificate.