Chapter 10. Troubleshooting authentication with smart cards


The following procedures describe how to resolve some of the issues you might encounter when setting up smart card authentication.

10.1. Testing smart card access on the system

Follow this procedure to test whether you can access your smart card.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You have installed the certutil tool from the nss-tools package.
  • You have the PIN or password for your smart card.

Procedure

  1. Using the lsusb command, verify that the smart card reader is visible to the operating system:

    $ lsusb
    Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
    Bus 001 Device 003: ID 072f:b100 Advanced Card Systems, Ltd ACR39U
    Bus 001 Device 002: ID 0627:0001 Adomax Technology Co., Ltd
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

    For more information about the smart cards and readers tested and supported in RHEL, see Smart Card support in RHEL 10.

  2. Ensure that the pcscd service and socket are enabled and running. pcscd.service is started on demand by pcscd.socket, so the service unit showing Loaded: ... indirect with a disabled vendor preset is expected; the socket is the unit that must be enabled, and the service must be active while a reader is in use:

    $ systemctl status pcscd.service pcscd.socket
    
    ● pcscd.service - PC/SC Smart Card Daemon
          Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; vendor preset: disabled)
          Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2 weeks 6 days ago
    TriggeredBy: ● pcscd.socket
            Docs: man:pcscd(8)
        Main PID: 3772184 (pcscd)
           Tasks: 12 (limit: 38201)
          Memory: 8.2M
             CPU: 1min 8.067s
          CGroup: /system.slice/pcscd.service
                  └─3772184 /usr/sbin/pcscd --foreground --auto-exit
    
    ● pcscd.socket - PC/SC Smart Card Daemon Activation Socket
          Loaded: loaded (/usr/lib/systemd/system/pcscd.socket; enabled; vendor preset: enabled)
          Active: active (running) since Fri 2021-09-24 11:05:04 CEST; 2 weeks 6 days ago
        Triggers: ● pcscd.service
          Listen: /run/pcscd/pcscd.comm (Stream)
          CGroup: /system.slice/pcscd.socket
  3. Using the p11-kit list-modules command, list the configured PKCS#11 modules and the tokens each module currently sees. Your smart card should appear as a token under the opensc module, with both the token-initialized and user-pin-initialized flags set:

    $ p11-kit list-modules
    p11-kit-trust: p11-kit-trust.so
    [...]
    opensc: opensc-pkcs11.so
        library-description: OpenSC smartcard framework
        library-manufacturer: OpenSC Project
        library-version: 0.20
        token: MyEID (sctest)
            manufacturer: Aventra Ltd.
            model: PKCS#15
            serial-number: 8185043840990797
            firmware-version: 40.1
            flags:
                   rng
                   login-required
                   user-pin-initialized
                   token-initialized
  4. Verify you can access the contents of your smart card:

    $ pkcs11-tool --list-objects --login
    Using slot 0 with a present token (0x0)
    Logging in to "MyEID (sctest)".
    Please enter User PIN:
    Private Key Object; RSA
      label:      Certificate
      ID:         01
      Usage:      sign
      Access:     sensitive
    Public Key Object; RSA 2048 bits
      label:      Public Key
      ID:         01
      Usage:      verify
      Access:     none
    Certificate Object; type = X.509 cert
      label:      Certificate
      subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
      ID:         01
  5. Display the contents of the certificate on your smart card using the certutil command:

    1. Run the following command to determine the correct name of your certificate:

      $ certutil -d /etc/pki/nssdb -L -h all
      
      Certificate Nickname                                         Trust Attributes
                                                                   SSL,S/MIME,JAR/XPI
      
      Enter Password or Pin for "MyEID (sctest)":
      Smart Card CA 0f5019a8-7e65-46a1-afe5-8e17c256ae00           CT,C,C
      MyEID (sctest):Certificate                                   u,u,u
    2. Display the contents of the certificate on your smart card:

      Note

      Ensure the name of the certificate is an exact match for the output displayed in the previous step, in this example MyEID (sctest):Certificate.

      $ certutil -d /etc/pki/nssdb -L -n "MyEID (sctest):Certificate"
      
      Enter Password or Pin for "MyEID (sctest)":
      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number: 15 (0xf)
              Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
              Issuer: "CN=Certificate Authority,O=IDM.EXAMPLE.COM"
              Validity:
                  Not Before: Thu Sep 30 14:01:41 2021
                  Not After : Sun Oct 01 14:01:41 2023
              Subject: "CN=idmuser1,O=IDM.EXAMPLE.COM"
              Subject Public Key Info:
                  Public Key Algorithm: PKCS #1 RSA Encryption
                  RSA Public Key:
                      Modulus:
                          [...]
                      Exponent: 65537 (0x10001)
              Signed Extensions:
                  Name: Certificate Authority Key Identifier
                  Key ID:
                      e2:27:56:0d:2f:f5:f2:72:ce:de:37:20:44:8f:18:7f:
                      2f:56:f9:1a
      
                  Name: Authority Information Access
                  Method: PKIX Online Certificate Status Protocol
                  Location:
                      URI: "http://ipa-ca.idm.example.com/ca/ocsp"
      
                  Name: Certificate Key Usage
                  Critical: True
                  Usages: Digital Signature
                          Non-Repudiation
                          Key Encipherment
                          Data Encipherment
      
                  Name: Extended Key Usage
                      TLS Web Server Authentication Certificate
                      TLS Web Client Authentication Certificate
      
                  Name: CRL Distribution Points
                  Distribution point:
                      URI: "http://ipa-ca.idm.example.com/ipa/crl/MasterCRL.bin"
                      CRL issuer:
                          Directory Name: "CN=Certificate Authority,O=ipaca"
      
                  Name: Certificate Subject Key ID
                  Data:
                      43:23:9f:c1:cf:b1:9f:51:18:be:05:b5:44:dc:e6:ab:
                      be:07:1f:36
      
          Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
          Signature:
              [...]
          Fingerprint (SHA-256):
              6A:F9:64:F7:F2:A2:B5:04:88:27:6E:B8:53:3E:44:3E:F5:75:85:91:34:ED:48:A8:0D:F0:31:5D:7B:C9:E0:EC
          Fingerprint (SHA1):
              B4:9A:59:9F:1C:A8:5D:0E:C1:A2:41:EC:FD:43:E0:80:5F:63:DF:29
      
          Mozilla-CA-Policy: false (attribute missing)
          Certificate Trust Flags:
              SSL Flags:
                  User
              Email Flags:
                  User
              Object Signing Flags:
                  User
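
The checks above can be scripted. The following is an added example and is not part of the Red Hat documentation: two small parsers for the p11-kit and pkcs11-tool listings shown above, plus a triage function that runs the live commands. The sample listings embedded in the script are constructed to match the page's output format, not captured from a real card; run the script with --live on a client to use the real commands.

```bash
#!/usr/bin/env bash
# Added example (not from the Red Hat page): triage helpers for the checks in
# section 10.1. The parsers read the output of `p11-kit list-modules` and
# `pkcs11-tool --list-objects` from stdin, so they work on live output and on
# listings pasted into a ticket. Run with --live to execute the real commands.
set -euo pipefail

# Print the names of tokens that are initialised and have a user PIN set
# (both flags appear in the p11-kit listing). A card missing either flag
# will never get as far as a PIN prompt in SSSD.
ready_tokens() {
    awk '
        function emit() { if (tok != "" && init && pin) print tok }
        /^[ \t]*token: / { emit(); tok = $0; sub(/^[ \t]*token: /, "", tok); init = 0; pin = 0; next }
        /token-initialized/    { init = 1 }
        /user-pin-initialized/ { pin = 1 }
        END { emit() }'
}

# Print "<ID> <CN>" for each certificate object on the card. The ID is the
# value kinit expects in X509_user_identity=PKCS11:certid=<ID>.
cert_ids() {
    awk '
        /^Certificate Object;/          { incert = 1; cn = "?"; next }
        /^(Private|Public) Key Object;/ { incert = 0 }
        incert && /^[ \t]*subject:/     { cn = $0; sub(/.*CN=/, "", cn); sub(/,.*/, "", cn) }
        incert && /^[ \t]*ID:/          { print $2, cn; incert = 0 }'
}

# Live triage on this machine: reader, pcscd, tokens, certificates.
smartcard_triage() {
    echo "== USB devices other than root hubs (your reader should be here) =="
    lsusb | grep -v 'root hub' || echo "(no reader visible)"
    echo "== pcscd =="
    systemctl is-active pcscd.socket pcscd.service || echo "(pcscd not active)"
    echo "== tokens ready for login =="
    p11-kit list-modules | ready_tokens
    echo "== certificates on the card (ID CN); the user PIN will be prompted =="
    pkcs11-tool --list-objects --type cert --login | cert_ids
}

# Constructed sample listings in the shape of the page's output (not captured
# from a real card); a second, uninitialised token is included so the filter
# has something to reject.
SAMPLE_P11KIT='opensc: opensc-pkcs11.so
    library-description: OpenSC smartcard framework
    token: MyEID (sctest)
        manufacturer: Aventra Ltd.
        flags:
               rng
               login-required
               user-pin-initialized
               token-initialized
    token: Blank card
        flags:
               login-required'

SAMPLE_PKCS11='Using slot 0 with a present token (0x0)
Private Key Object; RSA
  label:      Certificate
  ID:         01
Certificate Object; type = X.509 cert
  label:      Certificate
  subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
  ID:         01
Certificate Object; type = X.509 cert
  label:      Second certificate
  subject:    DN: O=IDM.EXAMPLE.COM, CN=ipauser1
  ID:         02'

if [ "${1:-}" = "--live" ]; then
    smartcard_triage
else
    echo "ready tokens in sample:"; printf '%s\n' "$SAMPLE_P11KIT" | ready_tokens
    echo "certificates in sample:"; printf '%s\n' "$SAMPLE_PKCS11" | cert_ids
fi
```

Without --live the script only parses the embedded samples; with --live it runs lsusb, systemctl, p11-kit and pkcs11-tool on the client, prompting for the user PIN at the last step.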

10.2. Troubleshooting smart card authentication with SSSD

Follow this procedure to troubleshoot authentication with SSSD using smart cards.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You have installed the sssd-tools package.
  • You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.

Procedure

  1. Verify you can authenticate with your smart card using su. The inner su, from idmuser1 to idmuser1, is the one that triggers a PAM authentication through SSSD and therefore the PIN prompt:

    $ su - idmuser1 -c 'su - idmuser1 -c whoami'
    PIN for MyEID (sctest):
    idmuser1

    If you are not prompted for the smart card PIN, or a password prompt or an authentication error is returned instead, check the SSSD logs. See Troubleshooting authentication with SSSD in IdM for information about logging in SSSD. The following is an example of an authentication failure:

    $ su - idmuser1 -c 'su - idmuser1 -c whoami'
    PIN for MyEID (sctest):
    su: Authentication failure

    If the SSSD logs show an error from krb5_child similar to the following, the client is probably unable to build the certificate chain to your CA. To troubleshoot certificate issues, see Verifying that IdM Kerberos KDC can use PKINIT and that the CA certificates are correctly located.

    [Pre-authentication failed: Failed to verify own certificate (depth 0): unable to get local issuer certificate: could not load the shared library]

    If the SSSD logs indicate a timeout from either p11_child or krb5_child, increase the SSSD timeouts and try authenticating again with your smart card. See Increasing SSSD timeouts for details.

  2. Verify your GDM smart card authentication configuration is correct by running the PAM checks for the gdm-smartcard service with sssctl. A success message for PAM authentication should be returned as shown below:

    # sssctl user-checks -s gdm-smartcard "idmuser1" -a auth
    user: idmuser1
    action: auth
    service: gdm-smartcard
    
    SSSD nss user lookup result:
     - user name: idmuser1
     - user id: 603200210
     - group id: 603200210
     - gecos: idm user1
     - home directory: /home/idmuser1
     - shell: /bin/sh
    
    SSSD InfoPipe user lookup result:
     - name: idmuser1
     - uidNumber: 603200210
     - gidNumber: 603200210
     - gecos: idm user1
     - homeDirectory: /home/idmuser1
     - loginShell: /bin/sh
    
    testing pam_authenticate
    
    PIN for MyEID (sctest)
    pam_authenticate for user [idmuser1]: Success
    
    PAM Environment:
     - PKCS11_LOGIN_TOKEN_NAME=MyEID (sctest)
     - KRB5CCNAME=KCM:

    If an authentication error, similar to the following, is returned, check the SSSD logs to try and determine what is causing the issue. See Troubleshooting authentication with SSSD in IdM for information about logging in SSSD.

    pam_authenticate for user [idmuser1]: Authentication failure
    
    PAM Environment:
     - no env -

    If PAM authentication continues to fail, clear the SSSD cache and run the check again. Note that sssctl cache-remove stops SSSD while it works and deletes the cache database, so cached entries and offline credentials are lost until SSSD repopulates them from the server.

    # sssctl cache-remove
    SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
    Creating backup of local data…
    Removing cache files…
    SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes

10.3. Verifying that IdM Kerberos KDC can use PKINIT and that the CA certificates are correctly located

Follow this procedure to verify that the IdM Kerberos KDC can use PKINIT with the certificate on your smart card, and that the CA certificates are located where the client expects them.

Prerequisites

  • You have installed and configured your IdM Server and client for use with smart cards.
  • You are able to detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system.

Procedure

  1. Run the kinit utility to authenticate as the idmuser1 with the certificate stored on your smart card:

    $ kinit -X X509_user_identity=PKCS11: idmuser1
    MyEID (sctest)                   PIN:
  2. Enter your smart card PIN. If you are not prompted for your PIN, check that you can detect your smart card reader and display the contents of your smart card. See Testing smart card access on the system (https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/10/html/managing_smart_card_authentication/troubleshooting-authentication-with-smart-cards#testing-smart-card-access-on-the-system).
  3. If your PIN is accepted and you are then prompted for your password, PKINIT preauthentication failed and kinit fell back to password authentication. A common cause is a missing or misplaced CA signing certificate.

    1. Verify the CA chain is listed in the default certificate bundle file using openssl commands:

      $ openssl crl2pkcs7 -nocrl -certfile /var/lib/ipa-client/pki/ca-bundle.pem | openssl pkcs7 -print_certs -noout
      subject=O = IDM.EXAMPLE.COM, CN = Certificate Authority
      
      issuer=O = IDM.EXAMPLE.COM, CN = Certificate Authority
    2. Verify the validity of your certificates:

      1. Find the user authentication certificate ID for idmuser1:

        $ pkcs11-tool --list-objects --login
        [...]
        Certificate Object; type = X.509 cert
          label:      Certificate
          subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
          ID:         01
      2. Read the user certificate information from the smart card in DER format:

        $ pkcs11-tool --read-object --id 01 --type cert --output-file cert.der
        Using slot 0 with a present token (0x0)
      3. Convert the DER certificate to PEM format:

        $ openssl x509 -in cert.der -inform DER -out cert.pem -outform PEM
      4. Verify the certificate has valid issuer signatures up to the CA:

        $ openssl verify -CAfile /var/lib/ipa-client/pki/ca-bundle.pem <path>/cert.pem
        cert.pem: OK
  4. If your smart card contains several certificates, kinit might fail to choose the correct certificate for authentication. In this case, you need to specify the certificate ID as an argument to the kinit command using the certid=<ID> option.

    1. Check how many certificates are stored on the smart card and get the certificate ID for the one you are using:

      $ pkcs11-tool --list-objects --type cert --login
      Using slot 0 with a present token (0x0)
      Logging in to "MyEID (sctest)".
      Please enter User PIN:
      Certificate Object; type = X.509 cert
        label:      Certificate
        subject:    DN: O=IDM.EXAMPLE.COM, CN=idmuser1
        ID:         01
      Certificate Object; type = X.509 cert
        label:      Second certificate
        subject:    DN: O=IDM.EXAMPLE.COM, CN=ipauser1
        ID:         02
    2. Run kinit with certificate ID 01:

      $ kinit -X X509_user_identity=PKCS11:certid=01 idmuser1
      MyEID (sctest)                   PIN:
  5. Run klist to view the contents of the Kerberos credentials cache:

    $ klist
    Ticket cache: KCM:0:11485
    Default principal: idmuser1@EXAMPLE.COM
    
    Valid starting       Expires              Service principal
    10/04/2021 10:50:04  10/05/2021 10:49:55  krbtgt/EXAMPLE.COM@EXAMPLE.COM
  6. Destroy your active Kerberos tickets once you have finished:

    $ kdestroy -A
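
To see what a passing and a failing chain check look like without a card, the following added example (not from the Red Hat documentation) generates a throwaway CA and user certificate with openssl and runs the same crl2pkcs7, verify and x509 checks as the procedure above against them. The O=IDM.EXAMPLE.COM names, the second OTHER.EXAMPLE.COM CA and the certificate contents are constructed here; on a real client point the functions at /var/lib/ipa-client/pki/ca-bundle.pem and the cert.pem extracted from the card. It also checks two things the procedure does not: that the certificate carries the client-authentication EKU an MIT Kerberos KDC requires for PKINIT by default, and that it has not expired.

```bash
#!/usr/bin/env bash
# Added example (not from the Red Hat page): build a throwaway CA and user
# certificate with openssl, then apply the checks from section 10.3 to them.
# Everything is generated under a temp directory; no IdM CA or smart card is
# involved. On a real client use /var/lib/ipa-client/pki/ca-bundle.pem and the
# cert.pem extracted with `pkcs11-tool --read-object` instead.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# A self-signed CA named like IdM's, an unrelated CA standing in for a wrong or
# stale ca-bundle.pem, and a user certificate carrying the key usages the
# page's certutil listing shows plus the clientAuth EKU PKINIT needs.
make_test_pki() {   # usage: make_test_pki DIR
    local dir="$1"
    local keygen="-newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes"
    openssl req -x509 -new $keygen -days 365 \
        -subj "/O=IDM.EXAMPLE.COM/CN=Certificate Authority" \
        -keyout "$dir/ca.key" -out "$dir/ca-bundle.pem" 2>/dev/null
    openssl req -x509 -new $keygen -days 365 \
        -subj "/O=OTHER.EXAMPLE.COM/CN=Certificate Authority" \
        -keyout "$dir/other.key" -out "$dir/other-bundle.pem" 2>/dev/null
    openssl req -new $keygen \
        -subj "/O=IDM.EXAMPLE.COM/CN=idmuser1" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    cat > "$dir/user.ext" <<'EOF'
keyUsage = critical, digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment
extendedKeyUsage = clientAuth
EOF
    openssl x509 -req -in "$dir/user.csr" -CA "$dir/ca-bundle.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/user.ext" -out "$dir/cert.pem" 2>/dev/null
}

# Step 3.1: list the subject/issuer pairs in a CA bundle.
bundle_subjects() {   # usage: bundle_subjects BUNDLE
    openssl crl2pkcs7 -nocrl -certfile "$1" | openssl pkcs7 -print_certs -noout
}

# Step 3.2.4: does the user certificate chain to the bundle? Prints OK or FAIL.
chain_status() {   # usage: chain_status BUNDLE CERT
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Not in the procedure, but worth checking before blaming the CA bundle: an
# MIT Kerberos KDC rejects PKINIT client certificates without a
# client-authentication EKU by default, and an expired certificate fails
# verification however good the bundle is.
client_auth_eku() {   # usage: client_auth_eku CERT ; prints yes or no
    if openssl x509 -in "$1" -noout -text 2>/dev/null \
        | grep -A1 'Extended Key Usage' | grep 'TLS Web Client Authentication' >/dev/null; then
        echo yes
    else
        echo no
    fi
}

validity() {   # usage: validity CERT ; prints valid or expired
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then echo valid; else echo expired; fi
}

make_test_pki "$WORK"
echo "CA bundle contents:"; bundle_subjects "$WORK/ca-bundle.pem"
echo "chain against the matching bundle:  $(chain_status "$WORK/ca-bundle.pem" "$WORK/cert.pem")"
echo "chain against an unrelated bundle:  $(chain_status "$WORK/other-bundle.pem" "$WORK/cert.pem")"
echo "clientAuth EKU present:             $(client_auth_eku "$WORK/cert.pem")"
echo "validity:                           $(validity "$WORK/cert.pem")"
```

The unrelated bundle is what a client looks like after the IdM CA was renewed or re-issued but /var/lib/ipa-client/pki/ca-bundle.pem was never refreshed: the card and the user certificate are fine, and only the verify step fails.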

10.4. Increasing SSSD timeouts

If you are having issues authenticating with a smart card, check the krb5_child.log and p11_child.log files in /var/log/sssd/ for timeout entries similar to the following:

krb5_child: Timeout for child [9607] reached.....consider increasing value of krb5_auth_timeout.

If there is a timeout entry in the log file, try increasing the SSSD timeouts as outlined in this procedure.

Prerequisites

  • You have configured your IdM Server and client for smart card authentication.

Procedure

  1. Open the sssd.conf file on the IdM client:

    # vim /etc/sssd/sssd.conf
  2. In your domain section, for example [domain/idm.example.com], add the following option (the default is 6 seconds):

    krb5_auth_timeout = 60
  3. In the [pam] section, add the following (the default is 10 seconds):

    p11_child_timeout = 60
  4. Clear the SSSD cache:

    # sssctl cache-remove
    SSSD must not be running. Stop SSSD now? (yes/no) [yes] yes
    Creating backup of local data…
    Removing cache files…
    SSSD needs to be running. Start SSSD now? (yes/no) [yes] yes

Once you have increased the timeouts, try authenticating again using your smart card. See Testing smart card authentication for more details.
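
A misplaced option is a common reason the timeout change has no effect: krb5_auth_timeout is read only from a [domain/...] section and p11_child_timeout only from [pam] (see sssd.conf(5)). The following added example, not from the Red Hat documentation, checks where the two options are set in an sssd.conf-style file and counts the "Timeout for child" entries this section says to look for. The sssd.conf fragments and log lines it runs on are constructed; point option_sections and timeout_hits at /etc/sssd/sssd.conf and /var/log/sssd/krb5_child.log on a real client.

```bash
#!/usr/bin/env bash
# Added example (not from the Red Hat page): check that the two timeout options
# from section 10.4 sit in the sssd.conf sections SSSD reads them from, and
# count the "Timeout for child" entries the section says to look for. The
# config fragments and log lines below are constructed; on a real client point
# the functions at /etc/sssd/sssd.conf and /var/log/sssd/krb5_child.log.
set -euo pipefail

# Print the section(s) of an ini-style file in which OPTION is set.
option_sections() {   # usage: option_sections FILE OPTION
    awk -v opt="$2" '
        /^[ \t]*\[/   { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*/, "", sec); next }
        /^[ \t]*[#;]/ { next }
        { key = $0; sub(/[ \t]*=.*/, "", key); sub(/^[ \t]*/, "", key); if (key == opt) print sec }
    ' "$1"
}

# krb5_auth_timeout is a [domain/...] option and p11_child_timeout a [pam]
# option (sssd.conf(5)); elsewhere SSSD does not pick them up. Prints one
# line per misplaced option, nothing if the layout is right.
check_timeout_placement() {   # usage: check_timeout_placement FILE
    local file="$1" sec
    for sec in $(option_sections "$file" krb5_auth_timeout); do
        case "$sec" in
            domain/*) ;;
            *) echo "krb5_auth_timeout is set in [$sec]; SSSD reads it only from a [domain/...] section" ;;
        esac
    done
    for sec in $(option_sections "$file" p11_child_timeout); do
        [ "$sec" = pam ] || echo "p11_child_timeout is set in [$sec]; SSSD reads it only from [pam]"
    done
}

# Count child timeout entries in an SSSD log file.
timeout_hits() {   # usage: timeout_hits LOGFILE
    grep -c 'Timeout for child \[[0-9]*\] reached' "$1" || true
}

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed: the common mistake, p11_child_timeout placed in the domain section.
cat > "$WORK/sssd-wrong.conf" <<'EOF'
[sssd]
domains = idm.example.com
services = nss, pam

[domain/idm.example.com]
id_provider = ipa
krb5_auth_timeout = 60
p11_child_timeout = 60

[pam]
EOF

# Constructed: the layout the procedure describes.
cat > "$WORK/sssd-right.conf" <<'EOF'
[sssd]
domains = idm.example.com
services = nss, pam

[domain/idm.example.com]
id_provider = ipa
krb5_auth_timeout = 60

[pam]
p11_child_timeout = 60
EOF

# Constructed log lines in the shape of the entry quoted above.
cat > "$WORK/krb5_child.log" <<'EOF'
krb5_child: Timeout for child [9607] reached.....consider increasing value of krb5_auth_timeout.
krb5_child: (constructed filler line that must not be counted)
krb5_child: Timeout for child [9611] reached.....consider increasing value of krb5_auth_timeout.
EOF

for f in sssd-wrong.conf sssd-right.conf; do
    echo "== $f =="
    check_timeout_placement "$WORK/$f"
done
echo "timeout entries in krb5_child.log: $(timeout_hits "$WORK/krb5_child.log")"
```

After editing the real sssd.conf, run sssctl config-check as well; it reports syntax and permission problems that this placement check does not cover.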
