CRL checking of smart card causes Segmentation Fault
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
pam-pkcs11 (Ubuntu) |
New
|
Undecided
|
Unassigned |
Bug Description
I was following the Ubuntu white paper for setting up smart cards (SmartCardLogin
Running on 18.04 server minimal install using package version 0.6.9-2build2
I performed the following steps to install and setup:
* Installed the packages required in the white paper
* Added my Root and Intermediate certificates to /etc/pam_
* Installed local versions of the CRLs in /etc/pam_
* Copied and unziped the example config file from /usr/share/
* Modified /etc/pam_
* Added a subject to the /etc/pam_
When I try to login as the user I get a segmentation fault and when running pkcs11_inspect I also get the same fault.
With debugging enabled in the pam config file it tries first to download the CRLs of the cert and fails it then attempts to use the local crls and that where it fails.
# pkcs11_inspect
....
DEBUG:cert_
If is remove crl_auto from the pam config I can authenticate with the user just fine but there is no crl checking being done.
If I perform a strace of pkcs11_inspect it looks like it is trying to load a crl that does not exist and fails. There is a recent patch upstream that seems to address this issue.
#strace pkcs11_inspect
....
stat("/
stat("/
openat(AT_FDCWD, "/etc/pam_
fstat(4, {st_mode=
read(4, "-----BEGIN X509 CRL----
read(4, "", 4096) = 0
close(4) = 0
stat("/
--- SIGSEGV {si_signo=SIGSEGV, si_code=
+++ killed by SIGSEGV (core dumped) +++
As seen in the logs it inspects crl 37f834c3.r0 but then tries to inspect 37f834c3.r1 which does not exist.
Here is an upstream bug report
https:/
Here is an upstream pull request
https:/
#lsb_release -rd
Descripton: Ubuntu 10.04.5 LTS
Release: 18.04
#apt-cache policy pkgname
libpam-pkcs11:
Installed: 0.6.9-2build2
Candidate: 0.6.9-2build2
Version table:
*** 0.6.9-2build2 500
500 http://
100 /var/lib/
tags: | added: amd64 bionic |