Error loading shared library for smart card authentication to server

Bug #1268770 reported by Andrew R. Orndorff
10
This bug affects 2 people
Affects Status Importance Assigned to Milestone
vmware-view-client (Ubuntu)
Confirmed
Undecided
Unassigned

Bug Description

Description: Ubuntu 13.10
Release: 13.10

host OS: Xubuntu 13.10
kernel: 3.11.0-15-generic (32-bit)

Product: VMware Horizon View Client
Version: 2.1.0
Build: 1213173

Gtk+ version: 2.24.20
Glib version: 2.38.1

OpenSC version: 0.13.0-3ubuntu1

When starting the VMware Horizon View Client and attempting to use a FIPS 201-compliant smart card for authentication to the server, it is expected that the user is presented with the dialog listing available authentication certificates, and given the option to provided the master PIN to unlock/access the smart card and certificates for authentication to the VMware Horizon View server.

Instead, the client fails to load /usr/lib/pkcs11/libopensc-pkcs11.so or /usr/lib/vmware/view/pkcs11/libopensc-pkcs11.so with the error:

Using log file /tmp/vmware-andrew_orndorff/vmware-view.bin-16562.log
Jan 13 17:46:12.527: vmware-view.bin 16562| Could not open module /usr/lib/vmware/view/pkcs11/libopensc-pkcs11.so.so: /usr/lib/vmware/view/pkcs11/libopensc-pkcs11.so.so: cannot open shared object file: No such file or directory

When a symlink is created from /usr/lib/i386-linux-gnu/opensc-pkcs11.so to either of the two target filenames, the error message changes to:

Jan 13 17:46:12.528: vmware-view.bin 16562| Could not resolve C_Initialize from /usr/lib/vmware/view/pkcs11/libopensc-pkcs11.so

Per prior bug reports for this package and on this topic, these issues have been known for some time and can be resolved by:

a) Creating a custom build of the OpenSC libraries that exports all symbols, including C_Initialize, and place that in the loader search path, ahead of the installed system library.

b) Creating a custom build of the OpenSC libraries that explicitly exports C_Initialize and place that in the loader search path, ahead of the installed system library.

The problem with these solutions, particularly since the pcsclite, opensc-pkcs11.so, and libopensc.so libraries have been made parts of the system-installed libraries, is that race conditions and memory leaks can be created that either impact the performance or the stability of the application.

The most correct fix would appear to be to have EMC/VMware fix the dynamic load code in the client to properly initialize the opensc-pkcs11.so library, and link it against the current system libraries.

The second option is to simply fix the exports on the OpenSC libraries to explicitly export C_Initialize (at a minimum).

Revision history for this message
Derek (bugs-m8y) wrote :

So. I encountered this when VMWare View was completely unable to connect to our view server using 14.04 LTS.
After digging through the log, encountered this bug report.
Some further digging turned up:
https://github.com/OpenSC/OpenSC/issues/183
and
https://github.com/OpenSC/OpenSC/commit/162e71419ba9b84d37321acc05e32980a438ae9a

where people argue for a very very long time about adding 2 functions to the .exports :p

For anyone here using ubuntu who is finding the VMWare View package non-functional, you have to:
1) sudo mkdir -p /usr/lib/vmware/view/pkcs11/
2) cd /usr/lib/vmware/view/pkcs11/
3) sudo ln -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so libopensc-pkcs11.so

This fixes the bad plugin path in the vmware package. Now you have to fix the exports from the opensc package.

--- opensc-0.13.0.orig/src/pkcs11/opensc-pkcs11.exports
+++ opensc-0.13.0/src/pkcs11/opensc-pkcs11.exports
@@ -1 +1,3 @@
 C_GetFunctionList
+C_Initialize
+C_Finalize
--- opensc-0.13.0.orig/src/pkcs11/pkcs11-spy.exports
+++ opensc-0.13.0/src/pkcs11/pkcs11-spy.exports
@@ -1 +1,3 @@
 C_GetFunctionList
+C_Initialize
+C_Finalize

This patch was autogenerated after editing the exports files. I don't think pkcs11-spy was necessary, but, eh, why not...

1) apt-get source opensc
2) get prompted for some build deps, apt-get install those... for me it was apt-get install dh-autoreconf libpcsclite-dev libreadline-dev
3) go to the sources and either put that patch in debian/patches or just edit src/pkcs11 exports files and add those 2 lines
4) dpkg-buildpackage

theeeen just dpkg -i the resulting .deb and enjoy your finally-working vmware-view. YAY!

(Note that this all assumes you setup smartcard support in ubuntu in the first place - there are docs for that)

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in vmware-view-client (Ubuntu):
status: New → Confirmed
Revision history for this message
Derek (bugs-m8y) wrote :

Oh, and you'll have to repeat this process if the vmware-view and opensc packages are updated without incorporating the changes above of course.

Revision history for this message
Derek (bugs-m8y) wrote :

One more thing to add. The maintainer I think was under the impression the semi-broken vmware-view package (that has that hardcoded module directory path) was closed source, so:
http://www.vmware.com/company/news/releases/view_open_client
https://launchpad.net/ubuntu/+source/vmware-view-open-client
https://github.com/dontsueme/vmware-view-open-client

But, yeah, as far as I can see the main patch is in the opensc package, and that just needs to be backported from that upstream commit. The vmware-view issue could be addressed as a symlink in the install script as an alternative to actually patching the client.

Revision history for this message
Derek (bugs-m8y) wrote :

Oh, and, I get the feeling the symlink/packaging part will not be fixed any time soon.
http://packages.ubuntu.com/precise/vmware-view-open-client exists
http://packages.ubuntu.com/trusty/vmware-view-open-client 404 - this despite the fact that on computer #1 I have vmware-view-open-client in trusty-updates

My guess is VMware stopped paying Ubuntu to maintain it (shame on them, since they still link it on their site)

Revision history for this message
Derek (bugs-m8y) wrote :

Oh... This is kind of important I guess... I'm using vmware-view-open-client because vmware-view-client is, for some reason, i386 only - perhaps that's due to being non-open source as the maintainer of this package noted.

vmware-view-open-client was as noted above, annoyingly, removed from trusty. Apparently an upstream debian thing. This is pretty bad for the keycard/vmware view setup in corp/gov world.

Now, vmware-view-client *is* still in existence but due to the i386 dependency, to get your keycard to work on current ubuntu LTS will require installing a ton of i386 libs (since you're probably all-64bit like most sane people).

Now unfortunately, I was not able to find opensc:i386 or libengine-pkcs11-openssl:i386 packages, so this was a total non-starter.

Luckily, the ubuntu dev that pulled it kindly pointed me to:
http://launchpadlibrarian.net/160769423/vmware-view-open-client_4.5.0-297975+dfsg-4ubuntu4_amd64.deb

Which works just fine.

So, for anyone wandering by Launchpad trying to figure out how to get your VMWare view to work with your keycard, as well as the fixes above to opensc and the symlink, you'll probably want to get this .deb too that was yanked from ubuntu :/

Revision history for this message
Derek (bugs-m8y) wrote :

So. I asked around. If anyone here is trying to use Linux in the corporate world and encountering what I encountered, here's the rundown.
Ubuntu removed this because Debian removed it.
Debian's page is here:
https://packages.qa.debian.org/v/vmware-view-open-client.html

It was apparently pulled in 2014 as unmaintained upstream, which is why it eventually got yanked from Ubuntu 14.04 LTS I guess.

Other distros *do* still build it (after all, it is open source), and there are a number of "upstreams" on github, although I guess not "official" forks thus not qualifying to resurrect the package. Unfortunately Ubuntu and Redhat are really the only officially permitted options here, and probably in other corporations.

So. That basically means that if you are in a similar situation you are going to have to:
* hope the old package keeps working until maybe Linux gets a bit more attention from VMWare, or that Debian/Ubuntu choose one of these other repos as the "official" one.
* do your own build
* switch to i386 exclusively where you can use the vmware-view i386 closed-source client

The OpenSC issue from this bug will still be a problem with either of those though, so hopefully Ubuntu eventually updates their 14.04 LTS package against the upstream fixes, or applies the patch from this bug.

Revision history for this message
Derek (bugs-m8y) wrote :

A followup. The most recent server update broke the 4.5 open client.
Good news, there *is* a 64 bit 5.0 linux client. The trick is, it is not (yet) available in ubuntu package management, although apparently this will change soon.

Also, this 5.0 client seems to still require the symlink fix, and the upstream opensc changes, so the rest of this bug still applies.

To post a comment you must log in.
This report contains Public information  
Everyone can see this information.

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.