Smart cards (modules) are ignored after one with an inserted token is found

Bug #2003809 reported by Marco Trevisan (Treviño)
Affects | Status | Importance | Assigned to | Milestone
sssd (Ubuntu) | Fix Released | Medium | Unassigned |
Focal | In Progress | Medium | Marco Trevisan (Treviño) |
Jammy | Fix Released | Medium | Unassigned |

Bug Description

[ Impact ]

It's potentially not possible to use smartcard authentication if a reader does not have a token inserted.

So all the p11-kit modules (see `p11-kit list-modules`) could not be checked for tokens; as visible in this log, p11_child fails early with a "Token not present" error, without going through all the installed modules (p11-kit-trust.so, opensc-pkcs11.so and libsofthsm2.so):

sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/dev/null --verify=no_verification
(Tue Jan 24 18:51:09:700740 2023) [p11_child[205220]] [main] (0x0400): p11_child started.
(Tue Jan 24 18:51:09:701162 2023) [p11_child[205220]] [main] (0x2000): Running in [pre-auth] mode.
(Tue Jan 24 18:51:09:701330 2023) [p11_child[205220]] [main] (0x2000): Running with effective IDs: [0][0].
(Tue Jan 24 18:51:09:701584 2023) [p11_child[205220]] [main] (0x2000): Running with real IDs [0][0].
(Tue Jan 24 18:51:09:701811 2023) [p11_child[205220]] [parse_cert_verify_opts] (0x0020): Found 'no_verification' option, disabling verification completely. This should not be used in production.
(Tue Jan 24 18:51:09:714943 2023) [p11_child[205220]] [do_card] (0x4000): Module List:
(Tue Jan 24 18:51:09:715417 2023) [p11_child[205220]] [do_card] (0x4000): common name: [p11-kit-trust].
(Tue Jan 24 18:51:09:715669 2023) [p11_child[205220]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(Tue Jan 24 18:51:09:715934 2023) [p11_child[205220]] [do_card] (0x4000): Description [/etc/ssl/certs/ca-certificates.crt PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true].
(Tue Jan 24 18:51:09:716190 2023) [p11_child[205220]] [do_card] (0x4000): common name: [opensc-pkcs11].
(Tue Jan 24 18:51:09:716470 2023) [p11_child[205220]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
(Tue Jan 24 18:51:09:721500 2023) [p11_child[205220]] [do_card] (0x4000): Description [VMware Virtual USB CCID 00 00 VMware ] Manufacturer [VMware ] flags [6] removable [true] token present [false].
(Tue Jan 24 18:51:09:721876 2023) [p11_child[205220]] [do_card] (0x4000): Token not present.
(Tue Jan 24 18:51:09:722705 2023) [p11_child[205220]] [main] (0x0040): do_work failed.
(Tue Jan 24 18:51:09:723040 2023) [p11_child[205220]] [main] (0x0020): p11_child failed!

See also: https://github.com/SSSD/sssd/issues/5025

[ Test case ]

While it's possible to test this in the real world using multiple readers of different types, the simplest way to reproduce is using Ubuntu under VMware, as it creates a virtual reader that makes it easy to add and insert tokens:

1. Connect a smartcard reader (without any card inserted), enabling device pass-through for it in the virtual machine

1a. Ensure that all the p11-kit modules are visible (install multiple such as softhsm2 and opensc-pkcs11 to be sure):

$ p11-kit list-modules
p11-kit-trust: p11-kit-trust.so
opensc-pkcs11: opensc-pkcs11.so
softhsm2: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so

2. Now, simulate a verification event:
  sudo /usr/libexec/sssd/p11_child --pre -d 10 --debug-fd=2 --nssdb=/dev/null --verify=no_verification

3. p11_child should fail after having tried all the possible modules,
   as listed by `p11-kit list-modules`, not with a "Token not present" error.

For example:

(Tue Jan 24 18:40:15:229939 2023) [p11_child[204666]] [main] (0x0400): p11_child started.
(Tue Jan 24 18:40:15:230069 2023) [p11_child[204666]] [main] (0x2000): Running in [pre-auth] mode.
(Tue Jan 24 18:40:15:230088 2023) [p11_child[204666]] [main] (0x2000): Running with effective IDs: [0][0].
(Tue Jan 24 18:40:15:230099 2023) [p11_child[204666]] [main] (0x2000): Running with real IDs [0][0].
(Tue Jan 24 18:40:15:230117 2023) [p11_child[204666]] [parse_cert_verify_opts] (0x0020): Found 'no_verification' option, disabling verification completely. This should not be used in production.
(Tue Jan 24 18:40:15:259036 2023) [p11_child[204666]] [do_card] (0x4000): Module List:
(Tue Jan 24 18:40:15:259097 2023) [p11_child[204666]] [do_card] (0x4000): common name: [p11-kit-trust].
(Tue Jan 24 18:40:15:259129 2023) [p11_child[204666]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so].
(Tue Jan 24 18:40:15:259175 2023) [p11_child[204666]] [do_card] (0x4000): Description [/etc/ssl/certs/ca-certificates.crt PKCS#11 Kit ] Manufacturer [PKCS#11 Kit ] flags [1] removable [false] token present [true].
(Tue Jan 24 18:40:15:259193 2023) [p11_child[204666]] [do_card] (0x4000): common name: [opensc-pkcs11].
(Tue Jan 24 18:40:15:259200 2023) [p11_child[204666]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so].
(Tue Jan 24 18:40:15:259213 2023) [p11_child[204666]] [do_card] (0x4000): common name: [softhsm2].
(Tue Jan 24 18:40:15:259220 2023) [p11_child[204666]] [do_card] (0x4000): dll name: [/usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so].
(Tue Jan 24 18:40:15:259401 2023) [p11_child[204666]] [do_card] (0x4000): Description [SoftHSM slot ID 0x0 SoftHSM project ] Manufacturer [SoftHSM project ] flags [1] removable [false] token present [true].
(Tue Jan 24 18:40:15:259444 2023) [p11_child[204666]] [do_card] (0x0040): No removable slots found.
(Tue Jan 24 18:40:15:260396 2023) [p11_child[204666]] [main] (0x0040): do_work failed.
(Tue Jan 24 18:40:15:260484 2023) [p11_child[204666]] [main] (0x0020): p11_child failed!

[ Regression Potential ]

Waiting for card won't work, or other card errors are not handled properly.
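
Added example (not part of the original report and not SSSD code): a small checker for step 3 of the test case, which compares the modules p11_child logged against those printed by `p11-kit list-modules` and reports which were skipped. The log lines are excerpted from the two logs in this report; the function names and the `passes_step3` key are hypothetical, and the check only covers the no-card scenario of the test case.

```python
import re

# Lines excerpted from the two p11_child logs in this report (affected run first).
AFFECTED_LOG = """\
(Tue Jan 24 18:51:09:715417 2023) [p11_child[205220]] [do_card] (0x4000): common name: [p11-kit-trust].
(Tue Jan 24 18:51:09:716190 2023) [p11_child[205220]] [do_card] (0x4000): common name: [opensc-pkcs11].
(Tue Jan 24 18:51:09:721876 2023) [p11_child[205220]] [do_card] (0x4000): Token not present.
"""
EXPECTED_LOG = """\
(Tue Jan 24 18:40:15:259097 2023) [p11_child[204666]] [do_card] (0x4000): common name: [p11-kit-trust].
(Tue Jan 24 18:40:15:259193 2023) [p11_child[204666]] [do_card] (0x4000): common name: [opensc-pkcs11].
(Tue Jan 24 18:40:15:259213 2023) [p11_child[204666]] [do_card] (0x4000): common name: [softhsm2].
(Tue Jan 24 18:40:15:259444 2023) [p11_child[204666]] [do_card] (0x0040): No removable slots found.
"""
# `p11-kit list-modules` output as shown in the test case.
LIST_MODULES = """\
p11-kit-trust: p11-kit-trust.so
opensc-pkcs11: opensc-pkcs11.so
softhsm2: /usr/lib/x86_64-linux-gnu/softhsm/libsofthsm2.so
"""

COMMON_NAME = re.compile(r"\[do_card\] \(0x[0-9a-f]+\): common name: \[([^\]]+)\]")
STOP_REASON = re.compile(
    r"\[do_card\] \(0x[0-9a-f]+\): (Token not present|No removable slots found)\.")


def installed_modules(list_modules_output):
    """Module names: the unindented 'name: path' lines; indented detail lines are skipped."""
    return [line.split(":", 1)[0] for line in list_modules_output.splitlines()
            if line and not line[0].isspace() and ":" in line]


def check_run(log, list_modules_output):
    """Compare the modules p11_child logged against the installed ones (test case step 3)."""
    visited = COMMON_NAME.findall(log)
    skipped = [m for m in installed_modules(list_modules_output) if m not in visited]
    stop = STOP_REASON.search(log)
    reason = stop.group(1) if stop else None
    return {"visited": visited, "skipped": skipped, "stop_reason": reason,
            "passes_step3": not skipped and reason != "Token not present"}


if __name__ == "__main__":
    for label, log in (("affected", AFFECTED_LOG), ("expected", EXPECTED_LOG)):
        print(label, check_run(log, LIST_MODULES))
```

On a test machine, feed it the stderr of the p11_child command from step 2 and the live `p11-kit list-modules` output instead of the embedded samples.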

Marco Trevisan (Treviño) (3v1n0) wrote :

This was fixed in SSSD 2.6.0, which is included in Jammy, but it still affects 20.04.

Changed in sssd (Ubuntu):
status: In Progress → Fix Released
Changed in sssd (Ubuntu Focal):
status: New → Fix Released
status: Fix Released → In Progress
Changed in sssd (Ubuntu Jammy):
status: New → Fix Released
Changed in sssd (Ubuntu Focal):
importance: Undecided → Medium
Changed in sssd (Ubuntu Jammy):
importance: Undecided → Medium
Changed in sssd (Ubuntu Focal):
assignee: nobody → Marco Trevisan (Treviño) (3v1n0)
Changed in sssd (Ubuntu):
assignee: Marco Trevisan (Treviño) (3v1n0) → nobody