authenticating with rutoken ecp – unexpected behaviour #3

beelze opened this Issue Oct 8, 2014 · 13 comments

@beelze

beelze commented Oct 8, 2014

Using this configuration,

auth required pam_env.so
auth sufficient pam_p11_opensc.so /usr/lib/opensc-pkcs11.so
auth required pam_unix.so try_first_pass likeauth nullok
auth optional pam_permit.so

I've noticed that slimlock (X screen locker from https://sourceforge.net/projects/slim.berlios/) behaves differently if the token was not inserted when slimlock started – I can authenticate with the token PIN only on the second try. Looking inside the slimlock code I found that pam_start is called once but pam_authenticate – inside a loop until proper requisites are given.

Trying to investigate further, I took this (http://atlee.ca/software/pam/pam.py.html) Python module and altered it to get the same loop logic. Here are the test results:

test 1. token inserted before running script:
password asked, I can enter either user's password or token pin, auth is successful on first iteration

test 2. token inserted after script launched:
password asked, entering pin for first time – auth failed, second – passed. In syslog I see:

unix_chkpwd[21804]: password check failed for user (beelze)
python2: pam_unix(login:auth): authentication failure; logname=beelze uid=1000 euid=1000 tty= ruser= rhost= user=beelze

It seems that the first iteration passed without pam_p11_opensc.so interaction…

test 3. token inserted before launching script but reinserted before entering password:
both the first and second tries failed, the third was successful. syslog:

python2: pam_p11_opensc(login:auth): PKCS11_login failed
unix_chkpwd[24143]: password check failed for user (beelze)
python2: pam_unix(login:auth): authentication failure; logname=beelze uid=1000 euid=1000 tty= ruser= rhost= user=beelze

Why did PKCS11_login fail? I don't understand – at this moment the token was inserted again…

I'm not sure there is a bug in pam_p11 – maybe the PAM logic is broken or even (though unlikely) it is a Rutoken problem.

@frankmorgner

Member

frankmorgner commented May 16, 2018

Please verify if this problem is still present in the new release.

@beelze

beelze commented Jun 7, 2018

After installing the new release I've changed system-auth to auth sufficient pam_p11.so /opt/rutoken/librtpkcs11ecp.so but with no luck. Running sudo (or anything trying to auth) leads to an uninterruptible process state (I can only kill -9 $pid), syslog says

pam_p11(login:auth): Searching <mytokenname> for keys

Please note that the previous pam_p11 version works fine with librtpkcs11ecp.so.

Well, I've tried auth sufficient pam_p11.so /usr/lib64/pkcs11/opensc-pkcs11.so, and it is not working either, but in a different way:

pam_p11(login:auth): Searching <mytokenname> (Rutoken ECP) for keys
pam_p11(login:auth): No authorized key found

I've checked the certificate:

pkcs11-tool --read-object --type cert --id 8aec1878a6fe1ad54190888186aabb82b9f00b2e --module /opt/rutoken/librtpkcs11ecp.so --output-file /tmp/cert.cer
openssl x509 -inform DER -in /tmp/cert.cer -outform PEM

and compared it with $HOME/.eid/authorized_certificates. No difference.

How can I help to debug this issue?

@frankmorgner

Member

frankmorgner commented Jun 8, 2018

Run libtool --mode=execute gdb src/test-login and use gdb as follows:

  • run /opt/rutoken/librtpkcs11ecp.so
  • press Ctrl + C when the program doesn't respond anymore
  • paste the output of backtrace here

Please also post the output of pkcs11-tool --list-objects --module=/opt/rutoken/librtpkcs11ecp.so.

Do the same for opensc-pkcs11.so.

@beelze

beelze commented Jun 8, 2018

(gdb) run /opt/rutoken/librtpkcs11ecp.so
Starting program: /var/tmp/portage/sys-auth/pam_p11-0.2.0/work/pam_p11-0.2.0/src/test-login /opt/rutoken/librtpkcs11ecp.so
Using '/opt/rutoken/librtpkcs11ecp.so' for 'beelze'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

^C
Program received signal SIGINT, Interrupt.
0x00007ffff70b4d0b in select () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00007ffff70b4d0b in select () from /lib64/libc.so.6
#1  0x00007ffff5dd62f5 in ?? () from /usr/lib64/libpcsclite.so.1
#2  0x00007ffff5dd3274 in SCardTransmit () from /usr/lib64/libpcsclite.so.1
#3  0x00007ffff605e0df in ?? () from /opt/rutoken/librtpkcs11ecp.so
#4  0x00007ffff605e192 in ?? () from /opt/rutoken/librtpkcs11ecp.so
#5  0x00007ffff6032a68 in ?? () from /opt/rutoken/librtpkcs11ecp.so
#6  0x00007ffff604dfea in ?? () from /opt/rutoken/librtpkcs11ecp.so
#7  0x00007ffff60689ad in ?? () from /opt/rutoken/librtpkcs11ecp.so
#8  0x00007ffff606938f in ?? () from /opt/rutoken/librtpkcs11ecp.so
#9  0x00007ffff607fb30 in ?? () from /opt/rutoken/librtpkcs11ecp.so
#10 0x00007ffff6087817 in C_FindObjects () from /opt/rutoken/librtpkcs11ecp.so
#11 0x00007ffff759239b in ?? () from /usr/lib64/libp11.so.2
#12 0x00007ffff7591c53 in ?? () from /usr/lib64/libp11.so.2
#13 0x00005555555566f7 in key_find.part ()
#14 0x0000555555556f0a in pam_sm_authenticate ()
#15 0x000055555555638a in pam_sm_test ()
#16 0x0000555555556229 in main ()
(gdb) 
# pkcs11-tool --list-objects --module=/opt/rutoken/librtpkcs11ecp.so
Using slot 0 with a present token (0x0)
Public Key Object; RSA 2048 bits
  label:      
  ID:         f9af2480fba75bda89006f330eabc7d675de72fa
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 2048 bits
  label:      mgs2016
  Usage:      encrypt, verify
Certificate Object; type = X.509 cert
  label:      Software Security Device:WM id: **********'s WM Transfer Ltd ID
  subject:    DN: O=WebMoney Transfer, OU=WebMoney Certification Center, CN=WM id: ************/emailAddress=****************
  ID:         f9af2480fba75bda89006f330eabc7d675de72fa
Certificate Object; type = X.509 cert
  label:      pam_p11
  subject:    DN: CN=beelze, OU=home, O=home, C=KZ/emailAddress=**********************
  ID:         8aec1878a6fe1ad54190888186aabb82b9f00b2e

and oops...

 pkcs11-tool --list-objects --module=/usr/lib64/pkcs11/opensc-pkcs11.so
Using slot 0 with a present token (0x0)
....
@frankmorgner

Member

frankmorgner commented Jun 8, 2018

You should compile with debug symbols (CFLAGS="-g -O0") to see the exact line of code.

I think your problem with librtpkcs11ecp.so is a bug in the PKCS#11 library. libp11 calls C_FindObjects() repeatedly, which - by definition of PKCS#11 - should finally exhaust all the available keys. For your token, however, this seems to always return some key (hence, the search continues in an infinite loop).

Regarding opensc-pkcs11.so, you should use the OpenSC library for all steps of debugging.
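As an added example (not code from pam_p11, libp11 or the Rutoken library), the exhaustion contract described above: a mock of the C_FindObjects call shape with a conforming token beside one that never reports zero objects, and a find loop that detects the repeated handle and fails instead of spinning forever inside the PAM stack. The function signatures, handle values and iteration cap are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the C_FindObjects call shape (fills out[], sets *count, 0 = CKR_OK). */
typedef int (*find_objects_fn)(void *session, uint32_t *out, size_t max, size_t *count);

/* Spec-conforming mock: a constructed token with three keys. Successive calls hand
 * them out and then report zero objects, which is how libp11 knows to stop. */
static int find_conforming(void *session, uint32_t *out, size_t max, size_t *count) {
    size_t *cursor = session, n = 0;             /* position in the fake object table */
    static const uint32_t handles[] = {0x11, 0x12, 0x13};
    while (*cursor < 3 && n < max) out[n++] = handles[(*cursor)++];
    *count = n;
    return 0;
}

/* Buggy mock modelled on the behaviour suspected in the thread: every call returns
 * a key again, so a caller that loops until count == 0 never exits. */
static int find_never_exhausts(void *session, uint32_t *out, size_t max, size_t *count) {
    (void)session;
    *count = max ? 1 : 0;
    if (max) out[0] = 0x11;
    return 0;
}

/* Defensive enumeration: stop on count == 0 (the PKCS#11 contract), but also bail out
 * when a handle repeats or the round-trip cap is hit. Returns the number of distinct
 * handles, or -1 when the library misbehaved, instead of hanging the PAM stack. */
static int enumerate_keys(find_objects_fn find, void *session, uint32_t *found, size_t cap) {
    size_t total = 0;
    for (unsigned iter = 0; iter < 64; iter++) {
        uint32_t batch[8];
        size_t got = 0;
        if (find(session, batch, 8, &got) != 0) return -1;
        if (got == 0) return (int)total;            /* search exhausted: normal exit */
        for (size_t i = 0; i < got; i++) {
            for (size_t j = 0; j < total; j++)
                if (found[j] == batch[i]) { fprintf(stderr, "handle %#x returned twice\n", (unsigned)batch[i]); return -1; }
            if (total == cap) return -1;             /* caller's buffer is full */
            found[total++] = batch[i];
        }
    }
    fprintf(stderr, "C_FindObjects never reported exhaustion\n");
    return -1;
}

/* Drivers: 3 distinct keys from the conforming token, -1 from the one that never exhausts. */
static int demo_conforming(void) { size_t c = 0; uint32_t k[16]; return enumerate_keys(find_conforming, &c, k, 16); }
static int demo_buggy(void) { size_t c = 0; uint32_t k[16]; return enumerate_keys(find_never_exhausts, &c, k, 16); }
```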

@beelze

beelze commented Jun 9, 2018

(gdb) run /opt/rutoken/librtpkcs11ecp.so
Starting program: /var/tmp/portage/sys-auth/pam_p11-0.2.0/work/pam_p11-0.2.0/src/test-login /opt/rutoken/librtpkcs11ecp.so
Using '/opt/rutoken/librtpkcs11ecp.so' for 'beelze'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".

^C
Program received signal SIGINT, Interrupt.
0x00007ffff7089135 in nanosleep () from /lib64/libc.so.6
(gdb) backtrace
#0  0x00007ffff7089135 in nanosleep () from /lib64/libc.so.6
#1  0x00007ffff5dd5651 in ?? () from /usr/lib64/libpcsclite.so.1
#2  0x00007ffff5dd2003 in SCardEndTransaction () from /usr/lib64/libpcsclite.so.1
#3  0x00007ffff605dec3 in ?? () from /opt/rutoken/librtpkcs11ecp.so
#4  0x00007ffff606bccb in ?? () from /opt/rutoken/librtpkcs11ecp.so
#5  0x00007ffff608784f in C_FindObjects () from /opt/rutoken/librtpkcs11ecp.so
#6  0x00007ffff759239b in ?? () from /usr/lib64/libp11.so.2
#7  0x00007ffff7591c53 in ?? () from /usr/lib64/libp11.so.2
#8  0x0000555555557428 in key_find (pamh=0x55555575c020, flags=0, user=0x55555575c1c0 "beelze", 
    ctx=0x55555576ee40, slots=0x55555581d3e0, nslots=15, authslot=0x7fffffffc6d8, authkey=0x7fffffffc6c8)
    at pam_p11.c:518
#9  0x000055555555795a in pam_sm_authenticate (pamh=0x55555575c020, flags=0, argc=1, argv=0x7fffffffc778)
    at pam_p11.c:631
#10 0x0000555555556430 in pam_sm_test (pamh=0x55555575c020, flags=0, argc=1, argv=0x7fffffffc778)
    at login.c:31
#11 0x0000555555556379 in main (argc=2, argv=0x7fffffffd898) at test.c:80

nothing useful with /usr/lib64/pkcs11/opensc-pkcs11.so:

(gdb) run /usr/lib64/pkcs11/opensc-pkcs11.so
Starting program: /var/tmp/portage/sys-auth/pam_p11-0.2.0/work/pam_p11-0.2.0/src/test-login /usr/lib64/pkcs11/opensc-pkcs11.so
Using '/usr/lib64/pkcs11/opensc-pkcs11.so' for 'beelze'
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib64/libthread_db.so.1".
[New Thread 0x7ffff4277700 (LWP 22511)]
[New Thread 0x7ffff3a76700 (LWP 22513)]
No authorized keys on token
Error: Authentication service cannot retrieve authentication info
[Thread 0x7ffff4277700 (LWP 22511) exited]
[Thread 0x7ffff7fbe740 (LWP 22507) exited]
[Inferior 1 (process 22507) exited with code 01]

It seems to me that librtpkcs11ecp.so is creating data structures which cannot be read by opensc-pkcs11.so. From the very beginning I experienced frequent strange problems with my Rutoken ECP token which were gone after I switched to librtpkcs11ecp.so.

FYI: the previous version of pam-p11 worked fine with the same librtpkcs11ecp.so and the same token for at least a couple of years.

@frankmorgner

Member

frankmorgner commented Jun 11, 2018

With OpenSC please...

With librtpkcs11ecp.so, however, you need to debug the program flow yourself (e.g. with gdb); from afar I cannot see the problem.

@beelze

beelze commented Jun 11, 2018

Well, I've got a point, but:

  1. I do believe that «only-opensc» tests will succeed, though I can't run them right now (because I need a second rutoken ecp for it). It can be done within a week.
  2. Now I am more interested in librtpkcs11ecp.so because Rutoken ECP support in OpenSC seems incomplete (though I guess it is intended, thanks Rutoken guys)
  3. pam_p11-0.1.6 is working with librtpkcs11ecp.so, but pam_p11-0.2.0 is not (same librtpkcs11ecp.so, same token, same everything):
    I've built pam_p11-0.1.6 in a sandbox and tried to auth (auth sufficient /var/tmp/portage/sys-auth/pam_p11-0.1.6/image/lib64/security/pam_p11_opensc.so /opt/rutoken/librtpkcs11ecp.so), and it succeeded, while using pam_p11.so from pam_p11-0.2.0 hangs. It is obvious that something has been changed in the 0.2 version.
@frankmorgner

Member

frankmorgner commented Jun 11, 2018

The changes are obvious by looking at the log or the changes.

The question is what to do with this data. You need to do the debugging to find out what is going wrong! I told you what to do for this in terms of OpenSC, but in terms of librtpkcs11ecp.so, you maybe need to contact the card's vendor.

@frankmorgner frankmorgner added the bug label Jun 11, 2018

@beelze

beelze commented Jun 11, 2018

Well, I need to do debugging. Please explain how it can be done. Do I need librtpkcs11ecp.so compiled with debug info? Ok, I'll ask the Rutoken guys, but what should I say? «pam_p11-0.2.0 has stopped working with librtpkcs11ecp.so so I am expecting you to do something»? Pathetic. I need to be more convincing to force the Rutoken team to do something.
Anyway, I'll try to get something from rutoken support, but obviously I need to be more specific.

@Neraverin

Neraverin commented Jun 15, 2018

@frankmorgner Hello. I'm the product manager for Rutoken. We will look at this problem from our side. If the problem is really in librtpkcs11ecp, then we will fix it and let you know here.

@frankmorgner

Member

frankmorgner commented Aug 20, 2018

@Neraverin is there any update?

@Neraverin

Neraverin commented Aug 21, 2018

@frankmorgner Thank you for the reminder. We could not reproduce the problem. pam_p11-0.2.0 works successfully with the latest release of librtpkcs11ecp.so (1.8.2.0).