Pinpad card reader for login authentication yet you are asked also enter pin on pc keyboard #5371

Open
ngpsteen opened this issue Oct 15, 2020 · 1 comment

Hello Folks!

This is simply an announcement about one issue regarding pinpad smartcard readers where you are also asked to enter the PIN on the PC keyboard, mostly so it doesn't fall between chairs. I can arrange a pinpad reader and smartcard if needed to solve this issue. It is okay to remove this issue if you like since it is also filed at bugzilla.redhat.com!

The opened bugzilla about the issue, with exact details on how it was setup step by step:
https://bugzilla.redhat.com/show_bug.cgi?id=1886841 and

Originally filed about the issue:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/FLLIA5RLHT3MO4NI2F3MJNMBBNGGZA4Z/

Summary:
We are working on getting smart card authentication working using pinpad card readers for improved security.

To do this we use:
FreeIPA Server is running on Fedora 32 with latest updates.
FreeIPA clients are Fedora 32 Workstation installed on PCs with latest updates and a connected USB card reader.

The card reader is a Gemalto CT700 with pinpad; we use several user-individual SmartCard HSM 4K cards with FreeIPA-signed certificates on them. We have also tested other pinpads and smart cards on different PCs and also laptops with built-in smartcard readers, with the same result: the pinpad is working but you are asked to enter the PIN on the PC keyboard as well, then you are logged in. Disabling pinpad in opensc.conf results in being logged in directly after entering the PIN code on the PC keyboard.

FreeIPA clients run OpenSC and are configured to use smartcard certificate-based authentication, set up per Smart HSM best practice. All per default setup, no additional settings.

Furthermore, the clients are using SSSD and not PAM_PKCS#11.
As a parenthesis, it is worth mentioning we also used CentOS 7 and CentOS 8 with the same result as Fedora 32; we have not tested Fedora 33 or compiled SSSD from source yet.

As an even more distant parenthesis, and annoyingly enough, Ubuntu 20.04 LTS actually works, but that uses PAM_PKCS#11, which is another technology that does not live up to our needs.

Again, it is of course perfectly okay to remove this report if you feel it is enough with the errata at Red Hat!

Thank you in advance!

ngpsteen commented Dec 3, 2020

Hello Folks!

We have now tested this on Fedora 33 and the issue remains.

  1. Fedora 33 Workstation GDM menu shows a few users that can log in.
  2. Smartcard is inserted in the reader.
  3. GDM blanks out the screen and the smartcard reader prompts to enter the PIN.
  4. Entering the PIN on the smartcard reader, followed by pressing the OK button on the smartcard reader, gives the result Pin OK in the reader display.
  5. GDM now prompts for entering the PIN on the keyboard; this is unexpected, instead of being logged in to the window manager, here GNOME or Xfce.
  6. Any number can be entered, it does not matter, followed by hitting Enter.
  7. Once again the smartcard reader now prompts for the PIN.
  8. Entering the PIN on the smartcard pinpad reader followed by pressing the pinpad OK button.
  9. You are now logged in, and all is normal. If ripping out the smartcard from the reader, the screen locks, as expected.

We also tested it on a few more pinpad readers: Gemalto CT700, Gemalto idBridge CT710 and ACS APG8201-B2 plus ACS AGP8201 Pinhandy. All with the same result.

Can we help solve this, or contribute in some way?

Thank you in advance!
