Gentoo Forums
PAM/xscreensaver/Authentification via MIFARE SMARTCARD
ch64
Guru
Joined: 09 Jun 2010
Posts: 319

Posted: Wed Nov 15, 2017 11:07 pm    Post subject: PAM/xscreensaver/Authentification via MIFARE SMARTCARD

Hello.
I want to lock xscreensaver when removing a smartcard. That is working here.
I have the USB device ACS ACR122U PICC Interface and a few MIFARE Classic 1k cards.
So, if I start card_eventmgr, it is locking via xscreensaver. -> Very nice.
But if I put the card back near the NFC reader, xscreensaver is telling me: "error 2304 - Error Initializing the PKCS#11 module"
I have a PAM for that, where it only needs a user. Xscreensaver tries as this user. But I have error 2304.
So, tail /var/log/messages is telling me:

Code:
Nov 15 22:52:03 dualcore xscreensaver[5077]: username = [flash]
Nov 15 22:52:03 dualcore xscreensaver[5077]: loading pkcs #11 module...
Nov 15 22:52:03 dualcore xscreensaver[5077]: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
Nov 15 22:52:03 dualcore xscreensaver[5077]: module permissions: uid = 0, gid = 0, mode = 755
Nov 15 22:52:03 dualcore xscreensaver[5077]: loading module /usr/lib/opensc-pkcs11.so
Nov 15 22:52:03 dualcore xscreensaver[5077]: getting function list
Nov 15 22:52:03 dualcore xscreensaver[5077]: initialising pkcs #11 module...
Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc
Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Nov 15 22:52:03 dualcore xscreensaver[5077]: module information:
Nov 15 22:52:03 dualcore xscreensaver[5077]: - version: 2.20
Nov 15 22:52:03 dualcore xscreensaver[5077]: - manufacturer: OpenSC Project                 
Nov 15 22:52:03 dualcore xscreensaver[5077]: - flags: 0000
Nov 15 22:52:03 dualcore xscreensaver[5077]: - library description: OpenSC smartcard framework     
Nov 15 22:52:03 dualcore xscreensaver[5077]: - library version: 0.16
Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc
Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc
Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Nov 15 22:52:03 dualcore xscreensaver[5077]: number of slots (a): 0
Nov 15 22:52:03 dualcore xscreensaver[5077]: init_pkcs11_module() failed: there are no slots available
Nov 15 22:52:03 dualcore xscreensaver[5077]: pam_pkcs11(xscreensaver:auth): init_pkcs11_module() failed: there are no slots available
Nov 15 22:52:14 dualcore xscreensaver[5077]: FAILED LOGIN 1 ON DISPLAY ":0", FOR "flash"
Nov 15 22:52:19 dualcore su[5126]: pam_unix(su:session): session closed for user root


It is the first time I am trying that. Can somebody help? :wink:
Also opensc is telling me that the card is not compatible.
Code:
dualcore ~ # nfc-list
nfc-list uses libnfc 1.7.1
NFC device: ACS / ACR122U PICC Interface opened
1 ISO14443A passive target(s) found:
ISO/IEC 14443A (106 kbps) target:
    ATQA (SENS_RES): 00  04
       UID (NFCID1): b3  73  99  d5
      SAK (SEL_RES): 08

The command where it is telling me that it's a MIFARE CLASSIC 1k I do not remember right now... :)
Also I think that I have to use the pam_pkcs11 module and not opensc! So I'm a bit confused.

ch64
Guru
Joined: 09 Jun 2010
Posts: 319

Posted: Fri Nov 17, 2017 3:33 am    Post subject:

Does this error come from a wrong polkit configuration?
Quote:
Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc
Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc
Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

Quote:
# opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes ACS ACR122U PICC Interface 00 00
# pcsc_scan
PC/SC device scanner
V 1.4.27 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.22
Using reader plug'n play mechanism
Scanning present readers...
0: ACS ACR122U PICC Interface 00 00

Fri Nov 17 05:23:41 2017
Reader 0: ACS ACR122U PICC Interface 00 00
Card state: Card inserted,
ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A

ATR: 3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A
+ TS = 3B --> Direct Convention
+ T0 = 8F, Y(1): 1000, K: 15 (historical bytes)
TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1
-----
+ Historical bytes: 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00
Category indicator byte: 80 (compact TLV data object)
Tag: 4, len: F (initial access data)
Initial access data: 0C A0 00 00 03 06 03 00 01 00 00 00 00
+ TCK = 6A (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A
3B 8F 80 01 80 4F 0C A0 00 00 03 06 .. 00 01 00 00 00 00 ..
Mifare Standard 1K (as per PCSC std part3)
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 .. .. 00 00 00 00 ..
RFID - ISO 14443 Type A Part 3 (as per PCSC std part3)
3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A
Philips MIFARE Standard (1 Kbytes EEPROM)
http://www.nxp.com/#/pip/pip=[pfp=41863]|pp=[t=pfp,i=41863]
RFID - ISO 14443 Type A - Transport for London Oyster
ACOS5/1k Mirfare
RFID - ISO 14443 Type A - NXP Mifare card with 1k EEPROM
vivotech ViVOcard Contactless Test Card
Bangkok BTS Sky SmartPass


Quote:
Nov 17 05:36:44 dualcore xscreensaver[2174]: pam_pkcs11(xscreensaver:auth): no suitable token available
Nov 17 05:36:55 dualcore syslog-ng[5170]: Log statistics; processed='center(received)=1269', processed='center(queued)=2538', processed='src.none()=0', stamp='src.none()=0', processed='source(src)=1269', processed='destination(messages)=1269', processed='global(payload_reallocs)=1173', processed='global(sdata_updates)=0', processed='destination(console_all)=1269', processed='global(msg_clones)=0', processed='src.internal(src#2)=4', stamp='src.internal(src#2)=1510850215', processed='global(internal_queue_length)=0'
Nov 17 05:37:00 dualcore xscreensaver[2174]: FAILED LOGIN 1 ON DISPLAY ":0", FOR "flash"
Nov 17 05:37:03 dualcore xscreensaver[2174]: username = [flash]
Nov 17 05:37:03 dualcore xscreensaver[2174]: loading pkcs #11 module...
Nov 17 05:37:03 dualcore xscreensaver[2174]: PKCS #11 module = [/usr/lib/pkcs11/opensc-pkcs11.so]
Nov 17 05:37:03 dualcore xscreensaver[2174]: module permissions: uid = 0, gid = 0, mode = 755
Nov 17 05:37:03 dualcore xscreensaver[2174]: loading module /usr/lib/pkcs11/opensc-pkcs11.so
Nov 17 05:37:03 dualcore xscreensaver[2174]: getting function list
Nov 17 05:37:03 dualcore xscreensaver[2174]: initialising pkcs #11 module...
Nov 17 05:37:03 dualcore xscreensaver[2174]: module information:
Nov 17 05:37:03 dualcore xscreensaver[2174]: - version: 2.20
Nov 17 05:37:03 dualcore xscreensaver[2174]: - manufacturer: OpenSC Project
Nov 17 05:37:03 dualcore xscreensaver[2174]: - flags: 0000
Nov 17 05:37:03 dualcore xscreensaver[2174]: - library description: OpenSC smartcard framework
Nov 17 05:37:03 dualcore xscreensaver[2174]: - library version: 0.16
Nov 17 05:37:03 dualcore xscreensaver[2174]: number of slots (a): 1
Nov 17 05:37:03 dualcore xscreensaver[2174]: number of slots (b): 1
Nov 17 05:37:03 dualcore xscreensaver[2174]: slot 1:
Nov 17 05:37:03 dualcore xscreensaver[2174]: - description: ACS ACR122U PICC Interface 00 00
Nov 17 05:37:03 dualcore xscreensaver[2174]: - manufacturer: ACS
Nov 17 05:37:03 dualcore xscreensaver[2174]: - flags: 0006
Nov 17 05:37:03 dualcore xscreensaver[2174]: no suitable token available
Nov 17 05:37:03 dualcore xscreensaver[2174]: pam_pkcs11(xscreensaver:auth): no suitable token available
Nov 17 05:37:05 dualcore xscreensaver[2174]: FAILED LOGIN 2 ON DISPLAY ":0", FOR "flash"


Last edited by ch64 on Fri Nov 17, 2017 4:40 am; edited 1 time in total
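
Why the log ends in "no suitable token available" once the reader is visible: the ATR printed by pcsc_scan is the PC/SC Part 3 form that a contactless reader builds for a memory card, which is what pcsc_scan means by "Mifare Standard 1K (as per PCSC std part3)", and such a card offers pam_pkcs11 no certificate or private key. The parser below is an added example, not part of the original posts; its function names and lookup tables are illustrative and cover only a few card-name codes.

```python
from functools import reduce
from operator import xor

# ATR copied from the pcsc_scan output in the post above.
ATR = "3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A"
# PC/SC Part 3 storage-card ATR layout:
#   3B 8n 80 01 | 80 4F 0C | RID A0 00 00 03 06 | SS | NN NN | RFU x4 | TCK
PCSC_RID = bytes.fromhex("A000000306")
STANDARD = {0x03: "ISO 14443 A, part 3"}
CARD_NAME = {0x0001: "MIFARE Classic 1K", 0x0002: "MIFARE Classic 4K",
             0x0003: "MIFARE Ultralight"}


def historical_bytes(atr):
    """Check TS and TCK, skip the interface bytes, return the historical bytes."""
    if len(atr) < 2 or atr[0] != 0x3B:
        raise ValueError("not a direct-convention ATR")
    pos, y, k, has_tck = 2, atr[1] >> 4, atr[1] & 0x0F, False
    while True:
        pos += bin(y & 0x7).count("1")       # TA(i), TB(i), TC(i) if flagged
        if not y & 0x8:                       # no TD(i): interface bytes end
            break
        if pos >= len(atr):
            raise ValueError("truncated ATR")
        has_tck |= (atr[pos] & 0x0F) != 0     # a protocol other than T=0 adds TCK
        y, pos = atr[pos] >> 4, pos + 1
    end = pos + k
    if len(atr) != end + has_tck:
        raise ValueError("ATR length does not match T0")
    if has_tck and reduce(xor, atr[1:]) != 0:
        raise ValueError("bad TCK checksum")
    return atr[pos:end]


def classify(atr_hex):
    """Report whether the ATR describes a PC/SC Part 3 storage (memory) card."""
    hist = historical_bytes(bytes.fromhex(atr_hex))
    if len(hist) < 11 or hist[:3] != b"\x80\x4f\x0c" or hist[3:8] != PCSC_RID:
        return {"storage_card": False}
    ss, nn = hist[8], int.from_bytes(hist[9:11], "big")
    return {"storage_card": True,
            "standard": STANDARD.get(ss, "unknown (0x%02X)" % ss),
            "card": CARD_NAME.get(nn, "unknown (0x%04X)" % nn)}


if __name__ == "__main__":
    print(classify(ATR))
```
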

ch64
Guru
Joined: 09 Jun 2010
Posts: 319

Posted: Fri Nov 17, 2017 4:31 am    Post subject:

Now I added the following to polkit:
Quote:
// Let user "flash" open a PC/SC context (connect to pcscd).
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "flash") {
        return polkit.Result.YES;
    }
});

// Let user "flash" access the card in this specific reader.
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'ACS ACR122U PICC Interface 00 00' &&
        subject.user == "flash") {
        return polkit.Result.YES;
    }
});


The next error I have is "no suitable token found".
So, I don't really know how to.. :roll:
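
The two failures in this thread sit at different layers: before the polkit rule, pcscd rejects the client and pam_pkcs11 sees no slots; after it, the reader is visible and the card itself is rejected. The script below is an added example, not part of the original posts, that tells the two apart by matching the PID in pcscd's denial to the PID of the PAM caller; the sample lines are constructed from the thread's logs with the long source paths shortened, and the "layer" labels are illustrative.

```python
import re

# Constructed sample: log lines from this thread with the source paths shortened.
SAMPLE = """\
Nov 15 22:52:03 dualcore pcscd[3761]: auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc
Nov 15 22:52:03 dualcore xscreensaver[5077]: number of slots (a): 0
Nov 15 22:52:03 dualcore xscreensaver[5077]: pam_pkcs11(xscreensaver:auth): init_pkcs11_module() failed: there are no slots available
Nov 17 05:37:03 dualcore xscreensaver[2174]: number of slots (a): 1
Nov 17 05:37:03 dualcore xscreensaver[2174]: pam_pkcs11(xscreensaver:auth): no suitable token available
"""

SYSLOG = re.compile(r"^\w{3} +\d+ [\d:]{8} \S+ (?P<prog>[^\[\s]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$")
DENIED = re.compile(r"Process (?P<pid>\d+) \(user: (?P<uid>\d+)\) is NOT authorized "
                    r"for action: (?P<action>\w+)")
PAM_FAIL = re.compile(r"pam_pkcs11\((?P<service>[^:)]+):auth\): (?P<reason>.+)")


def triage(log_text):
    """Attribute each pam_pkcs11 failure to a pcscd polkit denial or to the token."""
    denials = {}   # client pid -> {"uid": ..., "actions": set of polkit actions}
    findings = []
    for line in log_text.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        denied = DENIED.search(m["msg"])
        if m["prog"] == "pcscd" and denied:
            entry = denials.setdefault(denied["pid"], {"uid": denied["uid"], "actions": set()})
            entry["actions"].add(denied["action"])
            continue
        failed = PAM_FAIL.search(m["msg"])
        if failed:
            # pcscd logs the PID of the rejected client; match it to the PAM caller.
            # No denial for this PID means the failure is past pcscd authorization.
            hit = denials.pop(m["pid"], None)
            findings.append({
                "service": failed["service"],
                "pid": int(m["pid"]),
                "reason": failed["reason"],
                "layer": "polkit" if hit else "token",
                "uid": int(hit["uid"]) if hit else None,
                "actions": sorted(hit["actions"]) if hit else [],
            })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(finding)
```
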

ch64
Guru
Joined: 09 Jun 2010
Posts: 319

Posted: Sat Nov 18, 2017 10:50 pm    Post subject:

Now with the coolkey module it starts and (KILLS) the xscreensaver right when removing and adding the card.
But there is this:
Quote:
Nov 18 23:36:02 dualcore xscreensaver[8184]: Error setting configuration parameters
Nov 18 23:36:02 dualcore xscreensaver[8184]: FAILED LOGIN 1 ON DISPLAY ":0", FOR "flash"
Nov 18 23:36:26 dualcore xscreensaver[8184]: Error setting configuration parameters
Nov 18 23:36:26 dualcore xscreensaver[8184]: FAILED LOGIN 2 ON DISPLAY ":0", FOR "flash"
Nov 18 23:36:30 dualcore xscreensaver[8184]: Error setting configuration parameters
Nov 18 23:36:30 dualcore xscreensaver[8184]: FAILED LOGIN 3 ON DISPLAY ":0", FOR "flash"
Nov 18 23:40:01 dualcore cron[8363]: (root) CMD (test -x /usr/sbin/run-crons && /usr/sbin/run-crons)


The "xscreensaver-command -deactivate" does not deactivate the screensaver.
When I try as root, it says that there is no such display. When I add -display :0, I get the MAGIC COOKIE message.
I then exported ~user/.Xauthority to root.
It only says "deactivating" in the xscreensaver log, but xscreensaver in the real world doesn't deactivate.
It only says: AUTH failed.
But killall xscreensaver is doing well!
So: What is this "Error setting configuration parameters"?

ch64
Guru
Joined: 09 Jun 2010
Posts: 319

Posted: Wed Nov 22, 2017 12:25 am    Post subject:

When I started to configure the pam_pkcs11 module, sys-auth/pam_pkcs-0.6.9 was removed from the Gentoo tree!
Just before I started! :cry: