Tue Jul 26 21:17:40 UTC 2016, m.roth at 5-cent.us wrote:
I could try the reinstall, but it's very odd - everything worked, and now, after the upgrade, it doesn't. Oh, and here's another twist on this: Under 6.7, if I'd logged into my webmail via firefox, and while that was happening, I stuck my AA ("Logical token" card) into the keyboard slot, and used it in logging onto one server (using sccr), it just chugged along. Now, at 6.8, *everything* in firefox hangs - even a google search, until I pull the card out of the keyboard. It's clearly trying to authenticate the client, not just the server....
rpm -qa --last *pcsc* *cool* *nss-* *ssh* ccid*
in 6.7 the last nss was 3.21.0-0.3.el6_7 in 6.8 it is 3.21.0-8.el6 --changelog is confusing, as there is no 3.21.0-0.3, and there is a "Rebase RHEL 6.8 to NSS 3.21" even though we where ALREADY on 3.21?
--changelog ccid shows changes the Omnikey 3022 behavior, and added more ccids and "Allow longer ccid messages"
Fortunately/Unfortunately the problems you are seeing are not affecting me on the RHEL box I am currently using with the nss access method I sent the other day, and I don't have an AA card, so it is a little hard to figure out what broke.
I suspect that for us to figure out what exactly happened (which I would like to know) we would have downgrade some components back to their 6.7 state on your box and see which component had the bad change. And then figure out what those changes were. I've done it before to help RH get CAC with ssh going again in 6.x series (6.[34] IIRC, broke something).
Remember the software stack is IIRC: firefox nss coolkey pcscd ccid
I think your use of openssh -s libcoolkeypk11.so makes it look like: ssh coolkey pcscd ccid
and for your sccr script probably looks a bit like: sccr ?nss??openssl? coolkey pcscd ccid
I would likely** yum downgrade ccid pcscd coolkey and then see if the lock still happened between sccr and firefox, then kick nss (or do douwngrade in the other order). After it is working, I would upgrade each of those components until it broke again... and depending on how pedantic I was being I might downgrade just the component that I think broke it and upgrade the rest.
**downgrade is a little trickier using CentOS when crossing point releases... you may need to build your own 'updates' repo, containing all the 6.7 updates and the 6.8 stuff.
Good hunting.
BTW: if you drop us/me the whole ssh invocation using -s, I might give that a go here and see if it works here on RHEL compared to my normal nss invocation.
Even when this disclaimer is not here: I am not a contracting officer. I do not have authority to make or modify the terms of any contract.