Anyone working with/using it? One thing that's driving me nuts is that it keeps spitting garbage into the logs (card absent or mute!!!). I just tried editing /etc/init.d/pcscd - there's *no* way to pass parms from the config file - and set the logging level to --error, and it's still doing it.
Clues for the poor, to shut it up?
mark
m.roth@5-cent.us wrote, On 11/22/2010 02:21 PM:
Anyone working with/using it? One thing that's driving me nuts is that it keeps spitting garbage into the logs (card absent or mute!!!). I just tried editing /etc/init.d/pcscd - there's *no* way to pass parms from the config file - and set the logging level to --error, and it's still doing it.
Clues for the poor, to shut it up?
mark
Did you try --critical ??
Did someone make the mistake of having both pcsc and openct loaded on the same machine?
Did someone load ctapi-cyberjack without having one of those readers? [I have had this ifd-handler cause a LOT of trouble that seemed similar to yours, before I learned not to install it.]
BTW if the card reader thinks there is a card, but pcscd can't establish communication with the card then that is an error or critical. IIRC you only get the messages like you showed when pcscd thinks there should be a card physically present.
Does anyone use a smart card with the machine?
* If no, then either `chkconfig pcscd off` or `yum remove pcsc-lite`
* If yes, ask your question over on the muscle list, which is where the fellow who maintains pcsc hangs out and he may have some incantation for you. http://lists.drizzle.com/mailman/listinfo/muscle
Hope this helps.
Todd Denniston wrote:
m.roth@5-cent.us wrote, On 11/22/2010 02:21 PM:
Anyone working with/using it? One thing that's driving me nuts is that it keeps spitting garbage into the logs (card absent or mute!!!). I just tried editing /etc/init.d/pcscd - there's *no* way to pass parms from the config file - and set the logging level to --error, and it's still doing it.
Clues for the poor, to shut it up?
Did you try --critical ??
No, I haven't. I was hoping for something useful in the logs that might help me on other things.
Did someone make the mistake of having both pcsc and openct loaded on the same machine?
Um, say *wha*? My manager told me to load both. I've got pcsc-lite, pcsc-lite-libs, and openct. I can read the card, but when I stick it into a reader, it brings up two windows, one after the other: the first wants the phone home URL, and I tell it close, and then the one to "manage smart cards". It should not phone home.
Did someone load ctapi-cyberjack without having one of those readers? [I
Nope. <snip>
BTW if the card reader thinks there is a card, but pcscd can't establish communication with the card then that is an error or critical. IIRC you only get the messages like you showed when pcscd thinks there should be a card physically present.
Hmmm... it does show problems: card not transacted: 612.
Does anyone use a smart card with the machine?
<snip>
- If yes, ask your question over on the muscle list, which is where the fellow who maintains pcsc hangs out and he may have some incantation for you. http://lists.drizzle.com/mailman/listinfo/muscle
Thanks. My manager did get it working on his machine (FC, now 14). I may have to rebuild sshd with smartcard support, *if* I can find the source.
Hope this helps.
It leads to questions I didn't know to ask. Thanks!
mark
m.roth@5-cent.us wrote, On 11/29/2010 05:20 PM:
Todd Denniston wrote:
m.roth@5-cent.us wrote, On 11/22/2010 02:21 PM:
Anyone working with/using it? One thing that's driving me nuts is that it keeps spitting garbage into the logs (card absent or mute!!!). I just tried editing /etc/init.d/pcscd - there's *no* way to pass parms from the config file - and set the logging level to --error, and it's still doing it.
Clues for the poor, to shut it up?
Did someone make the mistake of having both pcsc and openct loaded on the same machine?
Um, say *wha*? My manager told me to load both. I've got pcsc-lite, pcsc-lite-libs, and openct.
Known issue: they both (pcscd and openct) need exclusive access to the card reader. Load one or the other. [Yes, I have been there, and got the T-shirt.]
BTW (IIRC you were working for a leg of the government in your spare time) if you are working with a CAC, then pcscd and coolkey* are enough. *note if you are working with the latest transitional CAC/PIV you'll need a more current coolkey such as coolkey-1.1.0-16.el6.src.rpm from RH. https://bugzilla.redhat.com/show_bug.cgi?id=622916 https://bugzilla.redhat.com/show_bug.cgi?id=534172#c67
It was rumored (by some one I would trust to know) at one time (on the muscle list) that openct and a different pkcs11 lib would be needed for the full on PIV, I don't know if this update to coolkey makes that disappear.
I can read the card, but when I stick it into a reader, it brings up two windows, one after the other: the first wants the phone home URL, and I tell it close, and then the one to "manage smart cards". It should not phone home.
[I won't be here to answer for a while, but the answer to this question will help anyone trying to answer yours.] Which product is bringing up the windows? ESC (Enterprise Security Client Smart Card Client)? This may be an effect of the offending product not being able to read the card because the daemon it is asking can't gain exclusive access to the card reader, and thus it can not identify a card that already has an applet on it.
<snip>
> * If yes, ask your question over on the muscle list, which is where the fellow who maintains pcsc hangs out and he may have some incantation for you.
> http://lists.drizzle.com/mailman/listinfo/muscle
> Thanks. My manager did get it working on his machine (FC, now 14). I may have to rebuild sshd with smartcard support, *if* I can find the source.
> Hope this helps.
The sshd that ships with CentOS does work with smart cards. Things have changed a little since https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8 https://bugzilla.redhat.com/show_bug.cgi?id=186469#c15
Unfortunately the best README.nss I can get you is in http://www.redhat.com/archives/fedora-extras-commits/2007-September/msg01179...
Nowadays you should (after getting the daemons and pkcs11 sorted out, `pkcs11_inspect --debug` [with no one looking over your shoulder] will become a friend) be able to do the following (at least with a CAC):
get nssdb filled with the CAs in ~/.ssh/
ssh-add -n # give pin
ssh-add -L > authorized_keys
ssh othermachinereadingaboveAKfile
It leads to questions I didn't know to ask. Thanks!
mark
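As an added example, not part of this thread or of pcsc-lite, the following POSIX sh script checks for the two conditions Todd describes: pcscd and openct both enabled in the same runlevel (competing for exclusive access to the reader), and pcscd "card absent or mute" noise drowning out the messages that may actually matter, such as the "Card Not Transacted" line Mark saw. The chkconfig-style listing and the syslog excerpt embedded in it are constructed sample data, and the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): triage helpers for the two problems
# discussed above. All input below is constructed, not captured from a real host.

# Constructed `chkconfig --list`-style output.
SAMPLE_CHKCONFIG='pcscd           0:off   1:off   2:on    3:on    4:on    5:on    6:off
openct          0:off   1:off   2:off   3:on    4:on    5:on    6:off
sshd            0:off   1:off   2:on    3:on    4:on    5:on    6:off'

# Constructed syslog excerpt (wording mimics the messages quoted in the thread).
SAMPLE_LOG='Nov 22 14:02:11 host pcscd: card absent or mute
Nov 22 14:02:12 host pcscd: Card Not Transacted: 612
Nov 22 14:02:13 host pcscd: card absent or mute
Nov 22 14:02:14 host sshd[1234]: Accepted publickey for mark from 10.0.0.5'

# Exit 0 when both pcscd and openct are enabled in the given runlevel, i.e. two
# daemons are competing for exclusive access to the reader.
reader_daemons_conflict() {
    listing=$1; runlevel=$2
    printf '%s\n' "$listing" | awk -v rl="$runlevel" '
        ($1 == "pcscd" || $1 == "openct") {
            for (i = 2; i <= NF; i++) if ($i == (rl ":on")) seen[$1] = 1
        }
        END { exit (("pcscd" in seen) && ("openct" in seen)) ? 0 : 1 }'
}

# Count pcscd "card absent or mute" lines; anything else (e.g. "Card Not
# Transacted") is left visible because it may point at a real reader problem.
pcscd_noise_count() {
    printf '%s\n' "$1" | awk 'tolower($0) ~ /pcscd: card absent or mute/ { n++ } END { print n + 0 }'
}

# Print the pcscd lines worth a human's attention.
pcscd_signal_lines() {
    printf '%s\n' "$1" | grep 'pcscd:' | grep -vi 'card absent or mute'
}

if reader_daemons_conflict "$SAMPLE_CHKCONFIG" 3; then
    echo "runlevel 3: pcscd and openct are both enabled; disable one (chkconfig <name> off)"
fi
echo "suppressed $(pcscd_noise_count "$SAMPLE_LOG") noise line(s); remaining pcscd lines:"
pcscd_signal_lines "$SAMPLE_LOG"
```

On a real host you would feed `reader_daemons_conflict` the output of `chkconfig --list` and `pcscd_signal_lines` a slice of /var/log/messages; filtering the log this way keeps the verbose level useful (Mark's reason for not going to --critical) without the repeated absent-or-mute lines hiding the one that matters.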