m.roth at 5-cent.us wrote, On 11/29/2010 05:20 PM:
> Todd Denniston wrote:
>> m.roth at 5-cent.us wrote, On 11/22/2010 02:21 PM:
>>> Anyone working with/using it? One thing that's driving me nuts is that
>>> it keeps spitting garbage into the logs (card absent or mute!!!). I just
>>> tried editing /etc/init.d/pcscd - there's *no* way to pass parms from
>>> the config file - and set the logging level to --error, and it's still
>>> doing it.
>>>
>>> Clues for the poor, to shut it up?
>> Did someone make the mistake of having both pcsc and openct loaded on the
>> same machine?
>
> Um, say *wha*? My manager told me to load both. I've got pcsc-lite,
> pcsc-lite-libs, and openct.

Known issue: they both (pcscd and openct) need exclusive access to the card
reader. Load one or the other. [Yes, I have been there, and got the T-shirt.]

BTW (IIRC you were working for a leg of the government in your spare time),
if you are working with a CAC, then pcscd and coolkey* are enough.

*note: if you are working with the latest transitional CAC/PIV you'll need a
more current coolkey, such as coolkey-1.1.0-16.el6.src.rpm from RH.
https://bugzilla.redhat.com/show_bug.cgi?id=622916
https://bugzilla.redhat.com/show_bug.cgi?id=534172#c67

It was rumored (by someone I would trust to know) at one time (on the muscle
list) that openct and a different pkcs11 lib would be needed for the full-on
PIV; I don't know if this update to coolkey makes that disappear.

> I can read the card, but when I stick it into
> a reader, it brings up two windows, one after the other: the first wants
> the phone home URL, and I tell it close, and then the one to "manage smart
> cards".

It should not phone home.
[I won't be here to answer for a while, but the answer to this question will
help anyone trying to answer yours.]
Which product is bringing up the windows? ESC (Enterprise Security Client,
the smart card client)?
This may be an effect of the offending product not being able to read the
card because the daemon it is asking can't gain exclusive access to the card
reader, and thus it cannot identify a card that already has an applet on it.

> <snip>
>> * If yes, ask your question over on the muscle list, which is where the
>> fellow who maintains pcsc hangs out, and he may have some incantation for
>> you.
>> http://lists.drizzle.com/mailman/listinfo/muscle
>>
> Thanks. My manager did get it working on his machine (FC, now 14). I may
> have to rebuild sshd with smartcard support, *if* I can find the source.
>> Hope this helps.

The sshd that ships with CentOS does work with smart cards. Things have
changed a little since
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c15
Unfortunately the best README.nss I can get you is in
http://www.redhat.com/archives/fedora-extras-commits/2007-September/msg01179.html

Nowadays you should (after getting the daemons and pkcs11 sorted out;
`pkcs11_inspect --debug` [with no one looking over your shoulder] will become
a friend) be able to do the following (at least with a CAC):

get nssdb filled with the CAs in ~/.ssh/
ssh-add -n        # give pin
ssh-add -L > authorized_keys
ssh othermachinereadingaboveAKfile

> > It leads to questions I didn't know to ask. Thanks!
> >
> > mark

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: stddisclamer.h
Type: text/x-chdr
Size: 356 bytes
Desc: not available
URL: <http://lists.centos.org/pipermail/centos/attachments/20101129/41919ead/attachment-0005.bin>
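As an added example (not from Todd's message, nor from the pcsc-lite, openct or coolkey projects), here is a shell script that wraps the procedure at the end of the reply. It first refuses to proceed when pcscd and openct are both running, the exclusive-access clash from the start of the thread, then loads the card's keys into ssh-agent through a PKCS#11 provider and appends the public half to a remote authorized_keys. It uses the upstream OpenSSH forms `ssh-keygen -D <provider>` and `ssh-add -s <provider>` rather than the NSS-patched `ssh-add -n` in the post, and it checks that what the agent lists really came from the card. Assumptions: the coolkey module lives at /usr/lib64/pkcs11/libcoolkeypk11.so (override with PROVIDER=), openct's per-reader process is named ifdhandler, and the target host is given on the command line. The key lines in the self-check are constructed, not real CAC keys.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumed location of the coolkey PKCS#11 module; override with PROVIDER=...
PROVIDER="${PROVIDER:-/usr/lib64/pkcs11/libcoolkeypk11.so}"

# pcscd and openct both want exclusive access to the reader, so they must
# not run side by side. Takes a list of process names (e.g. `ps -eo comm=`)
# and fails when pcscd and openct's per-reader daemon (assumed name:
# ifdhandler) are both present.
reader_daemons_ok() {
    have_pcscd=0
    have_openct=0
    for name in "$@"; do
        case "$name" in
            pcscd)      have_pcscd=1 ;;
            ifdhandler) have_openct=1 ;;
        esac
    done
    [ "$have_pcscd" -eq 1 ] && [ "$have_openct" -eq 1 ] && return 1
    return 0
}

# Compare what the card offers (file $1, output of `ssh-keygen -D $PROVIDER`)
# with what the agent holds (file $2, output of `ssh-add -L`). Only key type
# and base64 blob are compared; the comment field differs between the two.
# Succeeds when every card key is in the agent, lists the missing ones otherwise.
card_keys_loaded() {
    t1=$(mktemp) || return 2
    t2=$(mktemp) || { rm -f "$t1"; return 2; }
    awk 'NF >= 2 { print $1, $2 }' "$1" | sort -u > "$t1"
    awk 'NF >= 2 { print $1, $2 }' "$2" | sort -u > "$t2"
    missing=$(comm -23 "$t1" "$t2")
    rm -f "$t1" "$t2"
    if [ -n "$missing" ]; then
        printf 'card keys not in agent:\n%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Self-check on constructed key lines (no reader needed): the agent holds the
# card's first key but not its second, and the daemon check must flag the clash.
selfcheck() {
    card=$(mktemp) || return 2
    agent=$(mktemp) || { rm -f "$card"; return 2; }
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample1 CAC ID Certificate\n' > "$card"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample1 %s\n' "$PROVIDER" > "$agent"
    card_keys_loaded "$card" "$agent" || { rm -f "$card" "$agent"; return 1; }
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDexample2 CAC Email Signature\n' >> "$card"
    if card_keys_loaded "$card" "$agent" 2>/dev/null; then
        rm -f "$card" "$agent"; return 1
    fi
    rm -f "$card" "$agent"
    reader_daemons_ok pcscd sshd gdm && ! reader_daemons_ok pcscd ifdhandler
}

# The real procedure: check daemons, read the card, load the agent, verify,
# push the public key to $REMOTE and prove the card now signs the login.
main() {
    # shellcheck disable=SC2046
    if ! reader_daemons_ok $(ps -eo comm= | sort -u); then
        echo "pcscd and openct (ifdhandler) are both running; stop one of them" >&2
        exit 1
    fi
    umask 077
    ssh-keygen -D "$PROVIDER" > "$HOME/.ssh/card.pub" || exit 1   # no PIN needed
    ssh-add -s "$PROVIDER" || exit 1                             # prompts for PIN
    ssh-add -L > "$HOME/.ssh/agent.pub"
    card_keys_loaded "$HOME/.ssh/card.pub" "$HOME/.ssh/agent.pub" || exit 1
    ssh "$REMOTE" 'umask 077; mkdir -p ~/.ssh; cat >> ~/.ssh/authorized_keys' \
        < "$HOME/.ssh/card.pub" || exit 1
    ssh -o PasswordAuthentication=no "$REMOTE" true \
        && echo "card-based login to $REMOTE works"
}

case "${1:-}" in
    setup)     REMOTE="${2:?usage: $0 setup user@host}"; main ;;
    selfcheck) selfcheck ;;
esac
```

Run `sh cac-ssh.sh selfcheck` first, with no reader attached, then `sh cac-ssh.sh setup user@host` with the card inserted. The final `ssh` disables password authentication so that a success really means the agent signed with the card key; if it fails, `pkcs11_inspect --debug`, as suggested in the post, is the place to look next.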