On Fri, Nov 09, 2018 at 08:02:05AM +0100, Natxo Asenjo via FreeIPA-users wrote:
> hi,
>
> trying to get smart card authentication using a yubikey.
>
> I follow the
>
> $ opensc-tool --list-readers
> # Detected readers (pcsc)
> Nr. Card Features Name
> 0 Yes Yubico Yubikey NEO OTP+U2F+CCID 00 00
>
> I managed to import a key and certificate (generated by openssl):
>
> $ yubico-piv-tool -a status -v
> trying to connect to reader 'Yubico Yubikey NEO OTP+U2F+CCID 00 00'.
> Action 'status' does not need authentication.
> Now processing for action 'status'.
> CHUID: No data available
> CCC: No data available
> Slot 9a:
> Algorithm: RSA2048
> Subject DN: O=UNIX.ASENJO.NL, CN=user50
> Issuer DN: O=UNIX.ASENJO.NL, CN=Certificate Authority
> Fingerprint:
> dce33717ab7b9e13e8c5a54eb6ccc8aa5c12696af390fb1db20d2b01739922f9
> Not Before: Nov 8 22:40:02 2018 GMT
> Not After: Nov 8 22:40:02 2020 GMT
> PIN tries left: 3
>
> And this user50 has this certificate in ipa.
>
> My trouble starts when running this step on the client:
>
> # modutil -dbdir /etc/pki/nssdb -add "OpenSC" -libfile opensc-pkcs11.so
> -force
> ERROR: Failed to add module "OpenSC". Probable cause : "Unknown PKCS #11
> error."
>
> I have tried using full paths (/usr/lib64/opensc-pkcs11.so,
> /usr/lib64/pkcs11/opensc-pkcs11.so), all met with same errors.
>
> So, basically, I'm stuck now :(, because without this piece opensc cannot
> work apparently.
>
> This is a fedora 29 host, by the way.
>
> Any clues?

Can you check with 'modutil -dbdir /etc/pki/nssdb -list' if
p11-kit-proxy is installed? Iirc the idea with recent NSS setups is that
p11-kit-proxy is added by default to the NSS databases and the PKCS#11
modules only register with p11-kit.

HTH

bye,
Sumit

>
> --
> regards,
> Natxo
> --
> Groeten,
> natxo
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
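
Added example, not part of the original thread: a small shell helper that reads the output of the `modutil -dbdir /etc/pki/nssdb -list` check suggested above and reports whether p11-kit-proxy is loaded in the NSS database. The function names and the sample listing are constructed for illustration, and the listing layout is an assumption about what modutil prints.

```shell
#!/bin/sh
# Added example. Sample text below is constructed and only assumed to
# follow the layout printed by `modutil -dbdir /etc/pki/nssdb -list`.
sample_modutil_list() {
cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

  2. p11-kit-proxy
        library name: p11-kit-proxy.so
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------
EOF
}

# Read a module listing on stdin, print one "name|library" line per module.
list_nss_modules() {
    awk '
        /^[ \t]*[0-9]+\. / {
            if (name != "") print name "|" lib
            name = $0; sub(/^[ \t]*[0-9]+\.[ \t]*/, "", name); lib = ""
            next
        }
        /library name:/ { lib = $0; sub(/^.*library name:[ \t]*/, "", lib) }
        END { if (name != "") print name "|" lib }
    '
}

# Read a module listing on stdin and say how tokens reach NSS:
#   p11-kit : the proxy is loaded, so opensc only has to be registered with
#             p11-kit (see `p11-kit list-modules`), not added with modutil
#   direct  : no proxy in this database
nss_token_path() {
    if list_nss_modules | grep -q 'p11-kit-proxy'; then
        echo "p11-kit"
    else
        echo "direct"
    fi
}

sample_modutil_list | nss_token_path
```

On a real client the input would come from `modutil -dbdir /etc/pki/nssdb -list | nss_token_path` instead of the constructed sample.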