Bug#927158: [Pkg-swan-devel] Bug#927158: strongswan-nm: charon-nm reports no usable smartcard found despite the smartcard working with charon as called by swanctl

2019-04-16 Thread Yves-Alexis Perez

On Tue, 2019-04-16 at 09:15 -0400, robert.grizz...@quoininc.com wrote:
> > Configure the plugin's settings directly in
> > strongswan.conf in the charon-nm.plugins.pkcs11 section (or set them in
> > the libstrongswan section so they apply to both daemons).
> 
> Copying the pkcs11 configuration from /etc/strongswan.d/charon/pkcs11.conf to 
> the libstrongswan.plugins.pkcs11 section in strongswan.conf solved the 
> problem.

Thanks Tobias for providing the help.

Robert, since it doesn't seem to be a bug in strongSwan in the end, I'm
closing the bug.

Regards,
-- 
Yves-Alexis



Bug#927158: strongswan-nm: charon-nm reports no usable smartcard found despite the smartcard working with charon as called by swanctl

2019-04-16 Thread robert . grizzard
On Tuesday, April 16, 2019 4:01:57 AM EDT Tobias Brunner wrote:

Hi Tobias,

> Configure the plugin's settings directly in
> strongswan.conf in the charon-nm.plugins.pkcs11 section (or set them in
> the libstrongswan section so they apply to both daemons).

Copying the pkcs11 configuration from /etc/strongswan.d/charon/pkcs11.conf to 
the libstrongswan.plugins.pkcs11 section in strongswan.conf solved the 
problem.

Many thanks,
-- 
RG



Bug#927158: strongswan-nm: charon-nm reports no usable smartcard found despite the smartcard working with charon as called by swanctl

2019-04-16 Thread Tobias Brunner
Hi Robert,

> The contents of /etc/strongswan.d/charon/pkcs11.conf are:
> pkcs11 {

The contents of that file are not relevant to charon-nm (unless you
changed strongswan.conf).  Configure the plugin's settings directly in
strongswan.conf in the charon-nm.plugins.pkcs11 section (or set them in
the libstrongswan section so they apply to both daemons).

Regards,
Tobias



Bug#927158: strongswan-nm: charon-nm reports no usable smartcard found despite the smartcard working with charon as called by swanctl

2019-04-15 Thread Grizzard, Robert
Package: strongswan-nm
Version: 5.7.2-1
Severity: important
Tags: upstream

Dear Maintainer,

When using a YubiKey 4 smartcard device with strongSwan configured according to
the instructions for smartcard usage
(https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards#strongSwan-configuration)
with network-manager-strongswan and strongswan-nm, network manager fails to
authenticate.
Using the smartcard with swanctl works properly.
Using the same certificate and key that were loaded onto the smartcard with the
network manager Authentication option "Certificate/private key" authenticates
correctly.

The complete output when using the "Smartcard" option in network manager seen
in /var/log/syslog is:
Apr 15 12:31:33 qir9rgyf8 NetworkManager[624]:   [1555345893.6013] vpn-connection[0x55af49452780,f8d08eec-0752-4309-9a9a-fc5f27a6d376,"New vpn connection",0]: Saw the service appear; activating connection
Apr 15 12:31:33 qir9rgyf8 charon-nm: 04[CFG] received initiate for NetworkManager connection New vpn connection
Apr 15 12:31:33 qir9rgyf8 charon-nm: 04[CFG] using CA certificate, gateway identity 'openbsd.lan.domain'
Apr 15 12:31:33 qir9rgyf8 NetworkManager[624]:   [1555345893.6077] vpn-connection[0x55af49452780,f8d08eec-0752-4309-9a9a-fc5f27a6d376,"New vpn connection",0]: VPN connection: failed to connect: 'no usable smartcard certificate found.'


The relevant output seen in /var/log/syslog when using swanctl with the
smartcard is:
Apr 15 12:43:12 qir9rgyf8 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Apr 15 12:43:12 qir9rgyf8 ipsec[7908]: Starting strongSwan 5.7.2 IPsec [starter]...
Apr 15 12:43:12 qir9rgyf8 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-4-amd64, x86_64)
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG] loaded PKCS#11 v2.20 library 'opensc' (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG]   OpenSC Project: OpenSC smartcard framework v0.19
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG]   found token in slot 'opensc':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)

The contents of /etc/strongswan.d/charon/pkcs11.conf are:
pkcs11 {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Reload certificates from all tokens if charon receives a SIGHUP.
    # reload_certs = no

    # Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc
    # option).
    # use_dh = no

    # Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
    # operations. ECDSA private keys can be used regardless of this option.
    # use_ecc = no

    # Whether the PKCS#11 modules should be used to hash data.
    # use_hasher = no

    # Whether the PKCS#11 modules should be used for public key operations, even
    # for keys not stored on tokens.
    # use_pubkey = no

    # Whether the PKCS#11 modules should be used as RNG.
    # use_rng = no

    # List of available PKCS#11 modules.
    modules {

        opensc {

            # Whether to automatically load certificates from tokens.
            # load_certs = yes

            # Whether OS locking should be enabled for this module.
            # os_locking = no

            # Full path to the shared object file of this PKCS#11 module.
            path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

        }

    }

}


-- System Information:
Debian Release: buster/sid
  APT prefers testing
  APT policy: (500, 'testing'), (3, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages strongswan-nm depends on:
ii  libc6 2.28-8
ii  libglib2.0-0  2.58.3-1
ii  libnm0                1.14.6-2
ii  libstrongswan 5.7.2-1
ii  strongswan-libcharon  5.7.2-1

Versions of packages strongswan-nm recommends:
ii  network-manager-strongswan  1.4.4-2

strongswan-nm suggests no packages.

-- no debconf information


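The root cause in this thread is a lookup-scope issue rather than a smartcard problem: the default strongswan.conf includes /etc/strongswan.d/charon/*.conf under the charon section only, so charon-nm never sees the pkcs11 module list, and as Tobias notes the settings have to live in charon-nm.plugins.pkcs11 or in libstrongswan.plugins.pkcs11, which every daemon falls back to. The following is an added example written for this page, not strongSwan's own code: a small parser for the brace-style strongswan.conf format plus a lookup that models libstrongswan's per-daemon fallback. It assumes a simplified configuration with no include directives (the contents of the reporter's pkcs11.conf are placed directly under charon, where the include would put them), and both configurations in it are constructed for the example.

```python
"""Model of how strongSwan resolves per-daemon plugin settings.

Added example, not strongSwan's own code. It parses the brace-style
strongswan.conf format (sections, key = value, '#' comments) and looks a
plugin setting up the way libstrongswan does: '<daemon>.plugins.<plugin>'
first, then the 'libstrongswan.plugins.<plugin>' fallback. The 'include'
directive is not implemented; in this model the contents of
/etc/strongswan.d/charon/pkcs11.conf are already placed under 'charon',
which is where the default strongswan.conf includes them. Both configs
below are constructed for the example.
"""

OPENSC = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"

# As reported: the pkcs11 module is configured for charon only, so charon
# (used by swanctl) finds the token while charon-nm sees no modules at all.
AS_REPORTED = """
charon {
    plugins {
        pkcs11 {
            load = yes
            modules {
                opensc {
                    path = %s
                }
            }
        }
    }
}
charon-nm {
}
""" % OPENSC

# The fix from the thread: define the modules in the libstrongswan section,
# which every daemon falls back to.
FIXED = AS_REPORTED + """
libstrongswan {
    plugins {
        pkcs11 {
            modules {
                opensc {
                    path = %s
                }
            }
        }
    }
}
""" % OPENSC


def parse_conf(text):
    """Parse strongswan.conf-style text into nested dicts."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            name = line[:-1].strip()
            stack.append(stack[-1].setdefault(name, {}))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
        else:
            raise ValueError("unparsable line: %r" % raw)
    if len(stack) != 1:
        raise ValueError("unbalanced braces in configuration")
    return root


def lookup(tree, dotted):
    """Return the node at a dotted path, or None if any component is missing."""
    node = tree
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def plugin_setting(tree, daemon, plugin, key):
    """Resolve <daemon>.plugins.<plugin>.<key> with the libstrongswan fallback."""
    for namespace in (daemon, "libstrongswan"):
        value = lookup(tree, "%s.plugins.%s.%s" % (namespace, plugin, key))
        if value is not None:
            return value
    return None


def pkcs11_modules(tree, daemon):
    """Map PKCS#11 module names to library paths as the given daemon sees them."""
    modules = plugin_setting(tree, daemon, "pkcs11", "modules") or {}
    return {name: cfg.get("path") for name, cfg in modules.items()
            if isinstance(cfg, dict)}


if __name__ == "__main__":
    for label, conf in (("as reported", AS_REPORTED), ("fixed", FIXED)):
        tree = parse_conf(conf)
        for daemon in ("charon", "charon-nm"):
            found = pkcs11_modules(tree, daemon) or "no modules"
            print("%-12s %-10s %s" % (label, daemon, found))
```

Running it shows charon resolving the opensc module in both configurations while charon-nm resolves nothing in the reported layout and picks up the module only once it exists under libstrongswan.plugins.pkcs11, which is exactly the difference between the swanctl log and the "no usable smartcard certificate found" failure above. The fallback is per key, so a partial charon-nm.plugins.pkcs11 section still inherits any key it does not set.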