Public bug reported:
I was following the Ubuntu white paper for setting up smart cards
(SmartCardLogin_WhitePapaer_04.03.20.pdf) and ran into an issue with CRL
checking.
Running on 18.04 server minimal install using package version
0.6.9-2build2
I performed the following steps to install and setup:
* Installed the packages required in the white paper
* Added my Root and Intermediate certificates to /etc/pam_pkcs11/cacerts and
ran pkcs11_make_hash_link
* Installed local versions of the CRLs in /etc/pam_pkcs11/crls and ran
pkcs11_make_hash_link
* Copied and unziped the example config file from
/usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz to
/etc/pam_pkcs11/pam_pkcs11.conf
* Modified /etc/pam_pkcs11/pam_pkcs11.conf to use the subject mapper and added
crl_auto to the cert_policy
* Added a subject to the /etc/pam_pkcs11/subject_mapping file
When I try to login as the user I get a segmentation fault and when
running pkcs11_inspect I also get the same fault.
With debugging enabled in the pam config file it tries first to download
the CRLs of the cert and fails it then attempts to use the local crls
and that where it fails.
# pkcs11_inspect
DEBUG:cert_vfy.c:229: looking for and dedicated local crl
If is remove crl_auto from the pam config I can authenticate with the user just
fine but there is no crl checking being done.
If I perform a strace of pkcs11_inspect it looks like it is trying to
load a crl that does not exist and fails. There is a recent patch
upstream that seems to address this issue.
#strace pkcs11_inspect
stat("/etc/pam_pkcs11/cacerts/37f834c3.r0", 0x7ffecea217b0) = -1 ENOENT (No
such file or directory)
stat("/etc/pam_pkcs11/crls/37f834c3.r0", {st_mode=S_IFREG|0644, st_size=1105,
...}) = 0
openat(AT_FDCWD, "/etc/pam_pkcs11/crls/37f834c3.r0", O_RDONLY) = 4
fstat(4, {st_mode=S_IFREG|0644, st_size=1105, ...}) = 0
read(4, "-BEGIN X509 CRL-\nMIIDBjC"..., 4096) = 1105
read(4, "", 4096) = 0
close(4)= 0
stat("/etc/pam_pkcs11/crls/37f834c3.r1", 0x7ffecea217b0) = -1 ENOENT (No such
file or directory)
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
+++ killed by SIGSEGV (core dumped) +++
As seen in the logs it inspects crl 37f834c3.r0 but then tries to inspect
37f834c3.r1 which does not exist.
Here is an upstream bug report
https://github.com/OpenSC/pam_pkcs11/issues/43
Here is an upstream pull request
https://github.com/OpenSC/pam_pkcs11/pull/45
#lsb_release -rd
Descripton:Ubuntu 10.04.5 LTS
Release: 18.04
#apt-cache policy pkgname
libpam-pkcs11:
Installed: 0.6.9-2build2
Candidate: 0.6.9-2build2
Version table:
*** 0.6.9-2build2 500
500 http://us.archive.ubuntu.com/ubuntu bionic/universe amd64 Packages
100 /var/lib/dpkg/status
** Affects: pam-pkcs11 (Ubuntu)
Importance: Undecided
Status: New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1907465
Title:
CRL checking of smart card causes Segmentation Fault
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/pam-pkcs11/+bug/1907465/+subscriptions
--
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs