Bug#1051785: gdm3 won't allow logins when a smartcard with a x.509 credential is plugged in
Paul Tagliamonte
paultag at gmail.com
Tue Sep 12 17:40:46 BST 2023
On Tue, Sep 12, 2023 at 05:27:15PM +0100, Simon McVittie wrote:
> On Tue, 12 Sep 2023 at 10:52:16 -0400, Paul Tagliamonte wrote:
> > I have NSS set up to talk with OpenSC
>
> "NSS" is unfortunately ambiguous in this context. Is this the glibc Name
> Service Switch (the thing that for example libnss-systemd integrates
> with), or Mozilla's Netscape Security Services (libnss3), or some secret
> third thing also named NSS?
Ah, very sorry. libnss3.
I usually use OpenSC in the following configuration:
```
modutil -add "OpenSC" \
-libfile /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
-dbdir sql:$HOME/.pki/nssdb
```
However, when I went to confirm my notes[1] against my running system, I
found it to be in a different state (using onepin-opensc-pkcs11.so,
which is new to me):
| An aside:
|
| [1]: My notes are in the form of manpages for stuff I do infrequently but
| want to remember. Here's a markdown of the YubiKey manpage when I noodle
| with using it in OpenSC mode, in case this is helpful for more
| information: https://gist.github.com/paultag/2c35b62e85a032856c2cb97345c3d24d
|
| That's from 2017, so the world has changed quite a bit, and some of it
| is bad / outdated advice, so I'd just use it to help understand likely
| system configuration rather than best practice -- for instance, don't use
| pkcs#11 for ssh keys anymore pls :)
Related output when using `modutil -list -dbdir sql:$HOME/.pki/nssdb`
I'm seeing a slightly different configuration (hurmm, odd):
```
2. OpenSC smartcard framework (0.22)
library name: /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
uri: pkcs11:library-manufacturer=OpenSC%20Project;library-description=OpenSC%20smartcard%20framework;library-version=0.23
slots: 1 slot attached
status: loaded
slot:
token:
uri: pkcs11:
```
dpkg output from the packages I know about off the top of my head that
would be involved that aren't in the last report:
```
ii  opensc               0.23.0-1   amd64  Smart card utilities with support for PKCS#15 compatible cards
ii  opensc-pkcs11:amd64  0.23.0-1   amd64  Smart card utilities (PKCS#11 module)
ii  libnss3:amd64        2:3.92-1   amd64  Network Security Service libraries
ii  libnss3-dev:amd64    2:3.92-1   amd64  Development files for the Network Security Service libraries
ii  libnss3-tools        2:3.92-1   amd64  Network Security Service tools
ii  libykpiv-dev:amd64   2.2.0-1.1  amd64  Development files for the YubiKey PIV Library
ii  libykpiv2:amd64      2.2.0-1.1  amd64  Library for communication with the YubiKey PIV smartcard
ii  pcscd                2.0.0-1    amd64  Middleware to access a smart card using PC/SC (daemon side)
ii  libccid              1.5.2-1    amd64  PC/SC driver for USB CCID smart card readers
```
--
:wq