Thx for your input, see my replies in-line :
2011/1/30 Martin Paljak <martin@xxxxxxxxxxxxxxxx>
Hello,
On Jan 30, 2011, at 8:20 PM, guy zelck wrote:
> I'm trying to use my Actividentity ACTIVEKEY SIM (a usb stick) in order to authenticate myself in various domains (pam_pkcs11, company vpn, websites via Firefox).
> With the stock opensuse 11.3 setup I couldn't get pkcs11_inspect (from pam_pkcs11 pkg) to work. The sim has a number-only password but I'm never asked for it.
> So I decided to upgrade to all the latest packages.
> Result is that it still doesn't work, neither pksc11_inpspect nor Firefox seem to be happy (the latter freezes for a minute or more).
I've heard that opensuse has Problems with smart card readers and/or openssl, which the same software on Fedora or Ubuntu does not have. Nevertheless, your problems are quite generic.
First, coolkey and OpenSC are different things. You should figure out which one you want to use first. Don't expect same results from different software, even though in theory they could be interchangeable.
As long as one of them works I have no preference. It used to work with coolkey in my older opensuse 11.0 setup so it was logical to use coolkey and from your comments it seems that my Activekey won't work at all with opensc since unsupported.
For a laymen it's not easy to know how all these different parts interact but it's getting a bit clearer.
Â
For a laymen it's not easy to know how all these different parts interact but it's getting a bit clearer.
Â
> Opensuse 11.3 had just recently released rpm packages with all the latest opensc, pcsc-lite, ... versions, including the latest coolkey build (there where some issues : https://bugzilla.novell.com/show_bug.cgi?id=661643#c4).
> I've downloaded the source packages and compiled them to make sure they complied with my system (http://download.opensuse.org/source/distribution/11.3/repo/oss/suse/src/).
>
> These are the packages I've installed :
>
> coolkey-1.1.0-259.1.src.rpm
Either this or OpenSC
Ok.
Â
Â
> engine_pkcs11-0.1.8-8.1.src.rpm
> libp11-0.2.7-17.1.src.rpm
> openct-0.6.20-21.1.src.rpm
Don't use OpenCT, you don't need it.
Ok.
Â
Â
> opensc-0.12.0-27.1.src.rpm
> pam_p11-0.1.5-13.1.src.rpm
> pam_pkcs11-0.6.6-11.1.src.rpm
> pcsc-ccid-1.4.1-18.1.src.rpm
> pcsc-lite-1.6.6-41.1.src.rpm
> pcsc-perl-1.4.11.tar.bz2
> pcsc-tools-1.4.17.tar.gz
>
> The pcscd daemon starts up from withing /etc/init.d but then shuts itself down (light = red) Âand comes on (light = green) on demand since the latest pcsc-lite version and I can get some information using the various tool commands but I'm unable to retrieve the key from it.
pcscd is a lowlevel daemon, it knows nothing about keys or how to retrieve them.
Ok.
> # pkcs11-tool Â--module /usr/lib/libcoolkeypk11.so --list-slots (--pin xxxxxx) supplying pin makes no difference.
Listing slots does not require a PIN so supplying it is not necessary (and must not make a difference)
Ok.
>
> (Why these different results?)
See above. This is expected - they are different packages (without --module pkcs11-tool defaults to /usr/lib/opensc-pkcs11.so, see OpenSC ticket #307 [1]
Ok.
> # opensc-tool -list-readers
> opensc 0.12.0 [gcc Â4.5.0 20100604 [gcc-4_5-branch revision 160292]]
> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
> # Detected readers (pcsc)
> Nr. ÂCard ÂFeatures ÂName
> 0  ÂYes       Activkey Sim 00 00
> Using reader with a card: Activkey Sim 00 00
> APDU too short (must be at least 4 bytes).
>
> Never is there any request for a password at any time
Software does not seem to support your card. Nor should listing smart card readers request a PIN code.
> I've upgrade libusb-1 too :
> libusbmuxd1-1.0.4-1.6.i586
> libusb-0_1-4-0.1.13-6.1.i586
> libusb-1_0-devel-1.0.8-3.9.i586
> libusb-1_0-0-1.0.8-3.9.i586
> libusbmuxd-devel-1.0.4-1.6.i586
> libusb-compat-devel-0.1.3-6.1.i586
I assume everything is working fine on USB level as well as reader level. Your card itself is not supported properly by Coolkey (or at least with OpenSC, which I know better than Coolkey, which I don't know at all)
[1] http://www.opensc-project.org/opensc/ticket/307
--
That's why I'm hoping the coolkey developers can make this work. It would be a pitty having to switch to a different distro just because of this issue. I'll hang on a little longer, sth must come out of this.
Thx for the link to the ticket.
Guy.
Thx for the link to the ticket.
Guy.
_______________________________________________ Coolkey-devel mailing list Coolkey-devel@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/coolkey-devel
