I'm trying to configure the SafeNet eToken 5110 for 2FA login authentication on RHEL7.9.
- Operating System: RHEL Workstation 7.9
- SafeNet Authentication Client 10.7.77.0
My system is air-gapped, and thus will be using a self-signed X509 certificate for local authentication.
However, after loading my certs and configuring my system accordingly, I am able to view my loaded cert on the token via the SafeNet Authentication Client, but pkcs11 does not seem to be able to find/verify my cert when it is used to log in.
Any advice on how to proceed would be greatly appreciated!
I've included my CA cert in /etc/pam_pkcs11/cacerts as well as in /etc/pki/ca-trust/source/anchors.
I've updated the cn_map in /etc/pam_pkcs11/cn_map to map my user (admin) to the common name of my cert (admin) as follows (cn_map):
admin -> admin
Added my module and configured it to use the CN mapper (pam_pkcs11.conf):
#
# Configuration file for pam_pkcs11 module
#
# Version 0.4
# Author: Juan Antonio Martinez <[email protected]>
#
pam_pkcs11 {
# Allow empty passwords
nullok = true;
# Enable debugging support.
debug = true;
# If the smart card is inserted, only use it
card_only = true;
# Do not prompt the user for the passwords but take them from the
# PAM_ items instead.
use_first_pass = false;
# Do not prompt the user for the passwords unless PAM_(OLD)AUTHTOK
# is unset.
try_first_pass = false;
# Like try_first_pass, but fail if the new PAM_AUTHTOK has not been
# previously set (intended for stacking password modules only).
use_authtok = false;
# Filename of the PKCS #11 module. The default value is "default"
use_pkcs11_module = eToken;
screen_savers = "gnome-screensaver", xscreensaver, kscreensaver;
pkcs11_module eToken {
#module = /usr/lib64/libIDPrimePKCS11.so;
module = /usr/lib64/libeTPkcs11.so;
description = "eToken";
slot_num = 0;
support_threads = true;
ca_dir = /etc/pam_pkcs11/cacerts;
nss_dir = /etc/pki/nssdb;
cert_policy = none;
}
# Which mappers ( Cert to login ) to use?
# you can use several mappers:
#
# subject - Cert Subject to login file based mapper
# pwent - CN to getpwent() login or gecos fields mapper
# ldap - LDAP mapper
# opensc - Search certificate in ${HOME}/.eid/authorized_certificates
# openssh - Search certificate public key in ${HOME}/.ssh/authorized_keys
# mail - Compare email fields from certificate
# ms - Use Microsoft Universal Principal Name extension
# krb - Compare against Kerberos Principal Name
# cn - Compare Common Name (CN)
# uid - Compare Unique Identifier
# digest - Certificate digest to login (mapfile based) mapper
# generic - User defined certificate contents mapped
# null - blind access/deny mapper
#
# You can select a comma-separated mapper list.
# If used null mapper should be the last in the list :-)
# Also you should select at least one mapper, otherwise
# certificate will not match :-)
use_mappers = cn;
# When no absolute path or module info is provided, use this
# value as module search path
# TODO:
# This is still not functional: use absolute pathnames or LD_LIBRARY_PATH
mapper_search_path = "/usr/$LIB/pam_pkcs11";
# Assume common name (CN) to be the login
mapper cn {
debug = false;
module = internal;
# module = /usr/$LIB/pam_pkcs11/cn_mapper.so;
ignorecase = false;
mapfile = "file:///etc/pam_pkcs11/cn_map";
}
}
I've also added my module to the NSS database:
# modutil -dbdir /etc/pki/nssdb/ -list
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=NSS%20Internal%20Crypto%20Services;library-version=3.44
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
uri: pkcs11:token=NSS%20Generic%20Crypto%20Services;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
uri: pkcs11:token=NSS%20Certificate%20DB;manufacturer=Mozilla%20Foundation;serial=0000000000000000;model=NSS%203
2. CoolKey PKCS #11 Module
library name: libcoolkeypk11.so
uri: pkcs11:library-manufacturer=Mozilla%20Foundation;library-description=CoolKey%20PKCS%20%2311%20Module%20%20%20%20%20;library-version=1.0
slots: 1 slot attached
status: loaded
slot: VMware Virtual USB CCID 00 00
token:
uri: pkcs11:
3. SafeNet eToken
library name: /usr/lib64/libeTPkcs11.so
uri: pkcs11:library-manufacturer=SafeNet,%20Inc.;library-description=SafeNet%20eToken%20PKCS%2311;library-version=10.7
slots: 8 slots attached
status: loaded
slot: VMware Virtual USB CCID 00 00
token: SafeNet Token
uri: pkcs11:token=SafeNet%20Token;manufacturer=SafeNet,%20Inc.;serial=02956a8d;model=eToken
slot:
token:
uri: pkcs11:
slot:
token:
uri: pkcs11:
slot:
token:
uri: pkcs11:
slot:
token:
uri: pkcs11:
slot:
token:
uri: pkcs11:
slot:
token:
uri: pkcs11:
slot:
token:
uri: pkcs11:
Terminal output of pkcs11_inspect debug:
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:212: ... NSS Complete
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:237: Looking up module in list
DEBUG:pkcs11_lib.c:240: modList = 0x79aae0 next = 0x7a9760
DEBUG:pkcs11_lib.c:241: dllName= <null>
DEBUG:pkcs11_lib.c:240: modList = 0x7a9760 next = 0x7d5b80
DEBUG:pkcs11_lib.c:241: dllName= libcoolkeypk11.so
DEBUG:pkcs11_lib.c:240: modList = 0x7d5b80 next = 0x0
DEBUG:pkcs11_lib.c:241: dllName= libeTPkcs11.so
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:48: PIN = [PASSWORD]
DEBUG:pkcs11_lib.c:768: no certs found found
ERROR:pkcs11_inspect.c:120: get_certificates() failed:
I am expecting that after keying in the correct PIN for the configured token, the cert will be verified and I will be able to log in.
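For checking the cn_map side of this setup once the token's cert becomes visible, here is an added example (not pam_pkcs11's own code): a simplified model of the cn mapper's mapfile lookup that shows how the ignorecase = false setting in the mapper block makes a CN of "Admin" fail to map to the login "admin". It assumes the "key -> login" line format shown in the post and treats '#' lines as comments; the sample subject strings and map entries are constructed.

```python
"""Sanity-check a pam_pkcs11 cn_map file against the CN of a token cert.

Added example, not pam_pkcs11's own code: a simplified model of the cn
mapper's mapfile lookup, useful for spotting a case or whitespace
mismatch before the PAM stack rejects the login.  The "key -> login"
line format is the one used in cn_map; '#' comment handling is assumed.
"""
import re
from typing import List, Optional, Tuple

# Constructed sample mirroring the cn_map shown in the post.
SAMPLE_CN_MAP = """
# cn_map: certificate CN -> local login
admin -> admin
Audit Team  ->  auditor
"""

def parse_cn_map(text: str) -> List[Tuple[str, str]]:
    """Return (cn, login) pairs; blank lines and '#' comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "->" not in line:
            raise ValueError(f"malformed cn_map line: {raw!r}")
        cn, login = (part.strip() for part in line.split("->", 1))
        entries.append((cn, login))
    return entries

def cn_from_subject(subject: str) -> Optional[str]:
    """Extract the CN attribute from a subject written either as
    'CN=admin,O=Lab' or in OpenSSL's '/O=Lab/CN=admin' form."""
    m = re.search(r"(?:^|[,/]\s*)CN=([^,/]+)", subject)
    return m.group(1).strip() if m else None

def map_cn(cn: str, entries, ignorecase: bool = False) -> Optional[str]:
    """Look up the login for a CN: exact match by default (the post's
    ignorecase = false), case-insensitive when ignorecase is enabled."""
    fold = (lambda s: s.lower()) if ignorecase else (lambda s: s)
    for key, login in entries:
        if fold(key) == fold(cn):
            return login
    return None

def check_login(subject: str, cn_map_text: str, expected_login: str,
                ignorecase: bool = False) -> bool:
    """True when the cert's CN maps to the login trying to authenticate."""
    cn = cn_from_subject(subject)
    if cn is None:
        return False
    return map_cn(cn, parse_cn_map(cn_map_text), ignorecase) == expected_login
```

Run check_login("CN=Admin,O=Lab", SAMPLE_CN_MAP, "admin") with and without ignorecase=True to see the case-sensitivity difference.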