Smart card authentication on CentOS

I am trying to implement smart card authentication in a Samba4 domain (Samba AD). Currently I have two domain controllers (CentOS), a file server and several clients (CentOS and Windows). For the smart card, I have a "Téo by Xiring" reader and a "Gemalto IDPrime 510 (.Net V3)" card. I also have the appropriate drivers, and I can authenticate with the smart card on Windows, but I cannot get it to work on CentOS.

CentOS seems to recognize the smart card reader and the card (it shows up in lsusb -v, and inserting the card launches the "Smart Card Manager", but it says the certificate is unknown and the card is not formatted). However, using the libgtop11dotnet module I can read the certificate with pkcs11-tool and even log in with the corresponding PIN (but I have to specify the module). Nevertheless, I still cannot log in to CentOS with the smart card. Even when smart card login is forced, nothing happens. Is a special modification of pam_pkcs11 or Kerberos needed to specify which module to use, or to link the user certificate to the domain user?

All commands such as opensc-tool -n, pklogin_finder debug, pkcs11_inspect debug and pkcs11_listcerts debug return an error.

Commands:

[MYDOMAIN\administrator@Client1 ~]$ pkcs11-tool --module=/usr/local/lib/libgtop11dotnet.so -l -O
Using slot 0 with a present token (0x0)
Logging in to ".NET #514CA4DC28D2DF4D".
Please enter User PIN:
Certificate Object; type = X.509 cert
  label:      a1b062f9-7bfd-af90-3d7e-61cfd2105a0a
  ID:         a1b062f97bfdaf903d7e61cfd2105a0a145fec47
Public Key Object; RSA 2048 bits
  label:      a1b062f9-7bfd-af90-3d7e-61cfd2105a0a
  ID:         a1b062f97bfdaf903d7e61cfd2105a0a145fec47
  Usage:      encrypt, verify
Private Key Object; RSA
  label:      a1b062f9-7bfd-af90-3d7e-61cfd2105a0a
  ID:         a1b062f97bfdaf903d7e61cfd2105a0a145fec47
  Usage:      decrypt, sign


[MYDOMAIN\administrator@Client1 ~]$ modutil -list -dbdir /etc/pki/nssdb
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

         slot: NSS User Private Key and Certificate Services
        token: NSS Certificate DB

  2. libgtop11dotnet
        library name: /usr/local/lib/libgtop11dotnet.so
         slots: 5 slots attached
        status: loaded

         slot: XIRING Teo 00 00
        token: .NET #514CA4DC28D2DF4D

         slot: empty
        token:

         slot: empty
        token:

         slot: empty
        token:

         slot: empty
        token:
-----------------------------------------------------------


[MYDOMAIN\administrator@Client1 ~]$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             XIRING Teo 00 00


[MYDOMAIN\administrator@Client1 ~]$ pcsc_scan
PC/SC device scanner
V 1.4.25 (c) 2001-2011, Ludovic Rousseau <[email protected]>
Compiled with PC/SC lite version: 1.8.8
Using reader plug'n play mechanism
Scanning present readers...
0: XIRING Teo 00 00

Tue Sep 25 07:18:18 2018
Reader 0: XIRING Teo 00 00
  Card state: Card inserted, Shared Mode,
  ATR: 3B 16 96 41 73 74 72 69 64

ATR: 3B 16 96 41 73 74 72 69 64
+ TS = 3B --> Direct Convention
+ T0 = 16, Y(1): 0001, K: 6 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
+ Historical bytes: 41 73 74 72 69 64
  Category indicator byte: 41 (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 16 96 41 73 74 72 69 64
        Gemalto .NET v2.0


[MYDOMAIN\administrator@Client1 ~]$ opensc-tool -n
Using reader with a card: XIRING Teo 00 00
Unsupported card


[MYDOMAIN\administrator@Client1 ~]$ pkcs11_listcerts debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ...  NSS Complete
DEBUG:pkcs11_listcerts.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:235: Looking up module in list
DEBUG:pkcs11_lib.c:238: modList = 0x21a49c0 next = 0x21bf3c0

DEBUG:pkcs11_lib.c:239: dllName= <null>

DEBUG:pkcs11_lib.c:238: modList = 0x21bf3c0 next = 0x0

DEBUG:pkcs11_lib.c:239: dllName= libgtop11dotnet.so

DEBUG:pkcs11_listcerts.c:77: initialising pkcs #11 module...
DEBUG:pkcs11_listcerts.c:94: no token available

Thanks in advance.
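As an added diagnostic helper, not part of the original question: this Python script parses the `modutil -list` listing and the `pkcs11_listcerts debug` log of the kind shown above (both embedded here as constructed, abbreviated samples taken from the post) and reports which loaded PKCS#11 modules expose a present token against what pam_pkcs11 itself reported, so the NSS view and the PAM view can be compared side by side when troubleshooting.

```python
import re

# Constructed sample: abbreviated from the `modutil -list -dbdir /etc/pki/nssdb` output in the post.
MODUTIL_OUTPUT = """\
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services
  2. libgtop11dotnet
        library name: /usr/local/lib/libgtop11dotnet.so
         slots: 5 slots attached
         slot: XIRING Teo 00 00
        token: .NET #514CA4DC28D2DF4D
         slot: empty
        token:
"""

# Constructed sample: abbreviated from the `pkcs11_listcerts debug` output in the post.
PAM_DEBUG_LOG = """\
DEBUG:pkcs11_lib.c:239: dllName= <null>
DEBUG:pkcs11_lib.c:239: dllName= libgtop11dotnet.so
DEBUG:pkcs11_listcerts.c:94: no token available
"""

def parse_modutil(text):
    """Map each module in a modutil listing to its library path and the slots holding a token."""
    modules, current, slot = {}, None, None
    for line in text.splitlines():
        if m := re.match(r"\s*\d+\.\s+(.+)$", line):          # "  2. libgtop11dotnet"
            current = m.group(1).strip()
            modules[current] = {"library": None, "tokens": []}
        elif current and (m := re.match(r"\s*library name:\s*(\S+)", line)):
            modules[current]["library"] = m.group(1)
        elif current and (m := re.match(r"\s*slot:\s*(.*)$", line)):
            slot = m.group(1).strip()                           # "empty" when no card
        elif current and (m := re.match(r"\s*token:\s*(.*)$", line)):
            token = m.group(1).strip()
            if token and slot != "empty":                       # blank token line => no card
                modules[current]["tokens"].append((slot, token))
    return modules

def diagnose(modutil_text, log):
    """Correlate the NSS view (tokens present behind loaded modules, internal module
    excluded) with the pam_pkcs11 debug trace (modules walked, final token status)."""
    present = [(name, slot, token) for name, info in parse_modutil(modutil_text).items()
               if info["library"] for slot, token in info["tokens"]]
    walked = [m.group(1) for m in re.finditer(r"dllName=\s*(\S+)", log) if m.group(1) != "<null>"]
    return {"nss_tokens": present, "pam_modules": walked,
            "pam_no_token": "no token available" in log}
```

Feed it the saved output of both commands from the client: a module listed under `nss_tokens` while `pam_no_token` is true shows that NSS can see the card but the pam_pkcs11 run did not pick up that token.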