pam_pkcs11 - 对等方的证书颁发者已被标记为不受用户信任

pam_pkcs11 - 对等方的证书颁发者已被标记为不受用户信任

每当我尝试通过智能卡使用 PAM 时,pam_pkcs11.so都会收到以下错误:

DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's ceritifacte issuer has been marked as not trusted by the user

我不确定为什么会收到此错误,因为我已从钥匙卡中提取了 CA 的公共证书,并将其作为(验证格式).pem文件放在/etc/pam_pkcs11/cacerts/.完整路径是/etc/pam_pkcs11/cacerts/X_CA_Class_B_03.pem.

我还手动创建了此文件夹中所需的符号链接,但最近通过该工具pkcs11_make_hash_link生成了X5f12asd.0指向我的X_CA_Class_B_03.pem文件的符号链接。

所有这些看起来都很好,所以现在进行配置。

/etc/pam_pkcs11/pam_pkcs11.conf

pam_pkcs11 {
    nullok = true;
    debug = ture;

    use_first_pass = false;

    use_athok = false;

    use_pkcs11_module = externalModule;

    pkcs11_module externalModule {
        module = /opt/extlib/libp11.so;
        description = "My SmartCard lib";

        slot = 2;

        ca_dir = /etc/pam_pkcs11/cacerts;
        crl_dir = /etc/pam_pkcs11/crls;

        cert_policy = ca, crl_off;
        crl_policy = none; # Just for the sake of it
    }

    user_mappers = ldap;

    mapper ldap {
        debug = true;
        module = "/usr/lib64/pam_pkcs11/ldap_mapper.so";

        ldaphost = "10.0.0.3";

        ldapport = ;

        URI = "";

        scope = 2;
        binddn = "dn=admin,dc=server,dc=world";
        paswd = "superSecretPasswort_nonotreally";

        base = "dc=server,dc=world";

        attribute = "userCertificate";
        filter = "(&(objectClass=posixAccount)(uid=%s))"

        ssl = off
    }
}

/etc/pam.d/sudo

auth    required    pam_pkcs11.so debug

我已经设置了一个用户名与证书相匹配的用户主题 x5000UniqueIDSerialNumber领域。
我将其与正确的 pin 和 sudo 结合使用来测试证书设置:

su testclient
sudo ls

这会生成以下输出:

DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_config.c:203: Invalid CRL policy: crl_off 
DEBUG:pkcs11_lib.c:187: Initializing NSS ...
DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:215: ... NSS Complete
DEBUG:pam_pkcs11.c:308: username = [testclient]
DEBUG:pam_pkcs11.c:319: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:227: Looking up module in list
DEBUG:pkcs11_lib.c:239: modList = 0x12412e0 next = 0x0

DEBUG:pkcs11_lib.c:231: dllName= <null>

DEBUG:pkcs11_lib.c:277: loading Module explictly, moduleSpec=<library="/opt/extlib/libp11.so" name="SmartCard"> module=/opt/extlib/libp11.so
DEBUG:pkcs11_lib.c:291: load module complete
DEBUG:pam_pkcs11.c:334: initialising pkcs #11 module...
Smart card found.
Welcome Smart Card!
Smart card PIN: ##########
DEBUG:pkcs11_lib.c:760: cert 0: found (Smart Card: aut + enc), "[email protected],OID.1.3.3.11=#14981257125874433,serialNumber=testclient,CN=Company AB testclient /testclient,givenName=Company AB,SN=testclient,O=Corp,C=COM"
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:95: Loading dynamic module for mapper 'ldap'
DEBUG:ldap_mapper.c:1164: test ssltls = off
DEBUG:ldap_mapper.c:1166: LDAP mapper started.
DEBUG:ldap_mapper.c:1167: debug         = 1
DEBUG:ldap_mapper.c:1168: ignorecase    = 0
DEBUG:ldap_mapper.c:1169: ldaphost      = 10.0.0.3
DEBUG:ldap_mapper.c:1170: ldapport      = 0
DEBUG:ldap_mapper.c:1171: ldapURI       =
DEBUG:ldap_mapper.c:1172: scope         = 2
DEBUG:ldap_mapper.c:1173: binddn        = dn=admin,dc=server,dc=world
DEBUG:ldap_mapper.c:1174: passwd        = superSecretPasswort_nonotreally
DEBUG:ldap_mapper.c:1175: base          = dc=server,dc=world
DEBUG:ldap_mapper.c:1176: attribute     = userCertificate
DEBUG:ldap_mapper.c:1177: uid_attribute = (null)
DEBUG:ldap_mapper.c:1181: filter        = (&(objectClass=posixAccount)(uid=%s))
DEBUG:ldap_mapper.c:1182: searchtimeout = 20
DEBUG:ldap_mapper.c:1183: ssl_on        = 0
DEBUG:ldap_mapper.c:1185: tls_randfile  =
DEBUG:ldap_mapper.c:1186: tls_cacertfile=
DEBUG:ldap_mapper.c:1187: tls_cacertdir =
DEBUG:ldap_mapper.c:1188: tls_checkpeer = -1
DEBUG:ldap_mapper.c:1189: tls_ciphers   =
DEBUG:ldap_mapper.c:1190: tls_cert      =
DEBUG:ldap_mapper.c:1191: tls_key       =
DEBUG:mapper_mgr.c:196: Inserting mapper [ldap] into list
DEBUG:pam_pkcs11.c:551: verifying the certificate #1
verifying certificate
DEBUG:cert_vfy.c:34: Verifying Cert: Smart Card: aut + enc ([email protected],OID.1.3.3.11=#14981257125874433,serialNumber=testclient,CN=Company AB testclient /testclient,givenName=Company AB,SN=testclient,O=Corp,C=COM)
DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user.
ERROR:pam_pkcs11.c:585: verify_certificate() failed:
ERROR:pam_pkcs11.c:646: no valid certificate which meets all requirements found
Error 2336: No matching certificate found
DEBUG:mapper_mgr.c:213: unloading mapper module list
DEBUG:mapper_mgr.c:137: calling mapper_module_end() ldap
DEBUG:mapper_mgr.c:145: unloading module ldap

现在这是很多信息,归结起来基本上是这样的(根据我的理解):

DEBUG:cert_vfy.c:38: Couldn't verify Cert: Peer's certificate issuer has been marked as not trusted by the user.

难道不应该通过从智能卡导出 CA、将其放入/etc/pam_pkcs11/cacerts/并创建正确的符号链接来解决这个问题吗?

(顺便说一句,它实际上连接到我的 LDAP 并预先询问一些东西。这与它有什么关系吗? pam_pkcs11 检查 LDAP 中的 CA 还是?)

我这哪里出错了?

答案1

您需要将证书添加到certutil位于您的案例中的数据库中,/etc/pam_pkcs11/nssdb并在以下位置进行哈希处理/etc/pam_pkcs11/cacerts

certutil -A -n nick_of_my_CA -t "TC,C,T" -d /etc/pam_pkcs11/nssdb -i my_ca.crt

相关内容