
P11_CHILD: Make p11_child iterate over all slots #7817

Status: Open; wants to merge 1 commit into base: master

Conversation

georgij-sudo

Resolves: #5905

@alexey-tikhonov
Member

@spoore1, do we have facilities to test this PR?
IIUC, ideally it requires multiple readers with multiple cards... (see #5905 for RFE description)

@spoore1
Contributor

spoore1 commented Feb 2, 2025

@spoore1, do we have facilities to test this PR? IIUC, ideally it requires multiple readers with multiple cards... (see #5905 for RFE description)

@alexey-tikhonov I might be able to manually test with my card reader and a yubikey but, I don't have two separate readers and cards. And our test systems don't have multiple readers with cards to test this type of scenario. I'm looking into our virtual testing solutions to see if one will work for this.

@alexey-tikhonov
Member

I don't have two separate readers and cards. And our test systems don't have multiple readers with cards to test this type of scenario. I'm looking into our virtual testing solutions to see if one will work for this.

Maybe a combination of physical + virtual readers..?

@alexey-tikhonov
Member

@georgij-sudo, could you please also rebase on the latest 'master'?

@spoore1
Contributor

spoore1 commented Feb 3, 2025

I don't have two separate readers and cards. And our test systems don't have multiple readers with cards to test this type of scenario. I'm looking into our virtual testing solutions to see if one will work for this.

Maybe a combination of physical + virtual readers..?

That may work. I'll look into that today.

@spoore1
Contributor

spoore1 commented Feb 3, 2025

I don't have two separate readers and cards. And our test systems don't have multiple readers with cards to test this type of scenario. I'm looking into our virtual testing solutions to see if one will work for this.

Maybe a combination of physical + virtual readers..?

That may work. I'll look into that today.

Looks like it's working and I think I'm able to easily reproduce the issue. Let me confirm this is indeed the case:

On a Fedora 41 system I have 2 smart cards--1 physical and 1 virtual.

  • The virtual one contains cert/key for localuser1.
  • The physical card contains cert/key for localuser2.
  • The virtual one is listed first by the system
  • The cert for the physical one is mapped in the sssd.conf

Here are the sssd and card configurations:

# cat /etc/sssd/sssd.conf
[sssd]
debug_level = 9
services = nss, pam
domains = shadowutils

[nss]
debug_level = 9

[pam]
debug_level = 9
pam_cert_auth = True

[domain/shadowutils]
debug_level = 9
id_provider = proxy
#local_auth_policy = only
proxy_lib_name = files
local_auth_policy = enable:smartcard

[certmap/shadowutils/localuser2]
debug_level = 9
matchrule = <SUBJECT>.*CN=localuser2*

# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-token-urls
pkcs11:model=PKCS%2315%20emulated;manufacturer=Common%20Access%20Card;serial=000058bd002c19b5;token=localuser1
pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=MyEID

Now if I try to authenticate with the card mapped to localuser2, I see a failure:

# su - localuser2 -c 'su - localuser2 -c whoami'
PIN for localuser1: 
su: Authentication failure

If I stop the virtual card, authentication works:

# systemctl stop virt_cacard_reader1

# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-token-urls
pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=MyEID

# su - localuser2 -c 'su - localuser2 -c whoami'
PIN for MyEID: 
localuser2

Let me know if I missed a step to properly reproduce this. Otherwise, I think I should be able to verify the fix with my current setup.

@alexey-tikhonov
Member

su - localuser2 -c 'su - localuser2 -c whoami'
PIN for localuser1:
su: Authentication failure

huh... but why does it even try to use "cert/key for localuser1"? @sumit-bose, is this currently expected?

I think I should be able to verify the fix with my current setup.

Could you please try with a copr build from this PR?

@spoore1
Contributor

spoore1 commented Feb 3, 2025

su - localuser2 -c 'su - localuser2 -c whoami'
PIN for localuser1:
su: Authentication failure

huh... but why does it even try to use "cert/key for localuser1"? @sumit-bose, is this currently expected?

I just caught that when I was trying to re-run this to grab logs. I used the wrong PIN which explains the failure. I'm not sure about what happens when I use the correct PIN though because I didn't expect it to authenticate. Here's what I'm seeing now:

# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-token-urls
pkcs11:model=PKCS%2315%20emulated;manufacturer=Common%20Access%20Card;serial=000058bd002c19b5;token=localuser1
pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=MyEID

# su - localuser2 -c 'su - localuser2 -c whoami'
PIN for localuser1: 
localuser2

# systemctl stop virt_cacard_reader1

# su - localuser2 -c 'su - localuser2 -c whoami'
PIN for MyEID: 
localuser2

Above, sssd seems to have authenticated the user regardless of which card is used.

I think I should be able to verify the fix with my current setup.

Could you please try with a copr build from this PR?

Trying with the copr build, I see neither card/cert working. And after several tries with the correct PINs, I now see this:

# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-token-urls
pkcs11:model=PKCS%2315%20emulated;manufacturer=Common%20Access%20Card;serial=000058bd002c19b5;token=localuser1
pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=MyEID

# su - localuser2 -c 'su - localuser2 -c whoami'
Please select a certificate by typing the corresponding number

[1]:
Certificate
CN=localuser2

[2]:
CAC ID Certificate
CN=localuser1
1
Certificate ‘01’ selected
PIN for MyEID: 
su: Authentication failure

# su - localuser2 -c 'su - localuser2 -c whoami'
Please select a certificate by typing the corresponding number

[1]:
Certificate
CN=localuser2

[2]:
CAC ID Certificate
CN=localuser1
2
Certificate ‘0001’ selected
PIN for localuser1: 
PIN locked
su: Authentication failure

# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-all-certs --login pkcs11:token=localuser1
Token 'localuser1' with URL 'pkcs11:model=PKCS%2315%20emulated;manufacturer=Common%20Access%20Card;serial=000058bd002c19b5;token=localuser1' requires user PIN
Enter PIN: 
Object 0:
        URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=Common%20Access%20Card;serial=000058bd002c19b5;token=localuser1;id=%00%01;object=CAC%20ID%20Certificate;type=cert
        Type: X.509 Certificate (RSA-2048)
        Expires: Thu Feb  1 08:00:45 2035
        Label: CAC ID Certificate
        ID: 00:01

So the second card listed (the virtual one with token=localuser1) appears as if the PIN is locked. However, when I try directly with p11tool, it works.

@lo1ol
Contributor

lo1ol commented Feb 4, 2025

On my Ubuntu everything works on this commit.

  1. I had two accounts on two different smart cards: [email protected] and [email protected]. On each of them certificate authentication is set up:
$ p11tool --provider /opt/aktivco/rtlogon/lib/librtpkcs11ecp.so --list-token-urls
pkcs11:model=Rutoken%20ECP;manufacturer=Aktiv%20Co.;serial=3ac65cdd;token=Rutoken%20label
pkcs11:model=Rutoken%20ECP;manufacturer=Aktiv%20Co.;serial=3ac67ae9;token=kek3242
$ /usr/libexec/sssd/p11_child --pre --ca_db /etc/rtlogon/ca.pem
0
Rutoken label
/opt/aktivco/rtlogon/lib/librtpkcs11ecp.so
CE9EE843A6A61006
ce9ee843a6a61006
kek3242
/opt/aktivco/rtlogon/lib/librtpkcs11ecp.so
30188F0B1F29ED7F
30188f0b1f29ed7f

I can auth via both certificates:

$ sudo login [email protected]
PIN for Rutoken label:
...
[email protected]@ubuntu:~$ klist
Ticket cache: KEYRING:persistent:943803168:krb_ccache_6L559SB
Default principal: [email protected]

Valid starting       Expires              Service principal
02/04/2025 11:50:22  02/05/2025 11:12:43  krbtgt/[email protected]
$ sudo login [email protected]
PIN for kek3242
...
[email protected]@ubuntu:~$ klist
Ticket cache: KEYRING:persistent:943803169:krb_ccache_d2vuFZm
Default principal: [email protected]

Valid starting       Expires              Service principal
02/04/2025 11:59:26  02/05/2025 11:47:01  krbtgt/[email protected]

Everything is ok if I have 2 certs on different smart cards for the same user:

$ sudo login [email protected]
Please select a certificate by typing the corresponding number

[1]:
b7fc45b4c04e3da3
CN=petya_fedora1,O=RTKN.TEST

[2]:
ce9ee843a6a61006
CN=petya_fedora1,O=RTKN.TEST
1
Certificate ‘B7FC45B4C04E3DA3’ selected
PIN for kek3242:
...
[email protected]@ubuntu:~$ klist
Ticket cache: KEYRING:persistent:943803168:krb_ccache_6L559SB
Default principal: [email protected]

Valid starting       Expires              Service principal
02/04/2025 12:12:03  02/05/2025 11:59:48  krbtgt/[email protected]
$ sudo login [email protected]
Please select a certificate by typing the corresponding number

[1]:
b7fc45b4c04e3da3
CN=petya_fedora1,O=RTKN.TEST

[2]:
ce9ee843a6a61006
CN=petya_fedora1,O=RTKN.TEST
2
Certificate ‘CE9EE843A6A61006’ selected
PIN for Rutoken label:
...
[email protected]@ubuntu:~$ klist
Ticket cache: KEYRING:persistent:943803168:krb_ccache_6L559SB
Default principal: [email protected]

Valid starting       Expires              Service principal
02/04/2025 12:12:53  02/05/2025 11:18:57  krbtgt/[email protected]

I tried to test it on Fedora, but I couldn't auth because of a lot of problems, even when only one smart card was inserted and with sssd from the repos.

On Ubuntu I have sssd 2.9.5 and tested it by replacing only the p11_child executable. I tried to build and install master, but the sssd service doesn't start after that.

@spoore1
Contributor

spoore1 commented Feb 4, 2025

I believe I found the issue with my previous testing. My certmap rule seems to be matching more because of the additional wildcard at the end of the CN in the maprule. Changing this does seem to get me closer to reproducing the issue.

Now I'm seeing this:

# rpm -q sssd
sssd-2.10.2-1.fc41.x86_64

# systemctl stop virt_cacard_reader1

# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; for file in $(ls /var/log/sssd/*.log); do cat /dev/null > $file; done; systemctl start sssd

# su - localuser2 -c 'su - localuser2 -c whoami'                                                          
PIN for MyEID:        
localuser2                          

# systemctl start virt_cacard_reader1

# systemctl stop sssd; rm -rf /var/lib/sss/{db,mc}/*; for file in $(ls /var/log/sssd/*.log); do cat /dev/null > $file; done; systemctl start sssd

# su - localuser2 -c 'su - localuser2 -c whoami'                                                          
Password:                           
Session terminated, killing shell... ...killed.

Here's the sssd.conf now:

# cat /etc/sssd/sssd.conf
[sssd]
debug_level = 9
services = nss, pam
domains = shadowutils

[nss]
debug_level = 9

[pam]
debug_level = 9
pam_cert_auth = True

[domain/shadowutils]
debug_level = 9
id_provider = proxy
#local_auth_policy = only
proxy_lib_name = files
local_auth_policy = enable:smartcard

[certmap/shadowutils/localuser2]
debug_level = 9
matchrule = <SUBJECT>.*CN=localuser2

This is what I see in p11_child.log:

(2025-02-04 10:41:28): [p11_child[17658]] [read_certs] (0x4000): [CID#4] found cert[CAC ID Certificate][/CN=localuser1]
(2025-02-04 10:41:28): [p11_child[17658]] [do_ocsp] (0x0020): [CID#4] No OCSP URL in certificate and no default responder defined, skipping OCSP check.
(2025-02-04 10:41:28): [p11_child[17658]] [do_card] (0x4000): [CID#4] (null) /usr/lib64/pkcs11/opensc-pkcs11.so (null) localuser1 (null) - no label given- 0001.
(2025-02-04 10:41:28): [p11_child[17658]] [do_card] (0x4000): [CID#4] uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.26;slot-description=Virtual%20PCD%2000%2000;slot-manufacturer=;slot-id=0;model=PKCS%2315%20emulated;manufacturer=Common%20Access%20Card;serial=000058bd002c19b5;token=localuser1;id=%00%01;object=CAC%20ID%20Certificate;type=cert.
(2025-02-04 10:41:28): [p11_child[17658]] [do_card] (0x4000): [CID#4] Found certificate has key id [0001].

And I see this in sssd_pam.log:

(2025-02-04 10:41:28): [pam] [parse_p11_child_response] (0x4000): [CID#4] Found token name [localuser1].
(2025-02-04 10:41:28): [pam] [parse_p11_child_response] (0x4000): [CID#4] Found module name [/usr/lib64/pkcs11/opensc-pkcs11.so].
(2025-02-04 10:41:28): [pam] [parse_p11_child_response] (0x4000): [CID#4] Found key id [0001].
(2025-02-04 10:41:28): [pam] [parse_p11_child_response] (0x4000): [CID#4] Found label [CAC ID Certificate].
(2025-02-04 10:41:28): [pam] [parse_p11_child_response] (0x4000): [CID#4] Found cert [MIID...ghRmqgYu7c].
(2025-02-04 10:41:28): [pam] [parse_p11_child_response] (0x1000): [CID#4] Cert [MIID...ghRmqgYu7c] does not match matching rules and is ignored.
(2025-02-04 10:41:28): [pam] [pam_forwarder_cert_cb] (0x4000): [CID#4] try_cert_auth flag set but no certificate available, request finished.
(2025-02-04 10:41:28): [pam] [pam_reply] (0x4000): [CID#4] pam_reply initially called with result [9]: Authentication service cannot retrieve authentication info. this result might be changed during processing
(2025-02-04 10:41:28): [pam] [pam_reply] (0x0400): [CID#4] Local auth policy allowed: smartcard [False], passkey [False]
(2025-02-04 10:41:28): [pam] [pam_reply] (0x0040): [CID#4] Assuming offline authentication setting status for pam call 249 to PAM_SUCCESS.

After upgrading to the PR COPR build, it looks good when only 1 certificate is matched and that is the one mapped:

# rpm -q sssd
sssd-9.pr7817-06062.fc41.x86_64

# systemctl stop virt_cacard_reader1

# p11tool --provider /usr/lib64/opensc-pkcs11.so --list-token-urls
pkcs11:model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=MyEID

# su - localuser2 -c 'su - localuser2 -c whoami'
PIN for MyEID: 
localuser2

However, when running with both cards, I see an authentication failure in p11_child.log:

(2025-02-04 11:55:34): [p11_child[18581]] [main] (0x0400): [CID#2] p11_child started.
(2025-02-04 11:55:34): [p11_child[18581]] [main] (0x2000): [CID#2] Running in [auth] mode.
(2025-02-04 11:55:34): [p11_child[18581]] [main] (0x2000): [CID#2] Running with effective IDs: [998][998].
(2025-02-04 11:55:34): [p11_child[18581]] [main] (0x2000): [CID#2] Running with real IDs [998][998].
(2025-02-04 11:55:37): [p11_child[18581]] [do_card] (0x4000): [CID#2] Module List:
(2025-02-04 11:55:37): [p11_child[18581]] [do_card] (0x4000): [CID#2] common name: [p11-kit-trust].
(2025-02-04 11:55:37): [p11_child[18581]] [do_card] (0x4000): [CID#2] dll name: [/usr/lib64/pkcs11/p11-kit-trust.so].
(2025-02-04 11:55:37): [p11_child[18581]] [do_card] (0x4000): [CID#2] Description [/etc/pki/ca-trust/source] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
(2025-02-04 11:55:37): [p11_child[18581]] [do_card] (0x4000): [CID#2] Description [/usr/share/pki/ca-trust-source] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
(2025-02-04 11:55:37): [p11_child[18581]] [do_card] (0x4000): [CID#2] common name: [opensc].
(2025-02-04 11:55:37): [p11_child[18581]] [do_card] (0x4000): [CID#2] dll name: [/usr/lib64/pkcs11/opensc-pkcs11.so].
(2025-02-04 11:55:37): [p11_child[18581]] [do_card] (0x4000): [CID#2] Description [Virtual PCD 00 00] Manufacturer [] flags [7] removable [true] token present [true].
(2025-02-04 11:55:37): [p11_child[18581]] [do_card] (0x4000): [CID#2] Token label [localuser1].
(2025-02-04 11:55:37): [p11_child[18581]] [do_slot] (0x4000): [CID#2] Found [localuser1] in slot [Virtual PCD 00 00][0] of module [1][/usr/lib64/pkcs11/opensc-pkcs11.so].
(2025-02-04 11:55:37): [p11_child[18581]] [do_slot] (0x4000): [CID#2] Login required.
(2025-02-04 11:55:37): [p11_child[18581]] [do_slot] (0x4000): [CID#2] Token flags [1037].
(2025-02-04 11:55:37): [p11_child[18581]] [do_slot] (0x0040): [CID#2] C_Login failed [5][Internal error].
(2025-02-04 11:55:37): [p11_child[18581]] [main] (0x0020): [CID#2] p11_child failed (5)

And I see "Bad item passed" in the sssd_pam.log:

(2025-02-04 11:55:34): [pam] [pam_initgr_check_timeout] (0x4000): [CID#2] User [localuser2] not found in PAM cache.
(2025-02-04 11:55:34): [pam] [pam_initgr_cache_set] (0x2000): [CID#2] [localuser2] added to PAM initgroup cache
(2025-02-04 11:55:34): [pam] [pam_dom_forwarder] (0x0100): [CID#2] pam_dp_send_req returned 0
(2025-02-04 11:55:34): [pam] [sbus_dispatch] (0x4000): Dispatching.
(2025-02-04 11:55:34): [pam] [pam_dp_send_req_done] (0x0200): [CID#2] received: [29 (Bad item passed to pam_*_item())][shadowutils]
(2025-02-04 11:55:34): [pam] [pam_reply] (0x4000): [CID#2] pam_reply initially called with result [29]: Bad item passed to pam_*_item(). this result might be changed during processing
(2025-02-04 11:55:34): [pam] [pam_reply] (0x0400): [CID#2] Local auth policy allowed: smartcard [True], passkey [False]
(2025-02-04 11:55:34): [pam] [pam_reply] (0x3f7c0): [CID#2] Backend cannot handle Smartcard authentication, trying local Smartcard authentication.
(2025-02-04 11:55:34): [pam] [child_handler_setup] (0x2000): [CID#2] Setting up signal handler up for pid [18581]
(2025-02-04 11:55:34): [pam] [child_handler_setup] (0x2000): [CID#2] Signal handler set up for pid [18581]
(2025-02-04 11:55:34): [pam] [_write_pipe_handler] (0x0400): [CID#2] All data has been sent!
(2025-02-04 11:55:37): [pam] [_read_pipe_handler] (0x0400): [CID#2] EOF received, client finished
(2025-02-04 11:55:37): [pam] [pam_forwarder_cert_cb] (0x0020): [CID#2] No certificate returned, authentication failed.
(2025-02-04 11:55:37): [pam] [pam_reply] (0x4000): [CID#2] pam_reply initially called with result [7]: Authentication failure. this result might be changed during processing
(2025-02-04 11:55:37): [pam] [pam_reply] (0x0400): [CID#2] Local auth policy allowed: smartcard [True], passkey [False]
(2025-02-04 11:55:37): [pam] [pam_reply] (0x0200): [CID#2] blen: 28
(2025-02-04 11:55:37): [pam] [pam_reply] (0x0200): [CID#2] Returning [7]: Authentication failure to the client
(2025-02-04 11:55:37): [pam] [child_sig_handler] (0x1000): [CID#2] Waiting for child [18581].
(2025-02-04 11:55:37): [pam] [child_sig_handler] (0x0020): [CID#2] child [18581] failed with status [1].

@lo1ol
Contributor

lo1ol commented Feb 5, 2025

Maybe there are some problems with the scenario of local authentication and a smart card visible to the opensc module. I will try to check it.

UPD:

  1. The problem is not with the opensc module. I can easily auth with two smart cards in a freeipa domain.
  2. I can confirm the same problem with local user authentication.

I found the problem. During local auth p11_child is called with the --auth flag, and it tries to auth on both smart cards. During domain auth p11_child is called only with the --pre flag, and authentication on the token is performed by someone else (krb5-pkinit?).

I think we have to add a check that the chosen smart card matches the passed token_name and that a cert exists for the passed key_id and label if p11_child is run with the --auth flag.

@alexey-tikhonov
Member

During local auth p11_child is called with the --auth flag.

In both cases - local and backend auth - 'p11_child' is first called in [pre-auth] mode to gather a list of available tokens.
It seems this step works correctly - 2 tokens are found:

[[19078]] [do_card] (0x4000): [CID#2] Token label [localuser1].
[[19078]] [read_certs] (0x4000): [CID#2] found cert[CAC ID Certificate][/CN=localuser1]
[[19078]] [do_slot] (0x4000): [CID#2] (null) /usr/lib64/pkcs11/opensc-pkcs11.so (null) localuser1 (null) - no label given- 0001.
[[19078]] [do_slot] (0x4000): [CID#2] uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.26;slot-description=Virtual%20PCD%2000%2000;slot-manufacturer=;slot-id=0;model=PKCS%2315%20emulated;manufacturer=Common%20Access%20Card;serial=000058bd002c19b5;token=localuser1;id=%00%01;object=CAC%20ID%20Certificate;type=cert.
[[19078]] [do_slot] (0x4000): [CID#2] Found certificate has key id [0001].

[[19078]] [do_card] (0x4000): [CID#2] Token label [MyEID].
[[19078]] [read_certs] (0x4000): [CID#2] found cert[Certificate][/CN=localuser2]
[[19078]] [do_slot] (0x4000): [CID#2] (null) /usr/lib64/pkcs11/opensc-pkcs11.so (null) MyEID (null) - no label given- 01.
[[19078]] [do_slot] (0x4000): [CID#2] uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.26;slot-description=SCM%20Microsystems%20Inc.%20SCR%203310%20%5BCCID%20Interface%5D%20%28533116517135...;slot-manufacturer=Identive;slot-id=8;model=PKCS%2315;manufacturer=Aventra%20Ltd.;serial=7055056447986431;token=MyEID;id=%01;object=Certificate;type=cert.
[[19078]] [do_slot] (0x4000): [CID#2] Found certificate has key id [01].

Then 'sssd_be' applies mapping/matching rules and correctly identifies that "CERT:b8WUf/iAIP" maps to 'localuser2'

Then it calls 'p11_child', this time to authenticate:

ret = check_cert(cctx, cctx->ev, pctx, preq, pd);

->
req = pam_check_cert_send(mctx, ev,

->
DEBUG(SSSDBG_TRACE_ALL, "Adding PKCS#11 URI [%s].\n", uri);

And it tries to auth on both smart cards.

Why both?
It uses a single, but wrong, smart card (probably just the first):

[[19098]] [do_slot] (0x4000): [CID#2] Found [localuser1] in slot [Virtual PCD 00 00][0] of module [1][/usr/lib64/pkcs11/opensc-pkcs11.so].
[[19098]] [do_slot] (0x0040): [CID#2] C_Login failed [5][Internal error].

pam_check_cert_send() should provide all details: --uri, --module_name, --token_name, --key_id, --label
But it doesn't work as expected.
I suggest adding debug messages to log all arguments.

During domain auth p11_child is called only with the --pre flag, and authentication on the token is performed by someone else (krb5-pkinit?).

Correct (if backend is online, otherwise it can still fallback to local auth).
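The slot-selection check discussed in the two comments above (pick the token named by --token_name and require that it actually holds the certificate identified by --key_id/--label before attempting C_Login, instead of logging in to the first token present), as an added illustration in C. This is constructed example code, not sssd's p11_child; the slot/cert structs and the two-card list are hypothetical and modelled on the localuser1/MyEID setup in this thread.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical minimal model of what p11_child sees per slot (constructed
 * for this illustration; not sssd's own structures). */
struct cert_obj {
    const char *key_id;  /* CKA_ID as hex, e.g. "0001" */
    const char *label;   /* CKA_LABEL, e.g. "CAC ID Certificate" */
    const char *subject;
};

struct slot {
    const char *description;  /* slot description, e.g. "Virtual PCD 00 00" */
    const char *token_label;  /* what --token_name carries */
    const struct cert_obj *certs;
    size_t ncerts;
};

/* Constructed to mirror the two-card setup in the thread: the virtual CAC
 * is listed first, the physical MyEID card second. */
static const struct cert_obj virt_certs[] = {
    { "0001", "CAC ID Certificate", "CN=localuser1" },
};
static const struct cert_obj myeid_certs[] = {
    { "01", "Certificate", "CN=localuser2" },
};
static const struct slot slots[] = {
    { "Virtual PCD 00 00", "localuser1", virt_certs, 1 },
    { "SCM Microsystems Inc. SCR 3310", "MyEID", myeid_certs, 1 },
};
#define NSLOTS (sizeof(slots) / sizeof(slots[0]))

/* Case-insensitive compare: the pre-auth output above prints key ids in
 * both upper and lower case, so the comparison must not depend on case. */
static int key_id_equal(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++) {
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    }
    return *a == '\0' && *b == '\0';
}

/* Does this token hold a certificate with the requested key id and, when a
 * label was given, the requested object label? */
static int token_has_cert(const struct slot *s, const char *key_id, const char *label)
{
    for (size_t i = 0; i < s->ncerts; i++) {
        if (key_id != NULL && !key_id_equal(s->certs[i].key_id, key_id))
            continue;
        if (label != NULL && strcmp(s->certs[i].label, label) != 0)
            continue;
        return 1;
    }
    return 0;
}

/* Auth-mode slot selection: walk every slot and pick only the one whose
 * token label equals --token_name AND which holds the cert identified by
 * --key_id / --label. Returns the slot index, or -1 when nothing matches,
 * so the caller never sends the user's PIN to an unrelated token. */
int select_auth_slot(const struct slot *list, size_t n,
                     const char *token_name, const char *key_id, const char *label)
{
    for (size_t i = 0; i < n; i++) {
        if (token_name != NULL && strcmp(list[i].token_label, token_name) != 0)
            continue;  /* a card is present here, but it is not the requested one */
        if (!token_has_cert(&list[i], key_id, label))
            continue;  /* right token name, but the requested cert is not on it */
        return (int)i;
    }
    return -1;
}

int main(void)
{
    int idx = select_auth_slot(slots, NSLOTS, "MyEID", "01", "Certificate");
    printf("requested MyEID/01 -> slot %d (%s)\n", idx,
           idx >= 0 ? slots[idx].description : "none");
    idx = select_auth_slot(slots, NSLOTS, "localuser1", "0001", NULL);
    printf("requested localuser1/0001 -> slot %d\n", idx);
    return 0;
}
```

With the first-token behaviour seen in the logs, the MyEID request would have logged in to slot 0 (localuser1) and failed; with this check it resolves to slot 1, and a request whose key id is not on the named token is refused rather than tried against the wrong PIN counter.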

@lo1ol
Contributor

lo1ol commented Feb 6, 2025

Why both?

I saw it in my logs. I added printing of the args into the log:

(2025-02-05 10:47:58): [p11_child[129798]] [main] (0x0020): [CID#17] Argv: /usr/libexec/sssd/.libs/p11_child --dumpable=1 --debug-microseconds=0 --debug-timestamps=1 --debug-fd=24 --debug-level=0x2f7f0 --pin --auth --label token2 --key_id 1234567890 --token_name Rutoken ECP (User2 PIN) --module_name /usr/lib/aarch64-linux-gnu/pkcs11/opensc-pkcs11.so --verify soft_ocsp,soft_crl --ca_db  /etc/rtlogon/ca.pem --chain-id 17
(2025-02-05 10:47:58): [p11_child[129798]] [do_card] (0x4000): [CID#17] Module List:
(2025-02-05 10:47:58): [p11_child[129798]] [do_card] (0x4000): [CID#17] common name: [p11-kit-trust].
(2025-02-05 10:47:58): [p11_child[129798]] [do_card] (0x4000): [CID#17] dll name: [/usr/lib/aarch64-linux-gnu/pkcs11/p11-kit-trust.so].
(2025-02-05 10:47:58): [p11_child[129798]] [do_card] (0x4000): [CID#17] Description [/etc/ssl/certs/ca-certificates.crt] Manufacturer [PKCS#11 Kit] flags [1] removable [false] token present [true].
(2025-02-05 10:47:58): [p11_child[129798]] [do_card] (0x4000): [CID#17] common name: [opensc-pkcs11].
(2025-02-05 10:47:58): [p11_child[129798]] [do_card] (0x4000): [CID#17] dll name: [/usr/lib/aarch64-linux-gnu/pkcs11/opensc-pkcs11.so].
(2025-02-05 10:47:58): [p11_child[129798]] [do_card] (0x4000): [CID#17] Description [Aktiv Rutoken ECP 00 00] Manufacturer [Aktiv] flags [7] removable [true] token present [true].
(2025-02-05 10:47:58): [p11_child[129798]] [do_card] (0x4000): [CID#17] Token label [Rutoken ECP (User2 PIN)].
(2025-02-05 10:47:58): [p11_child[129798]] [do_slot] (0x4000): [CID#17] Found [Rutoken ECP (User2 PIN)] in slot [Aktiv Rutoken ECP 00 00][0] of module [1][/usr/lib/aarch64-linux-gnu/pkcs11/opensc-pkcs11.so].
(2025-02-05 10:47:58): [p11_child[129798]] [do_slot] (0x4000): [CID#17] Login required.
(2025-02-05 10:47:58): [p11_child[129798]] [do_slot] (0x4000): [CID#17] Token flags [1037].
(2025-02-05 10:47:58): [p11_child[129798]] [read_certs] (0x4000): [CID#17] found cert[token2][/O=RTKN.TEST/CN=petya_ubuntu1]
(2025-02-05 10:47:58): [p11_child[129798]] [do_ocsp] (0x4000): [CID#17] Using OCSP URL [http://ipa-ca.rtkn.test/ca/ocsp].
(2025-02-05 10:47:59): [p11_child[129798]] [do_ocsp] (0x4000): [CID#17] Nonce in OCSP response is the same as the one used in the request.
(2025-02-05 10:47:59): [p11_child[129798]] [do_ocsp] (0x4000): [CID#17] OCSP check was successful.
(2025-02-05 10:47:59): [p11_child[129798]] [do_slot] (0x4000): [CID#17] /usr/lib/aarch64-linux-gnu/pkcs11/opensc-pkcs11.so /usr/lib/aarch64-linux-gnu/pkcs11/opensc-pkcs11.so Rutoken ECP (User2 PIN) Rutoken ECP (User2 PIN) 1234567890 token2 1234567890.
(2025-02-05 10:47:59): [p11_child[129798]] [do_slot] (0x4000): [CID#17] uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project;library-version=0.25;slot-description=Aktiv%20Rutoken%20ECP%2000%2000;slot-manufacturer=Aktiv;slot-id=0;model=PKCS%2315;manufacturer=Aktiv%20Co.;serial=000000003ac67ae9;token=Rutoken%20ECP%20%28User2%20PIN%29;id=%12%34%56%78%90;object=token2;type=cert.
...
(2025-02-05 10:47:59): [p11_child[129798]] [sign_data] (0x4000): [CID#17] Found RSA key using mechanism [66].
(2025-02-05 10:48:01): [p11_child[129798]] [do_slot] (0x4000): [CID#17] Certificate verified and validated.
(2025-02-05 10:48:01): [p11_child[129798]] [do_slot] (0x4000): [CID#17] Found certificate has key id [1234567890].
(2025-02-05 10:48:01): [p11_child[129798]] [do_card] (0x4000): [CID#17] Description [Aktiv Rutoken ECP 01 00] Manufacturer [Aktiv] flags [7] removable [true] token present [true].
(2025-02-05 10:48:01): [p11_child[129798]] [do_card] (0x4000): [CID#17] Token label [Rutoken ECP (User PIN)].
(2025-02-05 10:48:01): [p11_child[129798]] [do_slot] (0x4000): [CID#17] Found [Rutoken ECP (User PIN)] in slot [Aktiv Rutoken ECP 01 00][4] of module [1][/usr/lib/aarch64-linux-gnu/pkcs11/opensc-pkcs11.so].
(2025-02-05 10:48:01): [p11_child[129798]] [do_slot] (0x4000): [CID#17] Login required.
(2025-02-05 10:48:01): [p11_child[129798]] [do_slot] (0x4000): [CID#17] Token flags [1037].
(2025-02-05 10:48:01): [p11_child[129798]] [do_slot] (0x0040): [CID#17] C_Login failed [160][The password or PIN is incorrect]
(2025-02-05 10:48:01): [p11_child[129798]] [main] (0x0020): [CID#17] p11_child failed (1432158273)

I had two certs on two different smart cards for the same account and I can't auth when both are inserted. When I try to auth via one of these smart cards, p11_child fails to auth on the first. When I try to auth via the other smart card, p11_child passes authentication on the first one and fails on the second.

Successfully merging this pull request may close these issues.

[RFE] Continue searching other PKCS#11 tokens if certificates are not found