
Bug#927158: strongswan-nm: charon-nm reports no usable smartcard found despite the smartcard working with charon as called by swanctl


Grizzard, Robert

Apr 15, 2019, 1:10:02 PM
Package: strongswan-nm
Version: 5.7.2-1
Severity: important
Tags: upstream

Dear Maintainer,

When using a YubiKey 4 smartcard device with strongswan configured according to the instructions for smartcard usage (https://wiki.strongswan.org/projects/strongswan/wiki/SmartCards#strongSwan-configuration) with network-manager-strongswan and strongswan-nm, network manager fails to authenticate.
Using the smartcard with swanctl works properly.
Using the same certificate and key that were loaded onto the smartcard with the network manager Authentication option "Certificate/private key" authenticates correctly.

The complete output when using the "Smartcard" option in network manager seen in /var/log/syslog is:
Apr 15 12:31:33 qir9rgyf8 NetworkManager[624]: <info> [1555345893.6013] vpn-connection[0x55af49452780,f8d08eec-0752-4309-9a9a-fc5f27a6d376,"New vpn connection",0]: Saw the service appear; activating connection
Apr 15 12:31:33 qir9rgyf8 charon-nm: 04[CFG] received initiate for NetworkManager connection New vpn connection
Apr 15 12:31:33 qir9rgyf8 charon-nm: 04[CFG] using CA certificate, gateway identity 'openbsd.lan.domain'
Apr 15 12:31:33 qir9rgyf8 NetworkManager[624]: <warn> [1555345893.6077] vpn-connection[0x55af49452780,f8d08eec-0752-4309-9a9a-fc5f27a6d376,"New vpn connection",0]: VPN connection: failed to connect: 'no usable smartcard certificate found.'


The relevant output seen in /var/log/syslog when using swanctl with the smartcard is:
Apr 15 12:43:12 qir9rgyf8 systemd[1]: Started strongSwan IPsec IKEv1/IKEv2 daemon using ipsec.conf.
Apr 15 12:43:12 qir9rgyf8 ipsec[7908]: Starting strongSwan 5.7.2 IPsec [starter]...
Apr 15 12:43:12 qir9rgyf8 charon: 00[DMN] Starting IKE charon daemon (strongSwan 5.7.2, Linux 4.19.0-4-amd64, x86_64)
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG] loaded PKCS#11 v2.20 library 'opensc' (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so)
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG] OpenSC Project: OpenSC smartcard framework v0.19
Apr 15 12:43:12 qir9rgyf8 charon: 00[CFG] found token in slot 'opensc':0 (Yubico YubiKey OTP+FIDO+CCID 00 00)

The contents of /etc/strongswan.d/charon/pkcs11.conf are:
pkcs11 {

    # Whether to load the plugin. Can also be an integer to increase the
    # priority of this plugin.
    load = yes

    # Reload certificates from all tokens if charon receives a SIGHUP.
    # reload_certs = no

    # Whether the PKCS#11 modules should be used for DH and ECDH (see use_ecc
    # option).
    # use_dh = no

    # Whether the PKCS#11 modules should be used for ECDH and ECDSA public key
    # operations. ECDSA private keys can be used regardless of this option.
    # use_ecc = no

    # Whether the PKCS#11 modules should be used to hash data.
    # use_hasher = no

    # Whether the PKCS#11 modules should be used for public key operations, even
    # for keys not stored on tokens.
    # use_pubkey = no

    # Whether the PKCS#11 modules should be used as RNG.
    # use_rng = no

    # List of available PKCS#11 modules.
    modules {

        opensc {

            # Whether to automatically load certificates from tokens.
            # load_certs = yes

            # Whether OS locking should be enabled for this module.
            # os_locking = no

            # Full path to the shared object file of this PKCS#11 module.
            path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

        }

    }

}


-- System Information:
Debian Release: buster/sid
APT prefers testing
APT policy: (500, 'testing'), (3, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-4-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE= (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages strongswan-nm depends on:
ii libc6 2.28-8
ii libglib2.0-0 2.58.3-1
ii libnm0 1.14.6-2
ii libstrongswan 5.7.2-1
ii strongswan-libcharon 5.7.2-1

Versions of packages strongswan-nm recommends:
ii network-manager-strongswan 1.4.4-2

strongswan-nm suggests no packages.

-- no debconf information

robert....@quoininc.com

Apr 16, 2019, 9:20:03 AM
On Tuesday, April 16, 2019 4:01:57 AM EDT Tobias Brunner wrote:

Hi Tobias,

> Configure the plugin's settings directly in
> strongswan.conf in the charon-nm.plugins.pkcs11 section (or set them in
> the libstrongswan section so they apply to both daemons).

Copying the pkcs11 configuration from /etc/strongswan.d/charon/pkcs11.conf to
the libstrongswan.plugins.pkcs11 section in strongswan.conf solved the
problem.

Many thanks,
--
RG
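The thread resolves once the pkcs11 settings are moved out of the charon-only drop-in and into a section charon-nm actually consults. The following is an added example, not code from the thread or from strongSwan: a small parser for the strongswan.conf brace syntax shown above, plus a lookup that mirrors the order Tobias' reply describes (the daemon's own section first, then libstrongswan as the shared fallback). The two configs embedded in it are constructed stand-ins: one with the module only under charon, as /etc/strongswan.d/charon/pkcs11.conf contributes it, and one with the same settings under libstrongswan.plugins.pkcs11. The function names and the assumption that no other fallback exists between charon-nm and charon are this example's own.

```python
def parse_strongswan_conf(text):
    """Parse the nested 'section { key = value }' syntax of strongswan.conf.

    Returns nested dicts: sections map to dicts, settings to strings.
    Comments (# ...) and blank lines are ignored. Assumed simplification:
    no 'include' directives and no '#' inside values.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
        elif line.endswith("{"):
            name = line[:-1].strip()
            stack.append(stack[-1].setdefault(name, {}))
        elif "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            stack[-1][key] = value
    return root


def lookup(tree, dotted_key):
    """Walk a dotted path such as 'charon.plugins.pkcs11.load'."""
    node = tree
    for part in dotted_key.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def resolve(tree, daemon, key):
    """Resolve a setting the way the reply above describes: the daemon's own
    section ('charon' or 'charon-nm') first, then 'libstrongswan', which
    applies to every daemon. Anything else is assumed not to be consulted."""
    for namespace in (daemon, "libstrongswan"):
        value = lookup(tree, f"{namespace}.{key}")
        if value is not None:
            return value
    return None


# Constructed: what the charon drop-in from the report contributes, i.e. the
# module is defined only under the 'charon' section.
CHARON_ONLY = """
charon {
    plugins {
        pkcs11 {
            load = yes
            modules {
                opensc {
                    path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
                }
            }
        }
    }
}
"""

# Constructed: the same settings placed under libstrongswan, the fix the
# reporter confirmed.
LIBSTRONGSWAN_FIX = """
libstrongswan {
    plugins {
        pkcs11 {
            load = yes
            modules {
                opensc {
                    path = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
                }
            }
        }
    }
}
"""

MODULE_PATH_KEY = "plugins.pkcs11.modules.opensc.path"


def pkcs11_module_path(conf_text, daemon):
    """Which PKCS#11 module path (if any) the given daemon would see."""
    return resolve(parse_strongswan_conf(conf_text), daemon, MODULE_PATH_KEY)


if __name__ == "__main__":
    for label, conf in (("charon-only", CHARON_ONLY), ("libstrongswan", LIBSTRONGSWAN_FIX)):
        for daemon in ("charon", "charon-nm"):
            print(f"{label:14s} {daemon:10s} -> {pkcs11_module_path(conf, daemon)}")
```

Running it shows the asymmetry behind the report: with the charon-only placement, charon finds the opensc module and logs the token, while charon-nm resolves nothing and has no token to search, which matches the "no usable smartcard certificate found" failure; with the libstrongswan placement both daemons resolve the same path.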

Yves-Alexis Perez

Apr 16, 2019, 12:40:03 PM

On Tue, 2019-04-16 at 09:15 -0400, robert....@quoininc.com wrote:
> > Configure the plugin's settings directly in
> > strongswan.conf in the charon-nm.plugins.pkcs11 section (or set them in
> > the libstrongswan section so they apply to both daemons).
>
> Copying the pkcs11 configuration from /etc/strongswan.d/charon/pkcs11.conf to
> the libstrongswan.plugins.pkcs11 section in strongswan.conf solved the
> problem.

Thanks Tobias for providing the help.

Robert, since it doesn't seem to be a bug in strongSwan in the end, I'm
closing the bug.

Regards,
--
Yves-Alexis