IDM authentication using Gemalto C700 pinpad reader and HSM smart card challenges RHEL8.2

Hello Folks!

I am struggling to get IdM working using a Gemalto C700 pinpad reader and an HSM smart card for user authentication on RHEL8 clients.

Here is what happens:
1. GDM shows a list of users who have logged in before.
2. You insert the smart card in card reader.
3. GDM blanks out and card reader LCD display asks you for PIN.
4. You enter the PIN using the card reader pinpad, press OK and get "pin OK" on the LCD display.
5. GDM now prompts you for the PIN once again; you can enter any number, it does not matter, and hit Enter.
6. The card reader again asks you for the PIN on the LCD display.
7. You enter the PIN on the card reader pinpad and get "pin OK".
8. You are now logged in.

Why is GDM asking for a PIN after the PIN has already been entered successfully?

If we disable the pinpad in opensc.conf, then there are no additional questions about PIN codes; you are logged in directly.

We have reproduced exactly the same behaviour on five RHEL8 client installations, as well as on two Fedora 32 and one Linux Mint installation.

All software is updated to the latest versions, RHEL8.2.

We have analyzed the logs and can see that the PIN entered in step 4 above is received by IdM (visible in the Kerberos logs), as is the one from step 7.
We also made all kinds of tests validating the configuration.

Has anyone seen this behaviour before?

I will add all the details on how we set it up later; here are some highlights:

All clients use IdM as their primary DNS; all clients and the server use chrony.

Readers are detected correctly, as are the certificates on the cards; they are all mapped and discovered by IdM. "Login" tests on all cards are working.

The HSM smart cards are initialized with an SO PIN and a PIN in DKEK shares, and a 2048-bit RSA key pair in the HSM.
To use the HSM card with OpenSSL, a CSR was created using the HSM card, added to one unique user in IdM, then retrieved as signed by IdM and written back to the HSM card again. (Each user has its own certificate, which IdM successfully maps at all times.)

On the IdM server we executed the following, and also ran the script it generated on the server:
ipa-advise config-server-for-smart-card-auth

On the IdM server we executed the following, and ran the script it generated on each client:
ipa-advise config-client-for-smart-card-auth
We manually confirmed each step from the scripts as well.
And we added "pam_cert_auth = True" to /etc/sssd/sssd.conf
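For readers following this thread, here is how the two settings mentioned above look in place. This is an added illustration, not the poster's actual configuration files; the section placement in sssd.conf follows the SSSD manual page, and the `enable_pinpad` key under `app default` is the OpenSC option that controls pinpad use, but the rest of each file is assumed.

```ini
# /etc/sssd/sssd.conf (fragment, illustrative)
# pam_cert_auth belongs in the [pam] section, not [sssd] or a domain section.
[pam]
pam_cert_auth = True

# /etc/opensc.conf (fragment, illustrative; OpenSC uses a brace-delimited syntax)
# Setting enable_pinpad to false makes OpenSC ignore the reader's pinpad, so the
# PIN is typed on the host keyboard and passed through GDM/SSSD instead. That
# avoids the double prompt described above but gives up the pinpad's property
# that the PIN never transits the host, so a compromised host could capture it.
app default {
    enable_pinpad = false;
}
```

Treat the opensc.conf change as a diagnostic step rather than a fix: if the double prompt disappears with the pinpad disabled, the issue lies in how the PAM stack handles the pinpad-driven PIN entry, not in the certificate mapping, which the poster reports as working.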