Bugzilla – Full Text Bug Listing
| Summary: | openct: ownership mismatch between openct.conf and HAL | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE 11.4 | Reporter: | Hans Witvliet <hwit> |
| Component: | Hotplug | Assignee: | Stanislav Brabec <sbrabec> |
| Status: | RESOLVED FIXED | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Major | ||
| Priority: | P3 - Medium | CC: | luizluca, meissner, pkeller |
| Version: | RC 1 | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | openSUSE 11.3 | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
This is still broken in 11.3, which means that these devices do not work out of the box as they used to. This makes this problem an openSUSE regression that should be fixed (and as the OP has pointed out the fix is trivial). One minor point is that doing 'chmod o-r' on the device means that the device doesn't show up in the output of 'lsusb' for ordinary users. The source of the file /usr/lib/hal/hald-addon-openct in the OpenSC distribution is the template file etc/openct.hald.in. As far as I can see hal rather than DeviceKit is still being used for this in 11.3.

This isn't a kernel issue.

If by that, you mean that it has been assigned to the wrong component and/or has the wrong assignee, why not change it? I doubt that the OP would mind, especially if it increases the chances of this bug being eventually fixed.

I think that these corrections are best made by Novell insiders :-)

How does it work in openSUSE 11.4 or older 11.x with packages from the security:chipcard OBS project? The openct infrastructure changed there a lot, and it migrated to udev.

Thanks for the pointer - I can see that openct in security:chipcard is now at 0.6.20. I don't have the time right now to try this out, but I will certainly give it a go with 11.4 and report back, hopefully before the official release :-)

A colleague has made an installation of 11.4-RC1, so I piggy-backed on this to try this out with a Rainbow iKey3000.
I installed the following packages (these are the ones that are required on 11.3):

libpcsclite1 pcsc-openct pkcs11-helper pcsc-lite libopensc2 libpkcs11-helper1 opensc libopenct1 openct engine_pkcs11 openct-devel

dmesg was OK:

[ 1550.113980] usb 3-1: new low speed USB device using uhci_hcd and address 6
[ 1550.268007] usb 3-1: New USB device found, idVendor=04b9, idProduct=1300
[ 1550.268011] usb 3-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0
[ 1550.268014] usb 3-1: Product: iKey 3000 Series Token

lsusb worked (even as a normal user - good!):

Bus 003 Device 006: ID 04b9:1300 Rainbow Technologies, Inc. iKey 3000 Token

but "openct-tool list" and "opensc-tool -l" both gave nothing. /var/log/messages contained this:

Feb 21 15:04:51 bijvoet kernel: [ 1550.113980] usb 3-1: new low speed USB device using uhci_hcd and address 6
Feb 21 15:04:51 bijvoet kernel: [ 1550.268007] usb 3-1: New USB device found, idVendor=04b9, idProduct=1300
Feb 21 15:04:51 bijvoet kernel: [ 1550.268011] usb 3-1: New USB device strings: Mfr=0, Product=1, SerialNumber=0
Feb 21 15:04:51 bijvoet kernel: [ 1550.268014] usb 3-1: Product: iKey 3000 Series Token
Feb 21 15:04:51 bijvoet mtp-probe: checking bus 3, device 6: "/sys/devices/pci0000:00/0000:00:1a.0/usb3/3-1"
Feb 21 15:04:51 bijvoet mtp-probe: bus: 3, device: 6 was not an MTP device
Feb 21 15:04:52 bijvoet pcscd: dyn_unix.c:81:DYN_GetAddress() IFDHCreateChannelByName: /usr/lib64/readers/openct-ifd.bundle/Contents/Linux/openct-ifd.so: undefined symbol: IFDHCreateChannelByName
Feb 21 15:04:52 bijvoet pcscd: readerfactory.c:962:RFInitializeReader() Open Port 0x200000 Failed (usb:04b9/1300:libusb-1.0:3:6)
Feb 21 15:04:52 bijvoet pcscd: readerfactory.c:273:RFAddReader() Rainbow iKey 3000 init failed.
Feb 21 15:04:52 bijvoet pcscd: utils.c:95:CheckForOpenCT() Remove OpenCT and try again

I then tried installing the libchipcard package, but this made no difference. Is this still genuine breakage, or are further packages required?
After more investigation it would seem:

(1) The migration of OpenCT to udev was not done properly. It will never work out of the box in the state in which openSUSE now distribute it.

(2) OpenCT seems to be deprecated anyway (in openSUSE 11.4 OpenSC is compiled without OpenCT support; openSSH can no longer use engine_pkcs11 to communicate with OpenCT).

Someone should make a decision about whether to fix OpenCT or drop it from the distro entirely. I will try to open a new request for this for a more appropriate component.

New rant: bug 681680

Is there anyone still dealing with this bug?
It is still present in 13.1 RC2.
openct uses the user scard/group scard. However, the usb devices are not readable/writable by this user. So, openct always fails.
2013-11-07T17:16:27.983943-02:00 tresc031501 ifdhandler[15838]: Unable to open USB device /dev/bus/usb/001/011: Permission denied
2013-11-07T17:16:27.984205-02:00 tresc031501 ifdhandler[15838]: usb:/dev/bus/usb/001/011: initialization failed (driver ccid)
2013-11-07T17:16:27.984441-02:00 tresc031501 ifdhandler[15838]: unable to open reader ccid usb /dev/bus/usb/001/011
2013-11-07T17:16:27.985665-02:00 tresc031501 ifdhandler[15840]: Unable to open USB device /dev/bus/usb/001/017: Permission denied
2013-11-07T17:16:27.985904-02:00 tresc031501 ifdhandler[15840]: usb:/dev/bus/usb/001/017: initialization failed (driver etoken64)
2013-11-07T17:16:27.986177-02:00 tresc031501 ifdhandler[15840]: unable to open reader etoken64 usb /dev/bus/usb/001/017
udev rule must be updated to add permissions to scard user/group.
As a workaround, I added scard to root user and updated /etc/openct.conf with:
ifdhandler {
groups = {
- scard,
+ scard,root,
};
};
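Review bot: on the `+ scard,root,` line, adding `root` to `groups` gives ifdhandler the root group for everything it touches, not just the reader, which undercuts running it as the scard user in the first place. Keep `groups` at `scard,` and fix the device side instead, as the comment itself says ("udev rule must be updated to add permissions to scard user/group"), so the USB node is readable and writable by scard; if the workaround stays as a stopgap, add a comment in openct.conf saying why root is listed and that it should be removed once the udev rule is corrected.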
This issue should be fixed in 13.2+ as per the added patch. The automatic system will send the notification about it here soon.
User-Agent: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1.7) Gecko/20100106 Ubuntu/9.10 (karmic) Firefox/3.5.7

Prior to 11.0 (eg: 10.3) the (relevant top) lines from /etc/openct.conf read:

# Path to ifdhandler
ifdhandler = /usr/sbin/ifdhandler;

Since 11.0 (and still in 11.2) this has been changed into:

ifdhandler {
    program = /usr/sbin/ifdhandler ;
    #
    # Safe to disable force_poll:
    # >=linux-2.6.27.14
    # >=linux-2.6.28.3
    #
    force_poll = 1;
    user = scard;
    groups = {
        scard,
    };
};

When plugging in an etoken (smartcard + usb-reader) one gets the error in syslog:

Feb 11 14:04:15 wt8510w ifdhandler[7409]: Unable to open USB device /dev/bus/usb/007/005: Permission denied
Feb 11 14:04:15 wt8510w ifdhandler[7409]: usb:/dev/bus/usb/007/005: initialization failed (driver etoken64)
Feb 11 14:04:15 wt8510w ifdhandler[7409]: unable to open reader etoken64 usb /dev/bus/usb/007/005

The reason for this is that in the corresponding HAL file, permissions are not set: in /usr/lib/hal/hald-addon-openct the corresponding two lines (19,20) are still commented out.

Reproducible: Always

Steps to Reproduce:
1. Insert etoken (aladdin, or omnikey)
2. issue any opensc commands, like cardos-info
3. watch syslog

Actual Results:
Unable to open USB device /dev/bus/usb/007/005: Permission denied
usb:/dev/bus/usb/007/005: initialization failed (driver etoken64)
unable to open reader etoken64 usb /dev/bus/usb/007/005

1) either DO NOT SET the owner in /etc/openct.conf (putting the line in #comment solves the problem)
2) or uncomment lines 19,20 in /usr/lib/hal/hald-addon-openct (chmod and chown) that works as well.
3) Andreas Jellinghaus (from opensc) strongly recommends an upgrade to the latest version: default 0.6.17-3.1, on the OBS is 0.16.17-21.3 available, while openct 0.6.20 has been released.

I've raised severity to "major", as security-tokens don't work any more without either change (1 or 2) above. (as said, in 10.3, the user was NOT set)

For current versions (11.0 / 11.2) a security patch should be not that difficult, either a new /etc/openct.conf or /usr/lib/hal/hald-addon-openct

I understand that for the upcoming 11.3 the use of "hal" is depreciated...
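
A check for the mismatch this report describes, as an added example that is not part of the bug report or of openct: it reads `user` and `groups` from an `ifdhandler` block and decides whether that identity could open a device node read-write. The function names, the trimmed sample configuration and the owner/group/mode values are constructed for illustration, and only groups listed in the configuration are considered.

```python
import re
import stat

# Constructed sample: the ifdhandler block quoted in the report (comments trimmed).
SAMPLE_CONF = """
ifdhandler {
    program = /usr/sbin/ifdhandler;
    user = scard;
    groups = {
        scard,
    };
};
"""

def parse_ifdhandler(conf):
    """Return (user, groups) from the ifdhandler block; (None, []) if not set."""
    text = re.sub(r"#.*", "", conf)  # a commented-out 'user' line counts as unset
    block = re.search(r"ifdhandler\s*\{(.*)\}\s*;", text, re.S)
    if not block:
        return None, []  # pre-11.0 style: 'ifdhandler = /path;' has no block
    body = block.group(1)
    user = re.search(r"\buser\s*=\s*([\w-]+)\s*;", body)
    groups = re.search(r"\bgroups\s*=\s*\{([^}]*)\}", body)
    names = groups.group(1).split(",") if groups else []
    return (user.group(1) if user else None), [g.strip() for g in names if g.strip()]

def can_open_rw(user, groups, owner, group, mode):
    """POSIX class selection: owner bits, else group bits, else other bits."""
    if user == "root":
        return True
    if user == owner:
        need = stat.S_IRUSR | stat.S_IWUSR
    elif group in groups:
        need = stat.S_IRGRP | stat.S_IWGRP
    else:
        need = stat.S_IROTH | stat.S_IWOTH
    return (mode & need) == need

def audit(conf, owner, group, mode):
    """Classify a device node against the identity configured for ifdhandler."""
    user, groups = parse_ifdhandler(conf)
    if user is None:
        return "no user set"
    return "ok" if can_open_rw(user, groups, owner, group, mode) else "mismatch"

if __name__ == "__main__":
    # Constructed device-node states: (owner, group, mode)
    for node in [("root", "root", 0o664), ("root", "scard", 0o660)]:
        print(node[0], node[1], oct(node[2]), "->", audit(SAMPLE_CONF, *node))
```

A `mismatch` result corresponds to the `Permission denied` lines in the syslog excerpts; `no user set` corresponds to option 1 in the report, where the owner line is commented out.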