https://bugzilla.novell.com/show_bug.cgi?id=681680

https://bugzilla.novell.com/show_bug.cgi?id=681680#c0

Summary: OpenCT problems: missing udev rules file, ownership of device inconsistent with uid/gid of ifdhandler process, OpenSC support missing, OpenSSH support broken
Classification: openSUSE
Product: openSUSE 11.4
Version: Final
Platform: x86-64
OS/Version: openSUSE 11.4
Status: NEW
Severity: Normal
Priority: P5 - None
Component: Other
AssignedTo: bnc-team-screening@forge.provo.novell.com
ReportedBy: pkeller@globalphasing.com
QAContact: qa@suse.de
Found By: ---
Blocker: ---

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0b12) Gecko/20110222 Firefox/4.0b12

This is a follow on from the discussion in bug 580144 and the suggestion to look at more recent versions of the chipcard project. The reason that I have filed one bug for these issues is because IMHO the regression since 11.3 is so severe that the real question is whether there is any point in keeping OpenCT in the default openSUSE repositories at all.

OpenCT used hal in 11.3, but uses udev in 11.4. According to the udev setup information at http://www.opensc-project.org/openct/wiki/OperatingSystems the file /etc/udev/rules.d/50-openct.rules is required, but is missing from the current distribution. This stops OpenCT functioning.

Manually adding the file by copying etc/openct.udev from the source RPM allows the ifdhandler process to start when a compatible smartcard is inserted, but we then hit the same issue as described in bug 580144 which is that the device created in /dev/bus/usb/ is owned by root:root, but the configuration in /etc/openct.conf specifies that the ifdhandler process runs as scard:scard. For the purposes of experimentation, this can be fixed by the following change to /lib/udev/rules.d/openct_usb:

--- openct_usb.orig 2011-03-22 12:07:32.117000002 +0000 +++ openct_usb 2011-03-22 12:08:33.619007414 +0000 
@@ -3,6 +3,8 @@ # maybe udev passes the device name to us. if [ -n "$1" ]; then DEVNAME="$1" + chown scard:scard "$DEVNAME" + chmod o-r "$DEVNAME" fi [ -n "$DEVPATH" ] || exit 0

Now OpenCT works in the sense that 'openct-tool list' and 'openct-tool -r 0 atr' give the correct output:

guest@linux-lx7d:~> openct-tool list
  0 Rainbow iKey 3000
guest@linux-lx7d:~> openct-tool -r 0 atr
Detected Rainbow iKey 3000
Card present, status changed
ATR: 3b b7 94 00 81 31 fe 65 53 50 4b 32 33 90 00 d1

In 11.3, once the card was recognised by OpenCT, it could be used with OpenSC and OpenSSH (in conjunction with engine_pkcs11). In 11.4, OpenSC has not been compiled with OpenCT support:

guest@linux-lx7d:~/openct-0.6.20/etc> opensc-tool -i
opensc 0.12.0 [gcc 4.5.1 20101208 [gcc-4_5-branch revision 167585]]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

Compare with the output from 11.3:

[bernoulli]~-560 > opensc-tool -i
opensc 0.11.13 [gcc 4.5.0 20100604 [gcc-4_5-branch revision 160292]]
Enabled features: zlib readline iconv openssl openct pcsc(/usr/lib64/libpcsclite.so.1) nsplugin

Attempting to install and use pcscd (package pcsc-lite) to access the card also fails, and according to this post on the MUSCLE card mailing list it is also due to OpenCT not behaving correctly:

http://lists.drizzle.com/pipermail/muscle/2011-March/008832.html

In 11.3, a private key on an OpenCT-compatible smartcard could be used with OpenSSH (version 5.4p1) out of the box by doing:

ssh -v -I /usr/lib64/engines/engine_pkcs11.so ....

or

ssh-add -s /usr/lib64/engines/engine_pkcs11.so

In 11.4 (OpenSSH version 5.8p1), we get the following error message in /var/log/messages or the output of 'ssh -v' when trying this:

Mar 22 15:24:25 linux-lx7d ssh-pkcs11-helper[3029]: error: dlsym(C_GetFunctionList) failed: /usr/lib64/engines/engine_pkcs11.so: undefined symbol: C_GetFunctionList

Sorry to go on at such length, but as I said I am wondering why OpenCT is in the distribution at all now.
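Review bot: in the openct_usb hunk above, the added chown and chmod sit inside the `if [ -n "$1" ]` branch, so they run only when the device name is passed as the first argument; if DEVNAME is set some other way, the node keeps its root:root ownership. `chmod o-r` also clears only the read bit for others and leaves a write bit in place if one is set, and neither command's exit status is checked. Suggest moving the ownership change to after DEVNAME is settled, setting an explicit mode rather than a relative one, and not hardcoding scard:scard separately from the user and group configured in /etc/openct.conf.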
Comments anyone?

Reproducible: Always
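The ssh-pkcs11-helper error in the report is a failed dlsym lookup of C_GetFunctionList in the file passed to ssh -I / ssh-add -s. As an added example (not part of the original report and not OpenSSH or OpenCT code), the script below reads a shared object's dynamic symbol table without loading it and reports whether that symbol is exported; the function names and the sample ELF image are constructed for illustration, and only little-endian ELF64 files with section headers are handled.

```python
import struct
import sys
from pathlib import Path

SHT_DYNSYM = 11
PKCS11_ENTRY = "C_GetFunctionList"  # symbol named in the dlsym error
SHDR, SYM = "<IIQQQQIIQQ", "<IBBHQQ"  # ELF64 section header / symbol layouts

def exported_symbols(data):
    """Names defined in .dynsym of a little-endian ELF64 image (not loaded)."""
    if data[:6] != b"\x7fELF\x02\x01":
        raise ValueError("not a little-endian ELF64 file")
    (shoff,) = struct.unpack_from("<Q", data, 0x28)
    shentsize, shnum = struct.unpack_from("<HH", data, 0x3A)
    secs = [struct.unpack_from(SHDR, data, shoff + i * shentsize) for i in range(shnum)]
    names = set()
    for sec in secs:
        if sec[1] != SHT_DYNSYM or sec[6] >= len(secs):
            continue
        strsec = secs[sec[6]]  # sh_link points at the string table
        strtab = data[strsec[4]:strsec[4] + strsec[5]]
        for off in range(sec[4], sec[4] + sec[5], sec[9] or 24):
            st_name, _, _, st_shndx, _, _ = struct.unpack_from(SYM, data, off)
            end = strtab.find(b"\0", st_name)
            name = strtab[st_name:end if end >= 0 else len(strtab)]
            if st_shndx != 0 and name:  # shndx 0 = SHN_UNDEF: imported, not exported
                names.add(name.decode("ascii", "replace"))
    return names

def build_sample_elf(defined):
    """Constructed sample image: ELF64 header, .dynsym and .dynstr only."""
    strtab = b"\0" + b"".join(n.encode() + b"\0" for n in defined)
    syms, pos = b"\0" * 24, 1
    for n in defined:
        syms += struct.pack(SYM, pos, 0x12, 0, 1, 0, 0)  # GLOBAL FUNC, defined
        pos += len(n) + 1
    str_off = 64 + len(syms)
    hdr = struct.pack("<16sHHIQQQIHHHHHH", b"\x7fELF\x02\x01\x01", 3, 62, 1,
                      0, 0, str_off + len(strtab), 0, 64, 0, 0, 64, 3, 0)
    sh = bytes(64) + struct.pack(SHDR, 0, SHT_DYNSYM, 0, 0, 64, len(syms), 2, 1, 8, 24)
    sh += struct.pack(SHDR, 0, 3, 0, 0, str_off, len(strtab), 0, 0, 1, 0)
    return hdr + syms + strtab + sh

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. the .so given to ssh -I or ssh-add -s
        print(path, PKCS11_ENTRY, PKCS11_ENTRY in exported_symbols(Path(path).read_bytes()))
```

Run it with one or more shared-object paths as arguments; each line of output ends in True or False for the C_GetFunctionList export.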