What Should I Push On?

Douglas E. Engert deengert at anl.gov
Fri May 4 09:57:37 EDT 2012



On 5/3/2012 11:18 PM, Greg Hudson wrote:
> On 05/03/2012 08:52 PM, Henry B. Hotz wrote:
>> [5571] 1336088306.8828: Selected etype info: etype aes256-cts, salt "SC.JPL.NASA.GOVhotz", params "
>> CoolKey PIN:
>> [5571] 1336088310.707006: Preauth module pkinit (16) (flags=1) returned: 12/Cannot allocate memory
>> [5571] 1336088310.708361: Preauth module pkinit (15) (flags=1) returned: 12/Cannot allocate memory
>
> That almost certainly indicates a bug--either in our code, the
> Scientific Linux packaging of it, or the PKCS11 library invoked for the
> PIV card.


What version of coolkey are you running? In the past coolkey only supported
the CAC cards. DOD has been moving to dual CAC and PIV cards. NASA cards may
be PIV only, thus may not work with some versions of coolkey.

To test if it is a PKCS#11 issue, OpenSC has a pkcs11-spy module
that could be used to trace the PKCS#11 calls and results.

export PKCS11SPY=/usr/lib64/pkcs11/libcoolkeypk11.so
kinit -X X509_user_identity=PKCS11:/path/to/pkcs11-spy.so hotz@SC.JPL.NASA.GOV

OpenSC also has PKCS#11 and supports PIV.


>
> Unfortunately, I think the next step is to grab the SRPM for krb5 and
> either (a) build with debugging symbols (and without optimization) and
> start poking around in gdb, or (b) build with the PKINIT debugging
> defines turned on and collect more information.  Either is pretty
> time-consuming.

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
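
The pkcs11-spy trace suggested above, captured to a file and reduced to the calls that failed. This is an added example, not part of the original message or of OpenSC: the helper names are hypothetical, the PKCS11SPY_OUTPUT variable and the "N: C_Function" / "Returned:  rv NAME" log layout are assumed from OpenSC's pkcs11-spy, and the sample trace is constructed.

```shell
#!/bin/sh
# Added example (not from the original message).

# traced_kinit PRINCIPAL LOGFILE  (hypothetical helper)
# Loads pkcs11-spy in front of the coolkey module named in the message and
# writes the trace to LOGFILE via PKCS11SPY_OUTPUT instead of stderr.
# The trace records call arguments and may include the PIN passed to C_Login,
# so the file is created owner-only; delete it after review.
traced_kinit() {
    (
        umask 077
        PKCS11SPY=/usr/lib64/pkcs11/libcoolkeypk11.so \
        PKCS11SPY_OUTPUT="$2" \
        kinit -X X509_user_identity=PKCS11:/path/to/pkcs11-spy.so "$1"
    )
}

# spy_failures LOGFILE  (hypothetical helper)
# Prints "<seq> <function> <rv> <name>" for every call whose result is not CKR_OK.
spy_failures() {
    awk '
        /^[0-9]+: C_/ { seq = $1; sub(/:/, "", seq); fn = $2; next }
        /^Returned:/  { if ($3 != "CKR_OK") print seq, fn, $2, $3 }
    ' "$1"
}

# write_sample_log FILE: constructed trace in the assumed pkcs11-spy layout.
write_sample_log() {
    cat > "$1" <<'EOF'
0: C_Initialize
Returned:  0 CKR_OK

1: C_OpenSession
[in] slotID = 0x1
Returned:  0 CKR_OK

2: C_FindObjectsInit
[in] hSession = 0x1
Returned:  5 CKR_GENERAL_ERROR

3: C_Sign
[in] hSession = 0x1
Returned:  84 CKR_FUNCTION_NOT_SUPPORTED
EOF
}

# Stand-alone use: sh spy_failures.sh /path/to/trace.log
if [ "$#" -gt 0 ]; then spy_failures "$1"; fi
```

The first failing call in the list is the place to compare against the "Preauth module pkinit ... returned" lines in the KRB5_TRACE output.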

