Setup and Locking/Unlocking MATE With a Smart Card

Hi everyone,

Good day to you all and I hope all is well.

I had a query please regarding setting up a smartcard reader with MATE.

I had tried setting up a smart card with Rocky Linux 8.10 on MATE, however was unsuccessful and wanted to also try using Ubuntu MATE 24.04. I asked for help, but received no reply (not a problem of course).

My goal is to be able to unlock and lock the desktop using a smart card with SSSD and PAM. This includes if the user locks their screen or if the screensaver is activated.

I initially would like to perform this for a local user and then expanding that to authenticating via LDAP using FreeIPA.

The reader I am using is a SCM Microsystems, Inc. SCR331-LC1 / SCR3310 SmartCard Reader, with a smartcard.

The output of lsusb:

Bus 001 Device 003: ID 04e6:5116 SCM Microsystems, Inc. SCR331-LC1 / SCR3310 SmartCard Reader

Output of opensc-tool --list-readers:

# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311947214780) 00 00

Output of pkcs15-tool --list-keys:

Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311947214780) 01 00
Private RSA Key [User Authentication Key]
<KEY_INFO_HERE>
Private RSA Key [Digital Signature Key]
<KEY_INFO_HERE>

I am running a Ubuntu MATE 24.04 VM with virt-manager and the card reader is successfully passed through.

Running through the quick start guide for opensc, I am able to successfully find my card reader and detect my card when inserted.

For setting up the smartcard reader with MATE, I have been researching for guides on how to perform that, however there unfortunately is not much documentation available and the majority of guides show how to get a smart card working with GDM and the Gnome ecosystem.

For the foundation, I am following the Ubuntu documentation on how to set up a smart card reader with GDM and then diverting where appropriate for MATE. I am also using the similar desktop setup and Ubuntu Server guides for reference.

Steps that I have ran so far:

• sudo apt update && sudo apt upgrade
• sudo apt install opensc-pkcs11
• sudo apt install opensc
• Went through the p11-kit documentation.
• p11-kit list-modules successfully shows that my smartcard is detected:

module: opensc-pkcs11
    path: /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so
    uri: pkcs11:library-description=OpenSC%20smartcard%20framework;library-manufacturer=OpenSC%20Project
    library-description: OpenSC smartcard framework
    library-manufacturer: OpenSC Project
    library-version: 0.25
    token: JPKI (User Authentication PIN)
    token: JPKI (Digital Signature PIN)

• pkcs15-tool --list-certificates and observed certificates are present:

Using reader with a card: SCM Microsystems Inc. SCR 3310 [CCID Interface] (53311947214780) 00 00
X.509 Certificate [User Authentication Certificate]
<CERT_INFO_HERE>
X.509 Certificate [Digital Signature Certificate]
<CERT_INFO_HERE>
X.509 Certificate [User Authentication Certificate CA]
<CERT_INFO_HERE>
X.509 Certificate [Digital Signature Certificate CA]

• Exported each certificate with pkcs15-tool --read-certificate <ID_number> > <CERT_FILE>.

• Where I am stuck at the moment, is generating a self-signed certificate, using the smart card's private key. After further research, I had found a blog that goes into openssl and observed that a self-signed certificate can be generated:

Create a self-signed certificate from a smart card private key:
openssl req -new -x509 -engine pkcs11 -keyform engine -key "<rfc7512-uri>" ...

• When running the above command however, I receive:

Invalid engine "pkcs11"
40E74DDAB5780000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so): /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so: cannot open shared object file: No such file or directory
40E74DDAB5780000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:152:
40E74DDAB5780000:error:13000084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:442:
40E74DDAB5780000:error:13000074:engine routines:ENGINE_by_id:no such engine:../crypto/engine/eng_list.c:433:id=pkcs11
40E74DDAB5780000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(libpkcs11.so): libpkcs11.so: cannot open shared object file: No such file or directory
40E74DDAB5780000:error:12800067:DSO support routines:DSO_load:could not load the shared library:../crypto/dso/dso_lib.c:152:
40E74DDAB5780000:error:13000084:engine routines:dynamic_load:dso not found:../crypto/engine/eng_dyn.c:442:
No engine specified for loading private key
No filename or uri specified for loading
 private key

• I do not have the CA-Auth-cert.pem file, which is why I am trying to create a self-signed CA certificate

If anyone has any experience with setting up a smart card with MATE (or with Gnome for that matter) and could assist with the above, that would be very appreciated please.

My apologies for not being able to post more links to the websites I referenced. Unfortunately being a new user, I cannot post more than 2 links.

Many thanks indeed and if I can help provide any outputs that are required, please don't hesitate to let me know and I will be more than happy to do so.

Aside from that, Ubuntu MATE is an excellent showcase of the MATE desktop, especially with the theming and colour selection. Please keep up the amazing work and thank you so much to the Ubuntu MATE maintainers for your tireless work!

Welcome @metalinux to the community!

Hi @Bombilla and thank you very much for the lovely welcome!

Hi, @metalinux

(Usual disclaimer: please note that I'm just another Forum user here. I'm NOT an Ubuntu developer or Ubuntu MATE developer)

Congratulations on your wonderfully detailed (first) post I must say I've never used smartcard / smart card authentication for authenticating to my local user account in Ubuntu (I do use the National Portuguese Citizen smartcard, with a smart card reader, in Ubuntu MATE 22.04 LTS ("Jammy Jellyfish"), but it's for use with an application provided by the Portuguese Government -
"Aplicação Autenticação.gov para computador" - https://www.autenticacao.gov.pt/cc-aplicacao )

Having said that, regarding the errors you've got when running the openssl req -new -x509 -engine pkcs11 -keyform engine -key "<rfc7512-uri>" ... command, specifically the following error:

Invalid engine "pkcs11"
40E74DDAB5780000:error:12800067:DSO support routines:dlfcn_load:could not load the shared library:../crypto/dso/dso_dlfcn.c:118:filename(/usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so): /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so: cannot open shared object file: No such file or directory
(...)

... my suggestion (but I may be wrong!) is to install the package libengine-pkcs11-openssl in your Ubuntu MATE 24.04 LTS ("Noble Numbat"), if it is not already installed, with the following command:

sudo apt install libengine-pkcs11-openssl

Here's the information for that package in an Ubuntu MATE 24.04 VM (Virtual Machine) that I have, where that package is NOT yet installed (the apt info command shows information about a software package, even if it's not yet installed):

ricmarques@ubumate2404vm:~$ apt info libengine-pkcs11-openssl
Package: libengine-pkcs11-openssl
Version: 0.4.12-1.1build2
Priority: optional
Section: universe/libs
Source: libp11
Origin: Ubuntu
Maintainer: Ubuntu Developers <[email protected]>
Original-Maintainer: Debian OpenSC Maintainers <[email protected]>
Bugs: https://bugs.launchpad.net/ubuntu/+filebug
Installed-Size: 100 kB
Depends: p11-kit, libc6 (>= 2.34), libssl3t64 (>= 3.0.0)
Homepage: https://github.com/OpenSC/libp11
Download-Size: 33.5 kB
APT-Sources: http://pt.archive.ubuntu.com/ubuntu noble/universe amd64 Packages
Description: OpenSSL engine for PKCS#11 modules
 With this engine for OpenSSL you can use OpenSSL library
 and command line tools with any PKCS#11 implementation as
 backend for the crypto operations.
 .
 Engine_pkcs11 was developed for smart cards, and mostly
 for the OpenSC PKCS#11 module, but it should work fine with
 any PKCS#11 implementation.
 .
 Engine_pkcs11 is a spin off from OpenSC and replaced
 libopensc-openssl.
 

I hope this helps Please, keep us posted.

Hi @ricmarques and a very good day to you.

Thank you very kindly for your reply. Absolutely and I want to provide as much detail as possible, especially when asking for help from the fine folks here.

Understood, so you have your Portuguese Citizen smartcard that interfaces directly with the app itself. We have the same setup in Japan as well.

Thank you very much for your suggestion of installing the libengine-pkcs11-openssl package. I will go ahead and try to have that installed and then report back here afterwards.

I hope you have an excellent rest of your day!

@ricmarques please see the steps performed below:

• Confirmed the libengine-pkcs11-openssl package had not been installed.
• Installed the package successfully:

test@test:~$ sudo apt install libengine-pkcs11-openssl
[sudo] password for test: 
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following NEW packages will be installed:
  libengine-pkcs11-openssl
0 upgraded, 1 newly installed, 0 to remove and 0 not upgraded.
Need to get 33.5 kB of archives.
After this operation, 100 kB of additional disk space will be used.
Get:1 http://jp.archive.ubuntu.com/ubuntu noble/universe amd64 libengine-pkcs11-openssl amd64 0.4.12-1.1build2 [33.5 kB]
Fetched 33.5 kB in 2s (13.5 kB/s)                      
Selecting previously unselected package libengine-pkcs11-openssl:amd64.
(Reading database ... 231832 files and directories currently installed.)
Preparing to unpack .../libengine-pkcs11-openssl_0.4.12-1.1build2_amd64.deb ...
Unpacking libengine-pkcs11-openssl:amd64 (0.4.12-1.1build2) ...
Setting up libengine-pkcs11-openssl:amd64 (0.4.12-1.1build2) ...

• Then when running openssl req -new -x509 -engine pkcs11 -keyform engine -key "<rfc7512-uri>", the pcs11 engine is recognised. Thank you so much and you are excellent!

test@test:~$ openssl req -new -x509 -engine pkcs11 -keyform engine -key "<rfc7512-uri>"
Engine "pkcs11" set.

• Now I need to work out how to point opensslto the private key on my smartcard, in order to generate the self-signed CA certification. I am reading further about RFC 7512, because of course "<rfc7512-uri>" is just a placeholder in the openssl req -new -x509 -engine pkcs11 -keyform engine -key "<rfc7512-uri>" command.

Further troubleshooting performed.

• Installed the p11tool with sudo apt install gnutls-bin. This OpenConnect documentation was great for helping me find the right commands for p11tool.
• Ran p11tool --list-tokens. This then successfully read my smart card.
• Observed the required URL under Token 1 :

Token 1:
	URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=JPKI;serial=00000000;token=<TOKEN_HERE>
	Label: JPKI (User Authentication PIN)
	Type: Hardware token
	Flags: Requires login
	Manufacturer: JPKI
	Model: PKCS#15 emulated
	Serial: 00000000
	Module: opensc-pkcs11.so

• Then running openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:model=PKCS%2315%20emulated;manufacturer=JPKI;serial=00000000;token=<TOKEN_HERE>", I could then create the self-signed CA certificate:

test@test:~$ openssl req -new -x509 -engine pkcs11 -keyform engine -key "pkcs11:model=PKCS%2315%20emulated;manufacturer=JPKI;serial=00000000;token=JPKI%20%28User%20Authentication%20PIN%29"
Engine "pkcs11" set.
Enter PKCS#11 token PIN for JPKI (User Authentication PIN):
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:<COUNTRY_CODE_HERE>
State or Province Name (full name) [Some-State]:<STATE_HERE>
Locality Name (eg, city) []:<CITY_HERE>
Organization Name (eg, company) [Internet Widgits Pty Ltd]:<NOTHING_INSERTED>
Organizational Unit Name (eg, section) []:<NOTHING_INSERTED>
Common Name (e.g. server FQDN or YOUR name) []:<MY_NAME>
Email Address []:<NOTHING_INSERTED>
-----BEGIN CERTIFICATE-----
<CERT_HERE>
-----END CERTIFICATE-----

• To problem is then trying to verify that this certificate works with the private key on the smart card. with openssl. From my research, there is no way to extract the private key. My idea was to use the exact URI of the smart card and essentially compare the public key generated with the private key on the smart card. Something like openssl verify -verbose -CAfile self-signed_cert.pem "pkcs11:model=PKCS%2315%20emulated;manufacturer=JPKI;serial=00000000;token=<TOKEN_HERE>". However, this does not work and I observe the following error:

test@test:~$ openssl verify -verbose -CAfile self-signed_cert.pem -engine pkcs11 "pkcs11:model=PKCS%2315%20emulated;manufacturer=JPKI;serial=00000000;token=<TOKEN_HERE>"
Engine "pkcs11" set.
Could not open file or uri for loading certificate file from pkcs11:model=PKCS%2315%20emulated;manufacturer=JPKI;serial=00000000;token=<TOKEN_HERE>
40B7997BAE740000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=file
40B7997BAE740000:error:80000002:system library:file_open:No such file or directory:../providers/implementations/storemgmt/file_store.c:267:calling stat(pkcs11:model=PKCS%2315%20emulated;manufacturer=JPKI;serial=00000000;token=<TOKEN_HERE>)
40B7997BAE740000:error:16000069:STORE routines:ossl_store_get0_loader_int:unregistered scheme:../crypto/store/store_register.c:237:scheme=pkcs11
40B7997BAE740000:error:1608010C:STORE routines:inner_loader_fetch:unsupported:../crypto/store/store_meth.c:383:No store loader found. For standard store loaders you need at least one of the default or base providers available. Did you forget to load them? Info: Global default library context, Scheme (pkcs11 : 0), Properties (<null>)
Unable to load certificate file

• However, I will continue on for now, with the assumption that public and private keys work fine.
• Next I need to configure sssd.conf under Configure SSSD in the smart card setup guide and am creating a FreeIPA server on a CentOS 7 VM via a DigitalOcean guide as part of that.

@metalinux

Hello,

Just a couple of hints. easy-rsa makes certificates and key management much easier in comparison with openssl CLI.

AFAIK, the certificate goes first. I.e. one creates self-signed certificate, generates key pair and signs public key with it. A key in question is written to smartcard. Long story short, if one receives a key pair from a third party he can retrieve (or request) issuer's certificate from issuer's site. Since then the issuer's certificate is configured as trusted one.

Good luck!

Good day to you @ugnvs and thank you kindly for mentioning easy-rsa and the explanation on certificate generation. I'll read up more on the documentation and see if I can apply it to my smart card. Thanks again!

I have further investigated easy-rsa via their official documentation and via the nitrokey guide. I also checked easy-rsa's GitHub, mainly #268 for PKCS11 smart card support, which then linked me to #689 - base64 encode PKCS files for use in Openvpn INLINE tags , which is open at this time. There is also #332 with a patch for smart card support, however multiple users had problems with setting it up with their Yubi keys. Further research does not uncover use of easy-rsa with smart cards. Unfortunately it looks like smart card support is not available at this time. Thank you so much regardless @ugnvs and that was a good shout.

Following the original Ubuntu guide further and setting up sssd (and therefore FreeIPA), I am going through this DigitalOcean guide on setting up a CentOS 7 box to be a FreeIPA server. I have set up a local CentOS 7 VM and everything went well until part Step 4 — Installing the FreeIPA Server . When installing the server with ipa-server-install and correctly providing my domain name information. It would run well until the following:

  [37/45]: adding entries for topology management
  [38/45]: initializing group membership
  [error] NetworkError: cannot connect to 'ldap://<MY_DOMAIN>:389': 
ipapython.admintool: ERROR    cannot connect to 'ldap://<MY_DOMAIN>:389':

• I confirmed that my router had all of the required FreeIPA ports open, pointed at the right IP.
• My CentOS 7 VM was successfully bridged with an available Internet connection and IP in virt-manager.
• I am now troubleshooting further in the following areas: My ISP blocking connections, Namecheap DNS settings and the local Bridge Connection that I had created as well.

I am afraid, that using FreeIPA for the sole purpose of smartcard authentication could be a bit of overkill.

It looks like that smartcard authentication can be configured as local service. I.e.

https://ubuntu.com/tutorials/how-to-use-smart-card-authentication-in-ubuntu-desktop

Thank you for the links @ugnvs and my end goal was to have a FreeIPA instance be a central point of authentication, however I will start smaller first with the local authentication and then work my way up from there. The Ubuntu documentation you kindly linked is also one that I am following in the tutorial. I have checked through the RHEL documentation that you have provided and that seems to be the ticket when generating the right keys and local certs.

For private key and cert generation testing, I have also bought a Yubikey to make that process more smooth and I will update here on my progress. Thanks again!

Further troubleshooting steps performed.

• Re-created my Ubuntu Mate 24.04 VM from scratch.
• Created the Certificate Authority directory.

mkdir /tmp/ca

• Changed into the directory.

cd /tmp/ca

• Set up the certificate.

cat > ca.cnf <<EOF
[ ca ]
default_ca = CA_default

[ CA_default ]
dir              = .
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts

certificate      = \$dir/rootCA.crt
serial           = \$dir/serial
private_key      = \$dir/rootCA.key
RANDFILE         = \$dir/rand

default_days     = 365
default_crl_days = 30
default_md       = sha256

policy           = policy_any
email_in_dn      = no

name_opt         = ca_default
cert_opt         = ca_default
copy_extensions  = copy

[ usr_cert ]
authorityKeyIdentifier = keyid, issuer

[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer:always
basicConstraints       = CA:true
keyUsage               = critical, digitalSignature, cRLSign, keyCertSign

[ policy_any ]
organizationName       = supplied
organizationalUnitName = supplied
commonName             = supplied
emailAddress           = optional

[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
O  = Example
OU = Example Test
CN = Example Test CA
EOF
Expand

• Created the following directories.

mkdir certs crl newcerts

• Made these files.

touch index.txt crlnumber index.txt.attr

• Wrote number 01 into the serial file.

echo 01 > serial

• Generated the OpenSSL root CA Key.

openssl genrsa -out rootCA.key 2048

• Created the self-signed root Certification Authority certificate.

openssl req -batch -config ca.cnf \
    -x509 -new -nodes -key rootCA.key -sha256 -days 10000 \
    -set_serial 0 -extensions v3_ca -out rootCA.crt

• Now to set up the private key with my YubiKey 5C NFC.
• Followed the YubiKey PIV Tool documentation and downloaded the latest 2.5.2 release tarball.
• Installed the following packages.

cmake libtool libssl-dev pkg-config check libpcsclite-dev gengetopt help2man zlib-devel

• Note, in my case I had to replace zlib-devel with zlib1g-dev, as zlib-devel was not found.
• Ran gunzip and tar -xf on the tarball and then changed directory into yubico-piv-tool-2.5.2.
• Ran these commands which completed successfully.

mkdir build
cd build
cmake ..
make
sudo make install
sudo ldconfig

• Followed the Yubikey documentation for generating a key pair via OpenSSL.
• Made a key for my username.

openssl genrsa -out test.pem 2048

• Extracted the public key from the key pair.

openssl rsa -in test.pem -outform PEM -pubout -out test_public.pem

• I then have a private and public key available.

-rw------- 1 test test 1704 Jun 24 16:43 test.pem
-rw-rw-r-- 1 test test  451 Jun 24 16:45 test_public.pem

• Followed this YubiKey documentation on placing the private key onto the YubiKey and this one as well for importing the key into the slot of the YubiKey.
• Successfully imported the Private Key into the YubiKey.

test@test:/tmp/ca$ yubico-piv-tool -s 9a -a import-key -i test.pem
Successfully imported a new private key.

• Made the Certificate Signing Request Configuration File.

cat > req.cnf <<EOF
[ req ]
distinguished_name = req_distinguished_name
prompt = no

[ req_distinguished_name ]
O = Example
OU = Example Test
CN = testuser

[ req_exts ]
basicConstraints = CA:FALSE
nsCertType = client, email
nsComment = "testuser"
subjectKeyIdentifier = hash
keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection, msSmartcardLogin
subjectAltName = otherName:msUPN;UTF8:[email protected], email:[email protected]
EOF

• Generated the certificate signing request for the user certificate.

openssl req -new -nodes -key test.pem \
    -reqexts req_exts -config req.cnf -out test.csr

• Configured the new certificate for expiration of 1 year.

openssl ca -config ca.cnf -batch -notext \
    -keyfile rootCA.key -in test.csr -days 365 \
    -extensions usr_cert -out test.crt

• Ensured that sssd is installed.

sudo apt install sssd
sssd is already the newest version (2.9.4-1.1ubuntu6).

• Created a pki directory.

/etc/sssd/pki

• Copied the rootCA.cert into the pki directory.

sudo cp /tmp/ca/rootCA.crt /etc/sssd/pki/sssd_auth_ca_db.pem

• Installed gnutls-bin, as the Red Hat documentation lists gnutls-utils, however that is under a different name in Ubuntu.
• Started the pcscd service.

systemctl start pcscd

• Enabled the service to run at login.

test@test:~$ systemctl enable pcscd
Synchronizing state of pcscd.service with SysV service script with /usr/lib/systemd/systemd-sysv-install.
Executing: /usr/lib/systemd/systemd-sysv-install enable pcscd

• Verified it was running successfully.

test@test:/tmp/ca$ systemctl status pcscd
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/usr/lib/systemd/system/pcscd.service; indirect; preset: enabled)

• Imported the test certificate into the YubiKey successfully.

yubico-piv-tool -a import-certificate -s 9a -i test.crt
Successfully imported a new certificate.

• Confirmed via the YubiKey Manager AppImage under Applications --> PIV --> Certificates that one test certificate had been uploaded successfully.
• I now have both the private key and certificate in the YubiKey.
• Added to my blank /etc/sssd/sssd.conf file the following.

[pam]
pam_cert_auth = True
pam_p11_allowed_services = +mate-screensaver

I'll continue further later on, next I need to configure MATE for when the screen locks, it prompts for the YubuKey.

Hi everyone and I hope things are going well today.

To kindly update further regarding my testing on this issue.

• Checked the vmware documentation and the /etc/pam.d/mate-screensaver file also needs to be created and the auth include smartcard-auth line needs to be added.
• In my setup, the /etc/pam.d/mate-screensaver file is already available.

test@test:~$ ls -l /etc/pam.d | grep mate
-rw-r--r-- 1 root root   57 Sep 17  2018 mate-screensaver

• This is the current contents,

est:~$ cat /etc/pam.d/mate-screensaver 
@include common-auth
auth optional pam_gnome_keyring.so

• Following the vmware example, it should look something like this.

#%PAM-1.0
 
# Fedora Core
auth include smartcard-auth            
auth       include      system-auth
auth       optional     pam_gnome_keyring.so
account    include      system-auth
password   include      system-auth
session    include      system-auth

• I have now set the file as the following.

test@test:~$ cat /etc/pam.d/mate-screensaver 
@include common-auth
auth       include      smartcard-auth            
auth       include      system-auth
auth       optional     pam_gnome_keyring.so
account    include      system-auth
password   include      system-auth
session    include      system-auth

• Running journalctl -exu sssd on the sssd service, I observed the following issue.

Jul 02 13:53:01 test sssd[879]: SSSD couldn't load the configuration database [1432158324]: File ownership and permissions check failed

• Checked this website and saw that sssd.conf was owned by root, which is good.

test@test:~$ sudo ls -l /etc/sssd/ | grep sssd
-rw-r--r-- 1 root root   72 Jun 24 17:51 sssd.conf

• Provided chmod 600 permissions and noticed that those had not been previous set.

test@test:~$ sudo ls -l /etc/sssd/ | grep sssd
-rw-r--r-- 1 root root   72 Jun 24 17:51 sssd.conf
test@test:~$ sudo chmod 600 /etc/sssd/sssd.conf
test@test:~$ sudo ls -l /etc/sssd/ | grep sssd
-rw------- 1 root root   72 Jun 24 17:51 sssd.conf

• Ran journalctl -fxu sssd whilst enacting sudo systemctl restart sssd.
• Checking the journal output again, I discovered this.

Jul 02 14:24:15 test sssd[3046]: SSSD couldn't load the configuration database [1432158246]: No domain is enabled

• Going back through the Red Hat guide, on point 5, there is the following configuration.

[sssd]
services = nss, pam
domains = shadowutils

[nss]

[pam]
pam_cert_auth = True

[domain/shadowutils]
id_provider = files

• This configuration is missing in mine.

test@test:~$ sudo cat /etc/sssd/sssd.conf
[pam]
pam_cert_auth = True
pam_p11_allowed_services = +mate-screensaver

• Adding the Red Hat configuration, mine now looks like.

[sssd]
services = nss, pam
domains = shadowutils

[nss]

[pam]
pam_cert_auth = True
pam_p11_allowed_services = +mate-screensaver

[domain/shadowutils]
id_provider = files

• The pam_p11_allowed_services = +mate-screensaver line in my configuration, is where I had read in the XFCE wiki that the pam_p11_allowed_services = +xfce4-screensaver line was needed for a successful login via smart card.
• Another restart of the sssd service with sudo systemctl restart sssd sees that the service runs without issue.

Jul 02 14:34:33 test systemd[1]: Started sssd.service - System Security Services Daemon.
░░ Subject: A start job for unit sssd.service has finished successfully
░░ Defined-By: systemd
░░ Support: http://www.ubuntu.com/support
░░ 
░░ A start job for unit sssd.service has finished successfully.
░░ 
░░ The job identifier is 3055.

• I now observe that when I lock the screen, my user's password is no longer accepted. However, when I press the button my Yubikey, the password field is then populated in the lock screen and I receive Incorrect Password.
• My feeling this is an issue with the certificates I have set up with sssd, so I will explore further there. You can also use the pam_cert_db_path option to point to a specific certificate in pem format, however the sssd_auth_ca_db.pem file I had placed under /etc/sssd/pki/ should be fine, so I think this is a problem with the sssd_auth_ca_db.pem certificate itself, where it is a just a generic self-signed certificate that has no relation to the Yubikey.

• Went back to the certificate generation step with Yubikey Key Generation documentation and generated a self-signed certificate on slot 9a with yubico-piv-tool -a generate -s 9a. The output was this.

test@test:~$ yubico-piv-tool -a generate -s 9a
-----BEGIN PUBLIC KEY-----
<public_key_here>
-----END PUBLIC KEY-----
Successfully generated a new private key.

• I then saved the above output (where it starts with BEGIN PUBLIC KEY and ends with END PUBLIC KEY) to a file called test_public_key.pem. I then replaced the .pem file under /etc/sssd/pki/sssd_auth_ca_db.pem, with the contents of test_public_key.pem. Now the sssd_auth_ca_db.pem looks like this.

test@test:~/ca$ sudo cat /etc/sssd/pki/sssd_auth_ca_db.pem
-----BEGIN PUBLIC KEY-----
<public_key_here>
-----END PUBLIC KEY-----

• sssd restarts without issue with sudo systemctl restart sssd
• Locking the screen, pressing the Yubikey button, still sees Incorrect Password being generated.
• Going back to the Red Hat documentation, I can see this line here.

If you want to share the Certificate Authority certificates with another application, you can change the location in sssd.conf:
SSSD PAM responder: pam_cert_db_path in the [pam] section

• I copied the /etc/sssd/pki/sssd_auth_ca_db.pem file to my home directory and added this line to my sssd.conf file.

pam_cert_db_path = /home/test/sssd_auth_ca_db.pem

• Restarted sssd with no issues, but again see the same behaviour with starting the lock screen, pressing the Yubikey button and seeing Incorrect Password.
• Checked ask Ubuntu and the suggestion there was to place @include common-auth in the /etc/pam.d/mate-screensaver after the other lines.
• I changed it, so now the /etc/pam.d/mate-screensaver file looks like so.

auth       include      smartcard-auth
auth       include      system-auth
auth       optional     pam_gnome_keyring.so
account    include      system-auth
password   include      system-auth
session    include      system-auth
@include common-auth

• sssd restarts fine, however after locking the screen and pressing the Yubikey button, I am greeted with a Not permitted to gain access at this time message. That configuration does not help.
• Followed this Reddit guide on how to unlock the screen via a Yubikey.
• Installed libpam-u2f with sudo apt install libpam-u2f
• Ran mkdir -p ~/.config/Yubico
• Ran pamu2fcfg > ~/.config/Yubico/u2f_keys
• Pressed the button on Yubikey during the execution of the above command.
• Added this line into my /etc/pam.d/mate-screensaver file. The file then looks like this.

test@test:~$ sudo cat /etc/pam.d/mate-screensaver 
@include common-auth
auth       include      smartcard-auth            
auth       include      system-auth
auth       optional     pam_gnome_keyring.so
auth       required     pam_u2f.so
account    include      system-auth
password   include      system-auth
session    include      system-auth

• Upon locking the screen and pressing the Yubikey button, I am met with Incorrect Password.
• Edited the /etc/pam.d/mate-screensaver file, so that only the following was present.

test@test:~$ sudo cat /etc/pam.d/mate-screensaver 
auth       required     pam_u2f.so

• The sssd restarted fine. However, this broke the lock screen and it did not display anything, only the desktop background.
• Now the issue is setting the right options in /etc/pam.d/mate-screensaver and I'll work further on that.

Good day all and to further update on my escapades here.

• I have been checking other pam.d/mate-screensaver configurations and will try the following.

#%PAM-1.0

auth       include      system-auth
auth       optional     pam_gnome_keyring.so
auth       required     pam_u2f.so
account    include      system-auth
password   include      system-auth
session    include      system-auth

• Restarted the sssd service with sudo systemctl restart sssd
• Locked the screen.
• Again the result was a blank lock screen.
• Then tried adding the following to the /etc/pam.d/mate-screensaver

auth       include      pam_sss.so

• Restarted sssd and again, only a blank lock screen.
  
  

  blank_lock_screen1918×1080 31.1 KB
• Removed auth required pam_u2f.so from the configuration, restarted sssd and now when locking the screen, the configuration is stuck on the screensaver and does not proceed to the lock screen.
• I will do a complete refresh of Ubuntu Mate 24.04, because I have gone wrong somewhere either with the pam.d configuration, sssd.conf or Yubikey setup.

Wow, @metalinux!

That is truly a labour of love, and what you have accomplished is impressive! Have a shower of "Kudos"!

I will offer you my encouragement to reach your end goal successfully, because I believe that means of verification, card-swipe or fingerprint-recognition, is likely to become a standard feature on most computers/tablets/phones in the long-run.

Not sure if you might want to look at the the approach(es) to fingerprint-recognition. That might be another viewpoint on the hardware/software configuration process that might give some insights to get you to that end-point!

Lots of luck, to you!

Hi again, @metalinux!

I realize this is not a direct fix or directly related to your specific issue, but ... there is a page related to use of SmartCards for US Gov that makes reference to MacOS (linux spinoff) on two aspects of the problem, namely:

• SSH from MacOS, and
• Configure a Linux Server.

I realize that might be a stretch ... but you never know where an answer will come from.

There is also a section specifically dedicated to Yubico-PAM module, if you haven't seen that yet, and a section specifically on Yubico PAM Single-factor configuration guide which might have direct relevance to your problem.

I underline that I offer these, even though I don't understand the problem in depth , but based on an abstraction of the issue you are facing for your context.

I also forgot to mention Arch Linux's page on Yubikey. Their pages sometimes have hints/workarounds at the bleeding edge.

Hi @ericmarceau and thank you so much for the lovely words of encouragement and for your added advice of fingerprint-recognition, looking into SmartCards via MacOS, the Yubico-PAM module and of course the excellent Arch Wiki regarding Yubikey. You similarly deserve a shower of kudos as well and seriously - thank you!

Ultimately, I found a workaround to this issue, which was to set up Smartcard Authentication in Gnome and then switch to the GDM Lock Screen in the MATE session.

I firstly installed Gnome and its dependencies with sudo apt install ubuntu-gnome-desktop and rebooted.

I then logged into the the MATE session, via GDM (selecting MATE instead of Gnome as the DE) upon successful boot up.

To switch directly to the GDM lock screen in the MATE session, I ran gdmflexiserver -ls in a terminal, which takes you directly to the GDM lock screen (it skips mate-screensaver) and then you can unlock the session with your SmartCard credentials there and then hop back into the same MATE session as before.

Thank you very much again to @ericmarceau , @ugnvs and @ricmarques for kindly giving your time and advice to assist here!