# PAM/xscreensaver/Authentification via MIFARE SMARTCARD

## ch64

Hello.

I want to lock xscreensaver when removing a smartcard. That is working here.

I have the USB device: ACS ACR122U PICC Interface and a few MIFARE classic cards 1k.

So, if I start card_eventmgr .. IT is locking via xscreensaver. -> Very nice.

But if I put the card back near the NFC reader xscreensaver is telling me: "error 2304 - Error Initializing the PKCS#11 module"

I have a pam for that, where it only needs a user. Xscreensaver tries as this user. But I have error 2304.

So, tail /var/log/messages is telling me:

```
Nov 15 22:52:03 dualcore xscreensaver[5077]: username = [flash]

Nov 15 22:52:03 dualcore xscreensaver[5077]: loading pkcs #11 module...

Nov 15 22:52:03 dualcore xscreensaver[5077]: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]

Nov 15 22:52:03 dualcore xscreensaver[5077]: module permissions: uid = 0, gid = 0, mode = 755

Nov 15 22:52:03 dualcore xscreensaver[5077]: loading module /usr/lib/opensc-pkcs11.so

Nov 15 22:52:03 dualcore xscreensaver[5077]: getting function list

Nov 15 22:52:03 dualcore xscreensaver[5077]: initialising pkcs #11 module...

Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc

Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

Nov 15 22:52:03 dualcore xscreensaver[5077]: module information:

Nov 15 22:52:03 dualcore xscreensaver[5077]: - version: 2.20

Nov 15 22:52:03 dualcore xscreensaver[5077]: - manufacturer: OpenSC Project                  

Nov 15 22:52:03 dualcore xscreensaver[5077]: - flags: 0000

Nov 15 22:52:03 dualcore xscreensaver[5077]: - library description: OpenSC smartcard framework      

Nov 15 22:52:03 dualcore xscreensaver[5077]: - library version: 0.16

Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc

Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc

Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client

Nov 15 22:52:03 dualcore xscreensaver[5077]: number of slots (a): 0

Nov 15 22:52:03 dualcore xscreensaver[5077]: init_pkcs11_module() failed: there are no slots available

Nov 15 22:52:03 dualcore xscreensaver[5077]: pam_pkcs11(xscreensaver:auth): init_pkcs11_module() failed: there are no slots available

Nov 15 22:52:14 dualcore xscreensaver[5077]: FAILED LOGIN 1 ON DISPLAY ":0", FOR "flash"

Nov 15 22:52:19 dualcore su[5126]: pam_unix(su:session): session closed for user root

```

IT is the first time, iam trying that. can somebody help?   :Wink: 

Also opensc is telling me, that the card is not compatible. 

```
dualcore ~ # nfc-list

nfc-list uses libnfc 1.7.1

NFC device: ACS / ACR122U PICC Interface opened

1 ISO14443A passive target(s) found:

ISO/IEC 14443A (106 kbps) target:

    ATQA (SENS_RES): 00  04

       UID (NFCID1): b3  73  99  d5

      SAK (SEL_RES): 08

```

The command where IT is telling me, that IT's a MIFARE CLASSIC 1k I now do not remember right...  :Smile: 

Also i think, that I have to use pam_pkcs11 module and not opensc! So I'm a bit confused.

----------

## ch64

Does this error come from a wrong polkit configuration?

 *Quote:*   

> Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc
> 
> Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/winscard_svc.c:335:ContextThread() Rejected unauthorized PC/SC client
> 
> Nov 15 22:52:03 dualcore pcscd[3761]: /mnt/data2/tmp/portage/sys-apps/pcsc-lite-1.8.22/work/pcsc-lite-1.8.22/src/auth.c:137:IsClientAuthorized() Process 5077 (user: 1000) is NOT authorized for action: access_pcsc
> ...

 

 *Quote:*   

> # opensc-tool -l
> 
> # Detected readers (pcsc)
> 
> Nr.  Card  Features  Name
> ...

 

 *Quote:*   

> Nov 17 05:36:44 dualcore xscreensaver[2174]: pam_pkcs11(xscreensaver:auth): no suitable token available
> 
> Nov 17 05:36:55 dualcore syslog-ng[5170]: Log statistics; processed='center(received)=1269', processed='center(queued)=2538', processed='src.none()=0', stamp='src.none()=0', processed='source(src)=1269', processed='destination(messages)=1269', processed='global(payload_reallocs)=1173', processed='global(sdata_updates)=0', processed='destination(console_all)=1269', processed='global(msg_clones)=0', processed='src.internal(src#2)=4', stamp='src.internal(src#2)=1510850215', processed='global(internal_queue_length)=0'
> 
> Nov 17 05:37:00 dualcore xscreensaver[2174]: FAILED LOGIN 1 ON DISPLAY ":0", FOR "flash"
> ...

 Last edited by ch64 on Fri Nov 17, 2017 4:40 am; edited 1 time in total

----------

## ch64

Now i added the following to polkit:

 *Quote:*   

> polkit.addRule(function(action, subject) {
> 
>     if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
> 
>         subject.user == "flash") {
> ...

 

The next Error I have IS, "no suitable token found"

So, I don't really know how to..   :Rolling Eyes: 

----------

## ch64

Now with coolkey module IT starts and (KILLS) the xscreensaver right. When removing and adding the card.

But there is this:

 *Quote:*   

> Nov 18 23:36:02 dualcore xscreensaver[8184]: Error setting configuration parameters
> 
> Nov 18 23:36:02 dualcore xscreensaver[8184]: FAILED LOGIN 1 ON DISPLAY ":0", FOR "flash"
> 
> Nov 18 23:36:26 dualcore xscreensaver[8184]: Error setting configuration parameters
> ...

 

The "xscreensaver-command -deactivate" does not deactivate the screensaver.

When I try as root, IT comes, that there is no such display. When i add -display :0 it comes: the MAGIC COOKIE message.

I then exported ~user/.Xauthority to root. 

It only stands: "deactivating from xscreensaver log.. But xscreensaver in the real world, doesn't deactivate.

It only says: AUTH failed.

But killall xscreensaver is doing well!

So: What is this "Error setting configuration parameters" ?[/quote]

----------

## ch64

When I started to configure pam_pkcs11 module, the sys-auth/pam_pkcs-0.6.9 was removed from the Gentoo tree!

Just before I started!   :Crying or Very sad: 

----------

