load_pkcs11_module() failed loading....

Asked by Bill Eccles on 2018-12-04

Ubuntu 16.04
Trying to install pam....
When I log into my server I get the following....

ERROR:pam_pkcs11.c:323: load_pkcs11_mosule() failed loading /usr/lib/opensc-pkcs11.so: stat() failed: No such file or directory.

I am new to pam...is there a config file that is missing....
is there an example I can look at?

I see the following online.....
ln -s /usr/lib/pkcs11/opensc-pkcs11.so /usr/lib/

Is that the solution?
do I have a missing file?

Question information

Language:
English Edit question
Status:
Answered
For:
Ubuntu pam-pkcs11 Edit question
Assignee:
No assignee Edit question
Last query:
2019-01-14
Last reply:
2019-01-14
Manfred Hampl (m-hampl) said : #1

"Trying to install pam...."
How did you try installing it?

What is the output of the commands
uname -a
lsb_release -crid
apt-cache policy libpam-pkcs11 opensc-pkcs11 libpam-runtime libpam-modules libpam0g

Bill Eccles (weccles) said : #2

#sudo apt-get install libpam-pkcs11

#sudo apt-get install opensc-pkcs11

sudo mkdir /etc/pam_pkcs11

zcat /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz | sudo tee /etc/pam_pkcs11/pam_pkcs11.conf

sudo mkdir /etc/pam_pkcs11/cacerts /etc/pam_pkcs11/crls

edit the use_mappers line in /etc/pam_pkcs11/pam_pkcs11.conf to list only pwent

Commands......

uname -a

Linux STIGtest 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux

lsb_release -crid

Distributor ID: Ubuntu

Description: Ubuntu 16.04.05 LTS

Release: 16.04

Codename: xenial

apt-cache policy libpam-pkcs11 opensc-pkcs11 libpam-runtime libpam-modules libpam0g

[cid:image001.jpg@01D48C70.C55AB930]

[cid:image002.jpg@01D48C70.C55AB930]

Thanks

Bill

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Manfred Hampl
Sent: Wednesday, December 05, 2018 4:15 AM
To: ECCLES, WILLIAM <email address hidden>
Subject: Re: [Question #676600]: load_pkcs11_module() failed loading....

Your question #676600 on pam-pkcs11 in Ubuntu changed:

https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=xjQpo_Ow8o3mGHgPfyWQ80UgrprVisTz8uNq1yDb_Lk&s=iMN8oM8mPJxw7N-77edlOGZmh6vP5V9OFEpec16lmtY&e=

    Status: Open => Needs information

Manfred Hampl requested more information:

"Trying to install pam...."

How did you try installing it?

What is the output of the commands

uname -a

lsb_release -crid

apt-cache policy libpam-pkcs11 opensc-pkcs11 libpam-runtime libpam-modules libpam0g

--

To answer this request for more information, you can either reply to

this email or enter your reply at the following page:

https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=xjQpo_Ow8o3mGHgPfyWQ80UgrprVisTz8uNq1yDb_Lk&s=iMN8oM8mPJxw7N-77edlOGZmh6vP5V9OFEpec16lmtY&e=

You received this question notification because you asked the question.

Manfred Hampl (m-hampl) said : #3

1. I suggest that you look at your question document at launchpad: https://answers.launchpad.net/ubuntu/+source/pam-pkcs11/+question/676600 to see that the information that you sent is not usable.

It is not possible to attach images for launchpad questions.
The question document is cluttered up with irrelevant reply information from your e-mail system.

Please just copy/paste the text of the apt-cache command as requested as text, and not as an image. Furthermore please remove all old information if you prefer to answer by e-mail reply.

2. And now to your problem: You have to verify whether the contents of the example config file agree with the setup of your system.

I assume that you have to correct the file location in line ~30
from
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
to
  pkcs11_module opensc {
    module = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so;
(or whatever the real location of the opensc-pkcs11.so file is on your system).

Bill Eccles (weccles) said : #4

I did not change that line initially...so it is changed now and a new error appeared....

SmartCard authentication starts
ERROR:pam_pkcs11.c:357: no suitable token available
Error 2306: No suitable token available

Output to apt-cache policy libpam-pkcs11 opensc-pkcs11 libpam-runtime libpam-modules libpam0g

libpam-pkcs11:
 Installed: 0.6.8-4
 Candidate: 0.6.8-4
 Version table:
           *** 0.6.8-4 500
  500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
  100 /var/lib/dpkg/status
opensc-pkcs11:
 Installed: 0.15.0-1ubuntu1
 Candidate: 0.15.0-1ubuntu1
 Version table:
          *** 0.15.0-1ubuntu1 500
  500 http://us.archive.ubuntu.com/ubuntu xenial/universe amd64 Packages
  100 /var/lib/dpkg/status
libpam-runtime:
 Installed: 1.1.8-3.2ubuntu2.1
 Candidate: 1.1.8-3.2ubuntu2.1
 Version table:
           *** 1.1.8-3.2ubuntu2.1 500
  500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
  500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main i386 Packages
  100 /var/lib/dpkg/status
           *** 1.1.8-3.2ubuntu2 500
  500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
  500 http://us.archive.ubuntu.com/ubuntu xenial/main i386 Packages
libpam-modules:
 Installed: 1.1.8-3.2ubuntu2.1
 Candidate: 1.1.8-3.2ubuntu2.1
 Version table:
           *** 1.1.8-3.2ubuntu2.1 500
  500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
  100 /var/lib/dpkg/status
                  1.1.8-3.2ubuntu2.1 500
  500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages
libpam0g:
 Installed: 1.1.8-3.2ubuntu2.1
 Candidate: 1.1.8-3.2ubuntu2.1
 Version table:
           *** 1.1.8-3.2ubuntu2.1 500
  500 http://us.archive.ubuntu.com/ubuntu xenial-updates/main amd64 Packages
  100 /var/lib/dpkg/status
                  1.1.8-3.2ubuntu2 500
  500 http://us.archive.ubuntu.com/ubuntu xenial/main amd64 Packages

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Manfred Hampl
Sent: Wednesday, December 05, 2018 8:23 AM
To: ECCLES, WILLIAM <email address hidden>
Subject: Re: [Question #676600]: load_pkcs11_module() failed loading....

Your question #676600 on pam-pkcs11 in Ubuntu changed:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=V_2sby7iFJYgnDPRUxXdeSAwQBL3VyLtOiBHAbk0nSc&s=DOONCh1oquVFsUa7GfXuIZSbFHwj1tIKAHTVSAyp4A4&e=

    Status: Open => Answered

Manfred Hampl proposed the following answer:
1. I suggest that you look at your question document at launchpad:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=V_2sby7iFJYgnDPRUxXdeSAwQBL3VyLtOiBHAbk0nSc&s=DOONCh1oquVFsUa7GfXuIZSbFHwj1tIKAHTVSAyp4A4&e=
to see that the information that you sent is not usable.

It is not possible to attach images for launchpad questions.
The question document is cluttered up with irrelevant reply information from your e-mail system.

Please just copy/paste the text of the apt-cache command as requested as
text, and not as an image. Furthermore please remove all old information
if you prefer to answer by e-mail reply.

2. And now to your problem: You have to verify whether the contents of
the example config file agree with the setup of your system.

I assume that you have to correct the file location in line ~30
from
  pkcs11_module opensc {
    module = /usr/lib/opensc-pkcs11.so;
to
  pkcs11_module opensc {
    module = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so;
(or whatever the real location of the opensc-pkcs11.so file is on your system).

--
If this answers your question, please go to the following page to let us
know that it is solved:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600_-2Bconfirm-3Fanswer-5Fid-3D2&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=V_2sby7iFJYgnDPRUxXdeSAwQBL3VyLtOiBHAbk0nSc&s=WPaRSZcO_ixxCj_r3GbM8bdhpE0LrKiw9Gygw7HrCa4&e=

If you still need help, you can reply to this email or go to the
following page to enter your feedback:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=V_2sby7iFJYgnDPRUxXdeSAwQBL3VyLtOiBHAbk0nSc&s=DOONCh1oquVFsUa7GfXuIZSbFHwj1tIKAHTVSAyp4A4&e=

You received this question notification because you asked the question.

Manfred Hampl (m-hampl) said : #5

What kind of authentication do you want to use?
What kind of token do you have?
Is it correctly configured?
Are you following some instructions how to (re)configure the authorization system using PAM and tokens?

And again:
Remove the original mail when you reply to launchpad question e-mails.

Bill Eccles (weccles) said : #6

What kind of authentication do you want to use?
 We will be using card authentication
What kind of token do you have?
 Card
Is it correctly configured?
 I do not know....first time configuring PAM
Are you following some instructions how to (re)configure the authorization system using PAM and tokens?
 Just what I find on the internet/search

Manfred Hampl (m-hampl) said : #7

The message:
"Error 2306: No suitable token available" tells that at this moment no card for authentication could be found. Was it inserted in the reader at that moment?

Bill Eccles (weccles) said : #8

No it was not....just trying to set the server up to be able to accept a card.

If that is the message for no card read....or no card available....then it seems that is the correct message.

Thank you for your assistance.
You are very knowledgeable and sharing that knowledge is very much appreciated!!!!!!
Bill

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Manfred Hampl
Sent: Wednesday, December 05, 2018 3:33 PM
To: ECCLES, WILLIAM <email address hidden>
Subject: Re: [Question #676600]: load_pkcs11_module() failed loading....

Your question #676600 on pam-pkcs11 in Ubuntu changed:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=TLWn9YV78IpzupbrkcdPVguhc0KuKlNLJotSDDVMMNc&s=NPN4uNIr_07GcPQd9qAODJgM25n6m29afcScmPDLYFg&e=

    Status: Open => Needs information

Manfred Hampl requested more information:
The message:
"Error 2306: No suitable token available" tells that at this moment no card for authentication could be found. Was it inserted in the reader at that moment?

--
To answer this request for more information, you can either reply to
this email or enter your reply at the following page:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=TLWn9YV78IpzupbrkcdPVguhc0KuKlNLJotSDDVMMNc&s=NPN4uNIr_07GcPQd9qAODJgM25n6m29afcScmPDLYFg&e=

You received this question notification because you asked the question.

Bill Eccles (weccles) said : #9

I accidentally deleted the /etc/pam.d/login file

Can you please tell me what I need to do to recreate it?

Manfred Hampl (m-hampl) said : #10

Don't you have a backup to restore it?

I assume that /etc/pam.d/login is provided by the "login" package.
Reinstalling that package may restore the file (but might also have undesired side effects).

Bill Eccles (weccles) said : #11

I was running through a STIG list and inadvertently installed APM and pkcs11
We do not have any cards to use for authentication....

My login would not work at all.....received authentication errors

It did not seem possible to disable pkcs11 so I tried to uninstall it.....
I used....
sudo apt-get remove --auto-remove opensc-pkcs11
sudo apt-get purge --auto-remove opensc-pkcs11

However, there still seems to remnants of the package in the system.

I still get login errors as follows when I try to login with my user....sdn....

Smartcard authentication starts
DEBUG:pam_pkcs11.c:308: username = [sdn]
DEBUG:pam_pkcs11.c:319: losding pkcs #11 module...
DEBUG:pam_pkcs11.c:975: PKCS #11 module = [/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so]
ERROR:pam_pkcs11.c:323: load_pkcs11_module() failed loading /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: stat() failed: No such file or directory
Error 2303: PKCS#11module failed loading

Any guidance to remove pkcs11 so I can login would be appreciated.

Should I also remove PAM?

Thank you
Bill

Manfred Hampl (m-hampl) said : #12

Sorry, I do not know what modifications you did to your system in an attempt to enable pam-pkcs11 authentication. You probably would have to undo them.

Maybe there are some remnants in the /etc/pam_pkcs11 directory or in the /etc/pam.conf and /etc/pam.d/* configuration files.

Bill Eccles (weccles) said : #13

That is the problem....
I did not make changes to the files....
But I seem to be going through the authentication process...
Not sure where to look.....

Should these directories/files be deleted?
/etc/pam_pkcs11 directory or in the
/etc/pam.conf
/etc/pam.d/* configuration files.

-----Original Message-----
From: <email address hidden> [mailto:<email address hidden>] On Behalf Of Manfred Hampl
Sent: Monday, January 14, 2019 12:13 PM
To: ECCLES, WILLIAM <email address hidden>
Subject: Re: [Question #676600]: load_pkcs11_module() failed loading....

Your question #676600 on pam-pkcs11 in Ubuntu changed:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=7xegOoDvrmo0bDyDSSPZ_11PBKftRLlziBAF12ilE2I&s=Y4eN1eT0W-KZJFU4E4GaO6IcQ6Bo2xoimBt9ER9CG_w&e=

    Status: Open => Answered

Manfred Hampl proposed the following answer:
Sorry, I do not know what modifications you did to your system in an
attempt to enable pam-pkcs11 authentication. You probably would have to
undo them.

Maybe there are some remnants in the /etc/pam_pkcs11 directory or in the
/etc/pam.conf and /etc/pam.d/* configuration files.

--
If this answers your question, please go to the following page to let us
know that it is solved:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600_-2Bconfirm-3Fanswer-5Fid-3D11&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=7xegOoDvrmo0bDyDSSPZ_11PBKftRLlziBAF12ilE2I&s=k4qSwXzFP776IgSEZ-wFhU1uEwnHKBXWXFYhrPXw1NI&e=

If you still need help, you can reply to this email or go to the
following page to enter your feedback:
https://urldefense.proofpoint.com/v2/url?u=https-3A__answers.launchpad.net_ubuntu_-2Bsource_pam-2Dpkcs11_-2Bquestion_676600&d=DwIFaQ&c=LFYZ-o9_HUMeMTSQicvjIg&r=PpPhkgNrf1luu96xmmdnSg&m=7xegOoDvrmo0bDyDSSPZ_11PBKftRLlziBAF12ilE2I&s=Y4eN1eT0W-KZJFU4E4GaO6IcQ6Bo2xoimBt9ER9CG_w&e=

You received this question notification because you asked the question.

Manfred Hampl (m-hampl) said : #14

1. I already told twice: Please do not use the "reply with history" function in your e-mail system when you answer. Look at https://answers.launchpad.net/ubuntu/+source/pam-pkcs11/+question/676600 and you see that you can hardly find the relevant information beneath all irrelevant additions from your e-mail system.

2. "I did not make changes to the files...."
You did. At least one of the commands that you entered
"zcat /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz | sudo tee /etc/pam_pkcs11/pam_pkcs11.conf" has created one of the files there, and the proposed solution in comment #3 ("change module = /usr/lib/opensc-pkcs11.so...") should also have resulted in a change to one of the files.

If you cannot remember all changes that you have done, who else should know them?

I can only say: Changes on the authentication system like this should be tried in a test system first where it does not do any harm if it is broken.

Bill Eccles (weccles) said : #15

Thank you for the update....
I will look at the previous mails and the information you sent.
This is a test system....but I would like to still get into it.
I have no clue about pkcs11 nor PAM....
I thank you for sharing your expertise.

Bill Eccles (weccles) said : #16

I believe I removed what was created or what I had changed...
Seems the SmartCard authentication is still starting because when I enter login and password I get....

 Login: sdn
 Password: <password>
 Smartcard authentication starts
 ERROR:pam_pkcs11.c:219: Error setting configuration parameters

 Login incorrect

Is there somewhere to look - or a command to run - to stop the Smartcard authentication from starting?

Thanks

Manfred Hampl (m-hampl) said : #17

There is no need to search previous e-mails. The full conversation is available at https://answers.launchpad.net/ubuntu/+source/pam-pkcs11/+question/676600

If you are unable to log it to that system, you always can boot in recovery mode - root prompt.

I suggest that you compare the contents of all logon-related config files with those on a working system.

Another possible approach is reinstalling the packages related to authentication (maybe login, passwd, libpam06, libpam-mosules, libpam-runtime - check first which of them you have installed!)

Can you help with this problem?

Provide an answer of your own, or ask Bill Eccles for more information if necessary.

To post a message you must log in.