
I'm having trouble getting PKCS#11 and PAM to work. For whatever reason NSS has stopped working and I can't create a new database.

Here's the output from PKCS11 and NSS:

DEBUG:pkcs11_lib.c:187: Initializing NSS ...
DEBUG:pkcs11_lib.c:197: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:206: NSS_Initialize failed: (null)
ERROR:pam_pkcs11.c:250: Failed to initialize crypto

After checking all my configs and how-tos, I googled and found this: certutil: function failed: security library: bad database

Which reminded me that I probably never created a new NSS database (which, however, I thought would be done automatically?).

But when trying to create a new database, I get the following:

# certutil -d /etc/pam_pkcs11/nssdb -N
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

So I did some digging and tried:

# certutil -d sql:/etc/pam_pkcs11/nssdb -N
certutil: function failed: SEC_ERROR_BAD_DATABASE: security library: bad database.

System: Fedora 21 (This is as new as it gets)
NSS: nss-tools-3.20.1-1.0 + nss-3.20.1-1.0
PAM: pam_pkcs11-0.6.8-6
OpenSC: opensc-0.14.0-2
OpenSSL: openssl-1.0.1k-12
SQLite: sqlite-3.8.11.1-1

Torxed

1 Answer


I should probably go home and have some food or something.

Forgot to create the folder nssdb (yes, it's a folder and not a file.. which is so clearly stated in every forum Google came up with during my debugging).

I should know this.

# mkdir -p /etc/pam_pkcs11/nssdb
# chmod 700 /etc/pam_pkcs11/nssdb
# certutil -d /etc/pam_pkcs11/nssdb -N

Also note that when using NSS with PAM, especially on older systems, never use sql:-style NSS databases.

Torxed
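
The errors in this thread all depend on what actually sits at the nssdb path. As an added example (not part of the original answer), this script classifies that path and checks the `chmod 700` permissions before pam_pkcs11 is pointed at it; the function names are made up for this example, and the file names are the standard NSS ones.

```shell
#!/bin/sh
# Added example (not from the post). File names are the standard NSS ones:
# cert8.db + key3.db = legacy DBM format, cert9.db + key4.db = sql: format.

# Print one word describing what is at the configured nssdb path.
nssdb_status() {
    dir=$1
    if [ ! -e "$dir" ]; then echo missing; return 0; fi
    if [ ! -d "$dir" ]; then echo not-a-directory; return 0; fi
    dbm=n; sql=n
    if [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ]; then dbm=y; fi
    if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then sql=y; fi
    case "$dbm$sql" in
        yy) echo both ;;
        yn) echo dbm ;;
        ny) echo sql ;;
        *)  echo uninitialized ;;
    esac
}

# Succeed only if group and others have no access (the chmod 700 above).
nssdb_private() {
    [ "$(ls -ld -- "$1" | cut -c5-10)" = "------" ]
}

# Turn the status into the next step, following the answer above.
nssdb_report() {
    dir=$1
    case "$(nssdb_status "$dir")" in
        missing)         echo "$dir missing: mkdir -p, chmod 700, then certutil -d $dir -N" ;;
        not-a-directory) echo "$dir is a file; NSS expects a directory" ;;
        uninitialized)   echo "$dir has no database: certutil -d $dir -N" ;;
        sql)             echo "$dir holds only a sql: database (cert9.db/key4.db)" ;;
        *)               echo "$dir holds a DBM database (cert8.db/key3.db)" ;;
    esac
    if [ -d "$dir" ] && ! nssdb_private "$dir"; then
        echo "$dir is accessible to group/other: chmod 700 $dir"
    fi
    return 0
}

# Run against a path given on the command line, if any.
if [ $# -gt 0 ]; then nssdb_report "$1"; fi
```

Run it as root with the path from the pam_pkcs11 configuration, for example `/etc/pam_pkcs11/nssdb`.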