[ThinLinc-technical] Client side error, smart cards

[Per Andersson]

Dear all

TL;DR: smart cards, Aventra MyEID 4.5, are giving me the error message 
"Smart card malfunction" after I enter the pin. The cards have been 
configured using a script which has worked before, on older cards. 
Anyone familiar with the error message? Is the card from Aventra 
compatible with TL 4.12.0? Any cards out there which are guaranteed to work?

Long version:

I am maintaining a smaller (~10 clients) installation running the 
Thinlinc clients on a mix of Igel terminals and Linux boxes using smart 
cards for authentication. We are running out of our old batch of smart 
cards (of a type not available anymore) and need to configure new cards. 
We had no success with the ever-present Gemalto MD840 cards, probably 
due to the only partial PKCS#15 support. I have had some success with 
Aventra MyEID 4.5, but I am getting a troubling error message.

On the Igel terminals we are for reasons using version 4.8.1 and on the 
linux boxes (Centos 8.2) version 4.12.0, but I get the same error 
message on both. The client reads the card and I can enter the pin code, 
but then a window pops up saying "Smart card malfunction". There is no 
trace of the transaction on the server side in any log file.

The cards have been prepared using the script published here in the 
mailing list by Peter Å, way back in October 2013 (I think) and we have 
successfully used it for the old batch of cards back then, adopted to 
our environment. I can read the new cards on the linux boxes using 
pkcs11-tools and pkcs15-tools.

My question is two-fold: have anyone seen this error message before and 
can guide me in the troubleshooting, and have anyone successfully used 
Aventra MyEID 4.5 cards? As a bonus question, can anyone tell me if 
there are any smart cards out on the market today which will work in 
combination with a newer version of the TL client?

Best regards

Per
--