I have been struggling with setting up a NitroKey Storage key device and there are instructions on the NitroKey web site but…
The instructions which seem to me simplest require Poldi and I cannot find this on the Tumbleweed repos I have installed.
Pam_p11 is also suggested and is available in the repo but this approach appears to use X509 CA Certificates and this is well above my ability at present.
How can I get Poldi and can anybody give any advice or experience using it please?
a) find someone who already built it for your distribution
b) build it yourself
c) ask someone to do it for you
d) pay someone to do it for you
I do not see anyone building it in OBS which with high probability means you realistically have only three options.
According to readme on pam_p11 site
Pam_p11 implements two authentication methods:
- verify a token using a known public key found in OpenSSH's ~/.ssh/authorized_keys.
- verify a token using a known certificate found in ~/.eid/authorized_certificates.
OK and thanks again for the advice. I will research more on the Pam_p11 as I only checked one article by the author and it was over my head.
Will also have a go at building poldi.
Many thanks,
Budge
Hi and thanks again. I had been looking in the wrong place. The Nitrokey Applications gave me the link for Pam-PKCS11 manual which, not surprisingly, gives instructions for CS Certificate application. The documentation from Pam_p11 download is what you showed me and clearly covers both cases and I shall try and get working.
There is one minor issue which is that the Pam_p11 version on repo site is slightly older than that on oss-sec website and when I tried to build it I ran into too many conflicts for my liking.
Worth reposting general posting “Best Practice”
If you’re following guide or instructions on the Internet, post a link to it.
If you experience an error, post the command you ran and the exact output that results.
An x509 certificate is simply a string of text characters that’s used to authenticate, more specifically in web applications like a website or authenticating Users, commonly used in SSL connections.
So, as described, an x509 certificate can be generated by various utilities like openssh and openssl.
TSU
Hi Tsu, sorry I was thinking out loud as it were. OK I have file in~/Downloads/pam_p11-0.3.1.tar.gz where I have extracted it. The installation instructions are straight forward so as instructed I ran:-
alastair@AJBR-W530:~/Downloads/pam_p11-0.3.1> ./configure --prefix=/usr --libdir=/lib/
I ran this as me not root. I think all went OK after I had sorted out some conflicts.
Running make gave me information which seemed to include errors and when I ran make install and this told me there were insufficient permissions for the installation. It seems to me I should run make install as root but possibly I should have run make also as root.
Having run sudo make install everything ran as expected but I suspect some libraries may be in wrong place because I only ran make as me not sudo make.
I hope this is making sense and would appreciate your advice before proceeding as there are instructions I do not understand at the end. Here is my console output, warts and all and I would very much appreciate your advice here.
Yes, your “make” returned a critical error.
You should generally run a 3 commands as root (This is where you can take advantage of openSUSE permissive use of root to just run the commands in a root console instead of using sudo).
So, as is typically, the case, just do that… run all 3 commands as root and you should be fine, the results should over-write your mistakes.
TSU
Hi Tsu,
Many thanks for the advice. I have rebuilt and installed pam_p11 and there were no errors this time so I think all is OK except for the comment, still repeated after the install. The script for the whole process is in the suse past file above and in particular lines 393 to 418 and in particular line 405:-
- have your system administrator add LIBDIR to ‘/etc/ld.so.conf’
I do not understand the reference to LIBDIR.
I had ignored this earlier thinking I would not need it but out of the blue, after logging in just now, a window opened with the text:-
add LIBDIR to etc/ld.so.conf
the window appeared as a plain screen, no other text and I had difficulty removing it.
Clearly I need to do as instructed if only I knew about LIBDIR.
Hi
That is just plain asinine, configure and build as your user, install as root…
Still on the same problem there are instructions included in the README.md file included with pam_p11 package which after installation go on to explain usage of pam_p11 and this has details which I do not follow as the instructions included refer to files not actually installed. As you can tell I am working well beyond my paygrade but am determined to sort this out with help please. I have quoted the instructions below and not all but after the instructions for installation. I fall at the first fence because the second line, repeated here does not have line /usr/local/lib/security/pam_p11.so.
auth sufficient /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
The instructions gpo on as follows.
Using pam_p11
Login
To use pam_p11 with some application like
sudo, edit/etc/pam.d/sudoand add something like the following at the beginning of the file:
auth sufficient /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
Replace
/usr/local/lib/opensc-pkcs11.sowith your PKCS#11 implementation. Using an absolute path topam_p11.soavoids the need to write to a system directory, which is especially useful for macOS with system integrity protection (SIP) enabled.
An optional second argument to
pam_p11.somay be used to check for a specific format when prompting for the token’s password. On macOS this defaults to the regular expression^:digit:]]*$to avoid confusion with the user’s password in the login screen. pam_p11 uses POSIX-Extended Regular Expressions for matching.
While testing it is best to keep a door open. Editing the configuration files from a different machine via SSH helps reverting a bad PAM login configuration. Replace
sufficientwithrequiredand remove other unwanted PAM modules from the file only when you’ve successfully verified the configuration.
To enable pam_p11 for all logins (graphical and terminal based), change the following configuration files as described above:
Operating System PAM configuration file macOS /etc/pam.d/authorizationDebian /etc/pam.d/common-authArch Linux /etc/pam.d/system-auth
PIN change and unblock
To allow changing and unblocking the PIN via pam_p11, add the following to your configuration:
password optional /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
An optional second argument to
pam_p11.somay be used to check for a specific format when prompting for the token’s password. On macOS this defaults to the regular expression^:digit:]]*$to avoid confusion with the user’s password in the login screen. pam_p11 uses POSIX-Extended Regular Expressions for matching.
User configuration via
~/.eid/authorized_certificates
A user may create a
~/.eid/directory and create a file~/.eid/authorized_certificateswith authorized certificates. You can do that via
mkdir -p ~/.eid chmod 0755 ~/.eid pkcs11-tool --read-object --type cert --id 45 --module /usr/lib/opensc-pkcs11.so --output-file cert.cer openssl x509 -inform DER -in cert.cer -outform PEM >> ~/.eid/authorized_certificates chmod 0644 ~/.eid/authorized_certificates
This example uses the
pkcs11-toolcommand from opensc to read a certificate (id45) from the smart card. Usepkcs11-tool --list-objects --type cert --module /usr/lib/opensc-pkcs11.soto view all certificates available on the card.
It is very important that only the user of the file can write to it. You can have any number of certificates in that file. The certificates need to be in PEM format. DER format is not supported.
User configuration via
~/.ssh/authorized_keys
A user may create a
~/.ssh/directory and create a file~/.ssh/authorized_keyswith authorized public keys. You can do that via
mkdir -p ~/.ssh chmod 0755 ~/.ssh ssh-keygen -D /usr/lib/opensc-pkcs11.so >> ~/.ssh/authorized_keys chmod 0644 ~/.ssh/authorized_keys
This example uses the
ssh-keygencommand from openssh to read the default user public key (id 45) from the smart card in reader 0. Note that this tool prints the public keys in two formats: ssh v1 and ssh v2 format. It is recommended to edit the file and delete one of those two lines. Also you might want to add a comment / identifier at the end of the line.
It is very important that only the user of the file can write to it. You can have any number of public keys in that file.
Note it is currently not possible to convert existing ssh keys into pem format and store them on a smart card. (To be precise: OpenSC has no such functionality, not sure about other implementations.)
Security Note
pam_p11 simply compares public keys and request the cryptographic token to sign some random data and verifiy the signature with the public key. No CA chain checking is done, no CRL is looked at, and they don’t know what OCSP is. This works fine for small installations, but if you want any of those features, please have a look at Pam_pkcs11 for a fully fledged PAM module for smart card authentication.
I hope this can be resolved and many thanks for all the help so far.
Budgie2
Oh dear I am a bit confused. My first attempt at the three stage process of
./configure, make and make install
was first done as my user and I saw there were permission problems so I ran the last stage again as
sudo make install
which might have been how I now interpret Malcolm’s instruction. Having seen there might have still been similar errors and with Tsu’s advice I ran the whole lot as root.
This might explain why I do not have all that I needed in /usr/local/lib/security. I do not want to provoke an argument through my own ignorance so await further advice.
Hows this for encryption!
If this sentence is supposed to mean “you do not have file /usr/local/lib/security/pam_p11.so on your system” - it was your decision to install pam_p11 from source instead of using package that is part of openSUSE. How should we know where you decided to install this file?
If you intended to say something different, please clarify.
Hi
From the configure command, likely installed in in /lib (–libdir=/lib/), but I do concur as to why the openSUSE packages are not used, if there is an issue, a bug report is always a good stop to get support added?
It’s one of those files that defines the PATHs on your machine.
You can open that file and find that it already contains the usual paths pointing to where libraries are normally installed on your machine.
But, what you just built apparently didn’t install in any of the locations defined,
So you have two options…
Move the files to one of the locations defined in /etc/ld.so.conf (This I recommend)
or
as described, edit the file to add a new path to your library.
Or,
I’m not sure why the above are the recommendations…
I’d instead recommend if not the first option I described, add to your LD_LIBRARY_PATH by making an “export” entry in a /etc/profiles.local
(Well known alternative is to add to your bashrc)
Then run ldconfig or reboot to activate the path.
TSU
Hi Malcolm and thanks for the reply. I am not qualified to go as far as a bug report and it is entirely possible, indeed probable that the fault is mine.
Arvidjaar in his often acerbic manner has pointed out that I should have installed from openSUSE and indeed that is what I would have done if I had found it through YAST but at that time I the required repo (http://download.opensuse.org/repositories/security/openSUSE_Tumbleweed/) was not installed and I didn’t know of this repo but found the download file and fetched it from OpenSC.
Hindsight is a wonderful thing but I am learning all the time and would like to continue if you are willing. What I would like to know is which is the correct way to approach the ./configur, make, make install pattern.
I shall now follow Tsu’s advice on getting the paths correct and try and make progress.
Hi Tsu, I am being thick again and would open it if I could find it, but I cannot find LIBDIR. Could it be it has not been created?
pam_p11 (and opensc) are part of standard Tumbleweed, no additional repository is required. Did you try “zypper in pam_p11”?
Hi arvdjaar and thanks for your question. I transitioned from Leap 15.1 to Tumbleweed only recently and at that time only three repos were initially installed as I recall.
Whatever the case I then added packman and libdvdcss.
For package installation I use yast and have never been accustomed to using zypper although I know I should. It has only been since Tumbleweed that I learned to use zypper for package updates and certainly never thought to try zypper in pam_p11. At the time I could not find pam_p11 using yast software manager. It was only after I installed the security repo that pam_p11 was found using yast.
More important for me is should I unwind from here and start over? Is that what you suggest or would you be able to help me sort this out without removing anything but checking the configuration and rectifying any anomalies?
Hi
Wherever you ran make install from you should be able to just run make uninstall and it will remove everything.
Not sure why you just didn’t install from the main repository?
zypper if pam_p11
Information for package pam_p11:
--------------------------------
Repository : Main Repository (OSS)
Name : pam_p11
Version : 0.3.0-1.1
I would suggest sticking with the distribution version, adding the development repository is somewhat pointless (unless testing a fix, just impatient etc) as the packages here will eventually make it into Tumbleweed.