How do I use smart card for computer login.

[Budgie2]

Hi Malcolm and Tsu and thanks again.

I think Tsu reflects the difficulties I have found in using the Nitrokey instructions on their website including the absence of a blow by blow instruction for using pam_p11 on the Nitrokey Storage device and the fact that the Nitrokey instructions link for pam_p11 takes me to pam_pkcs11.

I am advised pam_pkcs11 can deal with either gpg type authorisation keys and X.509 cerificates, I have concluded however, given that poldi is not in openSUSE repo and receives little and infrequent support and I know nothing of the differences between pam_pkcs11 and pam_p11 that I would be better advised to stay with pam_p11. I see that poldi has now been built on openSUSE for which very many thanks, I may need to come back to that but will try first with pam_p11.

If I use the initial Nitrokey instructions for Key Creation with OpenPGP I can either generate keys on the Nitrokey device or generate them locally and copy them to the Nitrokey device. Before making this decision I have a question;

I already have a working key pair on my keyring so should I copy this keypair and required subkeys to the Nitrokey or would I be better starting afresh and not interfering with the existing key pair already in use.

If I start by creating a new key pair will this cause confusion with existing keys or would it be better to use the new keypair only for the Nitrokey login use.

[tsu2]

Hi Malcolm and Tsu and thanks again.

I think Tsu reflects the difficulties I have found in using the Nitrokey instructions on their website including the absence of a blow by blow instruction for using pam_p11 on the Nitrokey Storage device and the fact that the Nitrokey instructions link for pam_p11 takes me to pam_pkcs11.

I am advised pam_pkcs11 can deal with either gpg type authorisation keys and X.509 cerificates, I have concluded however, given that poldi is not in openSUSE repo and receives little and infrequent support and I know nothing of the differences between pam_pkcs11 and pam_p11 that I would be better advised to stay with pam_p11. I see that poldi has now been built on openSUSE for which very many thanks, I may need to come back to that but will try first with pam_p11.

If I use the initial Nitrokey instructions for Key Creation with OpenPGP I can either generate keys on the Nitrokey device or generate them locally and copy them to the Nitrokey device. Before making this decision I have a question;

I already have a working key pair on my keyring so should I copy this keypair and required subkeys to the Nitrokey or would I be better starting afresh and not interfering with the existing key pair already in use.

If I start by creating a new key pair will this cause confusion with existing keys or would it be better to use the new keypair only for the Nitrokey login use.

First, it should be noted that when I looked at the Poldark project repo, it was and is still very active with submits as recently as weeks anda couple months ago, so if the OBS is pulling directly from that repo then should also be very current.

As long as the keys are GPG ((or possibly PGP), i doubt there is any difference where they may be created but of course if not created by the Nitrokey utilities may not be managed properly by those utilities. When I read the PAM-PKCS configuration guide, it was unclear to me whether the key source or at least the manager would have to be authenticated...for instance I remember configurations for the CA but was unclear to me what that would really mean. I'm more used to working with a proper CA architecture where where the CA is available across the network and can be queried, not on a dongle. Would a "CA on a dongle" be queried the same way? I don't know. Of course, if the CA isn't authenticated, then the cert key would just be trusted without further authentication and authorization.

TSU

[Budgie2]

Hi Tsu,
What is Poldark project and do you have a link? Couldn't get past the tv series!!!

Going to line 1 of the Nitrokey installation page it suggests I install libccid. This is not available in my Tumbleweed repos. How should I proceed?

[malcolmlewis]

Hi Tsu,
What is Poldark project and do you have a link? Couldn't get past the tv series!!!

Going to line 1 of the Nitrokey installation page it suggests I install libccid. This is not available in my Tumbleweed repos. How should I proceed?

Hi
It's a library name not a package name, libccid.so is provided by pcsc-ccid package, install that

[Budgie2]

Hi Malcolm many thanks. It seems I already have it installed.

[arvidjaar]

unfortunately QEMU emulated smartcard does not correctly work with OpenSC

I finally tracked it down to QEMU emulated card reader which claims it has external pinpad so OpenSC did not even attempt to request PIN (but neither does QEMU). After changing QEMU to not announce non-existing capability OpenSC works and so does pam_p11. Nothing beyond what is described in pam_p11 readme is required to configure it. As already mentioned, I needed packages opensc, pcsc-lite, pcsc-ccid, pam_p11 (and their dependencies).

Code:

bor@tw:~> pkcs15-tool --list-info
Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
PKCS#15 Card [John Doe]:
    Version        : 0
    Serial number  : 40705072360e000058bd002c19b5
    Manufacturer ID: Common Access Card
    Flags          : 


bor@tw:~> pkcs15-tool --list-keys
Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
Private RSA Key [CAC ID Certificate]
    Object Flags   : [0x1], private
    Usage          : [0xE], decrypt, sign, signRecover
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength      : 2048
    Key ref        : 1 (0x1)
    Native         : yes
    Path           : a0000000790100::3f000100
    Auth ID        : 01
    ID             : 0001
    MD:guid        : e420d0e6-7463-1b83-5033-acaad9ccf2b5


Private RSA Key [CAC Email Signature Certificate]
    Object Flags   : [0x1], private
    Usage          : [0xE], decrypt, sign, signRecover
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength      : 2048
    Key ref        : 2 (0x2)
    Native         : yes
    Path           : a0000000790101::3f000101
    Auth ID        : 01
    ID             : 0002
    MD:guid        : 248b7dd3-d1eb-60ed-ed34-5d2a75389efe


Private RSA Key [CAC Email Encryption Certificate]
    Object Flags   : [0x1], private
    Usage          : [0xE], decrypt, sign, signRecover
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength      : 2048
    Key ref        : 3 (0x3)
    Native         : yes
    Path           : a0000000790102::3f000102
    Auth ID        : 01
    ID             : 0003
    MD:guid        : 4ef7bef4-ea00-1b73-ff0f-22872d388384


bor@tw:~> pkcs15-tool --list-certificates
Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
X.509 Certificate [CAC ID Certificate]
    Object Flags   : [0x0]
    Authority      : no
    Path           : a0000000790100::
    ID             : 0001
    Encoded serial : 02 05 00B252AF30


X.509 Certificate [CAC Email Signature Certificate]
    Object Flags   : [0x0]
    Authority      : no
    Path           : a0000000790101::
    ID             : 0002
    Encoded serial : 02 05 00B252AF4F


X.509 Certificate [CAC Email Encryption Certificate]
    Object Flags   : [0x0]
    Authority      : no
    Path           : a0000000790102::
    ID             : 0003
    Encoded serial : 02 05 00B252AF70


bor@tw:~> 


tw:/home/bor # pkcs11-tool --module opensc-pkcs11.so -l -t
Using slot 0 with a present token (0x0)
Logging in to "John Doe".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5)
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (CAC ID Certificate) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
  testing key 1 (2048 bits, label=CAC Email Signature Certificate) with 1 signature mechanism
    RSA-X-509: OK
  testing key 2 (2048 bits, label=CAC Email Encryption Certificate) with 1 signature mechanism
    RSA-X-509: OK
Verify (currently only for RSA)
  testing key 0 (CAC ID Certificate)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
  testing key 1 (CAC Email Signature Certificate) with 1 mechanism
    RSA-X-509: OK
  testing key 2 (CAC Email Encryption Certificate) with 1 mechanism
    RSA-X-509: OK
Unwrap: not implemented
Decryption (currently only for RSA)
  testing key 0 (CAC ID Certificate) 
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 1 (CAC Email Signature Certificate) 
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 2 (CAC Email Encryption Certificate) 
    RSA-X-509: OK
    RSA-PKCS: OK
1 errors
tw:/home/bor # 


bor@tw:~> cat /etc/pam.d/su-l
#%PAM-1.0
auth      sufficient  pam_p11.so opensc-pkcs11.so
auth      sufficient  pam_rootok.so
auth      include     common-auth
account   sufficient  pam_rootok.so
account   include     common-account
password  include     common-password
session   optional    pam_keyinit.so force revoke
session   include     common-session
session   optional    pam_xauth.so
bor@tw:~> 


bor@tw:~> su - user2
Login with John Doe:
user2@tw:~> cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbFCYmGW7txK9CKoDRJsS+YZILJFttT7RslUjUS0kb4vdF6upQBA0Mbav8RQIPvYzFgQ6QsX3/SEb4WEpNOgcOHuK/vwAtdg9yizykXF0vw80fqE5clxuL5upWkYGYXU6ta5AbiVV8YJnE7H8/+FxMneZKplwFfbNg3liTpK39qvbmqMOPswowMoFr+ygiP2+hwnWnnjGk4Y7mFwFvpf+v680amNA+l4ne7PWk/+xlKQbpQwmYaTIrUS1pioWpDHMZ9bovBM9wdC7c9zbAT6FfpNNn8vtxtD0AUmK388FmTTFSpc6ThGlgJA64txS1foOqKSRtjrl1yZhdJWAPsFmD
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC76GxHzgV7pBJoEtwcP+sXU7ZP+gEc+6cdiQjqK+M7nHvGVeJcP7jew6Gk/zvh5c3o0ioWq8tbt38XaLCDZuUVb266a7OD8C/UHZ/ByQzxTC7Fkcp3r2bGUmbCEZNCiem36lZI10hXNMGbCCBvBKJmn/K+RnZ6BgFpofvyhRoqybv2VAn38jVrq5U9ze5QtOONNApzf3CIkjtWvbZVeRtkn03NDnXK0B6rhEAkA4KeOntprx+E0DxnhTshxrSobRg733WfhSHPP6WD7cm2J+DNk7oGP4oNa6iC7nB4q+xFJ2np4K2oVZX28SDiUaw8mUfZY/f/2noQilhu0F9KEDaF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnRvvLDSdh9XsGm3lZVlyxagKWiB6phv4fWCaOFbRrQR7EARErym+PBkcjGV9IgAmSUdtlEYnVuj7kvLsDnhLN73Vn5IlQxtSJPMKqaSSbMUdt/rYOyrpU4b34fb7s8goRvTN9EycIQ9zXCEwlZgYmASrnMTc2XFmnt0kN/9e12XIt7HXcveJhIsCVoeww0B+vs9j9zjk5T1HLR6TWdZwjxMc/TOOywRGGrrEZnnC9Qf3XNaSzEK+O/NVhZvwX2LxsQm/RPCN4ZmsL0Xo+HJpbvAIj1MQSN0Bsz4JA5FY9oWS6nKcG3FsJSzSsJlERJbeBnDyvhpCeBBf9n1AnQaul
user2@tw:~> ssh-keygen -D opensc-pkcs11.so
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbFCYmGW7txK9CKoDRJsS+YZILJFttT7RslUjUS0kb4vdF6upQBA0Mbav8RQIPvYzFgQ6QsX3/SEb4WEpNOgcOHuK/vwAtdg9yizykXF0vw80fqE5clxuL5upWkYGYXU6ta5AbiVV8YJnE7H8/+FxMneZKplwFfbNg3liTpK39qvbmqMOPswowMoFr+ygiP2+hwnWnnjGk4Y7mFwFvpf+v680amNA+l4ne7PWk/+xlKQbpQwmYaTIrUS1pioWpDHMZ9bovBM9wdC7c9zbAT6FfpNNn8vtxtD0AUmK388FmTTFSpc6ThGlgJA64txS1foOqKSRtjrl1yZhdJWAPsFmD
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC76GxHzgV7pBJoEtwcP+sXU7ZP+gEc+6cdiQjqK+M7nHvGVeJcP7jew6Gk/zvh5c3o0ioWq8tbt38XaLCDZuUVb266a7OD8C/UHZ/ByQzxTC7Fkcp3r2bGUmbCEZNCiem36lZI10hXNMGbCCBvBKJmn/K+RnZ6BgFpofvyhRoqybv2VAn38jVrq5U9ze5QtOONNApzf3CIkjtWvbZVeRtkn03NDnXK0B6rhEAkA4KeOntprx+E0DxnhTshxrSobRg733WfhSHPP6WD7cm2J+DNk7oGP4oNa6iC7nB4q+xFJ2np4K2oVZX28SDiUaw8mUfZY/f/2noQilhu0F9KEDaF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnRvvLDSdh9XsGm3lZVlyxagKWiB6phv4fWCaOFbRrQR7EARErym+PBkcjGV9IgAmSUdtlEYnVuj7kvLsDnhLN73Vn5IlQxtSJPMKqaSSbMUdt/rYOyrpU4b34fb7s8goRvTN9EycIQ9zXCEwlZgYmASrnMTc2XFmnt0kN/9e12XIt7HXcveJhIsCVoeww0B+vs9j9zjk5T1HLR6TWdZwjxMc/TOOywRGGrrEZnnC9Qf3XNaSzEK+O/NVhZvwX2LxsQm/RPCN4ZmsL0Xo+HJpbvAIj1MQSN0Bsz4JA5FY9oWS6nKcG3FsJSzSsJlERJbeBnDyvhpCeBBf9n1AnQaul
user2@tw:~>

It even works with SSH (which fetches private keys from smartcard)

Code:

bor@tw:~> ssh -I opensc-pkcs11.so -l user2 localhost
Enter PIN for 'John Doe':
Last login: Sat Sep 21 11:34:24 2019 from ::1
Have a lot of fun...
user2@tw:~>

[Budgie2]

Hi arvidjaar and many thanks for your help. I am following the pam_p11 readme starting with the /etc/pam.d/sudo edit. The files referred to are in different places from the example so I would appreciate you checking that I have it right. It is entirely possible I have it wrong. This is what I have done:-

Code:

AJBR-W530:/etc/pam.d # cat sudo
#%PAM-1.0
auth sufficient /lib64/security/pam_p11.so /usr/lib64/pkcs11/opensc-pkcs11.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  optional       pam_keyinit.so revoke
session  include        common-session
# session  optional       pam_xauth.so
AJBR-W530:/etc/pam.d #

Is it OK please before I edit the rest?

[Budgie2]

There is another question while following these instruction. These instructions include several references to configuration files for example:-

### PIN change and unblock

To allow changing and unblocking the PIN via pam_p11, add the following to your configuration:

```
password optional /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
```

An optional second argument to `pam_p11.so` may be used to check for a specific format when prompting for the token's password. On macOS this defaults to the regular expression `^[[:digit:]]*$` to avoid confusion with the user's password in the login screen. pam_p11 uses [POSIX-Extended Regular Expressions](https://man.openbsd.org/re_format.7) for matching.

I am spoilt for choice here. Which is the "the configuration file?"

[arvidjaar]

Code:

AJBR-W530:/etc/pam.d # cat sudo
#%PAM-1.0
auth sufficient /lib64/security/pam_p11.so /usr/lib64/pkcs11/opensc-pkcs11.so

Is it OK?

It won't work for 32 bit applications.

[arvidjaar]

Which is the "the configuration file?"

PAM configuration for application with which you want to change PIN. The problem is that application needs to call corresponding PAM functions to change authentication information, so adding it to arbitrary application makes no sense. I am pretty sure that passwd does it (after all this is one you are using to change your password).

Unlocking PIN with PUK would be interesting as part of login though assuming login is capable of actually making use of it. I have no way to test it as emulated card simply does not offer this functionality.

And this is entirely optional unless you want to use smart card as the only authentication possibility.