
Originally Posted by arvidjaar:
unfortunately QEMU emulated smartcard does not correctly work with OpenSC
I finally tracked it down to the QEMU emulated card reader, which claims it has an external pinpad, so OpenSC did not even attempt to request the PIN (but neither does QEMU). After changing QEMU not to announce the non-existent capability, OpenSC works, and so does pam_p11. Nothing beyond what is described in the pam_p11 readme is required to configure it. As already mentioned, I needed the packages opensc, pcsc-lite, pcsc-ccid, pam_p11 (and their dependencies).
Code:
bor@tw:~> pkcs15-tool --list-info
Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
PKCS#15 Card [John Doe]:
Version : 0
Serial number : 40705072360e000058bd002c19b5
Manufacturer ID: Common Access Card
Flags :
bor@tw:~> pkcs15-tool --list-keys
Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
Private RSA Key [CAC ID Certificate]
Object Flags : [0x1], private
Usage : [0xE], decrypt, sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 1 (0x1)
Native : yes
Path : a0000000790100::3f000100
Auth ID : 01
ID : 0001
MD:guid : e420d0e6-7463-1b83-5033-acaad9ccf2b5
Private RSA Key [CAC Email Signature Certificate]
Object Flags : [0x1], private
Usage : [0xE], decrypt, sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 2 (0x2)
Native : yes
Path : a0000000790101::3f000101
Auth ID : 01
ID : 0002
MD:guid : 248b7dd3-d1eb-60ed-ed34-5d2a75389efe
Private RSA Key [CAC Email Encryption Certificate]
Object Flags : [0x1], private
Usage : [0xE], decrypt, sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 3 (0x3)
Native : yes
Path : a0000000790102::3f000102
Auth ID : 01
ID : 0003
MD:guid : 4ef7bef4-ea00-1b73-ff0f-22872d388384
bor@tw:~> pkcs15-tool --list-certificates
Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
X.509 Certificate [CAC ID Certificate]
Object Flags : [0x0]
Authority : no
Path : a0000000790100::
ID : 0001
Encoded serial : 02 05 00B252AF30
X.509 Certificate [CAC Email Signature Certificate]
Object Flags : [0x0]
Authority : no
Path : a0000000790101::
ID : 0002
Encoded serial : 02 05 00B252AF4F
X.509 Certificate [CAC Email Encryption Certificate]
Object Flags : [0x0]
Authority : no
Path : a0000000790102::
ID : 0003
Encoded serial : 02 05 00B252AF70
bor@tw:~>
tw:/home/bor # pkcs11-tool --module opensc-pkcs11.so -l -t
Using slot 0 with a present token (0x0)
Logging in to "John Doe".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5)
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only for RSA)
testing key 0 (CAC ID Certificate)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
testing key 1 (2048 bits, label=CAC Email Signature Certificate) with 1 signature mechanism
RSA-X-509: OK
testing key 2 (2048 bits, label=CAC Email Encryption Certificate) with 1 signature mechanism
RSA-X-509: OK
Verify (currently only for RSA)
testing key 0 (CAC ID Certificate)
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
testing key 1 (CAC Email Signature Certificate) with 1 mechanism
RSA-X-509: OK
testing key 2 (CAC Email Encryption Certificate) with 1 mechanism
RSA-X-509: OK
Unwrap: not implemented
Decryption (currently only for RSA)
testing key 0 (CAC ID Certificate)
RSA-X-509: OK
RSA-PKCS: OK
testing key 1 (CAC Email Signature Certificate)
RSA-X-509: OK
RSA-PKCS: OK
testing key 2 (CAC Email Encryption Certificate)
RSA-X-509: OK
RSA-PKCS: OK
1 errors
tw:/home/bor #
bor@tw:~> cat /etc/pam.d/su-l
#%PAM-1.0
auth sufficient pam_p11.so opensc-pkcs11.so
auth sufficient pam_rootok.so
auth include common-auth
account sufficient pam_rootok.so
account include common-account
password include common-password
session optional pam_keyinit.so force revoke
session include common-session
session optional pam_xauth.so
bor@tw:~>
bor@tw:~> su - user2
Login with John Doe:
user2@tw:~> cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbFCYmGW7txK9CKoDRJsS+YZILJFttT7RslUjUS0kb4vdF6upQBA0Mbav8RQIPvYzFgQ6QsX3/SEb4WEpNOgcOHuK/vwAtdg9yizykXF0vw80fqE5clxuL5upWkYGYXU6ta5AbiVV8YJnE7H8/+FxMneZKplwFfbNg3liTpK39qvbmqMOPswowMoFr+ygiP2+hwnWnnjGk4Y7mFwFvpf+v680amNA+l4ne7PWk/+xlKQbpQwmYaTIrUS1pioWpDHMZ9bovBM9wdC7c9zbAT6FfpNNn8vtxtD0AUmK388FmTTFSpc6ThGlgJA64txS1foOqKSRtjrl1yZhdJWAPsFmD
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC76GxHzgV7pBJoEtwcP+sXU7ZP+gEc+6cdiQjqK+M7nHvGVeJcP7jew6Gk/zvh5c3o0ioWq8tbt38XaLCDZuUVb266a7OD8C/UHZ/ByQzxTC7Fkcp3r2bGUmbCEZNCiem36lZI10hXNMGbCCBvBKJmn/K+RnZ6BgFpofvyhRoqybv2VAn38jVrq5U9ze5QtOONNApzf3CIkjtWvbZVeRtkn03NDnXK0B6rhEAkA4KeOntprx+E0DxnhTshxrSobRg733WfhSHPP6WD7cm2J+DNk7oGP4oNa6iC7nB4q+xFJ2np4K2oVZX28SDiUaw8mUfZY/f/2noQilhu0F9KEDaF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnRvvLDSdh9XsGm3lZVlyxagKWiB6phv4fWCaOFbRrQR7EARErym+PBkcjGV9IgAmSUdtlEYnVuj7kvLsDnhLN73Vn5IlQxtSJPMKqaSSbMUdt/rYOyrpU4b34fb7s8goRvTN9EycIQ9zXCEwlZgYmASrnMTc2XFmnt0kN/9e12XIt7HXcveJhIsCVoeww0B+vs9j9zjk5T1HLR6TWdZwjxMc/TOOywRGGrrEZnnC9Qf3XNaSzEK+O/NVhZvwX2LxsQm/RPCN4ZmsL0Xo+HJpbvAIj1MQSN0Bsz4JA5FY9oWS6nKcG3FsJSzSsJlERJbeBnDyvhpCeBBf9n1AnQaul
user2@tw:~> ssh-keygen -D opensc-pkcs11.so
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbFCYmGW7txK9CKoDRJsS+YZILJFttT7RslUjUS0kb4vdF6upQBA0Mbav8RQIPvYzFgQ6QsX3/SEb4WEpNOgcOHuK/vwAtdg9yizykXF0vw80fqE5clxuL5upWkYGYXU6ta5AbiVV8YJnE7H8/+FxMneZKplwFfbNg3liTpK39qvbmqMOPswowMoFr+ygiP2+hwnWnnjGk4Y7mFwFvpf+v680amNA+l4ne7PWk/+xlKQbpQwmYaTIrUS1pioWpDHMZ9bovBM9wdC7c9zbAT6FfpNNn8vtxtD0AUmK388FmTTFSpc6ThGlgJA64txS1foOqKSRtjrl1yZhdJWAPsFmD
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC76GxHzgV7pBJoEtwcP+sXU7ZP+gEc+6cdiQjqK+M7nHvGVeJcP7jew6Gk/zvh5c3o0ioWq8tbt38XaLCDZuUVb266a7OD8C/UHZ/ByQzxTC7Fkcp3r2bGUmbCEZNCiem36lZI10hXNMGbCCBvBKJmn/K+RnZ6BgFpofvyhRoqybv2VAn38jVrq5U9ze5QtOONNApzf3CIkjtWvbZVeRtkn03NDnXK0B6rhEAkA4KeOntprx+E0DxnhTshxrSobRg733WfhSHPP6WD7cm2J+DNk7oGP4oNa6iC7nB4q+xFJ2np4K2oVZX28SDiUaw8mUfZY/f/2noQilhu0F9KEDaF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnRvvLDSdh9XsGm3lZVlyxagKWiB6phv4fWCaOFbRrQR7EARErym+PBkcjGV9IgAmSUdtlEYnVuj7kvLsDnhLN73Vn5IlQxtSJPMKqaSSbMUdt/rYOyrpU4b34fb7s8goRvTN9EycIQ9zXCEwlZgYmASrnMTc2XFmnt0kN/9e12XIt7HXcveJhIsCVoeww0B+vs9j9zjk5T1HLR6TWdZwjxMc/TOOywRGGrrEZnnC9Qf3XNaSzEK+O/NVhZvwX2LxsQm/RPCN4ZmsL0Xo+HJpbvAIj1MQSN0Bsz4JA5FY9oWS6nKcG3FsJSzSsJlERJbeBnDyvhpCeBBf9n1AnQaul
user2@tw:~>
It even works with SSH (which fetches private keys from the smartcard).
Code:
bor@tw:~> ssh -I opensc-pkcs11.so -l user2 localhost
Enter PIN for 'John Doe':
Last login: Sat Sep 21 11:34:24 2019 from ::1
Have a lot of fun...
user2@tw:~>
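An added check, not from the post: it parses the text format pkcs15-tool --list-keys prints (as shown above) and flags private keys that are not marked neverExtract/sensitive, are not bound to an Auth ID (PIN object) or use a modulus shorter than 2048 bits. The first key in the sample is an excerpt of the post's output; the second is constructed to trigger every finding.

```python
import re

# Excerpt of the post's pkcs15-tool --list-keys output (first key), plus one
# constructed key with weak attributes so the audit has something to flag.
SAMPLE = """\
Private RSA Key [CAC ID Certificate]
    Object Flags   : [0x1], private
    Usage          : [0xE], decrypt, sign, signRecover
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength      : 2048
    Auth ID        : 01
    ID             : 0001
    MD:guid        : e420d0e6-7463-1b83-5033-acaad9ccf2b5
Private RSA Key [constructed weak key]
    Object Flags   : [0x0]
    Usage          : [0xE], decrypt, sign, signRecover
    Access Flags   : [0x2], extract
    ModLength      : 1024
    ID             : 0009
"""

ATTR = re.compile(r"\s*(.+?)\s+:\s*(.*)$")  # "Name   : value" attribute lines

def parse_keys(text):
    """Group 'Private ... Key [label]' blocks into {label: {attr: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Private \w+ Key \[(.*)\]", line)
        if m:
            current = keys.setdefault(m.group(1), {})
        elif current is not None and (m := ATTR.match(line)):
            current[m.group(1)] = m.group(2)
    return keys

def flag_words(value):
    # "[0x1D], sensitive, neverExtract" -> {"sensitive", "neverExtract"}
    return {w.strip() for w in value.split(",")[1:] if w.strip()}

def audit_key(attrs):
    """Findings for one key; an empty list means it looks healthy."""
    findings = []
    access = flag_words(attrs.get("Access Flags", ""))
    if "neverExtract" not in access:
        findings.append("key not marked neverExtract")
    if "sensitive" not in access:
        findings.append("key not marked sensitive")
    if "Auth ID" not in attrs:
        findings.append("no Auth ID: not bound to a PIN object")
    if int(attrs.get("ModLength", "0")) < 2048:
        findings.append("RSA modulus shorter than 2048 bits")
    return findings
```

Feed it the real output with `audit_key(parse_keys(open("keys.txt").read())[label])` after saving `pkcs15-tool --list-keys` to a file.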