
Thread: How do I use smart card for computer login.

  1. #11

    Re: How do I use smart card for computer login.

    Hi Malcolm and Tsu and thanks again.

    I think Tsu reflects the difficulties I have found in using the Nitrokey instructions on their website including the absence of a blow by blow instruction for using pam_p11 on the Nitrokey Storage device and the fact that the Nitrokey instructions link for pam_p11 takes me to pam_pkcs11.

    I am advised pam_pkcs11 can deal with either gpg type authorisation keys or X.509 certificates. I have concluded however, given that poldi is not in the openSUSE repo and receives little and infrequent support, and I know nothing of the differences between pam_pkcs11 and pam_p11, that I would be better advised to stay with pam_p11. I see that poldi has now been built on openSUSE, for which very many thanks; I may need to come back to that but will try first with pam_p11.

    If I use the initial Nitrokey instructions for Key Creation with OpenPGP I can either generate keys on the Nitrokey device or generate them locally and copy them to the Nitrokey device. Before making this decision I have a question:

    I already have a working key pair on my keyring so should I copy this keypair and required subkeys to the Nitrokey or would I be better starting afresh and not interfering with the existing key pair already in use.

    If I start by creating a new key pair will this cause confusion with existing keys or would it be better to use the new keypair only for the Nitrokey login use.

  2. #12

    Re: How do I use smart card for computer login.

    Quote Originally Posted by Budgie2:
    Hi Malcolm and Tsu and thanks again.

    I think Tsu reflects the difficulties I have found in using the Nitrokey instructions on their website including the absence of a blow by blow instruction for using pam_p11 on the Nitrokey Storage device and the fact that the Nitrokey instructions link for pam_p11 takes me to pam_pkcs11.

    I am advised pam_pkcs11 can deal with either gpg type authorisation keys or X.509 certificates. I have concluded however, given that poldi is not in the openSUSE repo and receives little and infrequent support, and I know nothing of the differences between pam_pkcs11 and pam_p11, that I would be better advised to stay with pam_p11. I see that poldi has now been built on openSUSE, for which very many thanks; I may need to come back to that but will try first with pam_p11.

    If I use the initial Nitrokey instructions for Key Creation with OpenPGP I can either generate keys on the Nitrokey device or generate them locally and copy them to the Nitrokey device. Before making this decision I have a question:

    I already have a working key pair on my keyring so should I copy this keypair and required subkeys to the Nitrokey or would I be better starting afresh and not interfering with the existing key pair already in use.

    If I start by creating a new key pair will this cause confusion with existing keys or would it be better to use the new keypair only for the Nitrokey login use.
    First, it should be noted that when I looked at the Poldark project repo, it was and is still very active, with submits as recently as weeks and a couple of months ago, so if the OBS is pulling directly from that repo then it should also be very current.

    As long as the keys are GPG (or possibly PGP), I doubt there is any difference where they may be created, but of course if not created by the Nitrokey utilities they may not be managed properly by those utilities. When I read the PAM-PKCS configuration guide, it was unclear to me whether the key source or at least the manager would have to be authenticated... for instance I remember configurations for the CA but it was unclear to me what that would really mean. I'm more used to working with a proper CA architecture where the CA is available across the network and can be queried, not on a dongle. Would a "CA on a dongle" be queried the same way? I don't know. Of course, if the CA isn't authenticated, then the cert key would just be trusted without further authentication and authorization.

    TSU

  3. #13

    Re: How do I use smart card for computer login.

    Hi Tsu,
    What is the Poldark project and do you have a link? Couldn't get past the TV series!!!

    Going to line 1 of the Nitrokey installation page it suggests I install libccid. This is not available in my Tumbleweed repos. How should I proceed?

  4. #14

    Re: How do I use smart card for computer login.

    Quote Originally Posted by Budgie2:
    Hi Tsu,
    What is the Poldark project and do you have a link? Couldn't get past the TV series!!!

    Going to line 1 of the Nitrokey installation page it suggests I install libccid. This is not available in my Tumbleweed repos. How should I proceed?
    Hi,
    It's a library name, not a package name; libccid.so is provided by the pcsc-ccid package, install that.
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  5. #15

    Re: How do I use smart card for computer login.

    Hi Malcolm many thanks. It seems I already have it installed.

  6. #16

    Re: How do I use smart card for computer login.

    Quote Originally Posted by arvidjaar:
    unfortunately QEMU emulated smartcard does not correctly work with OpenSC
    I finally tracked it down to the QEMU emulated card reader, which claims it has an external pinpad, so OpenSC did not even attempt to request the PIN (but neither does QEMU). After changing QEMU to not announce the non-existing capability, OpenSC works and so does pam_p11. Nothing beyond what is described in the pam_p11 readme is required to configure it. As already mentioned, I needed the packages opensc, pcsc-lite, pcsc-ccid, pam_p11 (and their dependencies).

    Code:
    bor@tw:~> pkcs15-tool --list-info
    Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
    PKCS#15 Card [John Doe]:
        Version        : 0
        Serial number  : 40705072360e000058bd002c19b5
        Manufacturer ID: Common Access Card
        Flags          : 
    
    
    bor@tw:~> pkcs15-tool --list-keys
    Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
    Private RSA Key [CAC ID Certificate]
        Object Flags   : [0x1], private
        Usage          : [0xE], decrypt, sign, signRecover
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : a0000000790100::3f000100
        Auth ID        : 01
        ID             : 0001
        MD:guid        : e420d0e6-7463-1b83-5033-acaad9ccf2b5
    
    
    Private RSA Key [CAC Email Signature Certificate]
        Object Flags   : [0x1], private
        Usage          : [0xE], decrypt, sign, signRecover
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 2 (0x2)
        Native         : yes
        Path           : a0000000790101::3f000101
        Auth ID        : 01
        ID             : 0002
        MD:guid        : 248b7dd3-d1eb-60ed-ed34-5d2a75389efe
    
    
    Private RSA Key [CAC Email Encryption Certificate]
        Object Flags   : [0x1], private
        Usage          : [0xE], decrypt, sign, signRecover
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 3 (0x3)
        Native         : yes
        Path           : a0000000790102::3f000102
        Auth ID        : 01
        ID             : 0003
        MD:guid        : 4ef7bef4-ea00-1b73-ff0f-22872d388384
    
    
    bor@tw:~> pkcs15-tool --list-certificates
    Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
    X.509 Certificate [CAC ID Certificate]
        Object Flags   : [0x0]
        Authority      : no
        Path           : a0000000790100::
        ID             : 0001
        Encoded serial : 02 05 00B252AF30
    
    
    X.509 Certificate [CAC Email Signature Certificate]
        Object Flags   : [0x0]
        Authority      : no
        Path           : a0000000790101::
        ID             : 0002
        Encoded serial : 02 05 00B252AF4F
    
    
    X.509 Certificate [CAC Email Encryption Certificate]
        Object Flags   : [0x0]
        Authority      : no
        Path           : a0000000790102::
        ID             : 0003
        Encoded serial : 02 05 00B252AF70
    
    
    bor@tw:~> 
    
    
    tw:/home/bor # pkcs11-tool --module opensc-pkcs11.so -l -t
    Using slot 0 with a present token (0x0)
    Logging in to "John Doe".
    Please enter User PIN: 
    C_SeedRandom() and C_GenerateRandom():
      seeding (C_SeedRandom) not supported
      ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5)
    Digests:
      all 4 digest functions seem to work
      MD5: OK
      SHA-1: OK
      RIPEMD160: OK
    Signatures (currently only for RSA)
      testing key 0 (CAC ID Certificate) 
      all 4 signature functions seem to work
      testing signature mechanisms:
        RSA-X-509: OK
        RSA-PKCS: OK
        SHA1-RSA-PKCS: OK
        MD5-RSA-PKCS: OK
        RIPEMD160-RSA-PKCS: OK
        SHA256-RSA-PKCS: OK
      testing key 1 (2048 bits, label=CAC Email Signature Certificate) with 1 signature mechanism
        RSA-X-509: OK
      testing key 2 (2048 bits, label=CAC Email Encryption Certificate) with 1 signature mechanism
        RSA-X-509: OK
    Verify (currently only for RSA)
      testing key 0 (CAC ID Certificate)
        RSA-X-509: OK
        RSA-PKCS: OK
        SHA1-RSA-PKCS: OK
        MD5-RSA-PKCS: OK
        RIPEMD160-RSA-PKCS: OK
      testing key 1 (CAC Email Signature Certificate) with 1 mechanism
        RSA-X-509: OK
      testing key 2 (CAC Email Encryption Certificate) with 1 mechanism
        RSA-X-509: OK
    Unwrap: not implemented
    Decryption (currently only for RSA)
      testing key 0 (CAC ID Certificate) 
        RSA-X-509: OK
        RSA-PKCS: OK
      testing key 1 (CAC Email Signature Certificate) 
        RSA-X-509: OK
        RSA-PKCS: OK
      testing key 2 (CAC Email Encryption Certificate) 
        RSA-X-509: OK
        RSA-PKCS: OK
    1 errors
    tw:/home/bor # 
    
    
    bor@tw:~> cat /etc/pam.d/su-l
    #%PAM-1.0
    auth      sufficient  pam_p11.so opensc-pkcs11.so
    auth      sufficient  pam_rootok.so
    auth      include     common-auth
    account   sufficient  pam_rootok.so
    account   include     common-account
    password  include     common-password
    session   optional    pam_keyinit.so force revoke
    session   include     common-session
    session   optional    pam_xauth.so
    bor@tw:~> 
    
    
    bor@tw:~> su - user2
    Login with John Doe:
    user2@tw:~> cat .ssh/authorized_keys
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbFCYmGW7txK9CKoDRJsS+YZILJFttT7RslUjUS0kb4vdF6upQBA0Mbav8RQIPvYzFgQ6QsX3/SEb4WEpNOgcOHuK/vwAtdg9yizykXF0vw80fqE5clxuL5upWkYGYXU6ta5AbiVV8YJnE7H8/+FxMneZKplwFfbNg3liTpK39qvbmqMOPswowMoFr+ygiP2+hwnWnnjGk4Y7mFwFvpf+v680amNA+l4ne7PWk/+xlKQbpQwmYaTIrUS1pioWpDHMZ9bovBM9wdC7c9zbAT6FfpNNn8vtxtD0AUmK388FmTTFSpc6ThGlgJA64txS1foOqKSRtjrl1yZhdJWAPsFmD
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC76GxHzgV7pBJoEtwcP+sXU7ZP+gEc+6cdiQjqK+M7nHvGVeJcP7jew6Gk/zvh5c3o0ioWq8tbt38XaLCDZuUVb266a7OD8C/UHZ/ByQzxTC7Fkcp3r2bGUmbCEZNCiem36lZI10hXNMGbCCBvBKJmn/K+RnZ6BgFpofvyhRoqybv2VAn38jVrq5U9ze5QtOONNApzf3CIkjtWvbZVeRtkn03NDnXK0B6rhEAkA4KeOntprx+E0DxnhTshxrSobRg733WfhSHPP6WD7cm2J+DNk7oGP4oNa6iC7nB4q+xFJ2np4K2oVZX28SDiUaw8mUfZY/f/2noQilhu0F9KEDaF
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnRvvLDSdh9XsGm3lZVlyxagKWiB6phv4fWCaOFbRrQR7EARErym+PBkcjGV9IgAmSUdtlEYnVuj7kvLsDnhLN73Vn5IlQxtSJPMKqaSSbMUdt/rYOyrpU4b34fb7s8goRvTN9EycIQ9zXCEwlZgYmASrnMTc2XFmnt0kN/9e12XIt7HXcveJhIsCVoeww0B+vs9j9zjk5T1HLR6TWdZwjxMc/TOOywRGGrrEZnnC9Qf3XNaSzEK+O/NVhZvwX2LxsQm/RPCN4ZmsL0Xo+HJpbvAIj1MQSN0Bsz4JA5FY9oWS6nKcG3FsJSzSsJlERJbeBnDyvhpCeBBf9n1AnQaul
    user2@tw:~> ssh-keygen -D opensc-pkcs11.so
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbFCYmGW7txK9CKoDRJsS+YZILJFttT7RslUjUS0kb4vdF6upQBA0Mbav8RQIPvYzFgQ6QsX3/SEb4WEpNOgcOHuK/vwAtdg9yizykXF0vw80fqE5clxuL5upWkYGYXU6ta5AbiVV8YJnE7H8/+FxMneZKplwFfbNg3liTpK39qvbmqMOPswowMoFr+ygiP2+hwnWnnjGk4Y7mFwFvpf+v680amNA+l4ne7PWk/+xlKQbpQwmYaTIrUS1pioWpDHMZ9bovBM9wdC7c9zbAT6FfpNNn8vtxtD0AUmK388FmTTFSpc6ThGlgJA64txS1foOqKSRtjrl1yZhdJWAPsFmD
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC76GxHzgV7pBJoEtwcP+sXU7ZP+gEc+6cdiQjqK+M7nHvGVeJcP7jew6Gk/zvh5c3o0ioWq8tbt38XaLCDZuUVb266a7OD8C/UHZ/ByQzxTC7Fkcp3r2bGUmbCEZNCiem36lZI10hXNMGbCCBvBKJmn/K+RnZ6BgFpofvyhRoqybv2VAn38jVrq5U9ze5QtOONNApzf3CIkjtWvbZVeRtkn03NDnXK0B6rhEAkA4KeOntprx+E0DxnhTshxrSobRg733WfhSHPP6WD7cm2J+DNk7oGP4oNa6iC7nB4q+xFJ2np4K2oVZX28SDiUaw8mUfZY/f/2noQilhu0F9KEDaF
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnRvvLDSdh9XsGm3lZVlyxagKWiB6phv4fWCaOFbRrQR7EARErym+PBkcjGV9IgAmSUdtlEYnVuj7kvLsDnhLN73Vn5IlQxtSJPMKqaSSbMUdt/rYOyrpU4b34fb7s8goRvTN9EycIQ9zXCEwlZgYmASrnMTc2XFmnt0kN/9e12XIt7HXcveJhIsCVoeww0B+vs9j9zjk5T1HLR6TWdZwjxMc/TOOywRGGrrEZnnC9Qf3XNaSzEK+O/NVhZvwX2LxsQm/RPCN4ZmsL0Xo+HJpbvAIj1MQSN0Bsz4JA5FY9oWS6nKcG3FsJSzSsJlERJbeBnDyvhpCeBBf9n1AnQaul
    user2@tw:~>
    It even works with SSH (which fetches the private keys from the smartcard):
    Code:
    bor@tw:~> ssh -I opensc-pkcs11.so -l user2 localhost
    Enter PIN for 'John Doe':
    Last login: Sat Sep 21 11:34:24 2019 from ::1
    Have a lot of fun...
    user2@tw:~>
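    The su and ssh logins above succeed because the public keys printed by ssh-keygen -D opensc-pkcs11.so match entries in user2's ~/.ssh/authorized_keys. The script below is an added example, not code from this thread or from the pam_p11 project: it checks that correspondence from two saved files so it runs offline; the key values and the check_card_keys and write_samples functions are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the pam_p11 project.
# Reports which public keys exported by a PKCS#11 module appear in a
# user's ~/.ssh/authorized_keys. Inputs are plain files so it runs offline;
# on a real system produce the first one with:
#   ssh-keygen -D opensc-pkcs11.so > card_keys
#
# check_card_keys CARD_KEYS_FILE AUTHORIZED_KEYS_FILE
#   Prints one line per token key; returns 1 if any key is missing.
check_card_keys() {
    card_keys=$1
    auth_keys=$2
    missing=0
    while read -r ktype kdata label; do
        # Skip blank and comment lines in the exported key list.
        case "$ktype" in ''|'#'*) continue ;; esac
        # Match on "<type> <base64>" only: the comment may differ, and an
        # authorized_keys line may carry an options prefix (options that
        # contain spaces are not handled).
        if awk -v t="$ktype" -v d="$kdata" '
                $1 ~ /^#/ { next }
                { i = ($1 ~ /^(ssh-|ecdsa-|sk-)/) ? 1 : 2
                  if ($i == t && $(i + 1) == d) found = 1 }
                END { exit !found }' "$auth_keys"; then
            echo "authorized: $ktype ($label)"
        else
            echo "MISSING:    $ktype ($label)"
            missing=$((missing + 1))
        fi
    done < "$card_keys"
    [ "$missing" -eq 0 ]
}

# Constructed sample data (not real keys), written into directory $1.
write_samples() {
    cat > "$1/card_keys" <<'EOF'
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyOne CAC ID Certificate
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyTwo CAC Email Signature Certificate
EOF
    cat > "$1/authorized_keys" <<'EOF'
# constructed authorized_keys: key one present under another comment, key two absent
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedKeyOne john@laptop
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructedOtherKey backup@host
EOF
}

# Stand-alone demo: expected to list key two as MISSING.
demo_dir=$(mktemp -d)
write_samples "$demo_dir"
check_card_keys "$demo_dir/card_keys" "$demo_dir/authorized_keys" \
    || echo "some token keys are not in authorized_keys"
rm -r "$demo_dir"
```

A key reported as MISSING is one pam_p11 cannot use for that account, so this is the first thing to check when the card is recognised by pkcs15-tool but login still falls through to the password prompt.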

  7. #17

    Re: How do I use smart card for computer login.

    Hi arvidjaar and many thanks for your help. I am following the pam_p11 readme starting with the /etc/pam.d/sudo edit. The files referred to are in different places from the example so I would appreciate you checking that I have it right. It is entirely possible I have it wrong. This is what I have done:-

    Code:
    AJBR-W530:/etc/pam.d # cat sudo
    #%PAM-1.0
    auth sufficient /lib64/security/pam_p11.so /usr/lib64/pkcs11/opensc-pkcs11.so
    auth     include        common-auth
    account  include        common-account
    password include        common-password
    session  optional       pam_keyinit.so revoke
    session  include        common-session
    # session  optional       pam_xauth.so
    AJBR-W530:/etc/pam.d #
    Is it OK please before I edit the rest?

  8. #18

    Re: How do I use smart card for computer login.

    There is another question while following these instructions. These instructions include several references to configuration files, for example:-

    ### PIN change and unblock

    To allow changing and unblocking the PIN via pam_p11, add the following to your configuration:

    ```
    password optional /usr/local/lib/security/pam_p11.so /usr/local/lib/opensc-pkcs11.so
    ```

    An optional second argument to `pam_p11.so` may be used to check for a specific format when prompting for the token's password. On macOS this defaults to the regular expression `^[[:digit:]]*$` to avoid confusion with the user's password in the login screen. pam_p11 uses [POSIX-Extended Regular Expressions](https://man.openbsd.org/re_format.7) for matching.
    I am spoilt for choice here. Which is "the configuration file"?

  9. #19

    Re: How do I use smart card for computer login.

    Quote Originally Posted by Budgie2:
    Code:
    AJBR-W530:/etc/pam.d # cat sudo
    #%PAM-1.0
    auth sufficient /lib64/security/pam_p11.so /usr/lib64/pkcs11/opensc-pkcs11.so
    Is it OK?
    It won't work for 32 bit applications.

  10. #20

    Re: How do I use smart card for computer login.

    Quote Originally Posted by Budgie2:
    Which is "the configuration file"?
    The PAM configuration for the application with which you want to change the PIN. The problem is that the application needs to call the corresponding PAM functions to change authentication information, so adding it to an arbitrary application makes no sense. I am pretty sure that passwd does it (after all, this is the one you are using to change your password).

    Unlocking the PIN with the PUK would be interesting as part of login though, assuming login is capable of actually making use of it. I have no way to test it, as the emulated card simply does not offer this functionality.

    And this is entirely optional unless you want to use a smart card as the only authentication possibility.
