
Thread: How do I use smart card for computer login.

  1. #1

    How do I use smart card for computer login.

    I wish to use a smart card to log in to my computer. I have purchased a Nitrokey Storage device which I understand has the required capability once set up. I tried following the Nitrokey instructions and although they referred both to pam_p11 and poldi, unfortunately they only gave instructions for poldi which I cannot find on my Tumbleweed installation.

    If somebody could help me with the instructions for setting up and using pam_p11 and my smart card device for computer login on my Tumbleweed computer I would be most grateful.

  2. #2
    Join Date
    Sep 2012
    Posts
    5,122

    Re: How do I use smart card for computer login.

    Quote, originally posted by Budgie2:
    If somebody could help me with the instructions for setting up and using pam_p11
    It would be more productive if you asked specific questions about pam_p11 documentation where you need clarification. Because as far as I can tell it is pretty complete (as far as generic documentation goes).
    and my smart card device
    Well, does gpg see your card? Can you set PIN, create keys etc? It should just work, you should not need any extra software.

    Can opensc see your card? You will need opensc, pcsc-lite and pcsc-ccid as far as I can tell. Can you use pkcs11-tool or pkcs15-tool to list keys and certificates on this card?

    P.S. I do not own a physical smartcard and unfortunately the QEMU emulated smartcard does not work correctly with OpenSC (or maybe I demand too much), so I am happy to have a guinea pig to become more familiar with this topic.

  3. #3
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,819
    Blog Entries
    15

    Re: How do I use smart card for computer login.

    Hi
    Did you install the nitrokey-app from the security repository (only place it lives) which seems to be required to configure these devices?

    These instructions seem to be the ones to use (as well as the packages indicated by user arvidjaar)? https://www.nitrokey.com/documentati...orage&os:linux
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE
    If you find this post helpful and are logged into the web interface,
    please show your appreciation and click on the star below... Thanks!

  4. #4

    Re: How do I use smart card for computer login.

    Quote, originally posted by arvidjaar:
    It would be more productive if you asked specific questions about pam_p11 documentation where you need clarification. Because as far as I can tell it is pretty complete (as far as generic documentation goes).
    You may be able to see that far but I have no idea where you are looking. It would be more productive if you told me specifically how you can tell by giving me the reference for me to read!

    Well, does gpg see your card? Can you set PIN, create keys etc? It should just work, you should not need any extra software.

    Can opensc see your card? You will need opensc, pcsc-lite and pcsc-ccid as far as I can tell. Can you use pkcs11-tool or pkcs15-tool to list keys and certificates on this card?

    P.S. I do not own a physical smartcard and unfortunately the QEMU emulated smartcard does not work correctly with OpenSC (or maybe I demand too much), so I am happy to have a guinea pig to become more familiar with this topic.
    Without entering any pin or any login requirements on the card I cannot see any directories in the way I expect and although the Nitrokey instructions suggest I should have gpg keys built on card I cannot see any evidence that a key pair has been installed. I couldn't find either tool on my system.
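
Added example, not part of any post in this thread: a shell sketch of the checks suggested in post #2 that first reports missing tools (the situation described in post #4) and then stops at the first layer that fails. The function names are hypothetical, the `gpg2` package name is an assumption, and the OpenSC tools are run before gpg because gpg's scdaemon can keep the card open.

```shell
#!/bin/sh
# Added example, not from the thread. The opensc package name comes from
# post #2; "gpg2" as the package that ships gpg is an assumption.
# The OpenSC tools also need pcscd (pcsc-lite, pcsc-ccid) to be running.

# Print "tool package" for each required tool that is not on PATH.
missing_tools() {
    for pair in pkcs15-tool:opensc pkcs11-tool:opensc gpg:gpg2; do
        tool=${pair%%:*}
        pkg=${pair#*:}
        command -v "$tool" >/dev/null 2>&1 || echo "$tool $pkg"
    done
}

# Run one check, show its output, and report by exit status.
# A non-zero exit status is treated as failure; read the output either way.
step() {
    desc=$1
    shift
    echo "== $desc: $*"
    if "$@"; then
        echo "-- ok"
    else
        echo "-- FAILED: $desc"
        return 1
    fi
}

# Returns 2 if tools are missing, 1 if a check fails, 0 if all pass.
check_card() {
    miss=$(missing_tools)
    if [ -n "$miss" ]; then
        echo "$miss" | while read -r tool pkg; do
            echo "missing: $tool (install package $pkg)"
        done
        return 2
    fi
    step "keys visible via PKCS#15" pkcs15-tool --list-keys &&
    step "certificates visible via PKCS#15" pkcs15-tool --list-certificates &&
    step "objects visible via PKCS#11" pkcs11-tool --list-objects &&
    step "OpenPGP card visible to gpg" gpg --card-status
}

# Run the checks only when asked to: sh check_card.sh run
if [ "${1:-}" = "run" ]; then
    check_card
fi
```

The first `FAILED` line names the layer to investigate; everything printed before it came from the tools themselves.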

  5. #5

    Re: How do I use smart card for computer login.

    Quote, originally posted by malcolmlewis:
    Hi
    Did you install the nitrokey-app from the security repository (only place it lives) which seems to be required to configure these devices?

    These instructions seem to be the ones to use (as well as the packages indicated by user arvidjaar)? https://www.nitrokey.com/documentati...orage&os:linux
    Hi Malcolm,
    Yes I installed Nitrokey-app from security repo which is where I found it and have read all the installation instructions but I will do it all again in case I have missed something. If you have time to look at the application instructions for Nitrokey Storage Linux > Applications > Computer Login I hope you will see where I run into difficulty. I will try again.

  6. #6

    Re: How do I use smart card for computer login.

    Quote, originally posted by Budgie2:
    Hi Malcolm,
    Yes I installed Nitrokey-app from security repo which is where I found it and have read all the installation instructions but I will do it all again in case I have missed something. If you have time to look at the application instructions for Nitrokey Storage Linux > Applications > Computer Login I hope you will see where I run into difficulty. I will try again.
    Hi
    So you get output from;

    Code:
    gpg --card-status | grep Application
    This could look like 'D00600012401020000000000xxxxxxxx nitrokeyuser'?

  7. #7
    Join Date
    Jun 2008
    Location
    San Diego, Ca, USA
    Posts
    11,270
    Blog Entries
    2

    Re: How do I use smart card for computer login.

    Configuring to support computer logins seems not to be clearly documented in an easy-to-use way with clear step-by-step instructions.
    If instead you simply wanted to use your dongle to authenticate use of an application like a website or email, it would be a lot easier...

    For configuring logging into a Linux machine, I can at least help you along the various Nitrokey documentation links...

    Start with the link Malcolm gave you...
    https://www.nitrokey.com/documentati...orage&os:linux

    I might have overlooked something but I don't know if it makes any difference whether you create a GPG or an S/MIME cert, maybe somewhere down the road it might make a diff... If you follow the Poldi documentation though, you will be expected to have set up an OpenPGP key...

    Anyway, back to the present. Just create your cert key, and if it's not created correctly for some undocumented reason, you'll just have to re-do this step later.

    From this page, there is a link to configuring for specific Use Cases, and the 3rd "computer login" link is for configuring Linux; the following link should be what you want
    https://www.nitrokey.com/documentati...computer-login

    The preferred method appears to be to use Poldi
    Looks like no Poldi rpms have been created for a long time, since 2013 and I see recent requests for this in Fedora.
    If you choose this route, then you can continue to follow the main instructions for setup in the Nitrokey documentation
    I took a quick look at the Github source for Poldi and didn't see anything that is specific to Debian, AFAICS it should build without issues for a system like openSUSE
    The Poldi github repo
    https://github.com/gpg/poldi
    The build instructions look simple and straightforward, not particularly complicated
    https://github.com/gpg/poldi/blob/master/INSTALL

    There is also a link to the following (might need to be translated to your native language if you don't read German)
    https://wiki.ubuntuusers.de/Archiv/A...PGP_SmartCard/

    The alternative to Poldi is what you're currently doing which I must warn will lead to confusing, generic documentation...
    The next link to setting up PAM-PKCS is the following page
    https://github.com/OpenSC/pam_pkcs11

    If you installed PAM-PKCS from an openSUSE repo or successfully compiled it and it's in the right place so apps can find it, then all the install instructions can be skipped and your next page should be the following page for configuring PAM-PKCS. Skimming this page, of course again you should be able to skip any installation but it's less certain exactly which configuration steps are required and which can be skipped. At the least, IMO the mapping cert to User account in 5.3 would be required. Maybe the Card Event Manager can do everything, I don't know without actually trying to see what it does.
    http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html

    Good Luck.
    Maybe some kind of Nitrokey support would have some special insight based on experience.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  8. #8

    Re: How do I use smart card for computer login.

    Hi
    Poldi seems to have very little maintenance... https://git.gnupg.org/cgi-bin/gitweb....git;a=summary


  10. #10

    Re: How do I use smart card for computer login.

    Quote, originally posted by Budgie2:
    You may be able to see that far but I have no idea where you are looking.
    Neither have we any idea what you have read. You repeatedly say that you have read something and it was of no help without providing any link to what you have read.
    It would be more productive if you told me specifically how you can tell by giving me the reference for me to read!
    You quoted a large part of these instructions in your other thread.
