How do I use a smart card for computer login?

I wish to use a smart card to log in to my computer. I have purchased a Nitrokey Storage device which I understand has the required capability once set up. I tried following the Nitrokey instructions and although they referred both to pam_p11 and poldi, unfortunately they only gave instructions for poldi which I cannot find on my Tumbleweed installation.

If somebody could help me with the instructions for setting up and using pam_p11 and my smart card device for computer login on my Tumbleweed computer I would be most grateful.

It would be more productive if you asked specific questions about the pam_p11 documentation where you need clarification, because as far as I can tell it is pretty complete (as far as generic documentation goes).

and my smart card device

Well, does gpg see your card? Can you set PIN, create keys etc? It should just work, you should not need any extra software.

Can opensc see your card? You will need opensc, pcsc-lite and pcsc-ccid as far as I can tell. Can you use pkcs11-tool or pkcs15-tool to list keys and certificates on this card?

P.S. I do not own a physical smartcard and unfortunately the QEMU emulated smartcard does not work correctly with OpenSC (or maybe I demand too much), so I am happy to have a guinea pig to become more familiar with this topic :slight_smile:

Hi
Did you install the nitrokey-app from the security repository (only place it lives) which seems to be required to configure these devices?

These instructions seem to be the ones to use (as well as the packages indicated by user arvidjaar): https://www.nitrokey.com/documentation/installation#p:nitrokey-storage&os:linux

You may be able to see that far but I have no idea where you are looking. It would be more productive if you told me specifically how you can tell by giving me the reference for me to read!

Well, does gpg see your card? Can you set PIN, create keys etc? It should just work, you should not need any extra software.

Can opensc see your card? You will need opensc, pcsc-lite and pcsc-ccid as far as I can tell. Can you use pkcs11-tool or pkcs15-tool to list keys and certificates on this card?

P.S. I do not own a physical smartcard and unfortunately the QEMU emulated smartcard does not work correctly with OpenSC (or maybe I demand too much), so I am happy to have a guinea pig to become more familiar with this topic :slight_smile:

Without entering any PIN or any login requirements on the card I cannot see any directories in the way I expect, and although the Nitrokey instructions suggest I should have gpg keys built on the card I cannot see any evidence that a key pair has been installed. I couldn’t find either tool on my system.

Hi Malcolm,
Yes, I installed nitrokey-app from the security repo, which is where I found it, and have read all the installation instructions, but I will do it all again in case I have missed something. If you have time to look at the application instructions for Nitrokey Storage Linux > Applications > Computer Login I hope you will see where I run into difficulty. I will try again.

Hi
So you get output from:

gpg --card-status | grep Application

This could look like ‘D00600012401020000000000xxxxxxxx nitrokeyuser’?

Configuring to support computer logins seems not to be clearly documented in an easy-to-use way with clear step-by-step instructions.
If instead you simply wanted to use your dongle to authenticate use of an application like a website or email, it would be a lot easier…

For configuring logging into a Linux machine, I can at least help you along the various Nitrokey documentation links…

Start with the link Malcolm gave you…
https://www.nitrokey.com/documentation/installation#p:nitrokey-storage&os:linux

I might have overlooked something but I don’t know if it makes any difference whether you create a GPG or an S/MIME cert, maybe somewhere down the road it might make a diff… If you follow the Poldi documentation though, you will be expected to have set up an OpenPGP key…

Anyway, back to the present. Just create your cert key, and if it’s not created correctly for some undocumented reason, you’ll just have to re-do this step later.

From this page, there is a link to configuring for specific use cases, and the 3rd “computer login” link is for configuring Linux; the following link should be what you want:
https://www.nitrokey.com/documentation/applications#a:computer-login

The preferred method appears to be to use Poldi.
Looks like no Poldi rpms have been created for a long time, since 2013, and I see recent requests for this in Fedora.
If you choose this route, then you can continue to follow the main instructions for setup in the Nitrokey documentation.
I took a quick look at the Github source for Poldi and didn’t see anything that is specific to Debian; AFAICS it should build without issues for a system like openSUSE.
The Poldi github repo:
https://github.com/gpg/poldi
The build instructions look simple and straightforward, not particularly complicated:
https://github.com/gpg/poldi/blob/master/INSTALL

There is also a link to the following (might need to be translated to your native language if you don’t read German)
https://wiki.ubuntuusers.de/Archiv/Authentifizierung_OpenPGP_SmartCard/

The alternative to Poldi is what you’re currently doing, which I must warn will lead to confusing, generic documentation…
The next link, to setting up PAM-PKCS, is the following page:
https://github.com/OpenSC/pam_pkcs11

If you installed PAM-PKCS from an openSUSE repo or successfully compiled it and it’s in the right place so apps can find it, then all the install instructions can be skipped and your next page should be the following page for configuring PAM-PKCS. Skimming this page, of course again you should be able to skip any installation, but it’s less certain exactly which configuration steps are required and which can be skipped. At the least, IMO the mapping of cert to user account in 5.3 would be required. Maybe the Card Event Manager can do everything; I don’t know without actually trying to see what it does.
http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html

Good Luck.
Maybe some kind of Nitrokey support would have some special insight based on experience.

TSU

Hi
Poldi seems to have very little maintenance… https://git.gnupg.org/cgi-bin/gitweb.cgi?p=poldi.git;a=summary

Hi
Building poldi for you…
https://build.opensuse.org/package/show/home:malcolmlewis:TESTING/poldi

Neither have we any idea what you have read. You repeatedly say that you have read something and it was of no help without providing any link to what you have read.

It would be more productive if you told me specifically how you can tell by giving me the reference for me to read!

You quoted large part of these instructions in your other thread.

Hi Malcolm and Tsu and thanks again.

I think Tsu reflects the difficulties I have found in using the Nitrokey instructions on their website including the absence of a blow by blow instruction for using pam_p11 on the Nitrokey Storage device and the fact that the Nitrokey instructions link for pam_p11 takes me to pam_pkcs11.

I am advised pam_pkcs11 can deal with either gpg type authorisation keys or X.509 certificates. I have concluded, however, given that poldi is not in the openSUSE repo and receives little and infrequent support, and that I know nothing of the differences between pam_pkcs11 and pam_p11, that I would be better advised to stay with pam_p11. I see that poldi has now been built on openSUSE, for which very many thanks; I may need to come back to that but will try first with pam_p11.

If I use the initial Nitrokey instructions for Key Creation with OpenPGP I can either generate keys on the Nitrokey device or generate them locally and copy them to the Nitrokey device. Before making this decision I have a question:

I already have a working key pair on my keyring, so should I copy this key pair and the required subkeys to the Nitrokey, or would I be better starting afresh and not interfering with the existing key pair already in use?

If I start by creating a new key pair, will this cause confusion with existing keys, or would it be better to use the new key pair only for the Nitrokey login use?

First, it should be noted that when I looked at the Poldark project repo, it was and is still very active with submits as recently as weeks and a couple of months ago, so if the OBS is pulling directly from that repo then it should also be very current.

As long as the keys are GPG (or possibly PGP), I doubt there is any difference where they may be created, but of course if not created by the Nitrokey utilities they may not be managed properly by those utilities. When I read the PAM-PKCS configuration guide, it was unclear to me whether the key source or at least the manager would have to be authenticated… for instance I remember configurations for the CA but it was unclear to me what that would really mean. I’m more used to working with a proper CA architecture where the CA is available across the network and can be queried, not on a dongle. Would a “CA on a dongle” be queried the same way? I don’t know. Of course, if the CA isn’t authenticated, then the cert key would just be trusted without further authentication and authorization.

TSU

Hi Tsu,
What is Poldark project and do you have a link? Couldn’t get past the tv series!!!

Going to line 1 of the Nitrokey installation page it suggests I install libccid. This is not available in my Tumbleweed repos. How should I proceed?

Hi
It’s a library name, not a package name; libccid.so is provided by the pcsc-ccid package, install that :wink:

Hi Malcolm many thanks. It seems I already have it installed.

I finally tracked it down to the QEMU emulated card reader, which claims it has an external pinpad, so OpenSC did not even attempt to request the PIN (but neither does QEMU). After changing QEMU to not announce the non-existing capability OpenSC works and so does pam_p11. Nothing beyond what is described in the pam_p11 readme is required to configure it. As already mentioned, I needed the packages opensc, pcsc-lite, pcsc-ccid, pam_p11 (and their dependencies).

bor@tw:~> pkcs15-tool --list-info
Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
PKCS#15 Card [John Doe]:
    Version        : 0
    Serial number  : 40705072360e000058bd002c19b5
    Manufacturer ID: Common Access Card
    Flags          : 


bor@tw:~> pkcs15-tool --list-keys
Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
Private RSA Key [CAC ID Certificate]
    Object Flags   : [0x1], private
    Usage          : [0xE], decrypt, sign, signRecover
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength      : 2048
    Key ref        : 1 (0x1)
    Native         : yes
    Path           : a0000000790100::3f000100
    Auth ID        : 01
    ID             : 0001
    MD:guid        : e420d0e6-7463-1b83-5033-acaad9ccf2b5


Private RSA Key [CAC Email Signature Certificate]
    Object Flags   : [0x1], private
    Usage          : [0xE], decrypt, sign, signRecover
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength      : 2048
    Key ref        : 2 (0x2)
    Native         : yes
    Path           : a0000000790101::3f000101
    Auth ID        : 01
    ID             : 0002
    MD:guid        : 248b7dd3-d1eb-60ed-ed34-5d2a75389efe


Private RSA Key [CAC Email Encryption Certificate]
    Object Flags   : [0x1], private
    Usage          : [0xE], decrypt, sign, signRecover
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength      : 2048
    Key ref        : 3 (0x3)
    Native         : yes
    Path           : a0000000790102::3f000102
    Auth ID        : 01
    ID             : 0003
    MD:guid        : 4ef7bef4-ea00-1b73-ff0f-22872d388384


bor@tw:~> pkcs15-tool --list-certificates
Using reader with a card: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:1d.7-1) 00 00
X.509 Certificate [CAC ID Certificate]
    Object Flags   : [0x0]
    Authority      : no
    Path           : a0000000790100::
    ID             : 0001
    Encoded serial : 02 05 00B252AF30


X.509 Certificate [CAC Email Signature Certificate]
    Object Flags   : [0x0]
    Authority      : no
    Path           : a0000000790101::
    ID             : 0002
    Encoded serial : 02 05 00B252AF4F


X.509 Certificate [CAC Email Encryption Certificate]
    Object Flags   : [0x0]
    Authority      : no
    Path           : a0000000790102::
    ID             : 0003
    Encoded serial : 02 05 00B252AF70


bor@tw:~> 


tw:/home/bor # pkcs11-tool --module opensc-pkcs11.so -l -t
Using slot 0 with a present token (0x0)
Logging in to "John Doe".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5)
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (CAC ID Certificate) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
  testing key 1 (2048 bits, label=CAC Email Signature Certificate) with 1 signature mechanism
    RSA-X-509: OK
  testing key 2 (2048 bits, label=CAC Email Encryption Certificate) with 1 signature mechanism
    RSA-X-509: OK
Verify (currently only for RSA)
  testing key 0 (CAC ID Certificate)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
  testing key 1 (CAC Email Signature Certificate) with 1 mechanism
    RSA-X-509: OK
  testing key 2 (CAC Email Encryption Certificate) with 1 mechanism
    RSA-X-509: OK
Unwrap: not implemented
Decryption (currently only for RSA)
  testing key 0 (CAC ID Certificate) 
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 1 (CAC Email Signature Certificate) 
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 2 (CAC Email Encryption Certificate) 
    RSA-X-509: OK
    RSA-PKCS: OK
1 errors
tw:/home/bor # 


bor@tw:~> cat /etc/pam.d/su-l
#%PAM-1.0
auth      sufficient  pam_p11.so opensc-pkcs11.so
auth      sufficient  pam_rootok.so
auth      include     common-auth
account   sufficient  pam_rootok.so
account   include     common-account
password  include     common-password
session   optional    pam_keyinit.so force revoke
session   include     common-session
session   optional    pam_xauth.so
bor@tw:~> 


bor@tw:~> su - user2
Login with John Doe:
user2@tw:~> cat .ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbFCYmGW7txK9CKoDRJsS+YZILJFttT7RslUjUS0kb4vdF6upQBA0Mbav8RQIPvYzFgQ6QsX3/SEb4WEpNOgcOHuK/vwAtdg9yizykXF0vw80fqE5clxuL5upWkYGYXU6ta5AbiVV8YJnE7H8/+FxMneZKplwFfbNg3liTpK39qvbmqMOPswowMoFr+ygiP2+hwnWnnjGk4Y7mFwFvpf+v680amNA+l4ne7PWk/+xlKQbpQwmYaTIrUS1pioWpDHMZ9bovBM9wdC7c9zbAT6FfpNNn8vtxtD0AUmK388FmTTFSpc6ThGlgJA64txS1foOqKSRtjrl1yZhdJWAPsFmD
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC76GxHzgV7pBJoEtwcP+sXU7ZP+gEc+6cdiQjqK+M7nHvGVeJcP7jew6Gk/zvh5c3o0ioWq8tbt38XaLCDZuUVb266a7OD8C/UHZ/ByQzxTC7Fkcp3r2bGUmbCEZNCiem36lZI10hXNMGbCCBvBKJmn/K+RnZ6BgFpofvyhRoqybv2VAn38jVrq5U9ze5QtOONNApzf3CIkjtWvbZVeRtkn03NDnXK0B6rhEAkA4KeOntprx+E0DxnhTshxrSobRg733WfhSHPP6WD7cm2J+DNk7oGP4oNa6iC7nB4q+xFJ2np4K2oVZX28SDiUaw8mUfZY/f/2noQilhu0F9KEDaF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnRvvLDSdh9XsGm3lZVlyxagKWiB6phv4fWCaOFbRrQR7EARErym+PBkcjGV9IgAmSUdtlEYnVuj7kvLsDnhLN73Vn5IlQxtSJPMKqaSSbMUdt/rYOyrpU4b34fb7s8goRvTN9EycIQ9zXCEwlZgYmASrnMTc2XFmnt0kN/9e12XIt7HXcveJhIsCVoeww0B+vs9j9zjk5T1HLR6TWdZwjxMc/TOOywRGGrrEZnnC9Qf3XNaSzEK+O/NVhZvwX2LxsQm/RPCN4ZmsL0Xo+HJpbvAIj1MQSN0Bsz4JA5FY9oWS6nKcG3FsJSzSsJlERJbeBnDyvhpCeBBf9n1AnQaul
user2@tw:~> ssh-keygen -D opensc-pkcs11.so
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCbFCYmGW7txK9CKoDRJsS+YZILJFttT7RslUjUS0kb4vdF6upQBA0Mbav8RQIPvYzFgQ6QsX3/SEb4WEpNOgcOHuK/vwAtdg9yizykXF0vw80fqE5clxuL5upWkYGYXU6ta5AbiVV8YJnE7H8/+FxMneZKplwFfbNg3liTpK39qvbmqMOPswowMoFr+ygiP2+hwnWnnjGk4Y7mFwFvpf+v680amNA+l4ne7PWk/+xlKQbpQwmYaTIrUS1pioWpDHMZ9bovBM9wdC7c9zbAT6FfpNNn8vtxtD0AUmK388FmTTFSpc6ThGlgJA64txS1foOqKSRtjrl1yZhdJWAPsFmD
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC76GxHzgV7pBJoEtwcP+sXU7ZP+gEc+6cdiQjqK+M7nHvGVeJcP7jew6Gk/zvh5c3o0ioWq8tbt38XaLCDZuUVb266a7OD8C/UHZ/ByQzxTC7Fkcp3r2bGUmbCEZNCiem36lZI10hXNMGbCCBvBKJmn/K+RnZ6BgFpofvyhRoqybv2VAn38jVrq5U9ze5QtOONNApzf3CIkjtWvbZVeRtkn03NDnXK0B6rhEAkA4KeOntprx+E0DxnhTshxrSobRg733WfhSHPP6WD7cm2J+DNk7oGP4oNa6iC7nB4q+xFJ2np4K2oVZX28SDiUaw8mUfZY/f/2noQilhu0F9KEDaF
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDnRvvLDSdh9XsGm3lZVlyxagKWiB6phv4fWCaOFbRrQR7EARErym+PBkcjGV9IgAmSUdtlEYnVuj7kvLsDnhLN73Vn5IlQxtSJPMKqaSSbMUdt/rYOyrpU4b34fb7s8goRvTN9EycIQ9zXCEwlZgYmASrnMTc2XFmnt0kN/9e12XIt7HXcveJhIsCVoeww0B+vs9j9zjk5T1HLR6TWdZwjxMc/TOOywRGGrrEZnnC9Qf3XNaSzEK+O/NVhZvwX2LxsQm/RPCN4ZmsL0Xo+HJpbvAIj1MQSN0Bsz4JA5FY9oWS6nKcG3FsJSzSsJlERJbeBnDyvhpCeBBf9n1AnQaul
user2@tw:~> 

It even works with SSH (which fetches private keys from the smartcard):

bor@tw:~> ssh -I opensc-pkcs11.so -l user2 localhost
Enter PIN for 'John Doe':
Last login: Sat Sep 21 11:34:24 2019 from ::1
Have a lot of fun...
user2@tw:~>
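A check worth running before enabling the PAM line, added here and not part of the thread or of pam_p11 itself: it reads the public keys the PKCS#11 module exposes (via ssh-keygen -D, as in the session above) and reports which of them appear in the account's ~/.ssh/authorized_keys, the file pam_p11 consults. The ssh-rsa blobs are constructed samples, and the default module name and the --live switch are assumptions.

```python
"""Check which keys on a smart card pam_p11 would accept for an account.

pam_p11 compares the public keys exposed by the PKCS#11 module with the
keys listed in the user's ~/.ssh/authorized_keys (the same file the
thread's su/ssh session relies on). Running this before enabling the
PAM line shows whether the card will actually be able to log you in."""
import os
import subprocess
import sys

KEY_TYPES = {"ssh-rsa", "ssh-ed25519", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521"}

# Constructed sample data (not real keys) so the check can be exercised
# without a card: the card exposes two RSA keys, only the second one is
# authorized for the account, and the file also holds an unrelated key.
SAMPLE_CARD = ("ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedCard1\n"
               "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedCard2\n")
SAMPLE_AUTHORIZED = (
    "# constructed authorized_keys for user2\n\n"
    'from="10.0.0.1" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCconstructedCard2 user2@tw\n'
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIconstructed laptop\n")


def parse_keys(text):
    """Return the set of (type, base64 blob) pairs found in text.

    Accepts both ssh-keygen -D output and an authorized_keys file: blank
    lines, comments and leading option fields (from=, command=) are skipped."""
    keys = set()
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        for i, field in enumerate(fields[:-1]):
            if field in KEY_TYPES:
                keys.add((field, fields[i + 1]))
                break
    return keys


def authorized_card_keys(card_text, authorized_text):
    """Keys that are both on the card and listed as authorized."""
    return parse_keys(card_text) & parse_keys(authorized_text)


def check_live(module="opensc-pkcs11.so", authorized_file=None):
    """Query the real card via ssh-keygen -D and compare with the file."""
    if authorized_file is None:
        authorized_file = os.path.expanduser("~/.ssh/authorized_keys")
    card = subprocess.run(["ssh-keygen", "-D", module], capture_output=True,
                          text=True, check=True).stdout
    with open(authorized_file) as fh:
        return authorized_card_keys(card, fh.read())


if __name__ == "__main__":
    if "--live" in sys.argv:        # needs pcscd, opensc and a card (assumed flag)
        accepted = check_live()
    else:
        accepted = authorized_card_keys(SAMPLE_CARD, SAMPLE_AUTHORIZED)
    for ktype, blob in sorted(accepted):
        print(f"accepted: {ktype} ...{blob[-20:]}")
    sys.exit(0 if accepted else 1)
```

An empty result means the card can unlock nothing for that account, which is the state to verify before making pam_p11 the only auth method.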

Hi arvidjaar and many thanks for your help. I am following the pam_p11 readme, starting with the /etc/pam.d/sudo edit. The files referred to are in different places from the example, so I would appreciate you checking that I have it right. It is entirely possible I have it wrong. This is what I have done:

AJBR-W530:/etc/pam.d # cat sudo
#%PAM-1.0
auth sufficient /lib64/security/pam_p11.so /usr/lib64/pkcs11/opensc-pkcs11.so
auth     include        common-auth
account  include        common-account
password include        common-password
session  optional       pam_keyinit.so revoke
session  include        common-session
# session  optional       pam_xauth.so
AJBR-W530:/etc/pam.d # 


Is it OK please before I edit the rest?

There is another question while following these instructions. These instructions include several references to configuration files, for example:

PIN change and unblock

To allow changing and unblocking the PIN via pam_p11, add the following to your configuration:

password  optional    /usr/local/lib/security/pam_p11.so  /usr/local/lib/opensc-pkcs11.so

An optional second argument to pam_p11.so may be used to check for a specific format when prompting for the token’s password. On macOS this defaults to the regular expression ^[[:digit:]]*$ to avoid confusion with the user’s password in the login screen. pam_p11 uses POSIX-Extended Regular Expressions for matching.

I am spoilt for choice here. Which is “the configuration file”?

It won’t work for 32-bit applications.

The PAM configuration for the application with which you want to change the PIN. The problem is that the application needs to call the corresponding PAM functions to change authentication information, so adding it to an arbitrary application makes no sense. I am pretty sure that passwd does it (after all, this is the one you are using to change your password).

Unlocking the PIN with the PUK would be interesting as part of login though, assuming login is capable of actually making use of it. I have no way to test it, as the emulated card simply does not offer this functionality.

And this is entirely optional unless you want to use the smart card as the only authentication possibility.