Page 1 of 4 123 ... LastLast
Results 1 to 10 of 38

Thread: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

  1. #1
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    Because your machine hosts extremely sensitive data (or, more probably, just for the geek factor) passwords sometimes just don't cut it. Thanks to the OpenSC project, Linux users can also use Smart cards in lieu of passwords to authenticate against various services, which, in addition to being immune to dictionary or brute force attacks, just looks way cooler. This guide will describe the steps needed to use Smart cards for various authentication and encryption purposes; most importantly logins (both console and graphical), e-mail signing and encryption, SSH remote logins, TrueCrypt file encryption, and more if I feel like it. ;) I'd like to thank UF user Berduchwal for starting work (and getting me interested to it) in this thread.

    This guide is licensed under the WTFPL: you can do whatever you want with it. (The normal wording would be inappropriate for this forum, use your favourite search engine if you want to know more about it.)


    Getting Started

    The first section of this guide will describe the basic steps you will need to get your smart card ready to be used in various authentication procedures. Each single application will be described in a separate post and linked at the end of this section.


    The Hardware

    First and foremost, you will obviously need the correct hardware. It can be either a smart card and a smart card reader, or an USB token that provides the same functionality as a smart card, but plugs directly into an USB port, thus eliminating the need for an additional reader. The OpenSC project's Wiki has a list of supported smart cards and USB tokens, as well as a small list of compatible readers.

    The hardware I will use for this guide is an Feitian EnterSafe smart card and SCR301 USB smart card reader. Gooze sells them as a bundle for 31,90 EUR plus shipping (ships only to the EU for legal reasons).


    The Software

    All the necessary software is in the Ubuntu repositories. The packages you need are opensc, pcsc-tools, and libccid. More packages might be needed for specific applications (e.g. PAM authentication), those will be covered in the relevant sections of this guide.

    The OpenSC project strongly recommends using the PCSC driver. It is a good idea to set reader_drivers to pcsc in /etc/opensc/opensc.conf so that OpenSC won't bother trying other drivers unsuccessfully.


    First Steps

    Now that you have your smart card, reader and all the packages, let's get to business. First, make sure your reader is detected and supported. First, the usual suspect when it comes to detecting USB devices:

    Code:
    firas@tsukino ~ % lsusb                   
    Bus 004 Device 007: ID 096e:0503 Feitian Technologies, Inc. 
    Bus 004 Device 004: ID 05ac:8213 Apple, Inc. 
    Bus 004 Device 002: ID 0a5c:4500 Broadcom Corp. BCM2046B1 USB 2.0 Hub (part of BCM2046 Bluetooth)
    Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
    Bus 003 Device 003: ID 05ac:0237 Apple, Inc. 
    Bus 003 Device 002: ID 05ac:8242 Apple, Inc. 
    Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
    Bus 002 Device 004: ID 05ac:8403 Apple, Inc. 
    Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    Bus 001 Device 002: ID 05ac:8507 Apple, Inc. 
    Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
    My Feitian card reader appears. The opensc-tool command can give us more information:

    Code:
    firas@tsukino ~ % opensc-tool --list-readers      
    Readers known about:
    Nr.    Driver     Name
    0      pcsc       Feitian SCR301 00 00
    You will probably see some error messages in bold red, don't worry, they're "normal" (i.e. I get them too, and it still works). You can eliminate them by editing /etc/opensc/opensc.conf, uncommenting the error_file line, and setting it to /dev/null. Now to see whether your card is supported:

    Code:
    firas@tsukino ~ % opensc-tool --reader 0 --name
    Card not present.
    But insert the card first. ;)

    Code:
    firas@tsukino ~ % opensc-tool --reader 0 --name
    entersafe
    This is the name of your card. If you run the command with the -v (verbose) flag, it will also tell you the name of the driver your card uses:

    Code:
    firas@tsukino ~ % opensc-tool --reader 0 --name -v
    Connecting to card in reader Feitian SCR301 00 00...
    Using card driver entersafe.
    Card name: entersafe
    Now that we've made sure the card is supported, we can initialise it (roughly the same thing as formatting a filesystem) so we can store stuff on it:

    Code:
    firas@tsukino ~ % pkcs15-init -C --label "Firas Kraiem"
    Using reader with a card: Feitian SCR301 00 00
    New User PIN.
    Please enter User PIN: 
    Please type again to verify: 
    Unblock Code for New User PIN (Optional - press return for no PIN).
    Please enter User unblocking PIN (PUK): 
    Please type again to verify:
    The label is optional, it will appear in some authentication prompts, so you probably want to put your name there. Note that some smart cards, such as the Schlumberger CryptoFlex used on the Quick Start page on the OpenSC wiki, will ask you for a "Security Officer" PIN. This is because they support creating several users, each with his own User PIN, keys and data, that will be able to use the same smart card. My EnterSafe, on the other hand, is single-user, so I am directly asked for the User PIN. If your card is multi-users, you will have to create a user, as described on the wiki.

    A small note on the codes: the PIN (Personal Identification Number) is the code you will need to enter when you use the smart card (for example when you store a key on it, or when you want to use a key). The PUK (PIN Unlock Key) is used to reinitialise the PIN if you forget it or it gets compromised.

    We can now see the structure of the card with:

    Code:
    firas@tsukino ~ % pkcs15-tool -D
    Using reader with a card: Feitian SCR301 00 00
    PKCS#15 Card [Firas Kraiem]:
    	Version        : 1
    	Serial number  : 2812504610040810
    	Manufacturer ID: EnterSafe
    	Last update    : 20100821125517Z
    	Flags          : EID compliant
    
    PIN [User PIN]
    	Com. Flags: 0x3
    	ID        : ff
    	Flags     : [0x30], initialized, needs-padding
    	Length    : min_len:4, max_len:16, stored_len:16
    	Pad char  : 0x00
    	Reference : 1
    	Type      : ascii-numeric
    	Path      : 3f005015

    First Key

    You generate a RSA key pair on your card with the -G flag of pkcs15-init (you will be asked for your PIN several times):

    Code:
    firas@tsukino ~ % pkcs15-init -G rsa/1024 --auth-id ff --label "My Private Key" --public-key-label "My Public Key"
    Using reader with a card: Feitian SCR301 00 00
    User PIN required.
    Please enter User PIN: 
    User PIN required.
    Please enter User PIN: 
    User PIN required.
    Please enter User PIN: 
    User PIN required.
    Please enter User PIN:
    Replace 1024 with 2048 or 4096 for a longer key (if supported by your card). Replace ff with the auth-id of the user who will use the key (you can find a user's auth-id under his PIN section in the output of pkcs15-tool -D). Labels are, once again, optional.

    We can use the same command as above to see our new keys in the card's structure:

    Code:
    firas@tsukino ~ % pkcs15-tool -D 
    Using reader with a card: Feitian SCR301 00 00
    PKCS#15 Card [Firas Kraiem]:
    	Version        : 1
    	Serial number  : 2812504610040810
    	Manufacturer ID: EnterSafe
    	Last update    : 20100821130157Z
    	Flags          : EID compliant
    
    PIN [User PIN]
    	Com. Flags: 0x3
    	ID        : ff
    	Flags     : [0x30], initialized, needs-padding
    	Length    : min_len:4, max_len:16, stored_len:16
    	Pad char  : 0x00
    	Reference : 1
    	Type      : ascii-numeric
    	Path      : 3f005015
    
    Private RSA Key [My Private Key]
    	Com. Flags  : 3
    	Usage       : [0x4], sign
    	Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
    	ModLength   : 1024
    	Key ref     : 1
    	Native      : yes
    	Path        : 3f005015
    	Auth ID     : ff
    	ID          : 45
    
    Public RSA Key [My Public Key]
    	Com. Flags  : 2
    	Usage       : [0x4], sign
    	Access Flags: [0x0]
    	ModLength   : 1024
    	Key ref     : 0
    	Native      : no
    	Path        : 3f0050153045
    	Auth ID     : 
    	ID          : 45
    Or we can use --list-keys to see only the keys:

    Code:
    firas@tsukino ~ % pkcs15-tool --list-keys
    Using reader with a card: Feitian SCR301 00 00
    Private RSA Key [My Private Key]
    	Com. Flags  : 3
    	Usage       : [0x4], sign
    	Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
    	ModLength   : 1024
    	Key ref     : 1
    	Native      : yes
    	Path        : 3f005015
    	Auth ID     : ff
    	ID          : 45
    
    firas@tsukino ~ % pkcs15-tool --list-public-keys
    Using reader with a card: Feitian SCR301 00 00
    Public RSA Key [My Public Key]
    	Com. Flags  : 2
    	Usage       : [0x4], sign
    	Access Flags: [0x0]
    	ModLength   : 1024
    	Key ref     : 0
    	Native      : no
    	Path        : 3f0050153045
    	Auth ID     : 
    	ID          : 45
    If you need to send the public key to other people, you can retrieve it with:

    Code:
    firas@tsukino ~ % pkcs15-tool --read-public-key 45
    Using reader with a card: Feitian SCR301 00 00
    -----BEGIN PUBLIC KEY-----
    MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQClRLcuudoW62NzWO7s/HSMqhjR
    edFkxqxKdTuNksi+oCG5QDmZtzOuAX5eCtXLKiAyt8cSNQWUhOlS9jK/5vpwMyee
    +qWQuh2jA0wfi6eoNIWGz5ZdjDn/b2BwvsOZUtpNKOtMwnceLWtbJCcg5nTd3DyV
    X+qfJsGatuLB0CgHQwIDAQAB
    -----END PUBLIC KEY-----
    Of course, replace 45 with the ID of the key you want to read (you can get it, once again, in the output of pkcs15-tool -D).

    Note that there is normally no way to extract the private key from the card. If you need a backup, you must generate the key on your computer, store it on your card (see below) and back it up in a safe location (which could be on another card).

    Our RSA key is now ready to be used. I will cover each application in a separate message, so stay tuned. ;)


    Applications

    PAM Authentication: for logins (both console and graphical), sudo and more.
    OpenSSH Authentication
    TrueCrypt


    Other Stuff

    This section will document other procedures that are not specific to a single application.


    Using a pre-existing key

    In some circumstances, you might want to use a pre-existing key instead of generating one directly on your card. This can be useful, for example, if you need a backup of your key, or if you need to distribute the key to several users.

    Starting with a freshly initialised card:

    Code:
    firas@tsukino ~ % pkcs15-tool -D                                                
    Using reader with a card: Feitian SCR301 00 00
    PKCS#15 Card [My Smart Card]:
    	Version        : 1
    	Serial number  : 2812504610040810
    	Manufacturer ID: EnterSafe
    	Last update    : 20100822165926Z
    	Flags          : EID compliant
    
    PIN [User PIN]
    	Com. Flags: 0x3
    	ID        : ff
    	Flags     : [0x30], initialized, needs-padding
    	Length    : min_len:4, max_len:16, stored_len:16
    	Pad char  : 0x00
    	Reference : 1
    	Type      : ascii-numeric
    	Path      : 3f005015
    Generate the new key on your computer (of course skip this step if you want to use a key you already have):

    Code:
    firas@tsukino ~ % openssl genrsa -des3 -out mykey.key 1024
    Generating RSA private key, 1024 bit long modulus
    ...........++++++
    ...++++++
    e is 65537 (0x10001)
    Enter pass phrase for mykey.key:
    Verifying - Enter pass phrase for mykey.key:
    And store the key on your card with the -S flag of pkcs15-init:

    Code:
    firas@tsukino ~ % pkcs15-init -S mykey.key --auth-id ff --label "My Private Key" --public-key-label "My Public Key"
    Using reader with a card: Feitian SCR301 00 00
    Please enter passphrase to unlock secret key: 
    User PIN required.
    Please enter User PIN: 
    User PIN required.
    Please enter User PIN: 
    User PIN required.
    Please enter User PIN: 
    User PIN required.
    Please enter User PIN:
    We can see the key in the output of pkcs15-tool -D:

    Code:
    firas@tsukino ~ % pkcs15-tool -D
    Using reader with a card: Feitian SCR301 00 00
    PKCS#15 Card [My Smart Card]:
    	Version        : 1
    	Serial number  : 2812504610040810
    	Manufacturer ID: EnterSafe
    	Last update    : 20100822170433Z
    	Flags          : EID compliant
    
    PIN [User PIN]
    	Com. Flags: 0x3
    	ID        : ff
    	Flags     : [0x30], initialized, needs-padding
    	Length    : min_len:4, max_len:16, stored_len:16
    	Pad char  : 0x00
    	Reference : 1
    	Type      : ascii-numeric
    	Path      : 3f005015
    
    Private RSA Key [My Private Key]
    	Com. Flags  : 3
    	Usage       : [0x4], sign
    	Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
    	ModLength   : 1024
    	Key ref     : 1
    	Native      : yes
    	Path        : 3f005015
    	Auth ID     : ff
    	ID          : 45
    
    Public RSA Key [My Public Key]
    	Com. Flags  : 2
    	Usage       : [0x4], sign
    	Access Flags: [0x0]
    	ModLength   : 1024
    	Key ref     : 0
    	Native      : no
    	Path        : 3f0050153045
    	Auth ID     : 
    	ID          : 45

    Reinitialise your card

    If you want to reinitialise your card and start again, just use the same initialisation command as above, but add the -E flag:

    Code:
    firas@tsukino ~ % pkcs15-init -E -C --label "Firas Kraiem"
    Using reader with a card: Feitian SCR301 00 00
    New User PIN.
    Please enter User PIN: 
    Please type again to verify: 
    Unblock Code for New User PIN (Optional - press return for no PIN).
    Please enter User unblocking PIN (PUK): 
    Please type again to verify:
    Needless to say, the keys stored on the card will be lost (if you didn't back them up).


    OpenSSL

    You can use the private key stored on your card with OpenSSL wherever you can use an on-disk key. Among other things, you can sign files, decrypt files encrypted with your public key, or generate X.509 certificates for your key. Since this is not an OpenSSL guide, I will not describe those operations in detail, you can refer to the OpenSSL page in the Ubuntu Server Guide if you are not familiar with them, the syntax is the same (except for the necessary command flags to tell OpenSSL to use your smart card, see below).

    First, install the package libengine-pkcs11-openssl. Then fire up the OpenSSL prompt and initialise the smart card engine with this long command (copy-and-paste is your friend):

    Code:
    firas@tsukino ~ % openssl
    OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:opensc-pkcs11.so
    (dynamic) Dynamic engine loading support
    [Success]: SO_PATH:/usr/lib/engines/engine_pkcs11.so
    [Success]: ID:pkcs11
    [Success]: LIST_ADD:1
    [Success]: LOAD
    [Success]: MODULE_PATH:opensc-pkcs11.so
    Loaded: (pkcs11) pkcs11 engine
    OpenSSL>
    TODO: Is there a way to automate that?

    You can now run the desired OpenSSL commands. To use the key stored on your smart card, you must add -keyform engine -engine pkcs11 to your command, and use id_XX as the value for the -key flag (where XX is the ID of your key). For example, here's how to generate a self-signed X.509 certificate (which will be useful also for PAM authentication, among other things):

    Code:
    OpenSSL> req -new -x509 -days 365 -keyform engine -engine pkcs11 -key id_45 -out mysmartcard.cert.pem
    [...]
    OpenSSL> quit
    You probably want to store the certificate on the card, this is done with the -X flag of pkcs15-init:

    Code:
    firas@tsukino ~ % pkcs15-init -X mysmartcard.cert.pem --auth-id ff --id 45 --format pem
    Using reader with a card: Feitian SCR301 00 00
    User PIN required.
    Please enter User PIN: 
    User PIN required.
    Please enter User PIN:
    As usual, replace ff with the auth-id of the user, and 45 with the ID of the key.
    Last edited by Bachstelze; October 26th, 2011 at 12:56 AM.
    「明後日の夕方には帰ってるからね。」


  2. #2
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    PAM Authentication


    PAM (Pluggable Authentication Modules) is an authentication framework that uses modules to authenticate users using a wide variety of methods. A PKCS#11 PAM module exists, which allows using smart cards to authenticate against any service that uses PAM. The most obvious usage of PAM is system logins, either console or graphical, but a lof of other services, for example sudo, use it (you can have a look in /etc/pam.d to see all currently installed services that use PAM).

    The PKCS#11 PAM module can be found in the libpam-pkcs11 package in the repositories.

    Several methods can be used to "map" a smart card to a user, I will not describe them all here. The only method I will cover is pwent, which will check the CN (Common Name) field of the X.509 certificate associated with a key, and grant access only if it matches either the login name or the real name of the user. Other mapping methods are documented here.


    Initial Configuration

    The package does not do any initial configuration for you, so you will have to do it yourself. First, create the configuration directory. The module expects it to be at /etc/pam_pkcs11, so it's a good idea to put it there:

    Code:
    sudo mkdir /etc/pam_pkcs11
    Copy the default config file in the dir:

    Code:
    zcat /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.example.gz | sudo tee /etc/pam_pkcs11/pam_pkcs11.conf
    Create some additional directories. cacerts will store the certificates of trusted CAs: a certificate will only be accepted if it has been signed by one of those CAs. crls will store the Certificate Revocation Lists sent by the CAs, to let the PAM module know which certificates are no longer valid (revoked).

    Code:
    sudo mkdir /etc/pam_pkcs11/cacerts /etc/pam_pkcs11/crls
    Since we will use the pwent mapper, edit the use_mappers line in /etc/pam_pkcs11/pam_pkcs11.conf to list only pwent.

    If you have not done so already, generate an X.509 certificate for the key stored on your smart card and store it on the card as well, as described at the bottom of post #1. Remember that the Common Name (CN) field will be used to match the certificate to your account, so make sure to put either your login or your real name in that field (or at least, your real name as stored on the system, if you don't know it, it's on your line in /etc/passwd, you can safely edit the file if you want to change it).

    Finally, copy the certificate of the CA that signed your own certificate (if your certificate is self-signed, that's the certificate itself) into /etc/pam_pkcs11/cacerts and rehash the list of CA certificates with:

    Code:
    cd /etc/pam_pkcs11/cacerts
    sudo pkcs11_make_hash_link

    First Test: sudo

    We will first test PAM authentication with sudo. It is a good idea to test with sudo first because you will not have to log out and try to log back in in order to test your configuration.

    Edit /etc/pam.d/sudo. It will look like this:

    Code:
    #%PAM-1.0
    
    @include common-auth
    @include common-account
    
    session required pam_permit.so
    session required pam_limits.so
    Modify it like this:

    Code:
    #%PAM-1.0
    
    auth sufficient pam_pkcs11.so
    
    @include common-auth
    @include common-account
    
    session required pam_permit.so
    session required pam_limits.so
    Test:

    Code:
    firas@tsukino ~ % sudo -i
    Please insert your Smart card or enter your username.
    Found the Smart card.
    Welcome Firas Kraiem (User PIN)!
    Smart card PIN: 
    tsukino ~ #
    All right! Edit /etc/pam.d/sudo back to its original state, we will configure PAM to use your smart card for all login authentication mechanisms.


    Global Login Configuration

    If you looked closely at /etc/pam.d/sudo, you saw that it includes common-auth. Actually, all login services (gdm, login, samba...) include this file, so we can just add our pam_pkcs11 module to it, and it will get used for all login purposes.

    NOTE: Ubuntu uses your password for a lot of things (too many things, if you ask me). In particular, you will have a problem if you use the "encrypted home directory" feature, because the system needs your password to decrypt your home directory: since you will not enter your password when using your smart card to authenticate, the system will not be able to automatically decrypt your home directory when you login. The most visible result of this is that X logins will fail. A workaround is to first switch to a virtual console, login and mount your home directory manually with ecryptfs-mount-private. You will then be able to switch back to gdm and login to your X session. A fix would be to somehow store your password on the smart card and use it to decrypt your home directory. Probably possible, but will require some work... The same goes for your "keyring".

    Edit /etc/pam.d/common-auth. It will look like this:

    Code:
    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.
    #
    # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
    # To take advantage of this, it is recommended that you configure any
    # local modules either before or after the default block, and use
    # pam-auth-update to manage selection of other modules.  See
    # pam-auth-update(8) for details.
    
    # here are the per-package modules (the "Primary" block)
    auth    [success=2 default=ignore]  pam_unix.so nullok_secure
    auth    [success=1 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
    # here's the fallback if no module succeeds
    auth    requisite           pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    auth    required            pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    auth    optional    pam_ecryptfs.so unwrap
    # end of pam-auth-update config
    Modify it like this:

    Code:
    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.
    #
    # As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
    # To take advantage of this, it is recommended that you configure any
    # local modules either before or after the default block, and use
    # pam-auth-update to manage selection of other modules.  See
    # pam-auth-update(8) for details.
    
    auth    [success=3 default=ignore]  pam_pkcs11.so
    
    # here are the per-package modules (the "Primary" block)
    auth    [success=2 default=ignore]  pam_unix.so nullok_secure
    auth    [success=1 default=ignore]  pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
    # here's the fallback if no module succeeds
    auth    requisite           pam_deny.so
    # prime the stack with a positive return value if there isn't one already;
    # this avoids us returning an error just because nothing sets a success code
    # since the modules above will each just jump around
    auth    required            pam_permit.so
    # and here are more per-package modules (the "Additional" block)
    auth    optional    pam_ecryptfs.so unwrap
    # end of pam-auth-update config
    With this configuration, smart card authentication will be tried first, and if it fails, PAM will fall back to normal password authentication. You can also disable password authentication for your account (the same way Ubuntu "disables" the root account) with:

    Code:
    sudo passwd -l `whoami`
    And smart card authentication will be required (you will still be prompted for a password if it fails, but the password will always fail).

    Note that graphical applications that need your password (e.g. gksudo) will display the same prompt for password and smart card authentication. If you use smart card authentication, enter your smart card PIN, not your password.


    Other Services?

    I don't really use any other service that uses PAM so I can't really test it, but other individual services should be configurable in the same way as sudo above. Feel free to report any success or failure in this thread.
    Last edited by Bachstelze; September 2nd, 2010 at 10:45 PM.
    「明後日の夕方には帰ってるからね。」


  3. #3
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    OpenSSH Authentication

    You can use the private key stored on your smart card to authenticate on a remote OpenSSH server using key-based authentication. If you are not familiar with OpenSSH key-based authentication, the Ubuntu Server Guide has a page about it.

    PKCS#11 support was added in OpenSSH 5.4. Maverick works fine (it has OpenSSH 5.5), but Lucid only has OpenSSH 5.3, so if you are using Lucid, you will need to install at least OpenSSH 5.4. Note that smart card support is only needed on the client; the server can be running any version of OpenSSH.

    The first thing is to get your public key in SSH format, you get it with the --read-ssh-key flag of pkcs15-tool:

    Code:
    firas@tsukino ~ % pkcs15-tool --read-ssh-key 45
    Using reader with a card: Feitian SCR301 00 00
    1024 65537 116055431367766515871214384037749817043573194021104735948712734191299536751118486318441621788122833567021065145378319790342737488231697603237477940918138523371729036365495709912942009088721246775459940528092248876288819267234423917543765877278987095909905664147689601191223161580183068940665102413370315245379
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQClRLcuudoW62NzWO7s/HSMqhjRedFkxqxKdTuNksi+oCG5QDmZtzOuAX5eCtXLKiAyt8cSNQWUhOlS9jK/5vpwMyee+qWQuh2jA0wfi6eoNIWGz5ZdjDn/b2BwvsOZUtpNKOtMwnceLWtbJCcg5nTd3DyVX+qfJsGatuLB0CgHQw==
    Only the last line of output interests us, copy it to your ~/.ssh/authorized_keys on the server, just like you would any other key.

    Try connecting to the server. You need to pass the -I flag to ssh to let it know where the PKCS#11 library is located:

    Code:
    firas@tsukino ~ % ssh -I /usr/lib/opensc-pkcs11.so itsuki.fkraiem.org
    Enter PIN for 'Firas Kraiem (User PIN)': 
    Linux itsuki 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux
    Ubuntu 10.04.1 LTS
    
    Welcome to Ubuntu!
     * Documentation:  https://help.ubuntu.com/
    
    0 packages can be updated.
    0 updates are security updates.
    
    No mail.
    Last login: Sat Aug 21 18:44:30 2010 from ichigo.fkraiem.org
    In order to not have to pass the -I flag every time, you can add this line to your ~/.ssh/config (or to /etc/ssh/ssh_config to apply it to all users):

    Code:
    PKCS11Provider /usr/lib/opensc-pkcs11.so
    Last edited by Bachstelze; June 25th, 2011 at 03:36 AM.
    「明後日の夕方には帰ってるからね。」


  4. #4
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    TrueCrypt

    Configuring TrueCrypt to use your smart card as a key is pretty straightforward. The first thing to do is tell TrueCrypt where the PKCS#11 provider library is located: you do that in Settings > Security Tokens, the library is at /usr/lib/opensc/opensc-pkcs11.so. For increased security, you will probably also want to check the box below it to force TrueCrypt to log out of your card after your encrypted volume has been mounted.

    If you are already familiar with using keyfiles in TrueCrypt, using a smart card works the same way, except the file will be stored on your card, not on the disk.


    On a new volume

    Create your new volume as usual, until you reach the "password" step. Check the "Use keyfiles" box, and click the "Keyfiles" button. You probably want to generate a random keyfile to store on your card, so click the "Generate Random Keyfile" button, and store the generated keyfile somewhere on your disk. Then click "Add Token Files"; a window will appear, with all the keyfiles stored on your smart card. So far, there is none, so click "Import Keyfile to Token", and select the keyfile you just created. Click OK in the window that appears (unless you want to store the file under a different name on your card), select the keyfile and click OK again, and again. At this point, you probably want to delete the keyfile from your drive (you can use the shred command to do it securely).

    You may also enter a password for your volume. If you do, both the keyfile (here, it means the smart card) and the password will be required to mount the volume.

    You may also use several keyfiles. In that case all keyfiles (and the password if there is one) will be required to mount the volume. You may want to do this, for example, to have multi-factor authentication, with one keyfile stored in a hidden location on the drive, and one on your smart card: or if the volume contains secrets shared between several users (with each user having one of the keyfiles on his own card, all users must be present to decrypt the volume).

    The remaining step (volume formatting) is done as usual.


    On an existing volume

    If your volume already uses keyfiles and they are small enough to fit on your card, you can just transfer the files to your smart card as described above. If the keyfiles are too large, you will have to remove them from your volume with Volume > Remove all keyfiles from volume (after your volume is mounted), and generate a new set of keyfiles to store on your card. (Note that removing keyfiles from your volume can take a couple minutes.)

    If your volume doesn't use keyfiles (or you have removed them because they were too large to fit on your card), you will have to generate new keyfiles for it. Mount your volume and click Volume > Add/Remove Keyfiles. Enter the password for your volume in the "Password" box, check the "Use keyfiles" box under "New", and click the "Keyfiles" button next to it. Generate the keyfile(s) and store them on your card as described in the previous section, and click OK (this can also take a while). Both the keyfile(s) and the password will now be required to mount the voume (if you want to remove the password and use only the keys, you can do so by clicking Volumes > Change Volume Passwords.


    Mounting a volume

    This is also pretty straightforward. After you have selected the volume and clicked mount, enter the volume password (if there is one), check the "Use keyfiles" box, and click the "Keyfiles" button. Add all the keyfiles (with "Add keyfile" for an on-disk keyfile, and "Add token files" for a keyfile on your smartcard) and click OK.
    Last edited by Bachstelze; June 25th, 2011 at 03:36 AM.
    「明後日の夕方には帰ってるからね。」


  5. #5
    Join Date
    Nov 2006
    Location
    UK
    Beans
    391
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    Been away - hence delay. Very pleasing. Thanks Bachstelze

  6. #6
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    Sadly, I'm struggling to get it working with GnuPG. Basically, GnuPG doesn't have built-in PKCS#11 support (and probably never will), so getting it to work is a bit of a hack... It supports OpenPGP smart cards out of the box, but they are way less flexible (1024-bit keys FTL).
    Last edited by Bachstelze; September 2nd, 2010 at 10:54 PM.
    「明後日の夕方には帰ってるからね。」


  7. #7
    Join Date
    Nov 2006
    Location
    UK
    Beans
    391
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    Hi,

    Still messing around with this when i get a chance. Have you had any joy using it with email clients? Specifically thinking Thunderbird and the 'Master password for software security device'?

    Thanks

  8. #8
    Join Date
    Nov 2005
    Location
    Sendai, Japan
    Beans
    11,296
    Distro
    Kubuntu

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    Quote Originally Posted by yeleek View Post
    Hi,

    Still messing around with this when i get a chance. Have you had any joy using it with email clients? Specifically thinking Thunderbird and the 'Master password for software security device'?

    Thanks
    Still no joy with GnuPG. Storing S/MIME certificates for Firefox and Thunderbird on a card is easy, though. Not sure what you mean about the Master password, AFAIK it is not possible to use a card instead of a password for this.
    「明後日の夕方には帰ってるからね。」


  9. #9
    Join Date
    Sep 2006
    Location
    Southwestern US
    Beans
    108
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    Quote Originally Posted by Bachstelze View Post
    GnuPG doesn't have built-in PKCS#11 support (and probably never will), so getting it to work is a bit of a hack... It supports OpenPGP smart cards out of the box, but they are way less flexible (1024-bit keys FTL).
    The newer OpenPGP v2.0 smart cards support 2048 bit RSA keys.

  10. #10
    Join Date
    Sep 2010
    Beans
    27
    Distro
    Ubuntu 10.04 Lucid Lynx

    Re: HOWTO: Smart Card authentication for logins, e-mail, TrueCrypt and more!

    looks fun... i got my self a winter project now

Page 1 of 4 123 ... LastLast

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •