Howto use an E-Gate USB token within Debian
Please note, I'll only collect some interesting information here; it is based on Michael Bramer's talk at the Chemnitzer Linux Day in 2008, on Bod's people.debian.org website and finally on this site.
Preparing the card for authentication
At first you'll have to install the necessary things to prepare the Token:
apt-get install opensc openct
Due to a bug in opensc (which should at least Recommend openct, but doesn't; see this bug), you'll have to install openct yourself.
The first step is to purge everything that might already be on the card:
$ pkcs15-init -E
Now the card is completely empty. To make it usable again, issue these commands (the -T in brackets is optional):
$ pkcs15-init --create-pkcs15 [-T]
$ pkcs15-init --store-pin --auth-id 01 --label "Your Name" [-T]
$ pkcs15-init --generate-key rsa/2048 --auth-id 01 [-T]
These three steps initialise the card, create a new authentication id (01) and then a new key for this id. Please note that you can also use rsa/1024 or lower; my choice was a 2048-bit key. The optional -T uses the default transport key for this card; it's your decision whether you'd rather use another one than the default. Furthermore you'll have to decide if you would like to have an SO (Security Officer) PIN or not. If you don't want one, simply press enter when pkcs15-init asks for one.
In the next step you'll have to create an openssl certificate for the key on the card (the key has id 45, which is what id_45 in the req command refers to) and store it on the card:
$ openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD \
-pre MODULE_PATH:opensc-pkcs11.so
OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out ~/req.pem -text -x509
After the certificate has been generated, store it on the token:
$ pkcs15-init --store-certificate ~/req.pem --auth-id 01 --id 45 --format pem
Now the card is usable for authentication.
Configuration of your system
There are several ways to authenticate to the system. Here I'll use the one via libpam-p11 and the file ~/.ssh/authorized_keys.
In order to use this method you'll need to install this PAM module:
$ apt-get install libpam-p11
After this, please have a look at the /etc/pam.d/common-auth file and add this line before the pam_unix.so line, so that the token is tried before the Unix password:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
In the next step you'll have to read the public key from the token and store it in ~/.ssh/authorized_keys (note that -o overwrites the file; if it already holds keys, append the output instead):
pkcs15-tool --read-ssh-key 45 -o ~/.ssh/authorized_keys
This should be enough to make authentication with your USB token work:
$ su - $yourname
su should now ask you for the PIN of your card.
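As an added example (not part of this howto), a small sh script that checks the two things the steps above rely on: that pam_p11_openssh.so sits before pam_unix.so in /etc/pam.d/common-auth, and that ~/.ssh/authorized_keys is only writable by you and holds RSA keys. The sample files written by demo() are constructed; the paths and module names are the ones used above.

```shell
#!/bin/sh
# Checks for the libpam-p11 setup described above. Added example, not part of
# the howto. It assumes the Debian paths the text uses (/etc/pam.d/common-auth
# and ~/.ssh/authorized_keys); the sample files built by demo() are
# constructed here so the script can be run without a token.

# pam_p11_order FILE
# Exit 0 when FILE has an "auth" line for pam_p11_openssh.so that precedes the
# pam_unix.so auth line. With the order reversed (or the line missing) PAM asks
# for the Unix password first and the token is never consulted, so "su"
# appears to ignore the card.
pam_p11_order() {
    p11=$(grep -n '^auth[[:space:]].*pam_p11_openssh\.so' "$1" | head -n 1 | cut -d: -f1)
    unix=$(grep -n '^auth[[:space:]].*pam_unix\.so' "$1" | head -n 1 | cut -d: -f1)
    [ -n "$p11" ] && [ -n "$unix" ] && [ "$p11" -lt "$unix" ]
}

# authorized_keys_ok FILE
# Exit 0 when FILE is mode 0600, holds at least one key, and every key line is
# an RSA key (what "pkcs15-tool --read-ssh-key" writes for an rsa/2048 key).
# pam_p11_openssh trusts every key in this file, so a file other users can
# write to would let them add their own key and log in as you.
authorized_keys_ok() {
    f=$1
    [ -f "$f" ] || return 1
    [ -n "$(find "$f" -perm 600)" ] || return 1
    grep -q '^ssh-rsa ' "$f" || return 1
    # any non-empty, non-comment line that is not an ssh-rsa key fails the check
    if grep -v '^[[:space:]]*$' "$f" | grep -v '^#' | grep -qv '^ssh-rsa '; then
        return 1
    fi
    return 0
}

# demo: build constructed sample files and report both checks.
demo() {
    d=$(mktemp -d) || return 1
    printf 'auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so\nauth required pam_unix.so nullok_secure\n' > "$d/common-auth"
    printf 'ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAconstructed token-key\n' > "$d/authorized_keys"
    chmod 600 "$d/authorized_keys"
    pam_p11_order "$d/common-auth" && echo "pam order: ok" || echo "pam order: WRONG"
    authorized_keys_ok "$d/authorized_keys" && echo "authorized_keys: ok" || echo "authorized_keys: WRONG"
    rm -rf "$d"
}

# run as "sh check-p11.sh demo" for the self-contained demonstration; on a real
# host call pam_p11_order /etc/pam.d/common-auth and authorized_keys_ok ~/.ssh/authorized_keys
if [ "${1:-}" = demo ]; then demo; fi
```

Both functions only report; they change nothing, so they are safe to run from a login script or a configuration-management check.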
Lock kscreensaver when removing the token
It's possible to lock the screen when removing the card; this is triggered by udev. To achieve this, have a look at the openct udev rules file /etc/udev/rules.d/z60_openct.rules and add/modify the following lines:
# everything below applies to USB devices only (existing openct line)
SUBSYSTEM!="usb", GOTO="openct_usb_rules_end"
# on "add", skip straight to the normal openct rules
ACTION=="add", GOTO="myrules"
# any other action (i.e. "remove") for the E-Gate (USB id 0973:0001): lock the screen
ENV{MODALIAS}=="usb:v0973p0001*", RUN+="/lib/udev/lock-screen.sh"
LABEL="myrules"
ACTION!="add", GOTO="openct_usb_rules_end"
This triggers a script called lock-screen.sh in /lib/udev. A quick and dirty hack to lock the screen would be something like this (example code only; replace winnie with your own login):
#!/bin/sh
# Called by udev (as root, without a DISPLAY) when the token is removed.
# Lock the KDE 3 session of user "winnie"; replace with your own login.
LOGIN=winnie
# Only act if that user has a running KDE session (a kdeinit process).
if pgrep -u "$LOGIN" kdeinit >/dev/null 2>&1; then
    su "$LOGIN" -c "export DISPLAY=:0; dcop kdesktop KScreensaverIface lock"
fi
Using ssh with the usb cryptotoken
It's possible to use the private key on the cryptotoken for ssh authentication. In order to use this feature you'll have to rebuild openssh from source: since this change pulls in some bigger libs (which are used by opensc and openct anyway), the Debian maintainer doesn't want to introduce this feature into the official packages. You'll find the patch (called openssh-4.7p1.patch) attached to this page. If you apply it you'll get a patched ssh version plus a new binary package called libssh-dev, which is needed to build a patched version of the libpam-p11 module.
To use this newly introduced feature, install the patched openssh-client package. After this, put the public key into the ~/.ssh/authorized_keys file on the remote system using these commands (note that scp overwrites the remote authorized_keys; append instead if that file already holds keys):
pkcs15-tool --read-ssh-key 45 > /tmp/public-key
scp /tmp/public-key $user@$host:~/.ssh/authorized_keys
In the next step you'll have to register the secret key in the agent using ssh-add (-s adds the key from the smartcard in reader 0):
ssh-add -s 0
Now you should be able to log in to this system using:
ssh -I 0 $user@$host
Please see the manpage of ssh and ssh-add for the meaning of these options.
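The scp command above replaces the remote authorized_keys wholesale. As an added example, not part of this howto, here is a variant that appends the token key only if it is not already there and keeps the file at mode 0600. push_token_key() assumes the key id 45 from the text and that you can already log in to $user@$host; the remote one-liner repeats the logic of append_key_unique() because shell functions cannot be shipped to the remote shell.

```shell
#!/bin/sh
# Installing the token's public key on a remote host without clobbering the
# keys already in ~/.ssh/authorized_keys there. Added example, not part of the
# howto; it assumes key id 45 from the text and an existing ssh login.

# append_key_unique FILE KEYLINE
# Append KEYLINE to FILE unless an identical line is already present; create
# the directory (0700) and file (0600) if needed. Running it again after
# re-plugging the token therefore never produces duplicate entries.
append_key_unique() {
    f=$1; key=$2
    d=$(dirname "$f")
    [ -d "$d" ] || { mkdir -p "$d" && chmod 700 "$d"; }
    [ -f "$f" ] || : > "$f"
    chmod 600 "$f"
    if grep -qxF -- "$key" "$f"; then
        return 0          # already installed, nothing to do
    fi
    printf '%s\n' "$key" >> "$f"
}

# count_keys FILE: number of key lines in FILE (0 when it does not exist).
count_keys() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -c '^ssh-' "$1" || true
}

# push_token_key USER HOST
# Read the token's public key (id 45, as in the text) and append it on the
# remote host with the same idempotent logic; the key travels over stdin so
# it is never split into shell words by the remote side.
push_token_key() {
    pkcs15-tool --read-ssh-key 45 | ssh "$1@$2" '
        key=$(cat); f=$HOME/.ssh/authorized_keys
        mkdir -p "$HOME/.ssh"; chmod 700 "$HOME/.ssh"
        [ -f "$f" ] || : > "$f"; chmod 600 "$f"
        grep -qxF -- "$key" "$f" || printf "%s\n" "$key" >> "$f"'
}

# usage: sh push-token-key.sh USER HOST   (requires the token and the patched ssh)
if [ $# -eq 2 ]; then push_token_key "$1" "$2"; fi
```

Because the comparison is on the whole line, a key re-read from the token with a different trailing comment would be added as a second entry; that is harmless for login but worth knowing when you audit the file.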
Common problems + fixes/workarounds
Problem with libpam-p11 and E-Gate cards
Michael "Grisu" Bramer detected, during the preparation of his talk, an error with these cards and the libpam-p11 module. To fix it, the module had to be rebuilt with this patch:
--- pam-p11-0.1.3.orig/src/pam_p11.c
+++ pam-p11-0.1.3/src/pam_p11.c
@@ -39,7 +39,7 @@
#define LOGNAME "pam_p11" /* name for log-file entries */
#define RANDOM_SOURCE "/dev/urandom"
-#define RANDOM_SIZE 128
+#define RANDOM_SIZE 36
#define MAX_SIGSIZE 256
extern int match_user(X509 * x509, const char *login);
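Review bot: the new value in `+#define RANDOM_SIZE 36` is an unexplained magic number. Judging by the adjacent `#define RANDOM_SOURCE "/dev/urandom"`, this define sizes the random data the module reads for each authentication, so cutting it from 128 to 36 bytes is a behavioural change whose reason is not recorded anywhere (the text below even says it is unknown). A one-line comment above the define saying why 36 works with the E-Gate and what failed with 128, plus the same rationale in the patch description, would make the change reviewable and stop a later maintainer from silently reverting it.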
Please note: if you use the two patches attached to this page, you don't have to apply this manually; it is included in the patch for pam-p11-0.1.3. If someone has an explanation of what is wrong with RANDOM_SIZE 128, please let me know (or even better, if there are errors in this howto and this patch isn't necessary with the E-Gate).
Problem with ugly warnings being displayed during login with the PIN
There was an error in opensc that raised warnings while accessing the token. The warnings look like this:
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Security status not satisfied
[opensc-pkcs11] card-flex.c:1055:cryptoflex_compute_signature: Card returned error: Security status not satisfied
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Security status not satisfied
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
Despite these ugly red warnings, the login with the PIN worked. To get rid of the noise, search /etc/opensc/opensc.conf for this line:
lock_login = false;
and replace it with this one:
lock_login = true;
This has the disadvantage that only one application can access the card at a time. If someone knows a better workaround, please let me know.
ssh key no longer working after re-plugging the token
This is a known problem. I've created a small patch for the libpam-p11 PAM module that deletes and reloads the ssh key during login. To use it you'll have to install the libssh-dev package built above and apply the patch attached to this page (pam-p11-0.1.3.patch). Enjoy!
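As an added example (not from the howto), two sh functions that read and switch the lock_login setting in /etc/opensc/opensc.conf without touching commented-out lines and without changing the file's ownership or permissions, so the workaround can be applied the same way on every host and reverted once a better fix turns up. The config written by demo() is constructed; only the key name and the two values come from the text above.

```shell
#!/bin/sh
# Read and switch lock_login in opensc.conf. Added example, not part of the
# howto; the sample config in demo() is constructed.

# get_lock_login FILE
# Print the value of the active (uncommented) lock_login line, or "unset"
# when no such line exists.
get_lock_login() {
    v=$(sed -n 's/^[[:space:]]*lock_login[[:space:]]*=[[:space:]]*\([a-z]*\)[[:space:]]*;.*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${v:-unset}"
}

# set_lock_login FILE true|false
# Rewrite the active lock_login line in place, keeping its indentation and
# leaving commented-out lines alone. The result is written back with cat so
# the file keeps its owner and mode (it lives in /etc). Refuses any value
# other than true/false and fails when there is no active line to change.
# Idempotent: running it twice with the same value changes nothing.
set_lock_login() {
    f=$1; val=$2
    case "$val" in
        true|false) ;;
        *) echo "lock_login must be true or false" >&2; return 1 ;;
    esac
    if [ "$(get_lock_login "$f")" = unset ]; then
        echo "no active lock_login line in $f" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*lock_login[[:space:]]*=[[:space:]]*\)[a-z]*\([[:space:]]*;\)/\1$val\2/" "$f" > "$tmp" \
        && cat "$tmp" > "$f"
    rm -f "$tmp"
}

# demo: apply the workaround from the text to a constructed config and show
# the value before and after.
demo() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
app default {
    # lock_login = true;   (commented example, must stay untouched)
    lock_login = false;
}
EOF
    echo "before: $(get_lock_login "$f")"
    set_lock_login "$f" true
    echo "after:  $(get_lock_login "$f")"
    rm -f "$f"
}

# usage: sh lock-login.sh demo   |   set_lock_login /etc/opensc/opensc.conf true
if [ "${1:-}" = demo ]; then demo; fi
```

Remember the trade-off stated above: with lock_login = true only one application can hold the card, so run set_lock_login with false again if a second card-using program starts failing.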