From: Kaya S. <kay...@op...> - 2021-01-18 19:00:28
Hi, upon advice I bought a Feitian A22 Java card. I managed to get it to work with PAM integration and wanted to share my notes on the procedure, as a lot of the information was scattered around or using a previous version of OpenSSL; eventually I used about 20 or more different sites to figure out the below. Maybe it could be put onto a Wiki somewhere? It is working on Arch Linux and a Lenovo P15 notebook with the SmartCard Reader option installed.

INSTALL
-------

INSTALL IsoApplet TO CARD AND GENERATE PUBLIC KEY:

java -jar /usr/share/java/globalplatformpro/gp.jar -info
java -jar /usr/share/java/globalplatformpro/gp.jar -list
cd IsoApplet/
java -jar /usr/share/java/globalplatformpro/gp.jar -install IsoApplet.cap
java -jar /usr/share/java/globalplatformpro/gp.jar -list
pcsc_scan
pkcs15-init --generate-key "rsa/2048" --auth-id "FF" --label "myKey" --id "1" --key-usage digitalSignature,keyAgreement,keyEncipherment
pkcs15-tool --dump
pkcs15-tool --read-public-key "01" --output "publicKey.pem"
pkcs11-tool -O
pkcs11-tool -M

OpenSSL
-------

/etc/ssl/openssl.cnf ->

ADD TO TOP:

# Note that you can include other files from the main configuration
# file using the .include directive.
#.include filename

openssl_conf = openssl_init

# This definition stops the following lines choking if HOME isn't
# defined.
HOME = .

ADD TO BOTTOM:

# openssl_conf above points at this section; it has to name the engine section
[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
MODULE_PATH = opensc-pkcs11.so
init = 0

CHECK ENGINE AVAILABILITY:

openssl engine pkcs11 -t
(pkcs11) pkcs11 engine
     [ available ]

GENERATE PRIVATE KEY:

p11tool --provider /usr/lib/opensc-pkcs11.so --login --generate-rsa --bits 2048 --label $USER
p11tool --provider /usr/lib/opensc-pkcs11.so --list-privkeys --login

GENERATE CERTIFICATE:

openssl req -engine pkcs11 -new -key "pkcs11:object=myKey;type=private;pin-value=0000" -keyform engine -out cert.pem -text -x509 -subj "/CN=$USER"

STORE CERTIFICATE TO CARD AND COPY TO /etc/pam_pkcs11/cacerts:

pkcs15-init --store-certificate cert.pem --id 1 --cert-label "$USER"
cp /path/to/cert.pem /etc/pam_pkcs11/cacerts/
pkcs11_make_hash_link

VERIFY INFORMATION ON CARD:

pkcs15-tool --list-keys
pkcs15-tool -D
pkcs11_listcerts
pkcs15-tool -c
pkcs11-tool --list-token-slots
pkcs11-tool --test --login --token-label "JavaCard isoApplet (User PIN)"

PAM_PKCS11
----------

/etc/pam_pkcs11/pam_pkcs11.conf ->

cp /usr/share/doc/pam_pkcs11/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf

MODIFY:

cert_policy = none;
use_mappers = pwent

PAM MODULES:

/etc/pam.d/system-local-login ->
auth sufficient /usr/lib/security/pam_pkcs11.so

/etc/pam.d/sudo ->
auth sufficient /usr/lib/security/pam_pkcs11.so

TEST:

sudo -i

I also plan on looking into what more the card can be used for, such as email with pk12, ssh, vpn and many more. Eventually I think I want to get PAM to function in a way that it requires FaceID or a fingerprint in addition to the card. Currently everything works fine individually, but the trick will be to combine things - fprintd and Howdy.

Best Regards,
Kaya
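An added example, not part of Kaya's post: the VERIFY step in the notes only lists what is on the card. The POSIX shell script below runs on the host, without touching the card, and checks three things the listing does not show: that the certificate stored to the card carries the same public key that `pkcs15-tool --read-public-key` exported as publicKey.pem, that its CN equals the login name the pwent mapper will compare against, and which `<hash>.0` link name pkcs11_make_hash_link should have created in /etc/pam_pkcs11/cacerts. Since the notes set cert_policy = none, which switches off pam_pkcs11's own certificate checks, this kind of manual check is the only assurance the setup gets that the certificate in cacerts really belongs to the key on the token. The script assumes only the openssl command-line tool (1.1 or later) and the file names from the post; the function names are this example's own and are not OpenSC or pam_pkcs11 tools.

```shell
#!/bin/sh
# Added example (not from the original post). Host-side checks for the
# certificate exported from the card. Assumes: openssl CLI >= 1.1 on PATH,
# cert.pem and publicKey.pem as produced by the steps in the post. The
# function names below are this example's own, not OpenSC/pam_pkcs11 tools.
set -eu

# SHA-256 over the DER SubjectPublicKeyInfo read from stdin, so two PEM
# public keys can be compared regardless of line wrapping or header text.
spki_fingerprint() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Succeeds only if the public key inside the certificate is the key that
# was read from the card (pkcs15-tool --read-public-key ... --output publicKey.pem).
cert_matches_card_pubkey() {
    cert="$1"; cardpub="$2"
    a=$(openssl x509 -in "$cert" -noout -pubkey | spki_fingerprint)
    b=$(spki_fingerprint < "$cardpub")
    [ "$a" = "$b" ]
}

# The CN of the certificate subject; with use_mappers = pwent this is the
# value pam_pkcs11 matches against the login name.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
}

# pkcs11_make_hash_link creates <subject_hash>.0 symlinks in the cacerts
# directory (the c_rehash naming scheme); this is the name to expect.
cacerts_link_name() {
    printf '%s.0\n' "$(openssl x509 -in "$1" -noout -subject_hash)"
}

# Usage: ./check_card_cert.sh cert.pem publicKey.pem [login-name]
if [ "$#" -ge 2 ]; then
    cert="$1"; cardpub="$2"; login="${3:-$(id -un)}"
    if cert_matches_card_pubkey "$cert" "$cardpub"; then
        echo "OK: $cert matches the public key on the card"
    else
        echo "FAIL: $cert was not issued for the key on the card" >&2
        exit 1
    fi
    cn=$(cert_cn "$cert")
    if [ "$cn" = "$login" ]; then
        echo "OK: CN '$cn' equals login name, the pwent mapper will match it"
    else
        echo "WARN: CN '$cn' != login '$login', the pwent mapper will not map this cert" >&2
    fi
    echo "expected link in /etc/pam_pkcs11/cacerts: $(cacerts_link_name "$cert")"
fi
```

Run it as `sh check_card_cert.sh cert.pem publicKey.pem` after the STORE CERTIFICATE step; a FAIL means the `-key "pkcs11:object=myKey..."` used by `openssl req` did not refer to the same key object that `--read-public-key "01"` exported, which is easy to get wrong when more than one key has been generated on the card.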