Name | Modified | Size | Downloads / Week |
---|---|---|---|
Login-1.320.tar.bz2 | 2020-06-07 | 82.1 kB | |
README.md | 2020-02-18 | 3.5 kB | |
Login-1.319.tar.bz2 | 2019-05-18 | 82.1 kB | |
Login-0.318.tar.bz2 | 2018-09-18 | 36.1 kB | |
Login-0.316.tar.bz2 | 2018-02-15 | 25.2 kB | |
Login-0.310.tar.bz2 | 2016-10-04 | 24.9 kB | |
Login-0.300.tar.bz2 | 2016-06-17 | 24.7 kB | |
Totals: 7 Items | | 278.6 kB | 2 |
LoginApp provides X display management. User authentication is performed with either a username/password or a SmartCard-based authentication mechanism that operates alongside OpenSSH configured to use an authorized_keys file. The latter method allows a user who can log on remotely via OpenSSH with a SmartCard to employ the same configuration for local authentication.
Prerequisites
- mGSTEP 1.93 or later (requires GCC with Objective-C or LLVM clang)
SmartCard support adds the following minimum requirements (if enabled):
- OpenSC 0.19
- OpenSSH 7.6
- OpenSSL 1.0.2
- ccid 1.4.19
- pcsc-lite 1.18.24
Hardware requirements for SmartCard support:
- Cryptographic SmartCard supported by the OpenSC PKCS#11 module
- SmartCard reader supported by pcsc-lite
Known Issues
- User mapping from a SmartCard's certificates is not yet implemented.
- UI error handling is minimal and does not allow PIN unlock, etc.
- PKCS#11 modules from commercial SmartCard middleware are untested.
Build
X server path and launch parameters can be tuned by editing the header file Login.h prior to building LoginApp.
**1) Set mGSTEP environment (mGSTEP shared libs should be installed)**
$ export MGSTEP_ROOT=/<mgstep-install-path-or-built-source-tree>
**2) Build and configure LoginApp**
$ make
**3) Test command line launch of LoginApp and the X server:**
$ sudo -E ./Login.app/Login
**With SmartCard support enabled:**
Install OpenSSL, OpenSSH, ccid, pcsc-lite and OpenSC before performing build step #2.
**4) Launch the pcsc-lite daemon in debug mode:**
$ sudo /usr/local/sbin/pcscd --foreground -d
**5) Insert an issued/personalized SmartCard into your SC reader and list its public keys in the OpenSSH authorized_keys file format:**
$ ssh-keygen -D /usr/local/lib/opensc-pkcs11.so -e
**6) Copy a key from the list in step #5 to the OpenSSH user's authorized_keys file or a system wide alternative.** This is usually the first public key for which the SC has a private key.
**7) Test launch as in step #3 but enter the SmartCard's PIN instead of the user's password.** LoginApp will indicate it is in SmartCard mode when its panel logo changes to a SC contacts image. Switch back to User/Password mode by removing the SmartCard.
Install
LoginApp is typically run by the system's init with an /etc/inittab entry similar to the following example:
**x:5:respawn:/usr/bin/Login.app/Login -mgstep "/usr/mGSTEP" >& /dev/console**
Theory
SmartCard support relies on the established OpenSSH authorized_keys file authentication mechanism. LoginApp runs locally so private key storage is restricted to a cryptographic SmartCard. The logon sequence is then:
- SmartCard is inserted and its public keys / certificates are extracted.
- User initiates logon sequence by entering a username and the SmartCard PIN.
- OpenSSH authorized_keys file is searched for a match of the public keys.
- If a matched public key is found, that key is signed with OpenSSL.
- OpenSSL redirects signing to the SmartCard which uses its private key.
- OpenSSL verifies the resulting signature with the public key.
Any failure during the aforementioned steps terminates the logon sequence.
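The authorized_keys search step of the sequence above, as an added Python sketch (not LoginApp's own code). It compares decoded key blobs rather than line text, rejects entries whose declared key type differs from the type inside the blob, and goes slightly beyond the text by skipping an options prefix; all function names and the sample keys are constructed for illustration.

```python
import base64, binascii, struct

def fields(line):
    # Split on whitespace, keeping double-quoted option values intact.
    out, cur, quoted, prev = [], "", False, ""
    for ch in line.strip():
        if ch == '"' and prev != "\\":
            quoted = not quoted
        if ch in " \t" and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
        prev = ch
    return out + ([cur] if cur else [])

def key_blob(line):
    # Decoded key blob of one line, or None for comments and malformed entries.
    f = [] if line.lstrip().startswith("#") else fields(line)
    for i in range(min(2, len(f) - 1)):  # key type is field 0, or field 1 after options
        try:
            blob = base64.b64decode(f[i + 1], validate=True)
        except (binascii.Error, ValueError):
            continue
        n = struct.unpack(">I", blob[:4])[0] if len(blob) >= 4 else 0
        if n and blob[4:4 + n] == f[i].encode():  # declared type must match type inside blob
            return blob
    return None

def find_match(card_lines, authorized_keys_text):
    # 1-based authorized_keys line holding one of the card's keys, else None (logon stops).
    card = {b for b in map(key_blob, card_lines) if b}
    lines = enumerate(authorized_keys_text.splitlines(), 1)
    return next((n for n, line in lines if key_blob(line) in card), None)

def sample_line(keytype, payload, prefix="", comment=""):
    # Constructed, non-functional key line used only as demo input.
    t = keytype.encode()
    blob = struct.pack(">I", len(t)) + t + struct.pack(">I", len(payload)) + payload
    return " ".join(x for x in (prefix, keytype, base64.b64encode(blob).decode(), comment) if x)

CARD = [sample_line("ssh-ed25519", bytes(range(32)))]  # stands in for `ssh-keygen -D ... -e` output
AUTHORIZED_KEYS = "\n".join([
    "# constructed sample file",
    sample_line("ssh-ed25519", bytes(32), 'command="echo hi there",no-pty', "bob"),
    sample_line("ssh-ed25519", bytes(range(32)), comment="alice@card"),
])
print("matched line:", find_match(CARD, AUTHORIZED_KEYS))
```

A `None` result corresponds to the terminated logon described above; the signing and verification steps that follow a match are not shown.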
Building on OpenBSD 6.3 requires gcc 4.9, then build with:
$ CC=/usr/local/bin/egcc make