GNU|Linux Smartcard logon using PAM_P11 - GOOZE downloading

GNU|Linux Smartcard logon using PAM_P11 

Published on Gooze (http://www.gooze.eu) 

Home > GNU|Linux Smartcard logon using PAM_P11 


This guide describes how to logon a GNU/Linux host using PAM_P11. 

Audience 

This tutorial is suited for users who would like to secure their own access to a few workstations using smartcards and RSA 

keys in OpenSSH format. 

This tutorial does not cover connecting remotely using ssh client with smart cards, which is covered in another tutorial. 

Prerequisites 

As a prerequisite, you should read our smart card quickstarter guide [1], in order to learn how to install and configure smartcards. 

Hereafter, we consider that you installed a smart card reader and configured a smart card either with a self-signed certificate or 

a free X.509 certificate like offered by CAcert.org community. Make sure to backup your certificates and keys as explained 

previously, because you will not be able to extract private keys from your smart card. 

PAM and PAM-P11 

GNU/Linux uses PAM (Pluggable Authentication Modules) to authenticate using a variety of methods. 

PAM is installed on every workstation. PAM documentation can be read in details: The Linux-PAM System Administrators' Guide 

[2]. 

PAM_P11 is an OpenSC [3] project designed for authentication using smartcards and cryptographic keys. You can visit OpenSC 

Pam-P11 page for information: http://www.opensc-project.org/pam_p11/ [4] 

Installation using binary packages 

Under Debian based / Ubuntu, install libpam-p11 package: 

$ apt-get install libpam-p11 

Alternatively, use a graphical installed like Synaptic: 

Copyright GOOZE 2010-2011 http://www.gooze.eu 1 / 5


Installation from sources 

Visit pam_p11 project: http://www.opensc-project.org/pam_p11/ [4] 

Download and untar: 

$ tar -xvf pam_p11/pam_p11-0.1.5.tar.gz 

$ cd pam_p11* 

$ ./configure --prefix=/usr --libdir=/lib/ 

$ make 

$ make install 

Configuring Pam_P11 

PAM configuration files are stored in the /etc/pam.d/ directory. 

Let us have a look at the common-session configuration file: 

$ cat /etc/pamd.d/common-auth 

This displays: 

$ # here are the per-package modules (the "Primary" block) 

auth [success=1 default=ignore] pam_unix.so nullok_secure 

# here's the fallback if no module succeeds 

auth requisite pam_deny.so 

# prime the stack with a positive return value if there isn't one already; 

# this avoids us returning an error just because nothing sets a success code 

# since the modules above will each just jump around 

auth required pam_permit.so 

# end of pam-auth-update config 

As of pam 1.0.1-6, this file is managed by pam-auth-update by default. 



To take advantage of this, it is recommended that you configure any local modules either before or after the default block, and 

use pam-auth-update to manage selection of other modules. 

pam-config mechanism stores templates in /usr/share/pam-configs. 

Let us explore this directory: 

$ ls /usr/share/pam-configs 

consolekit gnome-keyring unix 

Now we simply create a template for pam_p11 login. 

Create an empty file /usr/share/pam-configs/p11 and add: 

Name: Pam_p11 

Default: yes 

Priority: 800 

Auth-Type: Primary 

Auth: sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so 

To regenerate PAM configuration files, we need to execute: 

$ pam-auth-update 

A Debian configuration dialog is displayed: 

Make sure 'Unix authentication' is enabled, otherwise there is a risk to lose the ability to connect using passwords. 

Enable 'libpam-p11' and disable 'libpam-pkcs11' to avoid a separate access system using smart cards. 

Let us have a look at the common-session configuration file: 

$ cat /etc/pam.d/common-auth 



This displays: 

$ here are the per-package modules (the "Primary" block) 

auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so 

auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass 

# here's the fallback if no module succeeds 

auth requisite pam_deny.so 

# prime the stack with a positive return value if there isn't one already; 

# this avoids us returning an error just because nothing sets a success code 

# since the modules above will each just jump around 

auth required pam_permit.so 

# and here are more per-package modules (the "Additional" block) 

# end of pam-auth-update config 

Notice the line: 

auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so 

auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass 

Installing RSA publick key 

First, query your public keys on your card : 

$ pkcs15-tool --list-public-keys 

Using reader with a card: Feitian SCR301 01 00 

Public RSA Key [Private Key] 

Com. Flags : 2 

Usage : [0x4], sign 

Access Flags: [0x0] 

ModLength : 2048 

Key ref : 0 

Native : no 

Path : 3f0050153000 

Auth ID : 

ID : c6f280080fb0ed1ebff0480a01d00a98a1b3b89a 

In the example, we have one public key with ID c6f280080fb0ed1ebff0480a01d00a98a1b3b89a. 

Now, extract and copy the RSA public key to ~/.ssh/authorized_keys to be able to authenticate: 

$pkcs15-tool --read-ssh-key c6f280080fb0ed1ebff0480a01d00a98a1b3b89a -o ~/.ssh/authorized_keys 

Using reader with a card: Feitian SCR301 01 00 

Please enter PIN [User PIN]: 

Authentication using a smartcard 

Now you should be able to authenticate using shell: 

$ su $yourname 

Password for token François Pérou (User PIN): 



Enter PIN code and you are authenticated. 

The same happens with X11 on Gnome or KDE4 startup. 

Limitations 

Impossible to display screensaver when card is removed. 

No check for X.509 revocation lists. 

Due to these limitations, you may be interested in using a full-featured PAM module called Pam-pkcs11, which is our next tutorial. 

Copyright GOOZE.EU 2011. 

Source URL: http://www.gooze.eu/howto/gnu-linux-smartcard-logon-using-pam-p11 

Links: 

[1] http://www.gooze.eu/howto/smart-card-quickstarter-guide 

[2] http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html 

[3] http://www.opensc-project.org 

[4] http://www.opensc-project.org/pam_p11/

GNU|Linux Smartcard logon using PAM_P11 - GOOZE downloading

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?