GNU|Linux Smartcard logon using PAM_P11
Published on Gooze (http://www.gooze.eu)
This guide describes how to log on to a GNU/Linux host using PAM_P11.
Audience
This tutorial is suited for users who would like to secure their own access to a few workstations using smartcards and RSA keys in OpenSSH format.
This tutorial does not cover connecting remotely with an SSH client and a smart card, which is covered in another tutorial.
Prerequisites
As a prerequisite, you should read our smart card quickstarter guide [1] to learn how to install and configure smartcards.
Hereafter, we assume that you have installed a smart card reader and configured a smart card with either a self-signed certificate or a free X.509 certificate such as those offered by the CAcert.org community. Make sure to back up your certificates and keys as explained previously, because you will not be able to extract private keys from your smart card.
PAM and PAM-P11
GNU/Linux uses PAM (Pluggable Authentication Modules) to authenticate using a variety of methods.
PAM is installed on every workstation. Its documentation is available in detail in The Linux-PAM System Administrators' Guide [2].
PAM_P11 is an OpenSC [3] project designed for authentication using smartcards and cryptographic keys. You can visit the OpenSC Pam-P11 page for information: http://www.opensc-project.org/pam_p11/ [4]
Installation using binary packages
Under Debian based / Ubuntu, install the libpam-p11 package:
$ apt-get install libpam-p11
Alternatively, use a graphical installer like Synaptic.
Copyright GOOZE 2010-2011 http://www.gooze.eu
Installation from sources
Visit the pam_p11 project page: http://www.opensc-project.org/pam_p11/ [4]
Download and untar, then build and install:
$ tar -xvf pam_p11/pam_p11-0.1.5.tar.gz
$ cd pam_p11*
$ ./configure --prefix=/usr --libdir=/lib/
$ make
$ make install
Configuring Pam_P11
PAM configuration files are stored in the /etc/pam.d/ directory.
Let us have a look at the common-auth configuration file:
$ cat /etc/pam.d/common-auth
This displays:
# here are the per-package modules (the "Primary" block)
auth [success=1 default=ignore] pam_unix.so nullok_secure
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# end of pam-auth-update config
As of pam 1.0.1-6, this file is managed by pam-auth-update by default.
To take advantage of this, it is recommended that you configure any local modules either before or after the default block, and use pam-auth-update to manage selection of other modules.
The pam-auth-update mechanism stores its templates in /usr/share/pam-configs.
Let us explore this directory:
$ ls /usr/share/pam-configs
consolekit gnome-keyring unix
Now we simply create a template for pam_p11 login.
Create an empty file /usr/share/pam-configs/p11 and add:
Name: Pam_p11
Default: yes
Priority: 800
Auth-Type: Primary
Auth: sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
To regenerate the PAM configuration files, execute:
$ pam-auth-update
A Debian configuration dialog is displayed.
Make sure 'Unix authentication' is enabled, otherwise you risk losing the ability to log in using passwords.
Enable 'libpam-p11' and disable 'libpam-pkcs11' to avoid a separate access system using smart cards.
Let us have a look at the common-auth configuration file again:
$ cat /etc/pam.d/common-auth
This displays:
# here are the per-package modules (the "Primary" block)
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here's the fallback if no module succeeds
auth requisite pam_deny.so
# prime the stack with a positive return value if there isn't one already;
# this avoids us returning an error just because nothing sets a success code
# since the modules above will each just jump around
auth required pam_permit.so
# and here are more per-package modules (the "Additional" block)
# end of pam-auth-update config
Notice the two lines at the top of the Primary block:
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
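A small check for the risk mentioned above (losing password logon), added here as an example and not part of the Gooze tutorial: it verifies that a common-auth stack still contains pam_unix.so and pam_deny.so and that pam_p11_openssh.so is consulted before pam_unix.so. The stack it inspects is a constructed copy of the file shown above.

```shell
#!/bin/sh
# Constructed copy of the common-auth shown above (not read from a live system).
SAMPLE_COMMON_AUTH='# here are the per-package modules (the "Primary" block)
auth sufficient pam_p11_openssh.so /usr/lib/opensc-pkcs11.so
auth [success=1 default=ignore] pam_unix.so nullok_secure try_first_pass
# here is the fallback if no module succeeds
auth requisite pam_deny.so
auth required pam_permit.so'

# Print the line number of the first uncommented "auth" line that loads MODULE
# (empty output if it is absent).  Usage: auth_line_of "$config_text" pam_unix.so
auth_line_of() {
    printf '%s\n' "$1" | awk -v mod="$2" '
        /^[[:space:]]*#/ { next }
        $1 == "auth" { for (i = 2; i <= NF; i++) if ($i == mod) { print NR; exit } }'
}

# Verify that the auth stack keeps a password fallback (pam_unix), a final
# denial (pam_deny) and consults pam_p11_openssh before pam_unix.
# Returns 0 when the stack is sane; prints each problem and returns 1 otherwise.
check_auth_stack() {
    cfg=$1
    rc=0
    p11=$(auth_line_of "$cfg" pam_p11_openssh.so)
    unix=$(auth_line_of "$cfg" pam_unix.so)
    deny=$(auth_line_of "$cfg" pam_deny.so)
    [ -n "$p11" ]  || { echo "pam_p11_openssh.so is not in the auth stack"; rc=1; }
    [ -n "$unix" ] || { echo "pam_unix.so is missing: password logon would be lost"; rc=1; }
    [ -n "$deny" ] || { echo "pam_deny.so is missing: nothing denies when no module succeeds"; rc=1; }
    if [ -n "$p11" ] && [ -n "$unix" ] && [ "$p11" -gt "$unix" ]; then
        echo "pam_p11_openssh.so is listed after pam_unix.so: the card is not tried first"
        rc=1
    fi
    return "$rc"
}

# On a live host: check_auth_stack "$(cat /etc/pam.d/common-auth)"
```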
Installing the RSA public key
First, list the public keys on your card:
$ pkcs15-tool --list-public-keys
Using reader with a card: Feitian SCR301 01 00
Public RSA Key [Private Key]
Com. Flags : 2
Usage : [0x4], sign
Access Flags: [0x0]
ModLength : 2048
Key ref : 0
Native : no
Path : 3f0050153000
Auth ID :
ID : c6f280080fb0ed1ebff0480a01d00a98a1b3b89a
In the example, we have one public key with ID c6f280080fb0ed1ebff0480a01d00a98a1b3b89a.
Now, extract the RSA public key in OpenSSH format and copy it to ~/.ssh/authorized_keys to be able to authenticate with it:
$ pkcs15-tool --read-ssh-key c6f280080fb0ed1ebff0480a01d00a98a1b3b89a -o ~/.ssh/authorized_keys
Using reader with a card: Feitian SCR301 01 00
Please enter PIN [User PIN]:
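The listing-and-export steps above as a script, added here as an example (not code from the Gooze tutorial or from OpenSC): it handles every key on the card and appends each exported line to authorized_keys only if it is not already there, so keys already in the file are kept. It assumes that pkcs15-tool --read-ssh-key prints the key to stdout when -o is omitted; the listing used for testing is a constructed copy of the output above.

```shell
#!/bin/sh
# Constructed sample of `pkcs15-tool --list-public-keys` output, copied from the
# listing above; the test never talks to a real card.
SAMPLE_LISTING='Using reader with a card: Feitian SCR301 01 00
Public RSA Key [Private Key]
        Com. Flags  : 2
        Usage       : [0x4], sign
        ModLength   : 2048
        Auth ID     :
        ID          : c6f280080fb0ed1ebff0480a01d00a98a1b3b89a'

# Print every key ID found in a listing, one per line ("Auth ID" lines are skipped).
list_key_ids() {
    printf '%s\n' "$1" |
        sed -n 's/^[[:space:]]*ID[[:space:]]*:[[:space:]]*\([0-9A-Fa-f]\{1,\}\).*/\1/p'
}

# Append one OpenSSH public key line to FILE unless it is already there.
# Creates the directory and the file with owner-only permissions.
# Returns 0 when the key was added, 1 when it was already present.
append_authorized_key() {
    keyline=$1
    file=$2
    dir=$(dirname "$file")
    [ -d "$dir" ] || mkdir -p -m 700 "$dir"
    [ -f "$file" ] || (umask 077 && : > "$file")
    chmod 600 "$file"
    if grep -qxF -- "$keyline" "$file"; then
        return 1
    fi
    printf '%s\n' "$keyline" >> "$file"
}

# Export every public key on the card in OpenSSH format and merge it into
# authorized_keys.  Assumption (not shown on the page): pkcs15-tool writes the
# key to stdout when no -o option is given.  Needs a reader and the card.
install_card_keys() {
    authfile=${1:-"$HOME/.ssh/authorized_keys"}
    listing=$(pkcs15-tool --list-public-keys) || return 1
    for id in $(list_key_ids "$listing"); do
        key=$(pkcs15-tool --read-ssh-key "$id") || return 1
        if append_authorized_key "$key" "$authfile"; then
            echo "added key $id to $authfile"
        else
            echo "key $id already present in $authfile"
        fi
    done
}
```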
Authentication using a smartcard
Now you should be able to authenticate from a shell:
$ su $yourname
Password for token François Pérou (User PIN):
Enter the PIN code and you are authenticated.
The same happens with X11 on Gnome or KDE4 startup.
Limitations
The screensaver cannot be triggered when the card is removed.
X.509 certificate revocation lists are not checked.
Due to these limitations, you may be interested in using a full-featured PAM module called Pam-pkcs11, which is the subject of our next tutorial.
Copyright GOOZE.EU 2011.
Source URL: http://www.gooze.eu/howto/gnu-linux-smartcard-logon-using-pam-p11
Links:
[1] http://www.gooze.eu/howto/smart-card-quickstarter-guide
[2] http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/Linux-PAM_SAG.html
[3] http://www.opensc-project.org
[4] http://www.opensc-project.org/pam_p11/