georgkostner n00b
Joined: 02 May 2004 Posts: 3
Posted: Wed Jun 02, 2004 7:26 am Post subject: driver for aladdins etoken
Hello,
can someone help me get my Aladdin eToken to work?
I'm looking for a driver for the Aladdin eToken.
Thank you,
georg
d33d0 n00b
Joined: 22 Apr 2003 Posts: 24 Location: Hamburg / Germany
Posted: Thu Aug 12, 2004 10:44 am Post subject:
Did you find something in the meantime?
You may want to look at http://www.opensc.org/.
I'm trying to use an eToken for login (PAM + SSH) but I'm still not finished..
cu
georgkostner n00b
Joined: 02 May 2004 Posts: 3
Posted: Mon Aug 16, 2004 6:54 am Post subject:
I emerged the opensc package on Gentoo.
The package was able to discover the eToken. But my Aladdin eToken was created by Aladdin software on Windows. It seems that the Windows software creates a different format on the eToken than the opensc software expects. Unfortunately, for this reason I was not able to use the eToken with Firefox.
I wrote to the opensc newsgroup. They wrote back that the opensc software follows the PKCS#15 standard and Aladdin's Windows software doesn't follow this standard. As I understand it, to use the Aladdin eToken on Linux you must create a certified eToken with the opensc software, then it should work. I have no time to try this out.
Georg
d33d0 n00b
Joined: 22 Apr 2003 Posts: 24 Location: Hamburg / Germany
Posted: Mon Aug 16, 2004 8:05 am Post subject:
Well, I got my Aladdin eToken PRO to work.
First you have to erase and initialize your eToken (pkcs15-init -EC).
After that you have to create a user PIN (pkcs15-init -P -a 0).
Finally you may upload a certificate (as a .p12 file) from Thawte to your eToken or generate it yourself.
See: http://www.opensc.org/talks/linux-kongress03/linux-kongress03.pdf
To use the eToken in Mozilla and for login etc. see the opensc manual: http://www.opensc.org/files/doc/opensc.html.
To lock the screen via xscreensaver after removing the eToken I use hotplug and the following script (/etc/hotplug/usb/opensc):
Code:
#!/bin/bash
# Run by hotplug's USB agent, which exports DEVICE, PRODUCT and REMOVER.
# Write the script hotplug executes when the token is unplugged: lock the screen.
echo -e '#!/bin/sh\n/usr/bin/xscreensaver-command -lock' > "$REMOVER"
chmod a+x "$REMOVER"
# Hand the freshly attached token to openct
/usr/sbin/openct-control attach "$DEVICE" "usb:$PRODUCT"
Please note that this is not very nice, because you have to allow "root" to access your X window session and I did this via "xhost +localhost" at startup..
I am open to a better solution.
PS: My eToken works with Windows for logon as well! Just install eTLogonClient.msi on Windows and create a logon profile. The opensc profile will not be touched.
Hope this helps..
Falko
chiko n00b
Joined: 22 Jan 2004 Posts: 52 Location: Achinsk, Krasnoyarsky kray, Russia
Posted: Mon Oct 18, 2004 7:57 am Post subject:
Strange problem with PAM (maybe PAM, IMHO).
I wrote about it here: http://www.opensc.org/pipermail/opensc-devel/2004-October/004747.html
(No PIN prompt after login: username, and 60 seconds timeout)
After examining
http://www.opensc.org/pipermail/opensc-devel/2003-August/002301.html,
http://www.opensc.org/pipermail/opensc-devel/2003-August/002056.html and
http://www.opensc.org/pipermail/opensc-devel/2003-August/002166.html
I think the trouble with the missing PIN prompt is in PAM, but I can't find a solution :(
My /etc/pam.d/login looks like this:
Code:
auth required /usr/lib/security/pam_opensc.so use_first_pass
In /etc/shadow all password hashes were changed to '!'.
And after the <censored> timeout, again booting from LiveCD, mount /dev/hdaX /mnt/gentoo, cp /mnt/gentoo/etc/pam.d/login.ORIG /mnt/gentoo/etc/pam.d/login, /mnt/gentoo/etc/shadow.BACKUP /mnt/gentoo/etc/shadow ... Boooored :(
On the openct mailing list the guys say this trouble is Gentoo-specific; what can I do?
Help me please, thanks.
Good luck!
_________________
Athlon-XP 1900+
Fluxbox 0.99
d33d0 n00b
Joined: 22 Apr 2003 Posts: 24 Location: Hamburg / Germany
Posted: Mon Oct 18, 2004 8:18 am Post subject:
Hi chiko.
I didn't change /etc/pam.d/login.
/etc/pam.d/system-auth is included by every pam file in Gentoo (I think), so I changed it like this (changed only the 3rd line):
Code:
#%PAM-1.0
auth sufficient /lib/security/pam_opensc.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
Therefore opensc is used for every authentication via PAM (like login, xdm, screensaver etc.) but login via password is also possible (well, not in your case, because of the "!" in /etc/shadow).
Greetings from Germany
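As an added illustration (not code from this thread, from OpenSC or from Linux-PAM), the following Python simulates how Linux-PAM walks the classic "auth" control keywords over the system-auth stack posted above; the module outcomes it feeds in are constructed, and pam_deny is modelled as always failing. It shows that a successful pam_opensc line ends the stack before pam_env and pam_unix run, that a missing token falls through to the password line, and that shadow hashes replaced by '!' leave only pam_deny.

```python
# Added simulation (not Linux-PAM's or OpenSC's own code) of the classic 'auth'
# control keywords, run over the system-auth stack quoted above.
SYSTEM_AUTH = """\
#%PAM-1.0
auth sufficient /lib/security/pam_opensc.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
"""

def parse_auth_stack(text):
    """Return [(control, module_basename), ...] for the 'auth' lines only."""
    stack = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == "auth":
            stack.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return stack

def run_auth_stack(stack, results):
    """results maps module basename -> True (PAM_SUCCESS) or False; modules not
    listed are treated as failing and pam_deny.so always fails (constructed
    outcomes, no real module is called). Returns (authenticated, modules called)."""
    required_failed, called = False, []
    for control, module in stack:
        ok = module != "pam_deny.so" and results.get(module, False)
        called.append(module)
        if control == "requisite" and not ok:
            return False, called          # abort at once
        if control == "required" and not ok:
            required_failed = True        # keep going, but fail at the end
        if control == "sufficient" and ok and not required_failed:
            return True, called           # short-circuit: later lines never run
        # a failing 'sufficient' line and 'optional' lines change nothing
    return not required_failed, called

def scenarios():
    stack = parse_auth_stack(SYSTEM_AUTH)
    return {
        # token present, correct PIN: stack ends at pam_opensc, pam_env never runs
        "token_ok": run_auth_stack(stack, {"pam_opensc.so": True}),
        # no token, correct password: pam_opensc fails (ignored), pam_unix decides
        "password_ok": run_auth_stack(stack, {"pam_env.so": True, "pam_unix.so": True}),
        # no token and shadow hashes replaced by '!': falls through to pam_deny
        "shadow_locked": run_auth_stack(stack, {"pam_env.so": True}),
    }

if __name__ == "__main__":
    for name, (ok, called) in scenarios().items():
        print(f"{name:14s} -> {'success' if ok else 'failure'} after {called}")
```

One practical consequence visible in the token_ok case: anything pam_env would have set up is skipped on a token login, so a required module that must always run belongs before the sufficient pam_opensc line.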
chiko n00b
Joined: 22 Jan 2004 Posts: 52 Location: Achinsk, Krasnoyarsky kray, Russia
Posted: Tue Oct 19, 2004 3:23 am Post subject:
Good day d33d0.
I followed your words, restored the original /etc/pam.d/login and added the row auth sufficient /lib/security/pam_opensc.so to /etc/pam.d/system-auth. Now /etc/pam.d/system-auth is a full copy of yours. From /dev/pts/2 I do:
Code:
chiko@grayhat chiko $ su chiko
Using card reader Aladdin eToken PRO
Enter PIN1 [Chiko PIN]:
The PIN prompt! I was satisfied :) But after entering my PIN correctly, /bin/bash doesn't start :( chiko sits and stupidly looks at the empty line.
From /dev/pts/3 (I'm using fluxbox and aterm) I do $ ps auxf:
Code:
<skipped>
root 1921 0.0 0.4 2156 1172 ? S 08:56 0:00 login -- chiko
chiko 2005 0.0 0.5 4580 1420 vc/1 S 08:56 0:00 \_ -bash
chiko 2013 0.0 0.4 4360 1088 vc/1 S 08:56 0:00 \_ /bin/sh /usr/X11R6/bin/startx
chiko 2024 0.0 0.2 2796 744 vc/1 S 08:56 0:00 \_ xinit /home/chiko/.xinitrc -- -deferglyphs 16
root 2025 1.7 13.2 53068 34004 ? SL 08:56 1:55 \_ /etc/X11/X :0 -deferglyphs 16
chiko 2031 0.0 1.3 8364 3380 vc/1 S 08:56 0:02 \_ fluxbox
chiko 2048 0.0 0.4 4424 1164 ? S 08:56 0:00 \_ /bin/bash /usr/bin/firefox
chiko 2055 1.6 12.6 55160 32464 ? S 08:56 1:47 | \_ /opt/firefox/firefox-bin
chiko 2064 0.0 12.6 55160 32464 ? S 08:56 0:00 | \_ /opt/firefox/firefox-bin
chiko 2065 0.0 12.6 55160 32464 ? S 08:56 0:00 | \_ /opt/firefox/firefox-bin
chiko 2069 0.0 12.6 55160 32464 ? S 08:56 0:00 | \_ /opt/firefox/firefox-bin
chiko 2056 0.0 1.3 7228 3456 ? S 08:56 0:00 \_ aterm
chiko 2057 0.0 0.5 4596 1460 pts/0 S 08:56 0:00 | \_ -bash
root 31032 0.0 0.3 4336 1020 pts/0 S 10:01 0:00 | \_ su
root 31035 0.0 0.5 4592 1424 pts/0 S 10:01 0:00 | \_ bash
chiko 2502 0.2 7.8 95076 20196 ? S 08:59 0:14 \_ evolution
chiko 2752 0.0 7.8 95076 20196 ? S 09:00 0:00 | \_ evolution
chiko 2753 0.0 7.8 95076 20196 ? S 09:00 0:00 | \_ evolution
chiko 2777 0.0 7.8 95076 20196 ? S 09:00 0:00 | \_ evolution
chiko 4950 0.0 7.8 95076 20196 ? S 09:00 0:00 | \_ evolution
chiko 4951 0.0 7.8 95076 20196 ? S 09:00 0:00 | \_ evolution
chiko 4952 0.0 7.8 95076 20196 ? S 09:00 0:00 | \_ evolution
chiko 4953 0.0 7.8 95076 20196 ? S 09:00 0:00 | \_ evolution
chiko 24980 0.0 7.8 95076 20196 ? S 09:10 0:00 | \_ evolution
chiko 17659 0.0 0.6 5460 1672 ? S 09:18 0:00 \_ aterm -e /usr/bin/irssi
chiko 17660 0.0 1.8 10236 4732 pts/1 S 09:18 0:00 | \_ /usr/bin/irssi
chiko 31039 0.0 0.7 5692 1924 ? S 10:03 0:00 \_ aterm
chiko 31040 0.0 0.5 4600 1472 pts/2 S 10:03 0:00 | \_ -bash
root 31189 0.0 0.7 6124 1908 pts/2 S 10:48 0:00 | \_ su chiko
chiko 31176 0.0 0.6 5552 1772 ? S 10:45 0:00 \_ aterm
chiko 31177 0.0 0.5 4592 1432 pts/3 S 10:45 0:00 \_ -bash
chiko 31190 0.0 0.3 2676 784 pts/3 R 10:48 0:00 \_ ps auxf
<skipped>
Note: pids 31032 and 31035 were created before the /etc/pam.d/system-auth change (don't want to reboot, booting from LiveCD... etc.). Very interesting: a freeze after pid 31189 - /bin/bash doesn't start after su, the PIN was prompted.
If I enter a wrong PIN:
Code:
chiko@grayhat chiko $ su chiko
Using card reader Aladdin eToken PRO
Enter PIN1 [Chiko PIN]:
sec.c:204:sc_pin_cmd: returning with: PIN code or key incorrect
sc_pkcs15_verify_pin: PIN code or key incorrect
and silence again :( Ctrl+C - my helper :)
Versions:
Code:
$ qpkg -I -v | grep pam
mail-filter/Mail-SpamAssassin-2.63 *
sys-apps/pam-login-3.14 *
sys-libs/pam-0.77 *
sys-libs/pam_mysql-0.5 *
sys-libs/pam_mount-0.9.9-r1 *
sys-libs/pam_usb-0.3.0 *
$ qpkg -I -v | grep open
<skipped>
dev-libs/opensc-0.9.2 *
dev-libs/openssl-0.9.7d-r1 *
dev-libs/openct-0.6.1 *
Code:
chiko@grayhat chiko $ ls -l ~/.eid
total 4
-rw-r--r-- 1 chiko users 1322 2004-10-19 10:19 authorized_certificates
chiko@grayhat chiko $ pkcs15-tool -c
X.509 Certificate [Certificate]
Flags : 2
Authority: no
Path : 3F0050153049
ID : 45
chiko@grayhat chiko $ pkcs15-tool -k
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x22], decrypt, unwrap
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 16
Native : yes
Path : 3F005015
Auth ID : 01
ID : 45
Private RSA Key [Private Key]
Com. Flags : 3
Usage : [0x20C], sign, signRecover, nonRepudiation
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 17
Native : yes
Path : 3F005015
Auth ID : 01
ID : 45
chiko@grayhat chiko $ pkcs15-tool --list-public-keys
Public RSA Key [Public Key]
Com. Flags : 2
Usage : [0x4], sign
Access Flags: [0x0]
ModLength : 1024
Key ref : 0
Native : no
Path : 3F0050153048
Auth ID :
ID : 45
Certs and keys are present.
Any ideas? On your PC is everything working?
Thanks for the hint with /etc/pam.d/system-auth - you saved me time :)
Greetings from Russia ;)
_________________
Athlon-XP 1900+
Fluxbox 0.99
d33d0 n00b
Joined: 22 Apr 2003 Posts: 24 Location: Hamburg / Germany
Posted: Tue Oct 19, 2004 7:53 am Post subject:
Hmm...
Well, it works on all my computers straight away.. Installing opensc, integrating it into PAM and copying .eid into the user's home => Works!
The only thing you might check is if /var/log/messages has an entry like
Quote:
su(pam_opensc)[19093]: Authentication successful for root at pts/1.
If not, pam_opensc didn't finish. This may be a certificate issue. I had problems with my self-created certificates and now I'm using a free Thawte email certificate.
Maybe opensc is trying to validate your certificate but with no success (looong timeout?). Just guessing... :-/
Hope this helps!
chiko n00b
Joined: 22 Jan 2004 Posts: 52 Location: Achinsk, Krasnoyarsky kray, Russia
Posted: Tue Oct 19, 2004 8:45 am Post subject:
Very strange... With the self-created certificate not one word in /var/log/*!!!
Code:
# grep -ir pam_opensc /var/log
returns nothing!
chiko runs to www.thawte.com...
Quote:
I had problems with my self-created certificates
What problems? Can you tell me about them?
_________________
Athlon-XP 1900+
Fluxbox 0.99
d33d0 n00b
Joined: 22 Apr 2003 Posts: 24 Location: Hamburg / Germany
Posted: Tue Oct 19, 2004 9:03 am Post subject:
No, sorry. It didn't work, so I went to Thawte.
That worked, so I never tried any other certification process.
chiko n00b
Joined: 22 Jan 2004 Posts: 52 Location: Achinsk, Krasnoyarsky kray, Russia
Posted: Wed Oct 20, 2004 4:26 am Post subject:
Hi d33d0.
Well. The cert from Thawte was received and works correctly with mozilla-firefox. Also the Thawte certificate was backed up into the ~/mycert.p12 file. I'm doing again:
Code:
pkcs15-init -E
pkcs15-init --create-pkcs15 --profile pkcs15
pkcs15-init --auth-id 1 --store-pin --pin "mypin" --puk "mypuk" --label "Chiko PIN"
pkcs15-init -S ~/mycert.p12 --format pkcs12 -a 1 --split-key
rm -rf ~/.eid
mkdir ~/.eid
pkcs15-tool -r 45 -o ~/.eid/authorized_certificates
Next: adding a row into /etc/pam.d/system-auth. Listing of my pam files:
Code:
# pwd
/etc/pam.d
# cat login
#%PAM-1.0
auth required /lib/security/pam_securetty.so
auth required /lib/security/pam_stack.so service=system-auth
auth required /lib/security/pam_nologin.so
account required /lib/security/pam_stack.so service=system-auth
password required /lib/security/pam_stack.so service=system-auth
session required /lib/security/pam_stack.so service=system-auth
session optional /lib/security/pam_console.so
Code:
# cat system-auth
#%PAM-1.0
auth sufficient /lib/security/pam_opensc.so
auth required /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok
auth required /lib/security/pam_deny.so
account required /lib/security/pam_unix.so
password required /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so
But after the PIN prompt and entering the PIN from the keyboard + pressing [ENTER], freeze again, yesterday's scenario.
Next:
Quote:
Therefore opensc is used for every authentication via PAM (like login, xdm, screensaver etc.) but login via password is also possible (well, not in your case, because of the "!" in /etc/shadow)
This step gives an error. I removed my eToken from USB and tried $ su chiko:
Code:
chiko@grayhat chiko $ su chiko
Debug: connect() failed: Connection refused
Debug: connect() failed: No such file or directory
Debug: connect() failed: No such file or directory
Debug: connect() failed: No such file or directory
Debug: connect() failed: No such file or directory
No smart card present
Password:
Freeze again after entering a password! /etc/shadow contains all password hashes (no '!' in the hash places, backups rulez :) ). What ps auxf tells me on another console:
Code:
<skipped>
chiko 2123 0.0 0.6 5552 1780 ? S 11:22 0:00 \_ aterm
chiko 2124 0.0 0.5 4584 1420 pts/0 S 11:22 0:00 | \_ -bash
root 2131 0.0 0.3 4336 1020 pts/0 S 11:22 0:00 | \_ su
root 2134 0.0 0.5 4588 1420 pts/0 S 11:22 0:00 | \_ bash
root 2211 0.0 0.3 2668 776 pts/0 R 11:49 0:00 | \_ ps auxf
chiko 2180 0.0 0.6 5460 1660 ? S 11:47 0:00 \_ aterm
chiko 2181 0.0 0.5 4592 1436 pts/1 S 11:47 0:00 \_ -bash
root 2209 0.0 0.6 6108 1584 pts/1 S 11:48 0:00 \_ su chiko
root 1923 0.0 0.2 1380 580 vc/2 S 11:18 0:00 /sbin/agetty 38400 tty2 linux
<skipped>
pid 2209... I don't understand where the problem is :( Ctrl+C ... In /var/log/* not one word about pam_opensc.
I again remove or comment out in /etc/pam.d/system-auth the row containing pam_opensc.so - then classical login/su (w/o eToken) works nicely.
If the eToken with the Thawte cert works correctly with my browser, then the problem is in the PAM settings, isn't it? How did I emerge opensc? USE='pam X -ldap' emerge /usr/portage/dev-libs/opensc/opensc-0.9.2.ebuild.
Code:
# cat /etc/ld.so.conf | grep sec
/lib/security
Thinking, it's PAM. Can you show me your pam configs? Or do I need to ask about PAM in another topic? People from the OpenSC-devel mailing list say it's a Gentoo-specific problem.
_________________
Athlon-XP 1900+
Fluxbox 0.99
d33d0 n00b
Joined: 22 Apr 2003 Posts: 24 Location: Hamburg / Germany
Posted: Wed Oct 20, 2004 7:54 am Post subject:
Sorry for the late answer. I watch this topic, but just began to work; local time is now 09:30h.
My /etc/opensc.conf
Code:
# Set debug level
debug = 0;
#
# Enable hot plugging
hotplug = yes;
#
# Path to ifdhandler
ifdhandler = /usr/sbin/ifdhandler;
# Configure static, non-hotplug aware readers here
#
# For a list of drivers try command 'ifdhandler -i', please
# notice that not all drivers have serial device capability.
#reader towitoko {
# driver = towitoko;
# device = serial:/dev/ttyS0;
#};
#
# Hotplug IDs
driver egate {
ids = {
usb:0973/0001,
};
};
driver etoken {
ids = {
usb:0529/050c,
usb:0529/0514,
};
};
driver eutron {
ids = {
usb:073d/0005,
};
};
driver ikey2k {
ids = {
usb:04b9/1202,
};
};
driver ikey3k {
ids = {
usb:04b9/1300,
};
};
#driver cardman {
# ids = {
# usb:076b/0596,
# };
#};
The only thing changed in my pam config was the added line...
How about the permissions of your usb device and the .eid dir + files?
I emerged opensc with ldap. Maybe some subfunction is used? I don't know...
Re-emerge opensc & pam?