[ale] Smart cards

Michael H. Warfield mhw at WittsEnd.com
Thu Oct 6 18:52:43 EDT 2011


On Thu, 2011-10-06 at 16:11 -0400, Michael Trausch wrote: 
> Just to clarify, I am not specifically looking for an OpenPGP smartcard...
> anything that'll do for auth is fine.

Hmmm...

I haven't quite done what you are looking to do but you might check into
the Aladdin eToken cards / tokens.  They have Windows software which I
believe MIGHT do what you want to do but you'd have to buy that
separately.  You'll need their pkcs11 driver to make the token work with
NSS, ssh, pgp/gpg, and pam but it can be done.  I've used these with ssh
(ssh-agent on Fedora has NSS integration and NSS handles the pkcs11 side
of the house when used with ssh-agent).  I've seen some code which, I
think, logs you in when you insert a smart card and locks your screen
when you pull it out but have had no experience with it.  The pam_usb
module does something similar but just uses a plain ole usb memory card
on which some sort of key is simply stored for that.

All that said...  There are 2 types of Aladdin eToken cards.

There are the 72K (yes, I said "K" - you don't need much space for keys)
Java tokens (smart cards in a USB format).  These use their Java cardlet
to actually implement the crypto stuff in Java.  They reserve some of
the space for updates to the Java cardlet so you really only have about
64K available on the card for keys (which can store a couple dozen
private keys - you don't store public keys or whole certs on them).
Those will run you in the $30-$40 range from CDW (cdw.com).  I've got a
couple of those and don't really care for them.  People claim the Aladdin
middleware (which uses a proprietary protocol to talk to the cardlet) is
buggy and clunky.

There are also 32K and 64K CardOS cards which are slightly more
expensive (about $45 each for the 64K units I just bought a month ago or
so).  They still require an Aladdin pkcs11 driver but you can locate
that on the net for download.  I've used the 32K tokens in the past with
ssh.  Just starting to play with my new 64K ones now.  Last ALE meeting
on ssh, I had a keyring full of these things.  They can be formatted for
use directly with OpenCT but the format is not compatible with the
Aladdin format, which you would need for any Windows Software.  There
are guides on the net on setting them up and getting them working with
Linux.

I've also heard that they CAN BE formatted for OpenPGP but I've never
done it and don't know anyone who has, but you say that's not important
to you.

Regards,
Mike

> On Oct 6, 2011 3:57 PM, "David Tomaschik" <david at systemoverlord.com> wrote:
> > On Thu, Oct 6, 2011 at 3:28 PM, Michael B. Trausch <mike at trausch.us>
> wrote:
> >> Hello,
> >>
> >> I'm doing some looking at an idea, but I am having a hard time finding
> >> information.  I want to toy with the idea of creating a sign-on system
> >> using smart cards; something where you don't even need a username.  I
> >> know that this is possible for Web applications with relative ease,
> >> but I would like to cook up something that'd be useful for distributed
> >> administrative management.  For example, I could use a smart card to
> >> authenticate to my home network when I'm away from home, and my laptop
> >> (or whatever computer I am at) would only be allowed to access certain
> >> resources on my home network when a valid and non-revoked card
> >> (certificate) is used.
> >>
> >> I've read quite a bit about _how_ to get the software to do such
> >> things, but the important question is the one that I don't have an
> >> answer to.  I want cards that can be set up with keys and used from
> >> both Linux and Windows systems without a great deal of effort.  Is
> >> that actually possible?  Shouldn't I be able to have a card and a USB
> >> reader, for example, and be able to use my smart card to access a Web
> >> site, or SSH connection, or whatever, without having to worry about
> >> "it won't work with system X because there isn't a library for it" or
> >> whatever?
> >>
> >> Or are the only options for such a thing truly to order from out of
> >> the country?
> >>
> >>    --- Mike
> >
> >
> > Mike,
> >
> > I can't address absolutely everything in your post, but I'll address
> > what I can. The scope of your problem is bigger than the scope of my
> > knowledge, but hopefully I can get you started.
> >
> > So, first off, there are MANY sources for smartcards. However, the
> > only source for smartcards that have software that complies with the
> > OpenPGP/GPG spec is Kernel Concepts in Germany. (I know you didn't
> > ask specifically about OpenPGP, but I'll get to that below.) The
> > readers are fairly standard and are commonly sold in the states for
> > use with the US Military CAC cards.
> >
> > For the OpenPGP/GPG smartcards, you can use gpg-agent as a drop-in
> > replacement for SSH agent and use an authentication-capable key from
> > the smartcard for SSH authentication. You can also use libpam-poldi
> > to enable local PAM authentication using the smartcard.
> >
> > As far as using it for problems outside the realm of PAM and SSH,
> > well, I haven't tried those. I haven't even found a way to do webapp
> > authentication via GPG smartcard. (I know you can do it with X.509,
> > but I'd rather use one key & one card for everything.)
> >
> > Let me know what you find -- I'd be interested to know.
> >
> > --
> > David Tomaschik, RHCE, LPIC-1
> > System Administrator/Open Source Advocate
> > OpenPGP: 0x5DEA789B
> > http://systemoverlord.com
> > david at systemoverlord.com
> >
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo

-- 
Michael H. Warfield (AI4NB) | (770) 985-6132 |  mhw at WittsEnd.com
   /\/\|=mhw=|\/\/          | (678) 463-0932 |  http://www.wittsend.com/mhw/
   NIC whois: MHW9          | An optimist believes we live in the best of all
 PGP Key: 0x674627FF        | possible worlds.  A pessimist is sure of it!
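The two SSH paths discussed in this thread (a vendor or OpenSC PKCS#11 module loaded into OpenSSH, and gpg-agent standing in for ssh-agent with an OpenPGP card's authentication key), as an added example that is not code from the original posts or from any of the posters. It assumes OpenSC's default module path on Linux; for an Aladdin token you would point PKCS11_MODULE at the Aladdin pkcs11 driver instead. The steps that need a token in the reader are guarded so the file can be read and sourced on a machine without one.

```shell
#!/bin/sh
# Added example, not from the thread. Wire a smart card / USB token into SSH.
# Assumptions (not stated on the page): OpenSC's module lives at the path
# below, and gpg-agent.conf lives in the directory passed to write_gpg_agent_conf.
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/opensc-pkcs11.so}"   # assumed path

# ---- Path 1: PKCS#11 module straight into OpenSSH ------------------------

# Print the public keys held on the token, in authorized_keys format.
# Returns 2 when the module is not present, so callers can skip the path.
pkcs11_list_pubkeys() {
    module="$1"
    if [ ! -r "$module" ]; then
        echo "pkcs11 module not found: $module" >&2
        return 2
    fi
    ssh-keygen -D "$module"
}

# Hand the token's private keys to a running ssh-agent (the PIN is prompted
# by ssh-add; the key never leaves the token).
pkcs11_add_to_agent() {
    module="$1"
    [ -r "$module" ] || return 2
    ssh-add -s "$module"
}

# Write an ssh_config fragment so ssh(1) talks to the token itself, no agent.
write_ssh_config_fragment() {
    module="$1"; out="$2"
    printf 'Host *\n    PKCS11Provider %s\n' "$module" > "$out"
}

# ---- Path 2: OpenPGP card via gpg-agent as the SSH agent -----------------

# Create gpg-agent.conf with SSH support enabled; prints the file path.
write_gpg_agent_conf() {
    dir="$1"
    mkdir -p "$dir" && chmod 700 "$dir"
    printf 'enable-ssh-support\n' > "$dir/gpg-agent.conf"
    echo "$dir/gpg-agent.conf"
}

# Restart gpg-agent, point SSH at its socket, and list the card's auth key.
# Returns 2 without GnuPG, 3 without a card in the reader.
gpg_agent_as_ssh_agent() {
    command -v gpgconf >/dev/null 2>&1 || return 2
    gpgconf --kill gpg-agent          # re-read gpg-agent.conf on relaunch
    gpgconf --launch gpg-agent
    gpg --card-status >/dev/null 2>&1 || { echo "no OpenPGP card present" >&2; return 3; }
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"; export SSH_AUTH_SOCK
    ssh-add -L                        # the authentication subkey shows up here
}

# Run the hardware steps only when invoked as "sh file.sh run", so the file
# can also be sourced just for its functions.
if [ "${1:-}" = "run" ]; then
    pkcs11_list_pubkeys "$PKCS11_MODULE" || echo "skipping PKCS#11 path" >&2
    gpg_agent_as_ssh_agent || echo "skipping gpg-agent path" >&2
fi
```

Whichever path you use, the line printed by `ssh-keygen -D` or `ssh-add -L` is what goes into the server's authorized_keys; revoking the card then means removing that line (or the certificate, if you front it with a CA), which is the "valid and non-revoked card" check the original question asks about.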