Fellowship Smart Card COMPLETE (GnuPG, SSH, Login) How To - Omnikey CardMan 4040 - Ubuntu Edgy
How to use FSFE Card with OMNIKEY CardMan 4040 reader for GnuPG, ssh and login on Ubuntu Edgy.
I put together information from various how-tos:
- http://www.schiessle.org/howto/poldi.shtml Copyright (C) Bjoern Schiessle
- http://lists.gnupg.org/pipermail/gnupg-users/2006-February/027934.html (to find the device name, /dev/cmx0; dmesg | grep 4040 gives me no info about it)
- https://www.fsfe.org/fellows/greve/freedom_bits/authenticating_ssh_logins_with_the_fellowship_crypto_card Georg Greve <greve@fsfe.org>
- https://www.fsfe.org/en/card/howto/card_reader_howto_udev Alexander Finkenberger <af@fsfe.org>,Karsten Gerloff <gerloff@fsfe.org>,Fernanda Weiden <nanda@fsfe.org>,Georg Greve <greve@fsfe.org>
Thank you!!!
I'm using Ubuntu Edgy, so if you also use Edgy you can "copy and paste" the commands into the terminal. For Debian Etch and other Debian-based distros this how-to should work with some minor differences.
udev rules
create the file 45-gnupg-ccid.rules
$ sudo vim /etc/udev/rules.d/45-gnupg-ccid.rules
with this content:
ACTION!="add", GOTO="gnupg-ccid_rules_end"
# USB SmartCard Readers
## SCM readers (SCR335, SPR532, & Co)
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="04e6", SYSFS{idProduct}=="e001", GROUP="scard", MODE="0660"
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="04e6", SYSFS{idProduct}=="e003", GROUP="scard", MODE="0660"
ACTION=="add", SUBSYSTEM=="usb_device", SYSFS{idVendor}=="04e6", SYSFS{idProduct}=="5115", GROUP="scard", MODE="0660"
# PCMCIA SmartCard Readers
## Omnikey CardMan 4040
SUBSYSTEM=="cardman_4040", GROUP="scard", MODE="0660"
LABEL="gnupg-ccid_rules_end"
(if you have a "better" version of this file contact me)
create a new group
$ sudo addgroup scard
add your user to that group
$ sudo addgroup YourUserName scard
GnuPG subkey how to
https://www.fsfe.org/en/card/howto/subkey_howto
Authenticating SSH logins
To install gnupg2 on Ubuntu Edgy I use a combination of prevu (to install the build-dep packages of gnupg2) and then apt-get source -b gnupg2
Install pcscd, libpam-poldi and CardMan 4040 driver
$ sudo apt-get install pcscd libpam-poldi
Download the last version of the PCSC driver from Omnikey (http://omnikey.aaitg.com/index.php?id=downloads)
At this time the file is: ifdok_cm4040_lnx-2.0.0.tar.gz
$ tar xvfz ifdok_cm4040_lnx-2.0.0.tar.gz
$ cd ifdok_cm4040_lnx-2.0.0
Install the new kernel module and the shared library with:
$ sudo ./install
Remove the old module (the new one should be in /lib/modules/2.6.17-11-generic/kernel/drivers/pcmcia/cm4040_cs.ko):
$ sudo rm /lib/modules/2.6.17-11-generic/kernel/drivers/char/pcmcia/cm4040_cs.ko
create the config file for the reader
$ sudo vim /etc/reader.conf.d/ifdok_cm4040_lnx_2.0.0
with this content:
FRIENDLYNAME	"Omnikey Cardman 4040 Socket 0"
DEVICENAME	/dev/cmx0
LIBPATH	/usr/lib/pcsc/ifdok_cm4040_lnx-2.0.0.so
CHANNELID	0
It's important that you use tabs between the options and the values.
$ sudo update-reader.conf
check that the lines were added to /etc/reader.conf
$ cat /etc/reader.conf
restart pcscd
$ sudo /etc/init.d/pcscd restart
Configure Poldi
At this point poldi should be able to detect your card reader; you can test it with
$ poldi-ctrl -d
Poldi has pretty good documentation, so I will keep my explanations rather short.
- Root has to register the new card for poldi:
$ sudo poldi-ctrl --register-card --account <your-user-account> --serialno <serialno of your card>
You can also execute this command without '--account <your-user-account>', but then the user won't be able to install or update his card's keys.
The serialno can be found by executing
$ gpg --card-status
and looking for "Application ID".
- Now we have to establish a mapping between the user and the smartcard he owns:
$ sudo poldi-ctrl --associate --account <your-user-account> --serialno <serialno of your card>
- Now you have to write your public key into the appropriate key file (you have to do this within your user account):
$ poldi-ctrl --set-key
- That's it, now you can test it with
$ poldi-ctrl --test
Configure Pam
Now you have to tell PAM that you want to use poldi.
Therefore you have to edit the files in /etc/pam.d. If you want to use your smartcard with gdm then...
- make a backup of /etc/pam.d/gdm:
$ sudo mv /etc/pam.d/gdm /etc/pam.d/gdm.default
- create a new /etc/pam.d/gdm which contains only one of these variants:
auth required pam_poldi.so quiet
Or if you want to login unattended, use
auth required pam_poldi.so try-pin=123456 quiet
Or if you want to fall back to regular unix passwords, use
auth sufficient pam_poldi.so try-pin=123456 quiet
auth required pam_unix.so nullok_secure
Now you should be able to use your GnuPG smartcard to log in your GNU/Linux system.
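An added example, not part of this how-to: a few checks on the files the steps above have you write. The reader.conf check enforces the "use tabs" caveat, the PAM checks tell a "sufficient" poldi line without a "required" fallback from a proper stack and flag the try-pin= form (which keeps the card's PIN inside the config file), and the group check matches the udev step. File paths are passed as arguments, and the sample files are constructed here for demonstration.

```shell
#!/bin/sh
# Added example, not from the original how-to: sanity checks for the files this
# page tells you to write.  Paths are arguments so the checks can run on copies;
# the sample files at the bottom are constructed for the demonstration.

# /etc/reader.conf: every entry must be KEY<TAB>value (the page's "use tabs" caveat).
check_reader_conf() {
    awk '/^(FRIENDLYNAME|DEVICENAME|LIBPATH|CHANNELID)/ && $0 !~ /^[A-Z]+\t/ { bad++ }
         END { exit (bad > 0) }' "$1"
}

# /etc/pam.d/gdm: true only if every "auth sufficient" line is followed by an
# "auth required" line, so a failed card login still falls through to a password.
pam_stack_ok() {
    awk '$1 == "auth" && $2 == "sufficient" { pending = 1 }
         $1 == "auth" && $2 == "required"   { pending = 0 }
         END { exit pending }' "$1"
}

# True if the stack carries the PIN itself (try-pin=): the card alone unlocks the account.
pam_pin_on_disk() {
    grep -q 'pam_poldi\.so.*try-pin=' "$1"
}

# True if the given user is in the scard group created in the udev step.
user_in_scard() {
    id -nG "$1" 2>/dev/null | tr ' ' '\n' | grep -qx scard
}

# Constructed samples: the page's own reader.conf and gdm variants plus two broken ones.
TMP=$(mktemp -d)
printf 'FRIENDLYNAME\t"Omnikey Cardman 4040 Socket 0"\nDEVICENAME\t/dev/cmx0\nLIBPATH\t/usr/lib/pcsc/ifdok_cm4040_lnx-2.0.0.so\nCHANNELID\t0\n' > "$TMP/reader.good"
printf 'FRIENDLYNAME "Omnikey Cardman 4040 Socket 0"\nDEVICENAME /dev/cmx0\n' > "$TMP/reader.bad"  # spaces, not tabs
printf 'auth required pam_poldi.so quiet\n' > "$TMP/gdm.cardonly"
printf 'auth sufficient pam_poldi.so try-pin=123456 quiet\nauth required pam_unix.so nullok_secure\n' > "$TMP/gdm.fallback"
printf 'auth sufficient pam_poldi.so quiet\n' > "$TMP/gdm.broken"  # sufficient with no required line after it

for f in reader.good reader.bad; do
    check_reader_conf "$TMP/$f" && echo "$f: tabs OK" || echo "$f: spaces instead of tabs"
done
for f in gdm.cardonly gdm.fallback gdm.broken; do
    pam_stack_ok "$TMP/$f" && s="stack OK" || s="sufficient line with no required fallback"
    pam_pin_on_disk "$TMP/$f" && p="PIN stored in file" || p="no PIN in file"
    echo "$f: $s; $p"
done
```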
Pay attention! If you remove the PCMCIA reader the system freezes. If someone knows why, contact me!
TODO
- Use the card for gnome lock screen
- Use the card for gnome-keyring
- Using seahorse instead of the gnupg-agent breaks the ssh login or not?
- freeze problem on removing the reader
- integrate and update the "Authenticating SSH logins" how to

New Version for Feisty
tyrael
Sunday, 27 May 2007