The Fellowship / Fellows / schiessle / blog / Login with GnuPG smartcard

Login with GnuPG smartcard

Thanks to Stefan Grote, who got in touch with me after he had read my "cry for help" on the GnuPG mailing list, I have managed to get libpam-poldi running with my Omnikey Cardman 4040.
libpam-poldi allows you to use your Fellowship crypto card to log in to your GNU/Linux system.

Here is a small guide on how to set it up:

  1. Make sure that you have installed pcscd.
  2. Download the Cardman 4040 driver from omnikey.com (direct download link).
  3. Extract the file:
    tar xzf ifdok_cm4040_lnx-1.1.0.tar.gz
  4. Copy the ifdok_cm4040_lnx-1.1.0.so file to /usr/lib.
  5. Edit your /etc/reader.conf and insert these lines:
    FRIENDLYNAME    "Omnikey Cardman 4040 Socket 0"
    DEVICENAME <devicename for your cardreader>
    LIBPATH /usr/lib/ifdok_cm4040_lnx-1.1.0.so
    CHANNELID 0
    It's important that you use tabs between the options and the values. You can find the device name with 'dmesg | grep 4040'.
  6. Restart pcscd: /etc/init.d/pcscd restart
  7. Now 'poldi-ctrl -d' should detect your card reader.
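Since pcscd silently ignores a stanza where the option and value are separated by spaces instead of a tab, here is a small check for step 5. It is an added example, not part of the original post or of pcscd/poldi: it validates a reader.conf file for the tab separator, the four options used above, an absolute LIBPATH and a numeric CHANNELID.

```shell
#!/bin/sh
# check_reader_conf FILE
# Validates a pcscd /etc/reader.conf stanza like the one in step 5 above:
#   - every setting line is OPTION<TAB>VALUE (pcscd wants tabs, not spaces)
#   - only FRIENDLYNAME, DEVICENAME, LIBPATH and CHANNELID are used
#   - LIBPATH is an absolute path and CHANNELID a non-negative integer
#   - all four options are present
# Prints every problem found; returns 0 if the file is clean, 1 otherwise.
check_reader_conf() {
    conf="$1"
    tab="$(printf '\t')"
    status=0
    seen=" "
    lineno=0
    while IFS= read -r line || [ -n "$line" ]; do
        lineno=$((lineno + 1))
        case "$line" in
            ''|\#*) continue ;;   # blank lines and comments are fine
        esac
        key="${line%%$tab*}"
        if [ "$key" = "$line" ]; then   # no tab anywhere on this line
            echo "$conf:$lineno: option and value must be separated by a tab: $line"
            status=1
            continue
        fi
        value="${line#*$tab}"
        while [ "${value#$tab}" != "$value" ]; do value="${value#$tab}"; done
        case "$key" in
            FRIENDLYNAME|DEVICENAME|LIBPATH|CHANNELID) seen="$seen$key " ;;
            *) echo "$conf:$lineno: unknown option '$key'"; status=1; continue ;;
        esac
        case "$key:$value" in
            *:) echo "$conf:$lineno: $key has no value"; status=1 ;;
            LIBPATH:/*) ;;
            LIBPATH:*) echo "$conf:$lineno: LIBPATH must be an absolute path"; status=1 ;;
            CHANNELID:*[!0-9]*) echo "$conf:$lineno: CHANNELID must be a number"; status=1 ;;
        esac
    done < "$conf"
    for required in FRIENDLYNAME DEVICENAME LIBPATH CHANNELID; do
        case "$seen" in
            *" $required "*) ;;
            *) echo "$conf: missing option $required"; status=1 ;;
        esac
    done
    return $status
}

# Usage: check_reader_conf /etc/reader.conf && /etc/init.d/pcscd restart
```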

Now you only have to configure poldi. Poldi has pretty good documentation, so I will keep my explanations rather short.

  1. Root has to register the new card with poldi:
    poldi-ctrl --register-card --account <your-user-account> --serialno <serialno of your card>
    You can also execute this command without '--account <your-user-account>', but then the user will not be able to install or update his card's keys.
    The serial number can be found by executing 'gpg --card-status' and looking for "Application ID".
  2. Now we have to establish a mapping between the user and the smartcard he owns:
    poldi-ctrl --associate --account <your-user-account> --serialno <serialno of your card>
  3. Now you have to write your public key into the appropriate key file (you have to do this from within your user account):
     poldi-ctrl --set-key
  4. That's it; now you can test it with 'poldi-ctrl --test'.
  5. Now you have to tell PAM that you want to use poldi.
    To do so, edit the files in /etc/pam.d. If, for example, you want to log in to kdm with your card, edit the file /etc/pam.d/kdm. Replace the line '@include common-auth' with
    auth    required   pam_poldi.so
    If you want to log in unattended (note that the card's PIN is then stored in clear text in the PAM configuration file), use
    auth    required   pam_poldi.so try-pin=123456 quiet
    And if you want to fall back to regular Unix passwords, use
    auth    sufficient pam_poldi.so try-pin=123456 quiet
    auth    required   pam_unix.so nullok_secure

Now you should be able to use your GnuPG smartcard to log in to your GNU/Linux system.

You can find a more detailed howto on my personal homepage, which will still be available long after this blog entry has been forgotten.

Comments

A great tutorial

I have been looking for a way to also do basic login things with the Smartcard before and now I saw your tutorial.
It took me a mere 5 minutes to get everything up and running (the Smartcard itself was configured before).

Just one note: If your cardreader is plugged in and no card is inserted, it seems like gdm (in my case) is waiting for you to insert a card. You can go around waiting for that by simply unplugging the reader.
With no reader plugged in it immediately falls back to simple password authentication (using the third option).


© FSFE