Smartcard Based Authentication

From
Revision as of 15:18, 8 September 2005 by Efuhrman (talk | contribs)
Jump to navigation Jump to search

Einleitung

Was wird gebraucht - Hardware?

Was wird gebraucht - Software?

Installation

SuSE

  1. SuSE 9.3 Standard-Installation mit: KDE, C/C++ Devel, Kernel sources, Erfahrener Benutzer
  2. Onlineupdate
  3. Reboot (wg. Kernelupdate)

apt4suse

cd
wget http://linux01.gwdg.de/~scorot/install-apt4suse.rpm
rpm -Uvh install-apt4suse.rpm
install-apt4suse

stow

Da wir keine aktuellen RPMs von OpenSC und pam_PKCS11 für SuSE gefunden haben und es uns auch nicht gelungen ist welche zu erzeugen, benutzten wir im folgenden Stow:

GNU Stow is a program for managing the installation of software packages, keeping them separate (/usr/local/stow/emacs vs. /usr/local/stow/perl, for example) while making them appear to be installed in the same place (/usr/local).[1]

apt-get install stow
mkdir /usr/local/stow

omnikey

  • Download: http://www.omnikey.com/ - Support - Downloads
  • Installation mit Parameter -nopcsc, da die Prüfung, ob PCSC schon enthalten ist, bei beta6 fehlschlägt
cd
tar xfz cm2020_installer_v2_4_0_src.tar.gz
cd cm2020_installer_v2_4_0_src
install -nopcsc

opensc

cd
wget http://www.opensc.org/files/opensc-0.9.6.tar.gz
tar xfz opensc-0.9.6.tar.gz
cd opensc-0.9.6
./configure --prefix=/usr/local/stow/opensc-0.9.6
make
make install
cp etc/opensc.conf /etc/opensc.conf
cd /usr/local/stow/
stow opensc-0.9.6
mkdir /usr/local/stow/opensc-0.9.6/etc
ln -s --backup /etc/opensc.conf /usr/local/stow/opensc-0.9.6/etc/opensc.conf

Pfad in /etc/opensc.conf wie folgt anpassen:

profile_dir = /usr/local/share/opensc

openssl

mkdir /etc/openssl /etc/openssl/certs /etc/openssl/crl /etc/openssl/private /etc/openssl/pkcs12
chmod 700 /etc/openssl/private/
chmod 700 /etc/openssl/pkcs12/

die Datei /etc/ssl/openssl.cnf anpassen

[ CA_default ]
dir = /etc/openssl
[ req ]
req_extensions = v3_req

[ v3_req ]
basicConstraints = critical,CA:FALSE

pam_PKCS11

apt-get install pam-devel openldap2-devel 
cd
wget http://www.dit.upm.es/~jantonio/pam-pkcs11/downloads/pkcs11_login-0.5.1.tar.gz
tar xfz pkcs11_login-0.5.1.tar.gz
./configure --prefix=/usr/local/stow/pkcs11_login-0.5.1
make
make install
mkdir /etc/pkcs11
cp etc/pam_pkcs11.conf.example /etc/pkcs11/pam_pkcs11.conf
cd /usr/local/stow/
stow pkcs11_login-0.5.1

pam_pkcs11.conf editieren und alle Pfade anpassen: /usr/ -> /usr/local/

use_first_pass = true;
ca_dir = /etc/openssl

Skripte

makeca.sh

#!/bin/sh
rm -rf /etc/openssl
echo "Erzeuge Verzeichnisse..."
mkdir /etc/openssl
cd /etc/openssl
mkdir certs crl private pkcs12 
chmod 700 private/
chmod 700 pkcs12/
echo "Erzeuge CAkey..."
openssl genrsa -aes256 -out private/cakey.pem 2048
echo "Erzeuge CAcert..."
openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem -set_serial 1 \
  -subj '/C=DE/ST=Berlin/L=Berlin/O=Humboldt-Universitaet zu Berlin/OU=Informatik/OU=ca-test/CN=ca'
touch index.txt 
echo 01 > serial
make_hash_link.sh /etc/openssl/

makeclient.sh

#!/bin/sh
if [ "x"$1 == "x" ]; then
 echo "Bitte einen Clientparameter angeben."
else
 cd /etc/openssl
 echo "Erzeuge Client-Key und CSR..."
 openssl req -new -newkey rsa:1024 -out certs/${1}csr.pem -nodes -keyout private/${1}key.pem -days 365 -subj '/C=DE/ST=Berlin/L=Berlin/O=Humboldt-Universitaet zu Berlin/OU=Informatik/OU=ca-test/CN='${1}
 echo "Erzeuge Client-Cert..."
 openssl x509 -req -in certs/${1}csr.pem -out certs/${1}cert.pem -CA cacert.pem -CAkey private/cakey.pem -CAserial /etc/openssl/serial
 rm certs/${1}csr.pem
 echo "PKCS#12-File erzeugen..."
 openssl pkcs12 -export -chain -out pkcs12/${1}.pkcs12 -in certs/${1}cert.pem -inkey private/${1}key.pem -CAfile cacert.pem -passout pass:
fi

writecard.sh

#!/bin/sh
if [ "x"$1 == "x" ] || [ "x"$2 == "x" ]; then
 echo "usage: ./writecard.sh <username> <pin>"
 echo
else
 cd /etc/openssl	
 echo "Karte loeschen und neu anlegen..."
 pkcs15-init -E -C -p pkcs15+onepin --pin ${2} --puk 4321 -T
 echo "Daten auf Karte uebertragen..."
 pkcs15-init -S pkcs12/${1}.pkcs12 -f PKCS12 -a 1 --pin ${2} -T
fi