Smartcard Based Authentication: Difference between revisions

No edit summary
Line 94: Line 94:
use_first_pass = true;
use_first_pass = true;
ca_dir = /etc/openssl
ca_dir = /etc/openssl

=Skripte=
==makeca.sh==
#!/bin/sh
rm -rf /etc/openssl
echo "Erzeuge Verzeichnisse..."
mkdir /etc/openssl
cd /etc/openssl
mkdir certs crl private pkcs12
chmod 700 private/
chmod 700 pkcs12/
echo "Erzeuge CAkey..."
openssl genrsa -aes256 -out private/cakey.pem 2048
echo "Erzeuge CAcert..."
openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem -set_serial 1 \
-subj '/C=DE/ST=Berlin/L=Berlin/O=Humboldt-Universitaet zu Berlin/OU=Informatik/OU=ca-test/CN=ca'
touch index.txt
echo 01 > serial
make_hash_link.sh /etc/openssl/

==makeclient.sh==
#!/bin/sh

if [ "x"$1 == "x" ]; then
echo "Bitte einen Clientparameter angeben."
else
cd /etc/openssl
echo "Erzeuge Client-Key und CSR..."
openssl req -new -newkey rsa:1024 -out certs/${1}csr.pem -nodes -keyout private/${1}key.pem -days 365 \
-subj '/C=DE/ST=Berlin/L=Berlin/O=Humboldt-Universitaet zu Berlin/OU=Informatik/OU=ca-test/CN='${1}
echo "Erzeuge Client-Cert..."
openssl x509 -req -in certs/${1}csr.pem -out certs/${1}cert.pem -CA cacert.pem -CAkey private/cakey.pem -CAserial /etc/openssl/serial
rm certs/${1}csr.pem
echo "PKCS#12-File erzeugen..."
openssl pkcs12 -export -chain -out pkcs12/${1}.pkcs12 -in certs/${1}cert.pem -inkey private/${1}key.pem -CAfile cacert.pem \
-passout pass:
fi

==writecard.sh==
#!/bin/sh

if [ "x"$1 == "x" ] || [ "x"$2 == "x" ]; then
echo "usage: ./writecard.sh <username> <pin>"
echo
else
cd /etc/openssl

echo "Karte loeschen und neu anlegen..."
pkcs15-init -E -C -p pkcs15+onepin --pin ${2} --puk 4321 -T

echo "Daten auf Karte uebertragen..."
pkcs15-init -S pkcs12/${1}.pkcs12 -f PKCS12 -a 1 --pin ${2} -T
fi
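Review bot: writecard.sh hard-codes the PUK as `4321` for every card it initialises (`pkcs15-init -E -C -p pkcs15+onepin --pin ${2} --puk 4321 -T`), so anyone who has read this page can unblock or reset the PIN of any card produced with it; take the PUK as a third parameter or drop `--puk` so pkcs15-init prompts for it, and note that both PIN and PUK are visible in `ps` to every local user while the command runs. In makeclient.sh the `-days 365` is attached to `openssl req` without `-x509`, where it is ignored, so the issued client certificates get the 30-day default of `openssl x509 -req`; move it to the signing step, `openssl x509 -req -days 365 -in certs/${1}csr.pem ...`, and add `-extfile /etc/ssl/openssl.cnf -extensions v3_req` there, since `x509 -req` does not copy the CSR's basicConstraints. The PKCS#12 bundle is also written with an empty password (`-passout pass:`) from an unencrypted key (`-nodes`), protected only by the 0700 directories under /etc/openssl — worth a comment, and the bundle should be deleted once the card has been written.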

Revision as of 15:14, 8 September 2005

Einleitung

Was wird gebraucht - Hardware?

Was wird gebraucht - Software?

Installation

SuSE

  1. SuSE 9.3 Standard-Installation mit: KDE, C/C++ Devel, Kernel sources, Erfahrener Benutzer
  2. Onlineupdate
  3. Reboot (wg. Kernelupdate)

apt4suse

# Fetch the apt4suse bootstrap RPM into $HOME and install it.
cd
# NOTE(review): plain-http download with no checksum or signature verification,
# then installed as root -- verify the RPM signature (rpm -K) or a publisher
# checksum before installing.
wget http://linux01.gwdg.de/~scorot/install-apt4suse.rpm
rpm -Uvh install-apt4suse.rpm
# Presumably the setup tool shipped in that RPM; it configures apt for SuSE.
install-apt4suse

stow

Da wir keine aktuellen RPMs von OpenSC und pam_PKCS11 für SuSE gefunden haben und es uns auch nicht gelungen ist welche zu erzeugen, benutzten wir im folgenden Stow:

GNU Stow is a program for managing the installation of software packages, keeping them separate (/usr/local/stow/emacs vs. /usr/local/stow/perl, for example) while making them appear to be installed in the same place (/usr/local).[1]

# Install GNU Stow and create the directory that holds its per-package trees.
apt-get install stow
mkdir /usr/local/stow

omnikey

  • Download: http://www.omnikey.com/ - Support - Downloads
  • Installation mit Parameter -nopcsc, da die Prüfung, ob PCSC schon enthalten ist, bei beta6 fehlschlägt
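# Unpack the OmniKey cm2020 reader driver sources and run the installer that
# ships inside the archive.
cd
tar xfz cm2020_installer_v2_4_0_src.tar.gz
cd cm2020_installer_v2_4_0_src
# The installer lives in the unpacked directory, which is not in PATH: a bare
# "install" resolves to coreutils /usr/bin/install instead, so call it by path.
# -nopcsc skips the PC/SC presence check, which the text above says fails on
# beta6.  (Assumes the archive's installer is named "install" -- confirm.)
./install -nopcsc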

opensc

# Build OpenSC 0.9.6 from source into its own Stow package.
cd
# NOTE(review): plain-http download, no checksum or signature check -- verify
# the tarball against an upstream-published checksum before building.
wget http://www.opensc.org/files/opensc-0.9.6.tar.gz
tar xfz opensc-0.9.6.tar.gz
cd opensc-0.9.6
./configure --prefix=/usr/local/stow/opensc-0.9.6
make
make install
# The system-wide config is taken from the source tree's etc/opensc.conf.
cp etc/opensc.conf /etc/opensc.conf
# Symlink the package into /usr/local.
cd /usr/local/stow/
stow opensc-0.9.6
# Make /etc/opensc.conf appear inside the Stow package directory as a symlink
# back to the real file; --backup keeps a copy of anything already there.
# NOTE(review): if "make install" already created $prefix/etc this mkdir fails
# -- not verified here.
mkdir /usr/local/stow/opensc-0.9.6/etc
ln -s --backup /etc/opensc.conf /usr/local/stow/opensc-0.9.6/etc/opensc.conf

Pfad in /etc/opensc.conf wie folgt anpassen:

profile_dir = /usr/local/share/opensc

openssl

# CA working tree used by the scripts below (and as ca_dir by pam_pkcs11).
# Private keys and PKCS#12 bundles are restricted to root.
mkdir /etc/openssl /etc/openssl/certs /etc/openssl/crl /etc/openssl/private /etc/openssl/pkcs12
chmod 700 /etc/openssl/private/
chmod 700 /etc/openssl/pkcs12/

die Datei /etc/ssl/openssl.cnf anpassen

[ CA_default ]
dir = /etc/openssl
[ req ]
req_extensions = v3_req

[ v3_req ]
basicConstraints = critical,CA:FALSE

pam_PKCS11

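# Build pam_pkcs11 (pkcs11_login 0.5.1) from source into its own Stow package.
apt-get install pam-devel openldap2-devel
cd
# NOTE(review): plain-http download, no checksum or signature check -- verify
# the tarball against an upstream-published checksum before building.
wget http://www.dit.upm.es/~jantonio/pam-pkcs11/downloads/pkcs11_login-0.5.1.tar.gz
tar xfz pkcs11_login-0.5.1.tar.gz
# The original transcript ran ./configure from $HOME. The source tree has to be
# entered first (as is done for OpenSC above); otherwise configure, make and
# the cp of etc/pam_pkcs11.conf.example below all fail.
cd pkcs11_login-0.5.1
./configure --prefix=/usr/local/stow/pkcs11_login-0.5.1
make
make install
# Install the example config as the live one; the paths in it are adjusted
# afterwards (see the note below the listing).
mkdir /etc/pkcs11
cp etc/pam_pkcs11.conf.example /etc/pkcs11/pam_pkcs11.conf
# Symlink the package into /usr/local.
cd /usr/local/stow/
stow pkcs11_login-0.5.1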

pam_pkcs11.conf editieren und alle Pfade anpassen: /usr/ -> /usr/local/

use_first_pass = true;
ca_dir = /etc/openssl

Skripte

makeca.sh

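#!/bin/sh
# makeca.sh -- bootstrap the test CA under /etc/openssl.
#
# Creates the directory layout expected by makeclient.sh and pam_pkcs11
# (ca_dir = /etc/openssl), an AES-256-encrypted 2048-bit CA key, a
# self-signed 10-year CA certificate, and the index/serial files.
#
# WARNING: this (re)creates the whole CA. An existing /etc/openssl --
# including the CA private key and every client key and PKCS#12 bundle --
# is deleted. The original script did this unconditionally; an existing tree
# is now only removed when --force is given.
#
# Usage: makeca.sh [--force]

# Abort at the first failing step, so that e.g. a mismatched passphrase in
# genrsa does not continue into signing with a missing key.
set -e

if [ -d /etc/openssl ] && [ "$1" != "--force" ]; then
  echo "/etc/openssl existiert bereits; mit --force wird die vorhandene CA geloescht." >&2
  exit 1
fi

rm -rf /etc/openssl
echo "Erzeuge Verzeichnisse..."
mkdir /etc/openssl
cd /etc/openssl
mkdir certs crl private pkcs12
chmod 700 private/
chmod 700 pkcs12/

echo "Erzeuge CAkey..."
# Passphrase-protected CA key (openssl prompts for the passphrase). The umask
# in the subshell makes the key file itself 0600, not just its directory.
(umask 077; openssl genrsa -aes256 -out private/cakey.pem 2048)

echo "Erzeuge CAcert..."
openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem -set_serial 1 \
  -subj '/C=DE/ST=Berlin/L=Berlin/O=Humboldt-Universitaet zu Berlin/OU=Informatik/OU=ca-test/CN=ca'

# Empty index and first serial number for certificates issued by makeclient.sh.
touch index.txt
echo 01 > serial

# Hash symlinks for cacert.pem so pam_pkcs11's ca_dir lookup finds it.
# make_hash_link.sh is not part of this page -- presumably shipped with
# pam_pkcs11; confirm it is in PATH.
make_hash_link.sh /etc/openssl/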

makeclient.sh

#!/bin/sh

if [ "x"$1 == "x" ]; then echo "Bitte einen Clientparameter angeben." else cd /etc/openssl echo "Erzeuge Client-Key und CSR..." openssl req -new -newkey rsa:1024 -out certs/${1}csr.pem -nodes -keyout private/${1}key.pem -days 365 \ -subj '/C=DE/ST=Berlin/L=Berlin/O=Humboldt-Universitaet zu Berlin/OU=Informatik/OU=ca-test/CN='${1} echo "Erzeuge Client-Cert..." openssl x509 -req -in certs/${1}csr.pem -out certs/${1}cert.pem -CA cacert.pem -CAkey private/cakey.pem -CAserial /etc/openssl/serial rm certs/${1}csr.pem echo "PKCS#12-File erzeugen..." openssl pkcs12 -export -chain -out pkcs12/${1}.pkcs12 -in certs/${1}cert.pem -inkey private/${1}key.pem -CAfile cacert.pem \ -passout pass: fi

writecard.sh

#!/bin/sh

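# writecard.sh -- erase the inserted card, create its PIN and load the user's
# PKCS#12 bundle (made by makeclient.sh) onto it.
#
# Usage: writecard.sh <username> <pin> [<puk>]
#        The PUK may alternatively be supplied in the environment variable PUK.
#
# NOTE(review): PIN and PUK are passed on the pkcs15-init command line and are
# therefore visible to every local user via ps while it runs. Beyond a test
# setup, drop --pin/--puk and let pkcs15-init prompt for them.

set -e
user=$1
pin=$2
# The original script hard-coded the PUK as 4321 on every card, so anyone who
# had read it could unblock or reset any user's PIN. It now has to be supplied
# explicitly; when it is not, --puk is omitted and pkcs15-init is expected to
# prompt for it (confirm against the installed OpenSC version).
puk=${3:-$PUK}

if [ -z "$user" ] || [ -z "$pin" ]; then
  echo "usage: ./writecard.sh <username> <pin> [<puk>]"
  echo
  exit 1
fi

cd /etc/openssl

bundle="pkcs12/${user}.pkcs12"
if [ ! -f "$bundle" ]; then
  echo "$bundle nicht gefunden -- zuerst makeclient.sh ${user} ausfuehren." >&2
  exit 1
fi

echo "Karte loeschen und neu anlegen..."
# -E erases the card, -C creates the PKCS#15 structure with the onepin
# profile, -T uses the default transport keys.
if [ -n "$puk" ]; then
  pkcs15-init -E -C -p pkcs15+onepin --pin "$pin" --puk "$puk" -T
else
  pkcs15-init -E -C -p pkcs15+onepin --pin "$pin" -T
fi

echo "Daten auf Karte uebertragen..."
# Import key and certificate chain from the PKCS#12 file under auth-id 1.
# makeclient.sh exports the bundle with an empty password; no passphrase is
# passed here, so pkcs15-init presumably prompts for it as in the original.
pkcs15-init -S "$bundle" -f PKCS12 -a 1 --pin "$pin" -T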