Smartcard Based Authentication: Difference between revisions
Jump to navigation
Jump to search
No edit summary |
(→SuSE) |
||
| Line 27: | Line 27: | ||
==SuSE== |
==SuSE== |
||
#SuSE 9.3 Standard- |
#SuSE 9.3 Standard-System mit KDE, C/C++ Compiler (komplett), kernel-sources, Erfahrener Benutzer (komplett) |
||
#Onlineupdate |
#Onlineupdate |
||
#Reboot (wg. Kernelupdate) |
#Reboot (wg. Kernelupdate) |
||
Revision as of 10:33, 9 September 2005
Lizenz
Copyright (c) Esther Fuhrmann, Carsten Krüger, Henryk Plötz
Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version 1.2 or any later version published by the Free Software Foundation;
with no Invariant Sections, no Front-Cover Texts, and no Back-Cover Texts.
A copy of the license is included in the section entitled "GNU Free Documentation License".
Einleitung
Was wird gebraucht - Hardware?
- Cardreader (z.B. Omnikey Cardman 2020 USB, http://www.omnikey.com/)
- Smartcard (z.B. Schlumberger Cryptoflex 32k e-gate, http://www.axalto.com/)
Was wird gebraucht - Software?
- SuSE 9.3 Professional
http://www.novell.com/products/linuxprofessional/downloads/ftp/germ_mirrors.html - Treiber (Kernelmodul) für den SmartCard Reader
http://www.omnikey.com/ - Support - Downloads - OpenCT 0.6.2-4 (schon enthalten)
- OpenSC 0.9.6 (das bei SuSE 9.3 enthaltene OpenSC 0.9.4-4 ist kaputt)
http://www.opensc.org/download.php - pam_PKCS11
http://www.opensc.org/pam_pkcs11/- pam-devel (schon enthalten)
- openldap2-devel (schon enthalten)
- PCSC-Lite 1.2.9 Beta 6 (schon enthalten)
- openssl 0.9.7e-3 (schon enthalten)
- Apt for SuSE (nicht notwendig, aber sehr praktisch)
http://linux01.gwdg.de/apt4rpm/ - stow (nicht notwendig, aber sehr praktisch)
http://www.gnu.org/software/stow/stow.html
Installation
SuSE
- SuSE 9.3 Standard-System mit KDE, C/C++ Compiler (komplett), kernel-sources, Erfahrener Benutzer (komplett)
- Onlineupdate
- Reboot (wg. Kernelupdate)
apt4suse
cd wget http://linux01.gwdg.de/~scorot/install-apt4suse.rpm rpm -Uvh install-apt4suse.rpm install-apt4suse
stow
Da wir keine aktuellen RPMs von OpenSC und pam_PKCS11 für SuSE gefunden haben und es uns auch nicht gelungen ist welche zu erzeugen, benutzten wir im folgenden Stow:
GNU Stow is a program for managing the installation of software packages, keeping them separate (/usr/local/stow/emacs vs. /usr/local/stow/perl, for example) while making them appear to be installed in the same place (/usr/local).[1]
apt-get install stow mkdir /usr/local/stow
omnikey
- Download: http://www.omnikey.com/ - Support - Downloads
- Installation mit Parameter -nopcsc, da die Prüfung, ob PCSC schon enthalten ist, bei beta6 fehlschlägt
cd tar xfz cm2020_installer_v2_4_0_src.tar.gz cd cm2020_installer_v2_4_0_src install -nopcsc
opensc
cd wget http://www.opensc.org/files/opensc-0.9.6.tar.gz tar xfz opensc-0.9.6.tar.gz cd opensc-0.9.6 ./configure --prefix=/usr/local/stow/opensc-0.9.6 make make install cp etc/opensc.conf /etc/opensc.conf cd /usr/local/stow/ stow opensc-0.9.6 mkdir /usr/local/stow/opensc-0.9.6/etc ln -s --backup /etc/opensc.conf /usr/local/stow/opensc-0.9.6/etc/opensc.conf
Pfad in /etc/opensc.conf wie folgt anpassen:
profile_dir = /usr/local/share/opensc
openssl
mkdir /etc/openssl /etc/openssl/certs /etc/openssl/crl /etc/openssl/private /etc/openssl/pkcs12 chmod 700 /etc/openssl/private/ chmod 700 /etc/openssl/pkcs12/
die Datei /etc/ssl/openssl.cnf anpassen
[ CA_default ] dir = /etc/openssl
[ req ] req_extensions = v3_req [ v3_req ] basicConstraints = critical,CA:FALSE
pam_PKCS11
apt-get install pam-devel openldap2-devel cd wget http://www.dit.upm.es/~jantonio/pam-pkcs11/downloads/pkcs11_login-0.5.1.tar.gz tar xfz pkcs11_login-0.5.1.tar.gz ./configure --prefix=/usr/local/stow/pkcs11_login-0.5.1 make make install mkdir /etc/pkcs11 cp etc/pam_pkcs11.conf.example /etc/pkcs11/pam_pkcs11.conf cd /usr/local/stow/ stow pkcs11_login-0.5.1
pam_pkcs11.conf editieren und alle Pfade anpassen: /usr/ -> /usr/local/
use_first_pass = true; ca_dir = /etc/openssl
Skripte
makeca.sh
#!/bin/sh rm -rf /etc/openssl echo "Erzeuge Verzeichnisse..." mkdir /etc/openssl cd /etc/openssl mkdir certs crl private pkcs12 chmod 700 private/ chmod 700 pkcs12/ echo "Erzeuge CAkey..." openssl genrsa -aes256 -out private/cakey.pem 2048 echo "Erzeuge CAcert..." openssl req -new -x509 -days 3650 -key private/cakey.pem -out cacert.pem -set_serial 1 \ -subj '/C=DE/ST=Berlin/L=Berlin/O=Humboldt-Universitaet zu Berlin/OU=Informatik/OU=ca-test/CN=ca' touch index.txt echo 01 > serial make_hash_link.sh /etc/openssl/
makeclient.sh
#!/bin/sh
if [ "x"$1 == "x" ]; then
echo "Bitte einen Clientparameter angeben."
else
cd /etc/openssl
echo "Erzeuge Client-Key und CSR..."
openssl req -new -newkey rsa:1024 -out certs/${1}csr.pem -nodes -keyout private/${1}key.pem -days 365 -subj '/C=DE/ST=Berlin/L=Berlin/O=Humboldt-Universitaet zu Berlin/OU=Informatik/OU=ca-test/CN='${1}
echo "Erzeuge Client-Cert..."
openssl x509 -req -in certs/${1}csr.pem -out certs/${1}cert.pem -CA cacert.pem -CAkey private/cakey.pem -CAserial /etc/openssl/serial
rm certs/${1}csr.pem
echo "PKCS#12-File erzeugen..."
openssl pkcs12 -export -chain -out pkcs12/${1}.pkcs12 -in certs/${1}cert.pem -inkey private/${1}key.pem -CAfile cacert.pem -passout pass:
fi
writecard.sh
#!/bin/sh
if [ "x"$1 == "x" ] || [ "x"$2 == "x" ]; then
echo "usage: ./writecard.sh <username> <pin>"
echo
else
cd /etc/openssl
echo "Karte loeschen und neu anlegen..."
pkcs15-init -E -C -p pkcs15+onepin --pin ${2} --puk 4321 -T
echo "Daten auf Karte uebertragen..."
pkcs15-init -S pkcs12/${1}.pkcs12 -f PKCS12 -a 1 --pin ${2} -T
fi