Using CERN SmartCards on Linux¶
Using CERN SmartCards on Linux PILOT
In 2012 a SmartCards pilot project has been started, see: CERN SmartCards for information on how to participate in the pilot.
This documentation outlines the setup process allowing using CERN SmartCards for authentication on Scientific Linux CERN 6 systems.
While the initial installation of required software is specific to CERN SLC6 Linux distribution it should be possible to use this setup on any modern Linux system (providing SmartCard libraries are available).
Note: This documentation describes a PILOT setup. Please test before using on production systems.
Quick Setup For detailed instructions, please skip to Installation section.
As root on your system:
- Execute:
# /usr/bin/yum --enablerepo=slc6-cernonly install cern-smartcard firefox-aetssic thunderbird-aetssic gdm-plugin-smartcard # /usr/bin/yum remove esc openct coolkey # /sbin/chkconfig --del pcscd # /sbin/chkconfig --add pcscd # /sbin/service pcscd restart
- Copy:
- krb5.conf to /etc/krb5.conf
- pam_pkcs11.conf to /etc/pam_pkcs11/pam_pkcs11.conf
- EXPERIMENTAL: Only if you want to authenticate to the system using CERN SmartCard
- Copy system-auth-ac to /etc/pam.d/system-auth-ac
- Copy smartcard-auth-ac to /etc/pam.d/smartcard-auth-ac
- Copy password-auth-ac to /etc/pam.d/password-auth-ac
- Copy fingerprint-auth-ac to /etc/pam.d/fingerprint-auth-ac
- Execute as root:
# /usr/bin/gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.mandatory \ -s /desktop/gnome/peripherals/smartcard/removal_action lock_screen \ --type string
- Reboot the system:
# /sbin/shutdown -r now
Detailed installation/configuration instructions follow.
Installation
As root on your SLC6 system run:# yum --enablerepo=slc6-cernonly install cern-smartcardto add basic smartcard / pkinit support to your system, following packages will be installed:
- CERN SmartCard support (cern-smartcard)
- SafeSign SmartCard Middleware (SafesignIdentityClient)
- CERN CA certificates (CERN-CA-certs)
- Kerberos 5 PKINIT module (krb5-pkinit-openssl)
- Generic USB CCID smart card reader driver (ccid)
# yum --enablerepo=slc6-cernonly install firefox-aetssic thunderbird-aetssic gdm-plugin-smartcardto add smartcard support to Firefox,Thunderbird and Gnome Display Manager - following packages will be installed:
- A.E.T. SafeSign Identity Client PKCS11 module installer (aetssic)
- Thunderbird A.E.T. SafeSign Identity Client extension enabler (thunderbird-aetssic)
- Firefox A.E.T. SafeSign Identity Client extension enabler (firefox-aetssic)
- GDM smartcard plugin (gdm-plugin-smartcard)
# yum remove esc openct coolkeyto remove ESC (Enterprise Security Client Smart Card Client), OpenCT (Middleware framework for smart card terminals) and CoolKey ( CoolKey PKCS #11 module) - which interfere with SafeSign middleware used for CERN SmartCards.
Make sure that pcscd (PC/SC Lite smart card daemon) is started:
# /sbin/chkconfig --del pcscd # /sbin/chkconfig --add pcscd # /sbin/service pcscd restart(the /sbin/chkconfig --del pcscd is a workaround: we have observed that on some systems pcscd is started in wrong order)
Configuration
Kerberos - pkinit - configuration
Edit /etc/krb5.conf and insert following lines in [realms]/ CERN realm section:
...
[realms]
CERN.CH = {
...
pkinit_anchors = FILE:/etc/pki/tls/certs/CERN-bundle.pem
pkinit_identities = PKCS11:libaetpkss.so
pkinit_eku_checking = kpServerAuth
pkinit_kdc_hostname = cerndc.cern.ch
pkinit_cert_match =&&<EKU>msScLogin,<KU>digitalSignature
...
}
make sure that following lines (if present) are commented out in the file:
... ;default_tkt_enctypes = arcfour-hmac-md5 aes256-cts aes128-cts des3-cbc-sha1 des-cbc-md5 des-cbc-crc ;allow_weak_crypto = true ... [appdefaults] ;pkinit_pool = DIR:/etc/pki/tls/certs/ ;pkinit_anchors = DIR:/etc/pki/tls/certs/
(Use this krb5.conf file to replace system /etc/krb5.conf).
Pluggable Authentication Modules (PAM) configuration
pam_pkcs11
Edit /etc/pam_pkcs11/pam_pkcs11.conf to contain information about safesign pkcs11 module:
...
pam_pkcs11 {
...
use_pkcs11_module = safesignic;
...
pkcs11_module safesignic {
module = libaetpkss.so;
desription = "SafeSign IC";
slot_num = 0;
nss_dir = /etc/pki/nssdb;
crl_dir = /etc/pki/tls/crls;
crl_policy = ca,crl_auto;
}
...
use_mappers = cn;
...
(Use this pam_pkcs11.conf file to replace system /etc/pam_pkcs11/pam_pkcs11.conf).
system/password/smartcard/fingerprint -auth-ac EXPERIMENTAL
Please edit/change system/password/smartcard/fingerprint -auth-ac files ONLY if you intend to login to your system (via text or graphical console) using SmartCard as primary authentication method, and password as fallback method. For all other SmartCard related usages this change is not needed.
- Copy system-auth-ac to /etc/pam.d/system-auth-ac
- Copy smartcard-auth-ac to /etc/pam.d/smartcard-auth-ac
- Copy password-auth-ac to /etc/pam.d/password-auth-ac
- Copy fingerprint-auth-ac to /etc/pam.d/fingerprint-auth-ac
# /usr/bin/gconftool-2 --direct --config-source=xml:readwrite:/etc/gconf/gconf.xml.mandatory \
-s /desktop/gnome/peripherals/smartcard/removal_action lock_screen \
--type string
To finalize this configuration change please reboot your system.
Note: current system configuration tools as lcm and system-config-authentication (authconfig) will overwrite /etc/pam.d/*-auth-ac files if used - removing all smartcard related information.
Usage
Obtaining kerberos ticket / AFS token
|
In order to obtain Kerberos ticket / AFS token execute: kinit , enter SmartCard PIN when prompted. |
Token Management Utility
|
SafeSign Token Management Utility allows to: Change SmartCard PIN, View stored certificates, reinitialize (erase) SmartCard. From Menu choose: Applications -> System Tools -> SafeSign Identity Client Token Manager (or type tokenmanager on command line). |
Firefox
Certificate(s) stored on CERN SmartCard allow authentication to CERN Single Sign On protected services.
|
Select Sign in using your Certificate, then select the certificate for authentication. Note the line Stored in - it should list your security device name (Firstname/Nickname Lastname) NOT Software Security Device (which is built-in Firefox certificate store). |
|
After clicking OK type in your SmartCard PIN. (Note: the text in window is little bit misleading, it says Please enter the master password for the Firstname/Nickname Lastname but in reality it asks for the SmartCard PIN) |
|
Firefox Device Manager accessible from the menu: Edit -> Preferences -> Advanced -> Security Devices contains information about the SmartCard module. (Note: It is not possible to Change Password (PIN) for the card using Device Manager, please use Token Management Utility described above to do it)
Note: Do NOT choose Enable FIPS option: it will make smart card certificate authentication non-functional. |
Thunderbird
At present (July 2012) CERN e-mail infrastructure does not support SmartCard / Certificate authentication. SmartCard certificates can only be used for message signing/encryption.
|
To configure SmartCard certificates for signing/encryption choose from the menu: Edit -> Account Settings -> Security. Next Select certificate for Digital Signing and for Encryption. Note the line Stored in - it should list your security device name (Firstname/Nickname Lastname) NOT Software Security Device (which is built-in Thunderbird certificate store). |
|
To sign/encrypt a message choose S/MIME from the Composer menu. After selecting Send you will be prompted for the SmartCard PIN. (Note: the text in window is little bit misleading, it says Please enter the master password for the Firstname/Nickname Lastname but in reality it asks for the SmartCard PIN) |
|
To verify signature/decrypt a received message choose the 'Red Spot' Envelope icon. |
|
Thunderbird Device Manager accessible from the menu: Edit -> Preferences -> Security Devices contains information about the SmartCard module. (Note: It is not possible to Change Password (PIN) for the card using Device Manager, please use Token Management Utility described above to do it)
Note: Do NOT choose Enable FIPS option: it will make smart card certificate authentication non-functional. |
Windows Terminal Services
CERN SmartCard can be used to authenticate to CERN Windows Terminal Services (only configured servers).
|
Execute: rdesktop -r scard cerntsnew.cern.ch to use smartcard authentication (Note: cernts.cern.ch does NOT allow smartcard authentication)
Smartcard authentication requires a patched version of rdesktop available in Scientific Linux CERN 6 repositories, to install run as root: # yum install rdesktop |
|
Execute: xfreerdp -u login --no-nla --plugin rdpdr --data scard:scard -- cerntsnew.cern.ch to use smartcard authentication (Note: cernts.cern.ch does NOT allow smartcard authentication)
Smartcard authentication requires a patched version of FreeRDP available in Scientific Linux CERN 6 repositories, to install run as root: # yum install xfreerdp |
Smart card authentication is also accessible to Windows applications running in rdesktop/xfreerdp sessions started as in examples above.
LibreOffice (OpenOffice)
To sign an LibreOffice document, select Digital Signatures from File menu.
|
Select Sign Document and enter your smartcard PIN when prompted. (Note: the text in window is little bit misleading, it says Enter password to open file: Firstname/Nickname Lastname but in reality it asks for the SmartCard PIN) |
|
Next you may be prompted for another password (depending on your Firefox setup: LibreOffice uses Firefox certificate DB): Enter your Firefox Master Password. (Note: the text in window is little bit misleading, it says Enter password to open file: NSS Certificate DB but in reality it asks for Firefox Master Password) |
|
Select one of your certificates and click OK to sign the document. |
Known problems
Pcscd
On some systems pcscd (PC/SC Smart Card Daemon) demon is started in wrong order and dies upon startup (should be started after haldaemon but sometimes is started before). Please check:# service pcscd statusand if the result is:
pcscd dead but subsys locked ...check the following:
# ls -1 /etc/rc3.d/S*{pcscd,haldaemon}
/etc/rc3.d/S26haldaemon
/etc/rc3.d/S27pcscd
If the order is reversed (for example S25pcscd and S26haldaemon) please execute following:
# /sbin/chkconfig --del pcscd # /sbin/chkconfig --add pcscdthen check the order again, and restart pcscd:
# /sbin/service pcscd restart
Kinit
kinit hangs 'forever' when called without username by different user than the certificate on the smartcard is for:# whoami && kinit jarek Jarek Polok PIN: kinit: Client name mismatch while getting initial credentials ^CThe certificate matches username 'jpolok' but current username is 'jarek' (press Ctrl-C to break). As a workaround use:
# whoami && kinit jpolok jarek Jarek Polok PIN: #
Gnome Screensaver (while using SmartCard for logins 1/3)
While unlocking the screen Kerberos ticket and AFS token are not always properly refreshed: on unlock these should be extended by 24 hours but it does not always happen: as a workaround use kinit -R to refresh tickets/token.Gnome Screensaver (while using SmartCard for logins 2/3)
If a SmartCard has been used for graphical system login, only this SmartCard can be used to unlock the user session.In some cases after PIN entry on Gnome Screensaver unlock dialog, this dialog 'hangs' for 3 minutes, then restarts.
As a workaround:
- remove SmartCard from reader, wait 3 minutes until new prompt appears, reinsert the card and try again.
- or:
- remove SmartCard, switch to text console (Ctrl-Alt-F2) , login using password, then execute
killall -9 gnome-screensaver-dialog
, logout, switch back to graphic console (Ctrl-Alt-F1 or Ctrl-Alt-F7) and try again.
Gnome Screensaver (while using SmartCard for logins 3/3)
Gnome Screensaver sometimes fails to observe card insert/removal events (card removal should lock the screen/ card insert should wake up monitor(s) from sleep and show authentication dialog):Use Ctrl-Alt-Del to lock the screen if this happens.
Krb5-Auth-Dialog
krb5-auth-dialog (small keys icon on top bar) can be configured to use SmartCard authentication: unfortunately current release is quite buggy: while clicking Cancel on credentials renewal prompt it sends an empty PIN code to middleware libaries: after few attempts this will result in blocking your smartcard PIN ! DO NOT USE IT until fixed in future release.Pidgin
OpenSSH
SLC6 openssh is compiled without smartcard support, so CERN SmartCard cannot be used:ssh -I /usr/lib/opensc-pkcs11.so jpolok@lxplus.cern.ch no support for smartcards.
pkcs11-tool
pkcs11-tool (partially) fails testing the card/certificates:
# /usr/bin/pkcs11-tool --module libaetpkss.so -t --login
Using slot 0 with a present token (0xcd01)
Logging in to "Jarek Polok".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (jpolok 423567 Jarek Polok's CERN Trusted Certification Authority ID)
ERR: C_SignUpdate failed: CKR_MECHANISM_INVALID (0x70)
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
...
Decryption (RSA)
testing key 0 (jpolok 423567 Jarek Polok's CERN Trusted Certification Authority ID)
RSA-PKCS: OK
RSA-X-509: OK
...
Aborting.
# /usr/bin/pkcs11-tool --module libaetpkss.so -s --login
Using slot 0 with a present token (0xcd01)
Logging in to "Jarek Polok".
Please enter User PIN:
Using signature algorithm RSA-X9-31-KEY-PAIR-GEN
whatever whenever.
error: PKCS11 function C_SignInit failed: rv = CKR_KEY_TYPE_INCONSISTENT (0x63)
Aborting.
Troubleshooting
Before reporting a problem, please verify the following on your system:- That pcscd daemon is running:
# /sbin/service pcscd status pcscd (pid XXXXX) is running...
- SafeSign module installation in NSS database:
# /usr/bin/modutil -list -dbdir /etc/pki/nssdb Listing of PKCS #11 Modules ----------------------------------------------------------- 1. NSS Internal PKCS #11 Module ... 2. SafeSign IC PKCS#11 Module library name: libaetpkss.so slots: 5 slots attached status: loaded slot: SCM SCR 3311 (21121110201685) 00 00 token: Jarek Polok ... - System trusted certificates:
# /usr/bin/certutil -L -d /etc/pki/nssdb Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI CERN Root CA CT,C,C CERN Trusted Certification Authority CT,C,C - SmartCard/reader:
# /usr/bin/tokenman
(or select 'SafeSign Identity Client Token Manager' from menu 'Applications' , submenu 'System Tools') - PKCS#11 module state in firefox/thunderbird (select 'Edit' - 'Preferences' - 'Advanced' - 'Encryption' - 'Security Devices') - you should see 'A.E.T. SafeSign IC PKCS#11 Module' loaded.)
- pam_pkcs11 mapper (if SmartCard used for logins):
# /usr/bin/pkcs11_inspect PIN for token: Printing data for mapper cn: jpolok 423567 Jarek Polok
- Kerberos ticket/AFS token:
# kinit Jarek Polok PIN: # klist Ticket cache: FILE:/tmp/krb5cc_14213 Default principal: jpolok@CERN.CH Valid starting Expires Service principal 07/20/12 10:20:09 07/21/12 11:20:09 krbtgt/CERN.CH@CERN.CH renew until 07/25/12 10:20:09 07/20/12 10:20:13 07/21/12 11:20:09 afs/cern.ch@CERN.CH renew until 07/25/12 10:20:09 # tokens Tokens held by the Cache Manager: User's (AFS ID 14213) tokens for afs@cern.ch [Expires Jul 21 11:20] --End of list-- - token state with pkcs11-tool:
# /usr/bin/pkcs11-tool --module libaetpkss.so -L Available slots: Slot 0 (0xcd01): SCM SCR 3311 (21121110201685) 00 00 token label: Jarek Polok token manuf: A.E.T. Europe B.V. token model: 19C40506010D00C0 token flags: rng, login required, PIN initialized, token initialized serial num : 70794D153B1A207A Slot 1 (0xcd02): UNAVAILABLE 1 (empty)