Re: [FC8] ssh and CAC card???

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



* Todd Denniston (Todd.Denniston@xxxxxxxxxxxxxxxxxx) wrote:
> Jeff Krebs wrote, On 12/04/2007 08:00 PM:
>> * Todd Denniston (Todd.Denniston@xxxxxxxxxxxxxxxxxx) wrote:
>>>  From what I understood, the change to openssh listed in:
>>>  rpm -q --changelog  openssh  |less
>>> as:
>>> "* Wed Jun 20 2007 Tomas Mraz <tmraz@xxxxxxxxxx> - 4.5p1-7
>>> - experimental NSS keys support
>>> - correctly setup context when empty level requested (#234951)
>>> "
>>> was supposed to allow the Common Access Card (CAC) to work with the 
>>> shipped Fedora 8 ssh.
>>>
>>> As per NSS usual, everything is undocumented, i.e., `ssh-add --help` does 
>>> not help at all, and `man ssh-add` points to `ssh-add -s reader`
>>> # ssh-add -s 0
>>> Enter passphrase for smartcard:
>>> SSH_AGENT_FAILURE
>>> Could not add card: 0
>>> # ssh-add -s 1
>>> Enter passphrase for smartcard:
>>> SSH_AGENT_FAILURE
>>> Could not add card: 1
>>>
>>> So does anyone know how to use the possible functionality, or are we 
>>> reduced to reading the source?
>>>
>>
>> There is a link:
>>
>> http://www.nabble.com/ssh-and-CAC-t2483281.html
>
> Look at the next to the last email in that thread... yep that's me.
>
>>
>> with some information.
>>
>> You have the SmartCard setup working under Linux?
>
> Yes, well _had_ in FC[1457].
> https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8
>
> But Red Hat believes that known to be working (and documented) solutions are bad:
> https://bugzilla.redhat.com/show_bug.cgi?id=186469#c11
> so they tried to put their buggered up (my opinion) NSS solution in FC8 ssh 
> instead.
> (I will comment more on this when I get done doing minimal testing on 
> Alon's patches to
> http://www.openvpn.net
> http://gnupg-pkcs11.sourceforge.net/
> As we (DoD) need all of these to work, and apparently Alon has had them 
> working for over a year now, considering the date on the mail you pointed 
> to.
> At least the twists they did to pam_pkcs11 worked, even if they did not 
> update the documentation to explain how to make it work. I was fortunately 
> on another mailing list where someone had posted a quick how to get it to 
> sort of work.)
>
>
> My real problem here is that I am trying to work with what the distribution 
> has (RH's NSS), instead of dropping back and punting Alon and my patches 
> into yet another version of the distro which would mean I have to support 
> it each time a new fedora ssh patch is released.
>
>
>>
>> What reader are you using?  I've tried the ActiveCard v2.0 USB to no 
>> avail.  Actually, this is known not to work, but I had to try anyway :)
>>
>
> SCM SCR331 firmware 5.18
> there is newer firmware that makes the SCR331 perform full length CCID 
> transfers (needed for the PIV applet), and I intend to update the whole 
> batch we have after I test a few.
>
> BTW IIRC the ActiveCard v2.0 USB can be updated with the SCR firmware to 
> effectively make it act as an SCR, or so I have read, YMMV. I highly 
> suggest researching the change before doing it though, and I think at ~$20 
> a new SCRx31 or gemplus reader are easier to deal with. (So I suppose if 
> you consider the ActiveCard reader a door stop anyway, you would not loose 
> anything if you burn it out in the attempt to update the firmware).
>
>> I should have an Athena USB reader coming my way soon.  Hopefully that 
>> will allow use with FireFox.
> Assuming Athena USB reader is CCID Compliant 
> http://pcsclite.alioth.debian.org/ccid.html#CCID_compliant
> then at least the CAC, through pcscd and CoolKey can be made to work with 
> pam_pkcs11 and Mozilla products.
>
> Hope this helps you.
>
> -- 
> Todd Denniston
> Crane Division, Naval Surface Warfare Center (NSWC Crane)
> Harnessing the Power of Technology for the Warfighter
>
> -- 
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Thank you for the helpful response.

I just need to hit DoD sites... As long as I can use the PKI 
certificates, I should be good to go.  The Athena is CCID compliant, so 
there should be no issues.  I also built an RPM of the Athena-provided 
driver, so either way I should be covered.

My ActiveCard Reader "brick" is a really old model, and it's only mine 
to use, not to modify.  You mentioned the SCM readers for ~$20... Where?  
That's a damn good price!

Jeff Krebs


-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
[Index of Archives]     [Older Fedora Users]     [Fedora Announce]     [Fedora Package Announce]     [EPEL Announce]     [Fedora Magazine]     [Fedora News]     [Fedora Summer Coding]     [Fedora Laptop]     [Fedora Cloud]     [Fedora Advisory Board]     [Fedora Education]     [Fedora Security]     [Fedora Scitech]     [Fedora Robotics]     [Fedora Maintainers]     [Fedora Infrastructure]     [Fedora Websites]     [Anaconda Devel]     [Fedora Devel Java]     [Fedora Legacy]     [Fedora Desktop]     [Fedora Fonts]     [ATA RAID]     [Fedora Marketing]     [Fedora Management Tools]     [Fedora Mentors]     [SSH]     [Fedora Package Review]     [Fedora R Devel]     [Fedora PHP Devel]     [Kickstart]     [Fedora Music]     [Fedora Packaging]     [Centos]     [Fedora SELinux]     [Fedora Legal]     [Fedora Kernel]     [Fedora OCaml]     [Coolkey]     [Virtualization Tools]     [ET Management Tools]     [Yum Users]     [Tux]     [Yosemite News]     [Gnome Users]     [KDE Users]     [Fedora Art]     [Fedora Docs]     [Asterisk PBX]     [Fedora Sparc]     [Fedora Universal Network Connector]     [Libvirt Users]     [Fedora ARM]

  Powered by Linux