Smart cards, mostly solved
So, it *seems* to be working, pretty much. I needed to install opensc, openct, pcsc-lite, pcsc-lite-openct, and ctapi-common will be installed as a dependency.

I *removed* coolkey and esc, which depended on it. 100% of the time, they misidentified the new/current US federal ID PIV-II cards as coolkey cards, and popped up this "phone home" window, then a "manage smartcards" window.

Without them, I also don't see an icon in the taskbar... but using ssh-add (actually, my manager built openssh, opensc and openct from current source, 5.4? 5.5?, and renamed stuff to piv-....), so I do piv-ssh-add -s opensc-pkcs11.so, and it adds the card. Before you do that... configure /etc/pam_pkcs11/pam_pkcs11.conf so that

    # Filename of the PKCS #11 module. The default value is "default"
    use_pkcs11_module = opensc;

and you may have to decide on a mapper. Then restart pcscd, and you should be good to go.

At any rate, no wrong/confusing windows, and logins work. I do note that if I try to use my regular password, I need to pull my card out of the reader.

On a related note, from WinDoze, there's a version of putty that works <http://www.risacher.org/putty-cac/putty-cac-experimental/windows/?C=N;O=D>. Once installed, when you bring up the putty window, click on expand ssh, then click on pkcs. The one thing needed is the right dll, which, if you're running a 64 bit system, and using, say, ActivIdentity,

    c:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll

MAKE SURE you get the right .dll; if you're running 32 bit, it will be the other one.

mark
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
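The pam_pkcs11.conf step in the post above, as an added example that is not part of the original message: `use_pkcs11_module` selects a `pkcs11_module NAME { ... }` block by name, so this shell check confirms that the selected name resolves to a block with a library path. The function names, the sample files and the library path in them are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: check that use_pkcs11_module in pam_pkcs11.conf points at a
# defined pkcs11_module block. Helper names and sample files are constructed.

# Print the module name selected by use_pkcs11_module (comments stripped).
selected_module() {
    sed 's/#.*//' "$1" | awk -F'[=;]' '
        /^[ \t]*use_pkcs11_module[ \t]*=/ { gsub(/[ \t]/, "", $2); print $2; exit }'
}

# Print the library path from the "pkcs11_module NAME { ... }" block, if any.
module_path() {
    sed 's/#.*//' "$1" | awk -v name="$2" '
        $1 == "pkcs11_module" && $2 == name { inblk = 1; next }
        inblk && index($0, "}") { exit }
        inblk && /^[ \t]*module[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*;.*/, ""); print; exit }'
}

# 0: selection resolves to a library path; 1: nothing selected; 2: no block.
check_conf() {
    sel=$(selected_module "$1")
    [ -n "$sel" ] || { echo "use_pkcs11_module is not set"; return 1; }
    path=$(module_path "$1" "$sel")
    [ -n "$path" ] || { echo "no pkcs11_module block named '$sel'"; return 2; }
    echo "$sel -> $path"
}

# Constructed samples; the library path is an assumption, adjust per system.
demo_dir=$(mktemp -d) && trap 'rm -rf "$demo_dir"' EXIT
cat > "$demo_dir/good.conf" <<'EOF'
pam_pkcs11 {
  # Filename of the PKCS #11 module. The default value is "default"
  use_pkcs11_module = opensc;
  pkcs11_module opensc {
    module = /usr/lib64/opensc-pkcs11.so;
    slot_num = 0;
  }
}
EOF
cat > "$demo_dir/bad.conf" <<'EOF'
pam_pkcs11 {
  use_pkcs11_module = opensc;
  pkcs11_module coolkey {
    module = libcoolkeypk11.so;
  }
}
EOF
check_conf "$demo_dir/good.conf"
check_conf "$demo_dir/bad.conf" || echo "(exit status $?)"
```

On a real system, run `check_conf /etc/pam_pkcs11/pam_pkcs11.conf` before restarting pcscd and confirm that the printed library path exists.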
Smart cards, mostly solved
> -----Original Message-----
> From: centos-bounces@centos.org
> [mailto:centos-bounces@centos.org] On Behalf Of m.roth@5-cent.us
> Sent: Wednesday, December 15, 2010 13:55
> To: CentOS mailing list
> Subject: [CentOS] Smart cards, mostly solved
>
> So, it *seems* to be working, pretty much. I needed to
> install opensc, openct, pcsc-lite, pcsc-lite-openct, and
> ctapi-common will be installed as a dependency.

Awesome.

>
> I *removed* coolkey and esc, which depended on it. 100% of
> the time, they misidentified the new/current US federal ID
> PIV-II cards as coolkey cards, and popped up this "phone
> home" window, then a "manage smartcards" window.
>
> Without them, I also don't see an icon in the taskbar... but
> using ssh-add (actually, my manager built openssh, opensc and
> openct from current source, 5.4? 5.5?, and renamed stuff to
> piv-....), so I do piv-ssh-add -s opensc-pkcs11.so, and it
> adds the card. Before you do that... configure
> /etc/pam_pkcs11/pam_pkcs11.conf so that
>     # Filename of the PKCS #11 module. The default value is "default"
>     use_pkcs11_module = opensc;
> and you may have to decide on a mapper. Then restart pcscd,
> and you should be good to go.
>
> At any rate, no wrong/confusing windows, and logins work. I
> do note that if I try to use my regular password, I need to
> pull my card out of the reader.
>

I am going to try to duplicate this. With my CAC I got in October (should be a PIV II).

> On a related note, from WinDoze, there's a version of putty
> that works
> <http://www.risacher.org/putty-cac/putty-cac-experimental/windows/?C=N;O=D>.
> Once installed, when you bring up the putty window, click on
> expand ssh, then click on pkcs. The one thing needed is the
> right dll, which, if you're running a 64 bit system, and
> using, say, ActivIdentity,
> c:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll
>
> MAKE SURE you get the right .dll; if you're running 32 bit,
> it will be the other one.
>

Going to try this right now.

> mark

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-                                                               -
- Jason Pyeron                      PD Inc. http://www.pdinc.us -
- Principal Consultant              10 West 24th Street #100    -
- +1 (443) 269-1555 x333            Baltimore, Maryland 21218   -
-                                                               -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.
Smart cards, mostly solved
Jason Pyeron wrote:
>> [mailto:centos-bounces@centos.org] On Behalf Of m.roth@5-cent.us
>>
>> So, it *seems* to be working, pretty much. I needed to
>> install opensc, openct, pcsc-lite, pcsc-lite-openct, and
>> ctapi-common will be installed as a dependency.
>
> Awesome.

Glad to help. Don't see any reason for anyone else to tear out their hair, when there's a solution. Esp. given that this is a) all open source, and b) I work for a federal contractor, this is defined as public domain info.

>
>>
>> I *removed* coolkey and esc, which depended on it. 100% of
>> the time, they misidentified the new/current US federal ID
>> PIV-II cards as coolkey cards, and popped up this "phone
>> home" window, then a "manage smartcards" window.
>>
>> Without them, I also don't see an icon in the taskbar... but
>> using ssh-add (actually, my manager built openssh, opensc and
>> openct from current source, 5.4? 5.5?, and renamed stuff to
>> piv-....), so I do piv-ssh-add -s opensc-pkcs11.so, and it
>> adds the card. Before you do that... configure
>> /etc/pam_pkcs11/pam_pkcs11.conf so that
>>     # Filename of the PKCS #11 module. The default value is "default"
>>     use_pkcs11_module = opensc;
>> and you may have to decide on a mapper. Then restart pcscd,
>> and you should be good to go.
>>
>> At any rate, no wrong/confusing windows, and logins work. I
>> do note that if I try to use my regular password, I need to
>> pull my card out of the reader.
>>
>
> I am going to try to duplicate this. With my CAC I got in October (should
> be a PIV II).

Try this, once you've got the reader plugged in, and pcscd running:

To list all the public certificates on a PIV card do

    pkcs15-tool --list-public-keys

At this point, there are websites out there with more info on cert extraction and installation. Note that your security org should have a CA cert that you'll need to install.

>
>> On a related note, from WinDoze, there's a version of putty
>> that works
>> <http://www.risacher.org/putty-cac/putty-cac-experimental/windows/?C=N;O=D>.
>> Once installed, when you bring up the putty window, click on
>> expand ssh, then click on pkcs. The one thing needed is the
>> right dll, which, if you're running a 64 bit system, and
>> using, say, ActivIdentity,
>> c:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll
>>
>> MAKE SURE you get the right .dll; if you're running 32 bit,
>> it will be the other one.
>>
> Going to try this right now.
>

Good luck.

mark