FAQ Search Today's Posts Mark Forums Read
» Video Reviews

» Linux Archive

Linux-archive is a website aiming to archive linux email lists and to make them easily accessible for linux users/developers.


» Sponsor

» Partners

» Sponsor

Go Back   Linux Archive > Redhat > Fedora User

 
 
LinkBack Thread Tools
 
Old 12-04-2007, 08:52 PM
Todd Denniston
 
Default ssh and CAC card???

From what I understood, the change to openssh listed in:
rpm -q --changelog openssh |less
as:
"* Wed Jun 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-7
- experimental NSS keys support
- correctly setup context when empty level requested (#234951)
"
was supposed to allow the Common Access Card (CAC) to work with the shipped
Fedora 8 ssh.


As per NSS usual, everything is undocumented, i.e., `ssh-add --help` does not
help at all, and `man ssh-add` points to `ssh-add -s reader`

# ssh-add -s 0
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 0
# ssh-add -s 1
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 1

So does anyone know how to use the possible functionality, or are we reduced
to reading the source?


--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 12-05-2007, 12:00 AM
Jeff Krebs
 
Default ssh and CAC card???

* Todd Denniston (Todd.Denniston@ssa.crane.navy.mil) wrote:
> From what I understood, the change to openssh listed in:
> rpm -q --changelog openssh |less
> as:
> "* Wed Jun 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-7
> - experimental NSS keys support
> - correctly setup context when empty level requested (#234951)
> "
> was supposed to allow the Common Access Card (CAC) to work with the shipped
> Fedora 8 ssh.
>
> As per NSS usual, everything is undocumented, i.e., `ssh-add --help` does
> not help at all, and `man ssh-add` points to `ssh-add -s reader`
> # ssh-add -s 0
> Enter passphrase for smartcard:
> SSH_AGENT_FAILURE
> Could not add card: 0
> # ssh-add -s 1
> Enter passphrase for smartcard:
> SSH_AGENT_FAILURE
> Could not add card: 1
>
> So does anyone know how to use the possible functionality, or are we
> reduced to reading the source?
>
> --
> Todd Denniston
> Crane Division, Naval Surface Warfare Center (NSWC Crane)
> Harnessing the Power of Technology for the Warfighter
>
> --
> fedora-list mailing list
> fedora-list@redhat.com
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

There is a link:

http://www.nabble.com/ssh-and-CAC-t2483281.html

with some information.

You have the SmartCard setup working under Linux?

What reader are you using? I've tried the ActiveCard v2.0 USB to no
avail. Actually, this is known not to work, but I had to try anyway

I should have an Athena USB reader coming my way soon. Hopefully that
will allow use with FireFox.


Jeff Krebs

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 12-05-2007, 02:45 PM
Todd Denniston
 
Default ssh and CAC card???

Jeff Krebs wrote, On 12/04/2007 08:00 PM:

* Todd Denniston (Todd.Denniston@ssa.crane.navy.mil) wrote:

From what I understood, the change to openssh listed in:
rpm -q --changelog openssh |less
as:
"* Wed Jun 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-7
- experimental NSS keys support
- correctly setup context when empty level requested (#234951)
"
was supposed to allow the Common Access Card (CAC) to work with the shipped
Fedora 8 ssh.


As per NSS usual, everything is undocumented, i.e., `ssh-add --help` does
not help at all, and `man ssh-add` points to `ssh-add -s reader`

# ssh-add -s 0
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 0
# ssh-add -s 1
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 1

So does anyone know how to use the possible functionality, or are we
reduced to reading the source?




There is a link:

http://www.nabble.com/ssh-and-CAC-t2483281.html


Look at the next to the last email in that thread... yep that's me.



with some information.

You have the SmartCard setup working under Linux?


Yes, well _had_ in FC[1457].
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8

But Red Hat believes that known to be working (and documented) solutions are bad:
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c11
so they tried to put their buggered up (my opinion) NSS solution in FC8 ssh
instead.
(I will comment more on this when I get done doing minimal testing on Alon's
patches to

http://www.openvpn.net
http://gnupg-pkcs11.sourceforge.net/
As we (DoD) need all of these to work, and apparently Alon has had them
working for over a year now, considering the date on the mail you pointed to.
At least the twists they did to pam_pkcs11 worked, even if they did not update
the documentation to explain how to make it work. I was fortunately on another
mailing list where someone had posted a quick how to get it to sort of work.)



My real problem here is that I am trying to work with what the distribution
has (RH's NSS), instead of dropping back and punting Alon and my patches into
yet another version of the distro which would mean I have to support it each
time a new fedora ssh patch is released.





What reader are you using? I've tried the ActiveCard v2.0 USB to no
avail. Actually, this is known not to work, but I had to try anyway




SCM SCR331 firmware 5.18
there is newer firmware that makes the SCR331 perform full length CCID
transfers (needed for the PIV applet), and I intend to update the whole batch
we have after I test a few.


BTW IIRC the ActiveCard v2.0 USB can be updated with the SCR firmware to
effectively make it act as an SCR, or so I have read, YMMV. I highly suggest
researching the change before doing it though, and I think at ~$20 a new
SCRx31 or gemplus reader are easier to deal with. (So I suppose if you
consider the ActiveCard reader a door stop anyway, you would not loose
anything if you burn it out in the attempt to update the firmware).


I should have an Athena USB reader coming my way soon. Hopefully that
will allow use with FireFox.
Assuming Athena USB reader is CCID Compliant
http://pcsclite.alioth.debian.org/ccid.html#CCID_compliant
then at least the CAC, through pcscd and CoolKey can be made to work with
pam_pkcs11 and Mozilla products.


Hope this helps you.

--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 12-05-2007, 04:58 PM
Todd Denniston
 
Default ssh and CAC card???

Jeff Krebs wrote, On 12/05/2007 11:35 AM:


My ActiveCard Reader "brick" is a really old model, and it's only mine
to use, not to modify. You mentioned the SCM readers for ~$20... Where?
That's a damn good price!


Jeff Krebs



http://www.google.com/search?hl=en&q=scr.331&btnG=Google+Search
and in the adds Google provides
http://www.scbsolutions.com/express/product_info.php?cPath=25&products_id=49
$23.75
http://www.envoydata.com/security_products/scm/scr331.htm?gclid=CJqNzfnZkZACFSaDIgodG3Ey6Q
$35.00

then in the links...
http://www.nextag.com/scr331-smart-card-reader/search-html
$20-$62
and the list goes on.


and where I normally shop for these kinds of things (looks cdw they don't
stock scm products)

http://www.cdw.com/shop/search/results.aspx?key=gemplus&platform=All&sr=1&Find+it .x=0&Find+it.y=0
$25-$50


I figured they would be down more than this, IIRC we got some last year for
$25 each.


--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 
Old 12-05-2007, 06:57 PM
Todd Denniston
 
Default ssh and CAC card???

Todd Denniston wrote, On 12/04/2007 04:52 PM:

From what I understood, the change to openssh listed in:
rpm -q --changelog openssh |less
as:
"* Wed Jun 20 2007 Tomas Mraz <tmraz@redhat.com> - 4.5p1-7
- experimental NSS keys support
- correctly setup context when empty level requested (#234951)
"
was supposed to allow the Common Access Card (CAC) to work with the
shipped Fedora 8 ssh.


As per NSS usual, everything is undocumented, i.e., `ssh-add --help`
does not help at all, and `man ssh-add` points to `ssh-add -s reader`

# ssh-add -s 0
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 0
# ssh-add -s 1
Enter passphrase for smartcard:
SSH_AGENT_FAILURE
Could not add card: 1

So does anyone know how to use the possible functionality, or are we
reduced to reading the source?




After a bit of RTFS, I found README.nss which is installed to
/usr/share/doc/openssh-4.7p1/ in FC8.


Trying to use the info in that document gets me:
# ssh -o 'UseNSS yes' otherhost
Failed to initialize NSS library
Permission denied (publickey,keyboard-interactive).
# ssh-add -n
Failed to initialize NSS library
# ssh-keygen -n
Failed to initialize NSS library
cannot find public key in NSS

no idea what
'NSS Token My PKCS11 Token'
'My PKCS11 Token'
or 'My Key ID' are supposed to be set to (how do I match that up with "use the
cac card" or "my common name is"?).



drop back and punt[1] has been called.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8
--
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter

--
fedora-list mailing list
fedora-list@redhat.com
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
 

Thread Tools




All times are GMT. The time now is 02:21 AM.

VBulletin, Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.
Content Relevant URLs by vBSEO ©2007, Crawlability, Inc.
Copyright 2007 - 2008, www.linux-archive.org