Etoken Pro 72K + Linux + openSSH


Etoken Pro 72K + Linux + openSSH

Mike Davidson-2
Hello, I am looking for some advice.

I am considering using an Aladdin eToken Pro 72K USB or an eToken Pro 72K smart card + reader on Linux with openssh.
Has anyone had good success with this setup?
If successful, were you able to load pregenerated 1024- or 2048-bit keys onto the card and use them?
I would prefer to use just opensc with no custom middleware/etc involved.

Thanks

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: Etoken Pro 72K + Linux + openSSH

Mr Dash Four

> I am considering using an Aladdin eToken Pro 72K USB or an eToken Pro
> 72K smart card + reader on Linux with openssh.
> Has anyone had good success with this setup?
If it is of any help, I use Aladdin Pro 64k and am able to perform *any*
operation with it, though the store format is PKCS15 and not the PKCS11
offered 'as standard' by Aladdin. I do *not* use their proprietary
software, because ... well, because it absolutely sucks!

If you look for a thread on this very mailing list called Aladdin eToken
PRO 64k (thread I started back in October, I think) you will find how to
integrate it into your system. I am using Aladdin PRO 64k smartcard to
1) login to all of my machines (via console, gdm and remotely with SSH
session); 2) to decrypt/open LUKS-encrypted disk partitions (including
root) via a custom module I have designed myself (though this is still
in deep alpha and I am still developing/improving things); 3)
sign/encrypt/decrypt emails with Mozilla Thunderbird; 4) Login to
(internal) web sites using the built-in Mozilla PKCS authentication
module and 5) sign off software code for releases, which is currently
developed here internally;

All this without any of the proprietary (and rather crappy) software
'offered' by Aladdin - everything is based on OpenCT/OpenSC and
PCSC-Lite. My advice to you, based on past experiences, is to steer
clear from Aladdin - using OpenCT/OpenSC would be enough for most cases,
PCSC-Lite only comes to play when you want the GUI (gdm) login and
Mozilla Authentication modules (for Firefox and Thunderbird).

> If successful, were you able to load pregenerated 1024- or 2048-bit keys
> onto the card and use them?
I am able to load 2048-bit (private) keys onto the card (keys generated
with openssh), chained together with the corresponding (public key)
certificate, signed-off by (internally built) CA in one go via .p12
file. I can also import/export/use private (as well as public - i.e. no
login required) 'data' keys, which are used with my LUKS-encrypted disk
partitions.

> I would prefer to use just opensc with no custom middleware/etc involved.
That is possible with Aladdin PRO 64k, so I do not see a reason why it
won't be for the 72k version of the card.


Re: Etoken Pro 72K + Linux + openSSH

Andre Zepezauer
On Tue, 2010-12-21 at 16:14 +0000, Mr Dash Four wrote:

> > I am considering using an Aladdin eToken Pro 72K USB or an eToken Pro
> > 72K smart card + reader on Linux with openssh.
> > Has anyone had good success with this setup?
> If it is of any help, I use Aladdin Pro 64k and am able to perform *any*
> operation with it, though the store format is PKCS15 and not the PKCS11
> offered 'as standard' by Aladdin. I do *not* use their proprietary
> software, because ... well, because it absolutely sucks!
>
> If you look for a thread on this very mailing list called Aladdin eToken
> PRO 64k (thread I started back in October, I think) you will find how to
> integrate it into your system. I am using Aladdin PRO 64k smartcard to
> 1) login to all of my machines (via console, gdm and remotely with SSH
> session); 2) to decrypt/open LUKS-encrypted disk partitions (including
> root) via a custom module I have designed myself (though this is still
> in deep alpha and I am still developing/improving things); 3)
> sign/encrypt/decrypt emails with Mozilla Thunderbird; 4) Login to
> (internal) web sites using the built-in Mozilla PKCS authentication
> module and 5) sign off software code for releases, which is currently
> developed here internally;
>
> All this without any of the proprietary (and rather crappy) software
> 'offered' by Aladdin - everything is based on OpenCT/OpenSC and
> PCSC-Lite. My advice to you, based on past experiences, is to steer
> clear from Aladdin - using OpenCT/OpenSC would be enough for most cases,
> PCSC-Lite only comes to play when you want the GUI (gdm) login and
> Mozilla Authentication modules (for Firefox and Thunderbird).
>
> > If successful, were you able to load pregenerated 1024- or 2048-bit keys
> > onto the card and use them?
> I am able to load 2048-bit (private) keys onto the card (keys generated
> with openssh), chained together with the corresponding (public key)
> certificate, signed-off by (internally built) CA in one go via .p12
> file. I can also import/export/use private (as well as public - i.e. no
> login required) 'data' keys, which are used with my LUKS-encrypted disk
> partitions.
>
> > I would prefer to use just opensc with no custom middleware/etc involved.
> That is possible with Aladdin PRO 64k, so I do not see a reason why it
> won't be for the 72k version of the card.

Support of both of these devices is definitely different, because 64k is
essentially CardOS whereas 72k contains a very strange Java-Applet.

@MDF:
Please could you post the output of "cardos-tool -i". It is of personal
interest only. Maybe try it with different tokens, because Aladdin
provides different versions of CardOS. Thanks.


Re: Etoken Pro 72K + Linux + openSSH

Mr Dash Four

>> That is possible with Aladdin PRO 64k, so I do not see a reason why it
>> won't be for the 72k version of the card.
>>    
>
> Support of both of these devices is definitely different, because 64k is
> essentially CardOS whereas 72k contains a very strange Java-Applet.
>  
Ah, well, I tried. As for the 'strange' applet - why am I not surprised
- it is Aladdin after all...


Re: Etoken Pro 72K + Linux + openSSH

laurent (Bugzilla)-2
In reply to this post by Mike Davidson-2
Hello,

It's working for me with eToken 72k and X.509 auth for OpenSSH
(OpenSSH 5.3).
I use these patches:
 - PKCS#11 Support
(http://sites.google.com/site/alonbarlev/openssh-pkcs11)
 - X.509 Cert      (http://roumenpetrov.info/openssh/)
 - LDAP Public Key (http://code.google.com/p/openssh-lpk/)
 - pkcs11_ssh_config (to configure the PKCS#11 provider in the config file)

If you want to test it, I created a package for Ubuntu:
# sudo add-apt-repository ppa:laurent-ksperis/openssh-pki
# sudo apt-get update
# sudo apt-get install openssh-pki-client openssh-pki-server

For use:
Do not forget to add the certificate authority and a valid CRL on server
and client.
Add to the authorized_keys for the user: "x509v3-sign-rsa subject= <DN>"
# ssh -# /usr/lib/libeTPkcs11.so user@server
or "pkcs11 /usr/lib/libeTPkcs11.so" in ssh_config.


Laurent


On Tuesday, 21 December 2010 at 13:08 +0000, Mike Davidson wrote:

> Hello, I am looking for some advice.
>
> I am considering using an Aladdin eToken Pro 72K USB or an eToken Pro
> 72K smart card + reader on Linux with openssh.
> Has anyone had good success with this setup?
> If successful, were you able to load pregenerated 1024- or 2048-bit keys
> onto the card and use them?
> I would prefer to use just opensc with no custom middleware/etc
> involved.
>
> Thanks
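Laurent's steps collected into configuration, as an added example that is not from his post, the PPA package or the patches he names: the authorized_keys entry and the `pkcs11` client directive are exactly as he gives them; the `CACertificateFile` / `CARevocationFile` option names are an assumption about the X.509 patch's sshd_config/ssh_config syntax (check the patch's documentation for your version), and every path and the DN are placeholders.

```text
# --- server: /etc/ssh/sshd_config (X.509 patch options; names assumed) ---
# The CA that issued the user certificates on the tokens.
CACertificateFile /etc/ssh/ca/ca-cert.pem        # placeholder path
# A current CRL from that CA; an expired or missing CRL is what
# Laurent's "valid crl" warning is about, so refresh it before NextUpdate.
CARevocationFile  /etc/ssh/ca/ca.crl             # placeholder path

# --- server: ~user/.ssh/authorized_keys (format as given in the post) ---
# Accept any certificate from the trusted CA whose subject DN matches.
x509v3-sign-rsa subject= /C=XX/O=Example/CN=user   # placeholder DN

# --- client: ~/.ssh/config (pkcs11_ssh_config patch directive from the post) ---
# Replaces "ssh -# /usr/lib/libeTPkcs11.so user@server" on every call.
pkcs11 /usr/lib/libeTPkcs11.so
# Same CA and CRL on the client side, as the post requires (names assumed).
CACertificateFile /etc/ssh/ca/ca-cert.pem        # placeholder path
CARevocationFile  /etc/ssh/ca/ca.crl             # placeholder path
```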

