Smartcard-Netlogin HOWTO

Mario Strasser
mast@gmx.net

Martin Sägesser
m.sagi@bluemail.ch

Revision History
Revision 0.1, 2001-10-08, revised by: strasmar, saegemar
Document created (2001-10-08)

This document describes how to use an RSA smartcard instead of a password to log into your Linux network. Apart from the necessary changes to your PAM and NSS configuration, the installation and configuration of a smartcard reader and the M.U.S.C.L.E. PC/SC middleware are also explained. The PAM module and the administration tools were designed for the Schlumberger Cyberflex smartcard but should also work with other ISO-7816 compatible smartcards.


Table of Contents
Introduction
Overview
Required Software
Installation of the Smartcard Reader
Installation of the Smartcard Netlogin Package
User Migration
Changing the Login Behavior
Patching OpenSSH 2.9.9p2
Auxiliary Configurations
Example configurations

Introduction

This HOWTO is part of the smartcard-netlogin package which was developed in the context of a diploma work at the University of Applied Sciences Winterthur in Switzerland.

As secure as the shadow password system is technically, it often fails because of the laziness of users who aren't willing to use secure and complex passwords. The main goal of this project was therefore to enhance Linux login security by using RSA smartcards for login.

A Certification Authority (CA) is responsible for creating user accounts, including the user's certificate and key pair, and for storing them on a smartcard. During the login procedure it is first checked whether the certificate is valid, and then whether the private key stored on the card corresponds to the certificate's public key; the latter is verified using a challenge-response authentication. Since the Certificate Revocation List (CRL) is stored on an LDAP server, the smartcard-netlogin package is suitable for network-wide logins.
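The login check described above, as an added example that is not part of the smartcard-netlogin package: the verifier first consults the CRL for the certificate's serial number, then sends the card a fresh random challenge and checks the card's RSA signature against the public key in the certificate. The `Certificate` class, the CRL as a plain set of serial numbers, the key sizes, the function names and the use of textbook RSA over a SHA-256 digest are all assumptions made for this illustration, not the package's real X.509, LDAP or card-side code.

```python
# Added example (not from the smartcard-netlogin package): a toy model of the
# challenge-response login check. RSA is textbook RSA over small, freshly
# generated primes; the "certificate" and "CRL" are plain Python objects
# standing in for the X.509 certificate on the card and the LDAP-hosted CRL.
import hashlib
import math
import secrets
from dataclasses import dataclass
from typing import Callable, Set


def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test, good enough for a demonstration key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits: int) -> int:
    """Random odd prime with the top bit set, so p*q has exactly 2*bits bits."""
    while True:
        candidate = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(candidate):
            return candidate


def gen_keypair(bits: int = 256):
    """Return (n, e, d). Demo-sized; a real card would hold a 1024+ bit key."""
    e = 65537
    while True:
        p, q = gen_prime(bits), gen_prime(bits)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return p * q, e, pow(e, -1, phi)


@dataclass(frozen=True)
class Certificate:
    """Stand-in (assumption) for the X.509 certificate the CA writes to the card."""
    serial: int
    subject: str
    n: int
    e: int


def hash_challenge(challenge: bytes) -> int:
    # Domain-separated digest; below 2^256, hence always below the 512-bit modulus.
    digest = hashlib.sha256(b"netlogin-challenge:" + challenge).digest()
    return int.from_bytes(digest, "big")


def make_challenge() -> bytes:
    """Fresh random nonce; one per login attempt, so a captured response cannot be replayed."""
    return secrets.token_bytes(32)


def card_sign(d: int, n: int, challenge: bytes) -> int:
    """Card side: sign the challenge with the private exponent, which never leaves the card."""
    return pow(hash_challenge(challenge), d, n)


def verify_response(cert: Certificate, challenge: bytes, response: int) -> bool:
    """Host side (the PAM module's role): check the response with the certificate's public key."""
    return pow(response, cert.e, cert.n) == hash_challenge(challenge)


def authenticate(cert: Certificate, crl: Set[int], sign: Callable[[bytes], int]) -> bool:
    """Full login check: certificate not revoked, then proof of private-key possession."""
    if cert.serial in crl:  # CRL lookup; in the package this list lives on the LDAP server
        return False
    challenge = make_challenge()
    return verify_response(cert, challenge, sign(challenge))


if __name__ == "__main__":
    n, e, d = gen_keypair()
    alice = Certificate(serial=1, subject="alice", n=n, e=e)
    print("valid card:  ", authenticate(alice, set(), lambda c: card_sign(d, n, c)))
    print("revoked card:", authenticate(alice, {1}, lambda c: card_sign(d, n, c)))
```

The order of the two checks matters: the CRL is consulted before any challenge is issued, so a revoked card is rejected even though its private key still matches the certificate, and a card carrying a different key pair fails the signature check even with a valid certificate.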

The PAM module, administration tools and installation scripts were designed for the Schlumberger Cyberflex smartcards but should also work with other ISO-7816 compatible smartcards. They make it easy to maintain our network login system and reduce the additional administration overhead to a minimum.

Copyright Information

This document is copyrighted (c) 2001 by Mario Strasser and Martin Sägesser and is distributed under the terms of the Linux Documentation Project (LDP) license, stated below.

Unless otherwise stated, Linux HOWTO documents are copyrighted by their respective authors. Linux HOWTO documents may be reproduced and distributed in whole or in part, in any medium physical or electronic, as long as this copyright notice is retained on all copies. Commercial redistribution is allowed and encouraged; however, the author would like to be notified of any such distributions.

All translations, derivative works, or aggregate works incorporating any Linux HOWTO documents must be covered under this copyright notice. That is, you may not produce a derivative work from a HOWTO and impose additional restrictions on its distribution. Exceptions to these rules may be granted under certain conditions; please contact the Linux HOWTO coordinator at the address given below.

In short, we wish to promote dissemination of this information through as many channels as possible. However, we do wish to retain copyright on the HOWTO documents, and would like to be notified of any plans to redistribute the HOWTOs.

If you have any questions, please contact

Disclaimer

No liability for the contents of this document can be accepted. Use the concepts, examples and other content at your own risk. As this is a new edition of this document, there may be errors and inaccuracies that could be damaging to your system. Proceed with caution; although damage is highly unlikely, the author(s) do not take any responsibility for it.

All copyrights are held by their respective owners, unless specifically noted otherwise. Use of a term in this document should not be regarded as affecting the validity of any trademark or service mark.

Naming of particular products or brands should not be seen as endorsements.

You are strongly advised to back up your system before any major installation and to take backups at regular intervals.

New Versions

This is the initial release.

Credits

Thanks to the following people and institutions for their support and collaboration:

  • Dr. Andreas Steffen

  • The University of Applied Sciences Winterthur, Switzerland

Feedback

Feedback is most certainly welcome for this document. Without your submissions and input, this document wouldn't exist. Please send your additions, comments and criticisms to one of the following email addresses : , .