PAM-pkcs11

System Log-On using a SmartCard

If you use PAM, you have the ability to change how a Linux system authenticates each user. We can use a SmartCard as a login token by using pam_pkcs11. Depending on your environment, it may work wonderfully, or alternatively it can be viewed as a bit of a hack...

You need:

  • a SmartCard, initialised with an X.509 certificate on it.
  • a working installation of OpenSC.

Setting up pam_pkcs11 SmartCard Authentication

  • Ensure you have a SmartCard suitable for this task:
    > pkcs11-tool -O
    [...snip...]
    Certificate Object, type = X.509 cert
      label: User certificate
      ID: 01
    [...snip...]
    because if you don't get something like this, there's not much point in continuing...!
  • Read the pam-pkcs11 user manual.
  • Download, compile & install. (The following instructions assume default file locations and v.0.6.0 or higher.)
  • Configure, as indicated below... (This creates a very simple token-based login.)
    > ls -la /etc/pam_pkcs11
    drwxr-xr-x 2 root root 141 2008-12-31 05:51 .
    drwxr-xr-x 2 root root 141 2008-12-31 05:51 ..
    -rw-r--r-- 2 root root 141 2008-12-31 05:51 map_cn
    -rw-r--r-- 2 root root 141 2008-12-31 05:51 pam_pkcs11.conf
    -rw-r--r-- 2 root root 141 2008-12-31 05:51 pkcs11_eventmgr.conf
  • Edit the map_* files as appropriate. These are the files that turn a token (the certificate on it) into a recognised system username.
  • Test:
    > pklogin_finder debug
    > pkcs11_inspect debug
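The mapping step above is where a card becomes a username, so it is worth checking offline which login a given card resolves to before PAM is touched. The script below is an added example, not code from the pam_pkcs11 project: it reads the certificate with object ID 01 (from the pkcs11-tool listing above) off the card, extracts its subject CN, and resolves it through a map_cn file. It assumes the mapfile format is one `certificate CN -> login` per line with `#` comments, and that pkcs11-tool and openssl are on the path. The lookup is deliberately a whole-value match (a substring match would let "Alice" resolve to "Alice Example"'s account) and refuses a file that maps one CN to two different logins.

```shell
#!/bin/sh
# Added example (not part of pam_pkcs11): resolve a card's certificate CN
# through a map_cn file outside PAM, so the mapping can be checked in advance.
# Assumed mapfile format: "cert CN -> login" per line, '#' starts a comment.
set -eu

# Read the certificate object with the given id off the card (DER) and print
# its subject commonName. Needs a reader with the card inserted.
card_cn() {                                  # usage: card_cn OBJECT_ID
    tmp=$(mktemp)
    pkcs11-tool --read-object --type cert --id "$1" --output-file "$tmp" >/dev/null
    openssl x509 -inform DER -in "$tmp" -noout -subject -nameopt sep_multiline,lname \
        | sed -n 's/^ *commonName=//p'
    rm -f "$tmp"
}

# Resolve CN through MAPFILE. Exit 1 if unmapped, 2 if the file is ambiguous
# (same CN -> two different logins); never picks "the first hit" silently.
map_login() {                                # usage: map_login MAPFILE CN
    awk -v cn="$2" '
        { sub(/#.*/, "") }                   # strip comments
        /->/ {
            split($0, part, "->")
            gsub(/^[ \t]+|[ \t]+$/, "", part[1])   # trim the CN side
            gsub(/^[ \t]+|[ \t]+$/, "", part[2])   # trim the login side
            if (part[1] == cn) { logins[part[2]] = 1; n++ }   # exact match only
        }
        END {
            if (n == 0) { print "no mapping for: " cn > "/dev/stderr"; exit 1 }
            k = 0; for (l in logins) { k++; login = l }
            if (k > 1) { print "ambiguous mapping for: " cn > "/dev/stderr"; exit 2 }
            print login
        }' "$1"
}

# Stand-alone use: ./map_check.sh /etc/pam_pkcs11/map_cn 01
if [ $# -eq 2 ]; then
    map_login "$1" "$(card_cn "$2")"
fi
```

Run it with the map file and the certificate object ID as arguments; the printed login is what pam_pkcs11's cn mapper should hand to PAM. A non-zero exit means the card would not log anyone in (or, for exit 2, that the map file needs cleaning up before it is trusted).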

Once you have this stage sorted, then you can continue and get system-authentication configured.

Event Handler

Before configuring PAM, I am going to set up the Event Handler included with pam_pkcs11. Part of me can't help thinking that this would probably be better configured via HAL and/or DBUS, but as I am not particularly knowledgeable, I'll make do with the tools to hand.

  > pkcs11_eventmgr debug nodaemon

should recognise card insert & disconnect events. If you remembered to amend the commands in pkcs11_eventmgr.conf, you might even get a sound with each event. We now have a couple of methods to influence a running system.

Configuring PAM

The magic line to include in each /etc/pam.d/* file whose login behaviour you wish to influence is:

  auth       sufficient   pam_pkcs11.so

generally pretty much at the top.

Console Login

  • /etc/pam.d/login : Makes the standard console login prompt ask for a smartcard. With the exception of the comments noted below, works well for a single-user base.

Login under X11

  • XScreenSaver v.5.07 : Ugh! Either I have set it up incorrectly, or it is an abomination! Don't even bother!
    Mouse clicks & keyboard events:
      normal    = click (to confirm username) followed by password, then enter or click.
      smartcard = click (confirm user), click (card inserted, confirm user), click (welcome to card, confirm user), enter PIN, enter or click.
    Cannot use pkcs11_eventmgr, other than to kill it (which is probably the kindest option).
  • XDM : in progress
  • GDM : in progress
  • KDM : in progress
  • Other : Unknown - drop me a line, and I'll try it...

Usage

pam_pkcs11 performs Login Autodetect. In other words, when the get_user() function returns either NULL or an empty string, pam_pkcs11 will, rather than matching a SmartCard certificate against a named user, instead find the username whose mapping matches the certificate credentials. Unfortunately, while this is rather slick (as it potentially obviates the need to supply redundant user input), it is also where things begin to look a little hacked, since there are few smartcard-aware login utilities. Therefore, we either:

  • continue as normal, and enter our username before supplying the Smartcard details; or
  • enter the username " " (a single space) if logging on from a console; or
  • Do not enter any username and click Enter if using GDM; or (preferably)
  • Patch the login utilities to become Smartcard-aware!

All this is a great pity, and appears at first glance to defeat some of the claimed advantages of PAM.

"That was in the beginning. Since then, a number of new ways of authenticating users have become popular. Including more complicated replacements for the /etc/passwd file, and hardware devices Smart cards etc..

The problem is that each time a new authentication scheme is developed, it requires all the necessary programs (login, ftpd etc...) to be rewritten to support it." (pam-FAQ)

Only now, we appear to have a situation where each time a new authentication scheme is developed, we need to patch all the other applications that handle the login process!

Increasing Security

The above set-up, although functional, is not particularly wonderful for a multi-user environment. For a single user signing on with one token only, it's not so bad - what we have done is to replace the Username/Password combo with a SmartCard/PIN mechanism, where it is pretty hard to duplicate the SmartCard. However, for multi-user environments, there are a few more things we can do ... (I will illustrate using the NHS SmartCard as an example - so don't follow the steps below unless this is what you have! Adapt accordingly.)

Checking the validity of the Certificate

The above configuration really does little checking at all - it simply checks that there is an X.509 certificate on the card, and uses this to map to a username. In order of increasing paranoia, we can do some additional checking:

  • signature
    Check that the card really holds the private key matching the certificate's public key (a challenge is signed on the card and verified against the certificate), so a copied certificate alone is not enough.
  • ca
    Check that the certificate chains to a trusted issuer (CA) certificate installed on the system.
  • crl_offline, crl_online, crl_auto
    Check that the certificate has not been revoked, using a locally stored CRL, a downloaded one, or whichever is available. Note: if pam_pkcs11 cannot obtain the CRL, it will automatically fail authentication.

To perform certificate checking, you will need to copy the issuer certificates into the cacerts folder (as root) and create the hash links that the lookup relies on:

> cd /etc/X509/cacerts/
> cp ~/NHS-Root-CA.der .
> cp ~/NHS-Level-1A.der .
> chmod a+r *
> make_hash_link.sh
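Because a missing CRL or a mis-installed issuer certificate turns into a flat login failure once `ca` or `crl_*` checking is switched on, it pays to exercise the trust store with openssl first. The script below is an added example, not pam_pkcs11's own code or its make_hash_link.sh: it installs issuer certificates (DER, like the NHS files above, or PEM) into a cacerts directory with the `<subject-hash>.N` symlinks that hash-directory lookups need, then verifies a certificate read off the card against them, with or without a CRL check. Directory names and the `.r0` CRL file naming are the standard openssl `-CApath` layout; everything else (file names, the card certificate path) is an assumption for the example.

```shell
#!/bin/sh
# Added example (not the pam_pkcs11 project's code): rebuild the cacerts store
# and run the "ca" / "crl" checks with openssl so the issuer certificates can
# be tested before cert_policy is enabled in pam_pkcs11.conf.
set -eu

# Install issuer certificates into CADIR and create the <subject-hash>.N
# symlinks that openssl's -CApath lookup needs (the job make_hash_link.sh is
# run for above). .1, .2 ... are used when two issuers share a subject hash.
install_ca_certs() {                     # usage: install_ca_certs CADIR CERT...
    cadir=$1; shift
    mkdir -p "$cadir"
    for src in "$@"; do
        pem="$cadir/$(basename "$src" | sed 's/\.[^.]*$//').pem"
        if grep -q 'BEGIN CERTIFICATE' "$src"; then
            cp "$src" "$pem"                          # already PEM
        else
            openssl x509 -inform DER -in "$src" -out "$pem"   # DER, as the NHS files are
        fi
        chmod a+r "$pem"                 # the chmod a+r step from above
        hash=$(openssl x509 -noout -subject_hash -in "$pem")
        n=0
        while [ -e "$cadir/$hash.$n" ]; do n=$((n + 1)); done
        ln -s "$(basename "$pem")" "$cadir/$hash.$n"
    done
}

# Check a certificate (PEM or DER straight off the card) against the store.
# Mode "ca" chains it to an installed issuer; mode "crl" additionally needs a
# <hash>.r0 CRL file in CADIR and rejects revoked certificates. With no CRL
# present "crl" fails, the same outcome the text notes for pam_pkcs11.
check_card_cert() {                      # usage: check_card_cert CADIR CERT [ca|crl]
    cadir=$1; cert=$2; mode=${3:-ca}
    tmp=""
    if ! grep -q 'BEGIN CERTIFICATE' "$cert"; then      # DER: convert for openssl verify
        tmp=$(mktemp); openssl x509 -inform DER -in "$cert" -out "$tmp"; cert=$tmp
    fi
    case "$mode" in
        ca)  out=$(openssl verify -CApath "$cadir" "$cert" 2>&1) || true ;;
        crl) out=$(openssl verify -CApath "$cadir" -crl_check "$cert" 2>&1) || true ;;
        *)   echo "check_card_cert: unknown mode '$mode'" >&2; return 2 ;;
    esac
    [ -n "$tmp" ] && rm -f "$tmp"
    # Judge by the verdict text; the exit status has varied across openssl versions.
    case "$out" in
        *": OK") return 0 ;;
        *)       printf '%s\n' "$out" >&2; return 1 ;;
    esac
}

# Stand-alone use (paths assumed):
#   install_ca_certs /etc/X509/cacerts NHS-Root-CA.der NHS-Level-1A.der
#   check_card_cert  /etc/X509/cacerts card-cert.der crl
```

If the `ca` check passes but `crl` fails with "unable to get certificate CRL", the store is fine and it is the CRL that is missing; install the issuer's CRL as `<subject-hash>.r0` (for crl_offline) or confirm the host can reach the CRL distribution point (for crl_online) before enabling that policy, or every login will be refused.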

Issues

The setup and configuration is not yet perfect. The 'hacked-together' appearance mentioned above is not slick. Additionally:

  • Accessing the Smartcard is painfully slow. You will need to insert card, then enter username, then enter PIN. Attempting to enter username, then inserting smartcard to validate will result in a timeout (it takes approximately 4.5 seconds to initialise the card reading interface).
  • After entering your username, you are prompted to "Please insert your smart card or enter your username." (console login)
  • pam-pkcs11 prevents multi-user logins whilst a smartcard is present in the reader.
  • How do I turn off pam-pkcs11 for certain users?
  • What happens if the SmartCard contains more than 1 certificate?
Page last modified on 2008, December 31 @ 17:12:44