[FC8] ssh and CAC card???

Todd Denniston Todd.Denniston at ssa.crane.navy.mil
Wed Dec 5 15:45:31 UTC 2007


Jeff Krebs wrote, On 12/04/2007 08:00 PM:
> * Todd Denniston (Todd.Denniston at ssa.crane.navy.mil) wrote:
>>  From what I understood, the change to openssh listed in:
>>  rpm -q --changelog  openssh  |less
>> as:
>> "* Wed Jun 20 2007 Tomas Mraz <tmraz at redhat.com> - 4.5p1-7
>> - experimental NSS keys support
>> - correctly setup context when empty level requested (#234951)
>> "
>> was supposed to allow the Common Access Card (CAC) to work with the shipped 
>> Fedora 8 ssh.
>>
>> As per NSS usual, everything is undocumented, i.e., `ssh-add --help` does 
>> not help at all, and `man ssh-add` points to `ssh-add -s reader`
>> # ssh-add -s 0
>> Enter passphrase for smartcard:
>> SSH_AGENT_FAILURE
>> Could not add card: 0
>> # ssh-add -s 1
>> Enter passphrase for smartcard:
>> SSH_AGENT_FAILURE
>> Could not add card: 1
>>
>> So does anyone know how to use the possible functionality, or are we 
>> reduced to reading the source?
>>
> 
> There is a link:
> 
> http://www.nabble.com/ssh-and-CAC-t2483281.html

Look at the next to the last email in that thread... yep that's me.

> 
> with some information.
> 
> You have the SmartCard setup working under Linux?

Yes, well _had_ in FC[1457].
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8

But Red Hat believes that known to be working (and documented) solutions are bad:
https://bugzilla.redhat.com/show_bug.cgi?id=186469#c11
so they tried to put their buggered up (my opinion) NSS solution in FC8 ssh 
instead.
(I will comment more on this when I get done doing minimal testing on Alon's 
patches to
http://www.openvpn.net
http://gnupg-pkcs11.sourceforge.net/
As we (DoD) need all of these to work, and apparently Alon has had them 
working for over a year now, considering the date on the mail you pointed to.
At least the twists they did to pam_pkcs11 worked, even if they did not update 
the documentation to explain how to make it work. I was fortunately on another 
mailing list where someone had posted a quick how to get it to sort of work.)


My real problem here is that I am trying to work with what the distribution 
has (RH's NSS), instead of dropping back and punting Alon's and my patches into 
yet another version of the distro, which would mean I have to support it each 
time a new Fedora ssh patch is released.


> 
> What reader are you using?  I've tried the ActiveCard v2.0 USB to no 
> avail.  Actually, this is known not to work, but I had to try anyway :)
> 

SCM SCR331 firmware 5.18.
There is newer firmware that makes the SCR331 perform full-length CCID 
transfers (needed for the PIV applet), and I intend to update the whole batch 
we have after I test a few.

BTW IIRC the ActiveCard v2.0 USB can be updated with the SCR firmware to 
effectively make it act as an SCR, or so I have read, YMMV. I highly suggest 
researching the change before doing it though, and I think at ~$20 a new 
SCRx31 or Gemplus reader is easier to deal with. (So I suppose if you 
consider the ActiveCard reader a door stop anyway, you would not lose 
anything if you burn it out in the attempt to update the firmware.)

> I should have an Athena USB reader coming my way soon.  Hopefully that 
> will allow use with FireFox.
Assuming the Athena USB reader is CCID compliant 
http://pcsclite.alioth.debian.org/ccid.html#CCID_compliant
then at least the CAC, through pcscd and CoolKey can be made to work with 
pam_pkcs11 and Mozilla products.

Hope this helps you.

-- 
Todd Denniston
Crane Division, Naval Surface Warfare Center (NSWC Crane)
Harnessing the Power of Technology for the Warfighter
