File:  [NetBSD Developer Wiki] / wikisrc / tutorials / howto_bootstrap_the_ePass2003_smartcard.mdwn
Revision 1.6
Tue Oct 6 10:01:13 2015 UTC (4 years, 11 months ago) by uwe
Branches: MAIN
CVS tags: HEAD
Fix fancy quotes to ascii double quotes in shell command examples.

First you need to install security/ccid and security/opensc from pkgsrc.

Once installed, start the pcscd daemon:

<code># /etc/rc.d/pcscd onestart</code>

Verify that OpenSC finds your ePass2003 smartcard:

<pre><code>$ opensc-tool -n
Using reader with a card: Feitian ePass2003 00 00
epass2003
</code></pre>

Start by erasing the card (this destroys any keys and data already stored on it):

<code>$ pkcs15-init --erase-card</code>

Bootstrap the ePass2003 with a PKCS#15 structure and a single user PIN (the PUK is optional):

<pre><code>$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "pettai@NetBSD.org"
Using reader with a card: Feitian ePass2003 00 00
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
</code></pre>

Generate a new RSA key on the card; the key is protected by the user PIN with auth ID 01 and never leaves the card:

<pre><code>$ pkcs15-init --generate-key rsa/2048 --key-usage sign,decrypt --auth-id 01 --label "pettai@NetBSD.org"
Using reader with a card: Feitian ePass2003 00 00
User PIN [User PIN] required.
Please enter User PIN [User PIN]:
</code></pre>

Check the ID of the generated key:

<pre><code>$ pkcs15-tool --dump
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [pettai@NetBSD.org]:
        Version        : 0
        Serial number  : 0926531503081201
        Manufacturer ID: EnterSafe
        Last update    : 20151002154352Z
        Flags          : EID compliant

PIN [User PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:4, max_len:16, stored_len:16
        Pad char       : 0x00
        Reference      : 1 (0x01)
        Type           : ascii-numeric
        Path           : 3f005015

Private RSA Key [pettai@NetBSD.org]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : yes
        Path           : 3f0050152900
        Auth ID        : 01
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec
        MD:guid        : {ceefd809-2b85-adf5-c5a6-1205790bc09e}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public RSA Key [pettai@NetBSD.org]
        Object Flags   : [0x2], modifiable
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : no
        Path           : 3f0050153000
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec
</code></pre>

Export the public key in OpenSSH format (and copy it to your <code>.ssh/authorized_keys</code> file on your remote host):

<pre><code>$ pkcs15-tool --read-ssh-key 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec
Using reader with a card: Feitian ePass2003 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl/O9hhKOos+1KkL7Q/jqrmSN9EXKFP86kZp+nRyCDErYBNiNl4PTGBfS7sx//suPIxzw8epmHR26JSIq0e0ZErjwBMTDzksUwLJ3+hOMgVnlInYPn+p569EcHiIWsKurfZBClllNHOMmTf3ZblbpN3+lwQUHNaUFECmLeh+wcDq6wGnHyCYF/UPUkqr/eiO2DkAYRhCgyPSfcM6a41H4hPWvo/HZgZvq3+Rpd0NHHHdleWfqHlGrdt00nzFV1TCsW16VhGh0KBfSfTKhH2WywqKGL5ik7SS5pFbD/rFSqn5Toc68hrkfbTbb5WBep2JM6htsSLuJ4079EKV3tIfpF pettai@NetBSD.org
</code></pre>

Now you can use your smartcard's private key when ssh-ing to your remote host, by pointing ssh at the OpenSC PKCS#11 module; ssh prompts for the card's user PIN instead of a passphrase:

<pre><code>$ ssh -I /usr/pkg/lib/opensc-pkcs11.so pettai@localhost
Enter PIN for 'pettai@NetBSD.org (User PIN)':
Last login: Fri Oct  2 15:41:21 2015 from 109.105.104.135
NetBSD 7.99.19 (GENERIC) #0: Mon Jun 22 06:11:15 UTC 2015
</code></pre>
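As an added example (not part of the original wiki page or of OpenSC), a small POSIX shell helper that picks the public key ID out of <code>pkcs15-tool --dump</code> output by label, so the 40 hex digits do not have to be copied by hand into <code>pkcs15-tool --read-ssh-key</code>. The <code>export_ssh_pubkey</code> wrapper is hypothetical, and the sample dump text is constructed from the output shown above.

```shell
#!/bin/sh
# Added example, not part of the NetBSD wiki page. Finds the ID of the public
# RSA key with a given label in `pkcs15-tool --dump` output, so it can be fed
# to `pkcs15-tool --read-ssh-key` without copying the 40 hex digits by hand.

# Constructed sample, trimmed from the dump shown in the tutorial above.
SAMPLE_DUMP='Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [pettai@NetBSD.org]:
        Version        : 0

PIN [User PIN]
        ID             : 01

Private RSA Key [pettai@NetBSD.org]
        Auth ID        : 01
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec

Public RSA Key [pettai@NetBSD.org]
        ModLength      : 2048
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec
'

# pub_key_id DUMP LABEL: print the ID under "Public RSA Key [LABEL]";
# exit status 1 if no such object is present in DUMP.
pub_key_id() {
    printf '%s\n' "$1" | awk -v want="$2" '
        BEGIN { hdr = "Public RSA Key [" want "]" }
        # Object headers start in column 1 and carry the label in brackets;
        # only the exact "Public RSA Key [label]" header switches us on.
        /^[A-Za-z].*\[/ { in_obj = ($0 == hdr); next }
        # Inside the wanted object, "ID             : <hex>" has the hex in $3
        # ("Auth ID" lines have $1 == "Auth", so they are skipped).
        in_obj && $1 == "ID" { print $3; found = 1; exit }
        END { exit (found ? 0 : 1) }
    '
}

# export_ssh_pubkey LABEL: hypothetical wrapper that runs the real tools
# (needs pcscd running and the card inserted) and prints the OpenSSH line
# to append to ~/.ssh/authorized_keys on the remote host.
export_ssh_pubkey() {
    id=$(pub_key_id "$(pkcs15-tool --dump)" "$1") ||
        { echo "no public RSA key labelled $1 on the card" >&2; return 1; }
    pkcs15-tool --read-ssh-key "$id"
}
```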
