File: [NetBSD Developer Wiki] / wikisrc / tutorials / howto_bootstrap_the_ePass2003_smartcard.mdwn
Revision 1.6, Tue Oct 6 10:01:13 2015 UTC, by uwe
Branches: MAIN; CVS tags: HEAD
Fix fancy quotes to ascii double quotes in shell command examples.

First you need to install security/ccid and security/opensc from pkgsrc.

Once installed, start the pcscd daemon

<code># /etc/rc.d/pcscd onestart</code>

Verify that OpenSC finds your ePass2003 smartcard

<pre><code>$ opensc-tool -n
Using reader with a card: Feitian ePass2003 00 00
epass2003
</code></pre>

Start by erasing the card; this wipes any existing PKCS#15 structure and keys on it

<code>$ pkcs15-init --erase-card</code>

Bootstrap the ePass2003

<pre><code>$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "pettai@NetBSD.org"
Using reader with a card: Feitian ePass2003 00 00
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
</code></pre>

Generate a new RSA key on the card

<pre><code>$ pkcs15-init --generate-key rsa/2048 --key-usage sign,decrypt --auth-id 01 --label "pettai@NetBSD.org"
Using reader with a card: Feitian ePass2003 00 00
User PIN [User PIN] required.
Please enter User PIN [User PIN]:
</code></pre>

Check the ID of the generated key

<pre><code>$ pkcs15-tool --dump
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [pettai@NetBSD.org]:
        Version        : 0
        Serial number  : 0926531503081201
        Manufacturer ID: EnterSafe
        Last update    : 20151002154352Z
        Flags          : EID compliant

PIN [User PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:4, max_len:16, stored_len:16
        Pad char       : 0x00
        Reference      : 1 (0x01)
        Type           : ascii-numeric
        Path           : 3f005015

Private RSA Key [pettai@NetBSD.org]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : yes
        Path           : 3f0050152900
        Auth ID        : 01
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec
        MD:guid        : {ceefd809-2b85-adf5-c5a6-1205790bc09e}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public RSA Key [pettai@NetBSD.org]
        Object Flags   : [0x2], modifiable
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : no
        Path           : 3f0050153000
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec
</code></pre>

Export the public key (and copy it to your <code>.ssh/authorized_keys</code> file on your remote host)

<pre><code>$ pkcs15-tool --read-ssh-key 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec
Using reader with a card: Feitian ePass2003 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl/O9hhKOos+1KkL7Q/jqrmSN9EXKFP86kZp+nRyCDErYBNiNl4PTGBfS7sx//suPIxzw8epmHR26JSIq0e0ZErjwBMTDzksUwLJ3+hOMgVnlInYPn+p569EcHiIWsKurfZBClllNHOMmTf3ZblbpN3+lwQUHNaUFECmLeh+wcDq6wGnHyCYF/UPUkqr/eiO2DkAYRhCgyPSfcM6a41H4hPWvo/HZgZvq3+Rpd0NHHHdleWfqHlGrdt00nzFV1TCsW16VhGh0KBfSfTKhH2WywqKGL5ik7SS5pFbD/rFSqn5Toc68hrkfbTbb5WBep2JM6htsSLuJ4079EKV3tIfpF pettai@NetBSD.org
</code></pre>

Now you can use your smartcard's private key when ssh'ing to your remote host

<pre><code>$ ssh -I /usr/pkg/lib/opensc-pkcs11.so pettai@localhost
Enter PIN for 'pettai@NetBSD.org (User PIN)':
Last login: Fri Oct  2 15:41:21 2015 from 109.105.104.135
NetBSD 7.99.19 (GENERIC) #0: Mon Jun 22 06:11:15 UTC 2015
</code></pre>
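As a companion to the steps above (an added example, not part of the original page), this POSIX shell script reads a `pkcs15-tool --dump` listing to find the key ID by label instead of copying it by hand, checks that the private key carries the neverExtract access flag, and only then exports the OpenSSH public key line. The dump text embedded in it is a constructed, abridged sample; only `export_ssh_pubkey` touches the card and assumes pkcs15-tool from security/opensc is on PATH.

```shell
#!/bin/sh
# Constructed, abridged sample of `pkcs15-tool --dump` output so the parsing
# functions below can be exercised with no card reader attached.
SAMPLE_DUMP='PKCS#15 Card [pettai@NetBSD.org]:
        Version        : 0

PIN [User PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01

Private RSA Key [pettai@NetBSD.org]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        Auth ID        : 01
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec

Public RSA Key [pettai@NetBSD.org]
        Object Flags   : [0x2], modifiable
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec'

# private_key_id LABEL: read a --dump listing on stdin and print the ID of the
# "Private RSA Key [LABEL]" object; prints nothing if there is no such key.
private_key_id() {
    awk -v label="$1" '
        /^[A-Za-z].*\[/ { insec = ($0 == ("Private RSA Key [" label "]")) }
        insec && $1 == "ID" { print $3; exit }'
}

# private_key_is_nonextractable LABEL: succeed only if that private key carries
# the neverExtract access flag, i.e. the card will never hand the key out.
private_key_is_nonextractable() {
    awk -v label="$1" '
        /^[A-Za-z].*\[/ { insec = ($0 == ("Private RSA Key [" label "]")) }
        insec && /Access Flags/ && /neverExtract/ { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# export_ssh_pubkey LABEL: look the key up on the card by label and print its
# OpenSSH public key line, refusing if the private key is not neverExtract.
# Assumes pkcs15-tool (security/opensc) is on PATH and a card is inserted.
export_ssh_pubkey() {
    dump=$(pkcs15-tool --dump) || return 1
    id=$(printf '%s\n' "$dump" | private_key_id "$1")
    [ -n "$id" ] || { echo "no private key labelled $1 on card" >&2; return 1; }
    printf '%s\n' "$dump" | private_key_is_nonextractable "$1" ||
        { echo "key $id is not marked neverExtract, refusing" >&2; return 1; }
    pkcs15-tool --read-ssh-key "$id" | grep '^ssh-'
}
```

Run `export_ssh_pubkey "pettai@NetBSD.org" >> ~/.ssh/authorized_keys` on the remote host side only after comparing `ssh-keygen -lf` fingerprints of the exported line and the one you intend to trust.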
