OpenPGP card and poldi-ctrl
Hi,

I want to do login with my OpenPGP card. So I am following some tutorial on how to do this with Ubuntu (see [1]), but the howto seems outdated and I get an error:

    poldi-ctrl: error: unknown option '--register-card'
    poldi-ctrl: error: parsing argument vector failed: Unknown option

So I thought maybe I have to build from source, which I did from svn://cvs.gnupg.org/poldi/trunk poldi-trunk, but this poldi-ctrl does not know the option "--register-card" either. So what I did was read the texinfo files and added my serial to /etc/poldi/localdb/users. This did not help either. After a quick edit of /etc/pam.d/common-auth I still cannot authenticate.

I found very little documentation and discussion regarding poldi on the web and would be happy if someone could shed some light onto this issue.

Regards,
Markus

[1] (German): http://wiki.ubuntuusers.de/Authentifizierung_OpenPGP_SmartCard

___
Gnupg-users mailing list
Gnupg-users@gnupg.org
http://lists.gnupg.org/mailman/listinfo/gnupg-users
Re: OpenPGP card and poldi-ctrl
Hi Markus,

Poldi tutorials are outdated. The new version is configured differently. Poldi 0.4.1 works flawlessly with my Cryptostick token (OpenPGP card V2) for PAM authentication.

I used the default /etc/poldi/poldi.conf:

    auth-method localdb
    log-file /var/log/poldi.log
    debug
    scdaemon-program /usr/bin/scdaemon

Added one line to /etc/poldi/localdb/users with CryptoStick's serial number (get it from gpg --card-status | grep Application):

    D1234678912346789123467891234678 alpha

And then dumped the public key from my Cryptostick into poldi local db:

    sudo poldi-ctrl -k > /etc/poldi/localdb/keys/D1234678912346789123467891234678

The rest is pretty standard as it requires to modify pam configuration files. I keep the possibility to log in with password for the moment, so I just added in /etc/pam.d/gdm /etc/pam.d/login /etc/pam.d/sudo /etc/pam.d/gnome-screensaver:

    auth sufficient pam_poldi.so

That's it really!

One more thing, for better stability I recommend to disable opensc daemon when using Cryptostick. I had it enabled because I was playing with a PKCS#11 token and got all sort of problems. I also had opensc-pkcs11.so module loaded in Thunderbird that had a tendency to restart opensc daemon also. So best is to disable it too.
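The localdb setup Alphazo describes, as an added example that is not part of the thread: a POSIX shell snippet that derives the users entry and the keys path from `gpg --card-status` output and reports which control flag a PAM file gives pam_poldi.so. The card-status text and the PAM snippet are constructed samples (the serial is the thread's placeholder value), and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: turn `gpg --card-status` output into
# the poldi localdb entries and check the PAM control flag. The sample
# output and PAM snippet below are constructed for illustration.
SAMPLE_CARD_STATUS='Application ID ...: D1234678912346789123467891234678
Version ..........: 2.0
Serial number ....: 12345678
Name of cardholder: Markus'

SAMPLE_PAM_SUDO='auth sufficient pam_poldi.so
@include common-auth'

# The 32-hex-character Application ID is the name poldi's localdb keys on.
card_serial() {
  printf '%s\n' "$1" |
    sed -n 's/^Application ID[ .]*: *\([0-9A-Fa-f]\{32\}\).*/\1/p'
}

# Line to append to /etc/poldi/localdb/users: "<serial> <unix user>".
# Fails (returns 1) when no Application ID was found, so nothing bogus
# is ever written into the users file.
users_entry() {
  serial=$(card_serial "$1")
  [ -n "$serial" ] || return 1
  printf '%s %s\n' "$serial" "$2"
}

# File that must receive the `poldi-ctrl -k` dump for this card.
keys_path() {
  printf '/etc/poldi/localdb/keys/%s\n' "$(card_serial "$1")"
}

# Control flag on the pam_poldi.so auth line, or "absent" if there is none.
# "sufficient" keeps the password fallback the poster wanted; "required"
# would make the card mandatory for that service.
poldi_pam_control() {
  flag=$(printf '%s\n' "$1" |
    awk '$1=="auth" && $3=="pam_poldi.so" {print $2; exit}')
  printf '%s\n' "${flag:-absent}"
}
```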
Re: OpenPGP card and poldi-ctrl
Hi Alphazo,

thanks for this great howto. I got it working right away.
Where I still have problems: the gnome-keyring (seahorse) still demands the user password. Also I often have to unplug and replug the reader to authenticate. This works, but it is very inconvenient.

Regards,
Markus

On 2010-11-27 08:31, wrote:
> Hi Markus,
>
> Poldi tutorials are outdated. The new version is configured
> differently. Poldi 0.4.1 works flawlessly with my Cryptostick token
> (OpenPGP card V2) for PAM authentication.
>
> I used the default /etc/poldi/poldi.conf:
>
>     auth-method localdb
>     log-file /var/log/poldi.log
>     debug
>     scdaemon-program /usr/bin/scdaemon
>
> Added one line to /etc/poldi/localdb/users with CryptoStick's serial
> number (get it from gpg --card-status | grep Application):
>
>     D1234678912346789123467891234678 alpha
>
> And then dumped the public key from my Cryptostick into poldi local db:
>
>     sudo poldi-ctrl -k > /etc/poldi/localdb/keys/D1234678912346789123467891234678
>
> The rest is pretty standard as it requires to modify pam configuration
> files. I keep the possibility to log in with password for the moment,
> so I just added in /etc/pam.d/gdm /etc/pam.d/login
> /etc/pam.d/sudo /etc/pam.d/gnome-screensaver:
>
>     auth sufficient pam_poldi.so
>
> That's it really!
>
> One more thing, for better stability I recommend to disable opensc
> daemon when using Cryptostick. I had it enabled because I was playing
> with a PKCS#11 token and got all sort of problems. I also had
> opensc-pkcs11.so module loaded in Thunderbird that had a tendency to
> restart opensc daemon also. So best is to disable it too.
Re: OpenPGP card and poldi-ctrl
Hi Markus,

What you are seeing with gnome-keyring is normal. The database of gnome-keyring is encrypted with a password that is usually the same as the login password. Therefore when you log in with a password, your gnome-keyring database gets automatically decrypted and you can access your WPA-protected Wifi network (if using network-manager) without entering any additional password. Now when you log in with an OpenPGP card, you can no longer decrypt the gnome-keyring database. I haven't found a practical way to avoid that.

One alternative could be to use an encrypted space (truecrypt/encfs...) to store the gnome-keyring database and other home-related information and therefore get rid of the gnome-keyring password. But you will still have to enter a password to unlock this encrypted space ;(

Alphazo

On Sun, Dec 12, 2010 at 6:10 PM, Markus Krainz wrote:
> Hi Alphazo,
>
> thanks for this great howto. I got it working right away.
> Where I still have problems: the gnome-keyring (seahorse) still demands
> the user password. Also I often have to unplug and replug the reader to
> authenticate. This works, but it is very inconvenient.
>
> Regards,
> Markus
>
> On 2010-11-27 08:31, wrote:
> > Hi Markus,
> >
> > Poldi tutorials are outdated. The new version is configured
> > differently. Poldi 0.4.1 works flawlessly with my Cryptostick token
> > (OpenPGP card V2) for PAM authentication.
> >
> > I used the default /etc/poldi/poldi.conf:
> >
> >     auth-method localdb
> >     log-file /var/log/poldi.log
> >     debug
> >     scdaemon-program /usr/bin/scdaemon
> >
> > Added one line to /etc/poldi/localdb/users with CryptoStick's serial
> > number (get it from gpg --card-status | grep Application):
> >
> >     D1234678912346789123467891234678 alpha
> >
> > And then dumped the public key from my Cryptostick into poldi local db:
> >
> >     sudo poldi-ctrl -k > /etc/poldi/localdb/keys/D1234678912346789123467891234678
> >
> > The rest is pretty standard as it requires to modify pam configuration
> > files. I keep the possibility to log in with password for the moment,
> > so I just added in /etc/pam.d/gdm /etc/pam.d/login /etc/pam.d/sudo
> > /etc/pam.d/gnome-screensaver:
> >
> >     auth sufficient pam_poldi.so
> >
> > That's it really!
> >
> > One more thing, for better stability I recommend to disable opensc
> > daemon when using Cryptostick. I had it enabled because I was playing
> > with a PKCS#11 token and got all sort of problems. I also had
> > opensc-pkcs11.so module loaded in Thunderbird that had a tendency to
> > restart opensc daemon also. So best is to disable it too.
Re: OpenPGP card and poldi-ctrl
Also regarding the unplug/replug issue: please make sure that pcsc daemon is not running and openct is not installed. I also had to uninstall libpkcs11.so in Thunderbird (used for PKCS#11 token). Please also disable gnupg agent as it can interact with the OpenPGP card.

On Sun, Dec 12, 2010 at 6:10 PM, Markus Krainz wrote:
> Hi Alphazo,
>
> thanks for this great howto. I got it working right away.
> Where I still have problems: the gnome-keyring (seahorse) still demands
> the user password. Also I often have to unplug and replug the reader to
> authenticate. This works, but it is very inconvenient.
>
> Regards,
> Markus
>
> On 2010-11-27 08:31, wrote:
> > Hi Markus,
> >
> > Poldi tutorials are outdated. The new version is configured
> > differently. Poldi 0.4.1 works flawlessly with my Cryptostick token
> > (OpenPGP card V2) for PAM authentication.
> >
> > I used the default /etc/poldi/poldi.conf:
> >
> >     auth-method localdb
> >     log-file /var/log/poldi.log
> >     debug
> >     scdaemon-program /usr/bin/scdaemon
> >
> > Added one line to /etc/poldi/localdb/users with CryptoStick's serial
> > number (get it from gpg --card-status | grep Application):
> >
> >     D1234678912346789123467891234678 alpha
> >
> > And then dumped the public key from my Cryptostick into poldi local db:
> >
> >     sudo poldi-ctrl -k > /etc/poldi/localdb/keys/D1234678912346789123467891234678
> >
> > The rest is pretty standard as it requires to modify pam configuration
> > files. I keep the possibility to log in with password for the moment,
> > so I just added in /etc/pam.d/gdm /etc/pam.d/login /etc/pam.d/sudo
> > /etc/pam.d/gnome-screensaver:
> >
> >     auth sufficient pam_poldi.so
> >
> > That's it really!
> >
> > One more thing, for better stability I recommend to disable opensc
> > daemon when using Cryptostick. I had it enabled because I was playing
> > with a PKCS#11 token and got all sort of problems. I also had
> > opensc-pkcs11.so module loaded in Thunderbird that had a tendency to
> > restart opensc daemon also. So best is to disable it too.