Re: MUSCLE Linux Login with RSA SmartCards

2001-06-08 Thread Luciano da Silva Coelho

Hi Guido,

Does Siemens have JavaCards? If so, could you give me some information about
them?

Thanks a lot.

[ ]´s
Luciano da Silva Coelho
[EMAIL PROTECTED]
Sun Certified Programmer for JAVA2
Sun Certified Instructor for JAVA2
Director of Technology
e-Sec Tecnologia em Segurança de Dados
www.esec.com.br

- Original Message -
From: "Treutwein Guido" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, June 08, 2001 8:36 AM
Subject: AW: MUSCLE Linux Login with RSA SmartCards


>
>
> -Original Message-
> From: Erwann ABALEA [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 8 June 2001 12:07
> To: [EMAIL PROTECTED]
> Subject: Re: MUSCLE Linux Login with RSA SmartCards
>
> >You can design your application so that whenever a signature (or
> >decryption) operation is to be performed, a PIN code should be presented,
> >the operation performed, and the authentication state reset. That's how
> >it's done with the French banking applications. The card in itself doesn't
> >reset the authentication state after the operation, but the payment
> >terminals must do it.
>
> Hi,
>
> It is perhaps worth noting that cards exist where the access condition
> expires automatically after the operation is completed. This is how our
> German Digital Signature Law compliant card works. (No, it isn't a
> JavaCard.) The advantage is that you don't have to rely on a good-natured
> terminal.
>
> http://crypto.mchh.siemens.de/produkte/smartcards.asp?lang=eng
>
> Guido Treutwein
> Siemens ICN ISA TNA 21
> [EMAIL PROTECTED]
>
> ***
> Linux Smart Card Developers - M.U.S.C.L.E.
> (Movement for the Use of Smart Cards in a Linux Environment)
> http://www.linuxnet.com/smartcard/index.html
> ***
>




Re: MUSCLE Linux Login with RSA SmartCards

2001-06-08 Thread Erwann ABALEA

On Fri, 8 Jun 2001, Dr S N Henson wrote:

> Carlos Prados wrote:
> >
> >
> > Again, I would pay more attention to local security.
> > Why is the file /tmp/.pcscrx world writable? Isn't
> > this a security hole?
> >
>
> On the subject of security...
>
> As may be apparent I've only just got my setup working and I've not
> examined things in any detail. I did notice a few things which might be
> cause for concern.
>
> Consider a Netscape PKCS#11 module. In this application the connection
> to the reader may need to be kept open for an extended period of time
> (typically the whole browser session) and may not be closed cleanly. As
> we are all painfully aware it's not entirely unknown for a browser to
> crash.

For the PKCS#11 part, there's a solution: just use random session numbers,
and close all the sessions if you detect at least 3 invalid session
numbers...

That way, the application can crash, but trying to attach to this previous
session and keep the authenticated state would be difficult.

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
A computer is a state machine.
Threads are for people who can't program state machines.
 Alan Cox
   in a discussion about the threads and the Linux scheduler


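The session-handle scheme sketched above, as an added example that is not part of the original post and not code from pcsc-lite or any PKCS#11 module. It assumes a middleware that hands each application an unguessable 64-bit session handle and, after three invalid handles since the last reset, closes every session and drops the PIN-verified state with it. Names such as SessionTable and MAX_INVALID are assumptions made for this illustration.

```python
"""Middleware session table: random handles plus a three-strike global reset.

Added example (not pcsc-lite or any PKCS#11 module's code).  Names such as
SessionTable and MAX_INVALID are assumptions made for this illustration.
"""
import secrets

MAX_INVALID = 3   # third bad handle closes every session, as suggested in the thread


class SessionTable:
    """Sessions a PKCS#11-style middleware keeps on behalf of applications.

    Handles are random 64-bit values, so a process that replaces a crashed
    browser cannot reattach to its still-authenticated session by counting
    upwards from 1.  Any three invalid handles since the last reset drop all
    sessions together with their PIN-verified state.
    """

    def __init__(self):
        self._sessions = {}      # handle -> {"logged_in": bool}
        self._invalid_hits = 0
        self.resets = 0          # how many times the strike limit was hit

    def open_session(self):
        handle = secrets.randbits(64)
        while handle == 0 or handle in self._sessions:
            handle = secrets.randbits(64)
        self._sessions[handle] = {"logged_in": False}
        return handle

    def login(self, handle, pin_ok):
        """Record the PIN-verified state for one session (the PIN check itself is external)."""
        sess = self._lookup(handle)
        if sess is None:
            return False
        sess["logged_in"] = bool(pin_ok)
        return sess["logged_in"]

    def is_logged_in(self, handle):
        sess = self._lookup(handle)
        return bool(sess is not None and sess["logged_in"])

    def close_all(self):
        self._sessions.clear()
        self._invalid_hits = 0
        self.resets += 1

    def open_count(self):
        return len(self._sessions)

    def _lookup(self, handle):
        sess = self._sessions.get(handle)
        if sess is not None:
            return sess
        self._invalid_hits += 1
        if self._invalid_hits >= MAX_INVALID:
            self.close_all()
        return None


def demo():
    """A logged-in session survives a crash; a guesser's third miss wipes it."""
    table = SessionTable()
    handle = table.open_session()
    table.login(handle, pin_ok=True)
    for guess in (1, 2, 3):          # successor process probing sequential handles
        table.is_logged_in(guess)
    return table.open_count(), table.resets, table.is_logged_in(handle)
```

The strike counter is cumulative since the last reset rather than per caller: a legitimate application never produces an invalid handle, so three misses are a strong signal that something other than the original application is probing the table.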



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-08 Thread Erwann ABALEA

On Thu, 7 Jun 2001, Carlos Prados wrote:

> Hi,
>
> --- David Corcoran <[EMAIL PROTECTED]> wrote:
> > Definitely.  The interface exported must be a subset
> > of the
> > available functionality or else someone could write
> > a worm which does a
> > Verify Key function incorrectly and blocks cards
> > where services are
> > available.
>
> Even worst. If you leave your card with your private
> PGP key in the reader and the smartcard is accesible
> to anybody over the net, somebody could connect to it,
> and write signed messages with your private key, read
> your private e-mail...

You can design your application so that whenever a signature (or
decryption) operation is to be performed, a PIN code should be presented,
the operation performed, and the authentication state reset. That's how
it's done with the French banking applications. The card in itself doesn't
reset the authentication state after the operation, but the payment
terminals must do it.

> He only needs your PIN, that he can get by snooping
> the network, or donig trial and error.

Trial and error is not a valid attack, as the card usually disables the
code as soon as 3 bad code guesses have been presented. Since you can
enhance the PIN length, guessing the PIN in 3 tries is difficult.


-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
``There are basically two types of people.
People who accomplish things, and people who claim to have accomplished
things. The first group is less crowded.''
 Mark Twain


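The two designs discussed in this post and in the replies to it, as an added example that is not part of the original thread and not code from any real card or from the MUSCLE project: a card whose access condition stays satisfied until the terminal resets it (the French banking model, where the discipline "present PIN, operate, reset" lives in the terminal), beside a card whose access condition expires by itself after the protected operation (the model Guido Treutwein describes), together with the retry counter that makes trial and error on the PIN a blocking rather than a guessing problem. The status words follow ISO 7816-4; the HMAC stands in for the card's RSA signature so the example runs with the standard library only, and the names Card, terminal_sign and leftover_access are assumptions.

```python
"""Toy card model: CHV retry counter, and sticky versus one-shot access conditions.

Added example, not code from any real card or from the MUSCLE project.  The
status words follow ISO 7816-4 (9000 OK, 63Cx tries left, 6982 security status
not satisfied, 6983 authentication method blocked); the HMAC stands in for the
card's RSA signature so the example runs with the standard library only.
"""
import hashlib
import hmac

SW_OK = 0x9000
SW_SECURITY_STATUS_NOT_SATISFIED = 0x6982
SW_AUTH_METHOD_BLOCKED = 0x6983


class Card:
    def __init__(self, pin, one_shot_access=False, max_tries=3):
        self._pin = pin                          # constructed test PIN, bytes
        self._max_tries = max_tries
        self._tries_left = max_tries
        self._verified = False
        # one_shot_access=True models the card Guido describes: the access
        # condition expires by itself once the protected operation completes.
        self.one_shot_access = one_shot_access
        self._key = hashlib.sha256(b"toy signing key, never leaves the card").digest()

    def verify(self, pin):
        """VERIFY CHV1: success restores the counter, failure decrements it."""
        if self._tries_left == 0:
            return SW_AUTH_METHOD_BLOCKED
        if hmac.compare_digest(pin, self._pin):
            self._tries_left = self._max_tries
            self._verified = True
            return SW_OK
        self._verified = False
        self._tries_left -= 1
        if self._tries_left == 0:
            return SW_AUTH_METHOD_BLOCKED
        return 0x63C0 | self._tries_left

    def sign(self, data):
        """Signature operation guarded by the CHV1 access condition."""
        if not self._verified:
            return SW_SECURITY_STATUS_NOT_SATISFIED, None
        sig = hmac.new(self._key, data, hashlib.sha256).digest()
        if self.one_shot_access:
            self._verified = False
        return SW_OK, sig

    def reset_security_status(self):
        """What a well-behaved terminal sends after each operation."""
        self._verified = False

    def tries_left(self):
        return self._tries_left


def terminal_sign(card, pin, data):
    """Present PIN, perform the operation, reset: the terminal-side discipline."""
    sw = card.verify(pin)
    if sw != SW_OK:
        return sw, None
    try:
        return card.sign(data)
    finally:
        card.reset_security_status()


def leftover_access(card, pin):
    """Status word a later caller gets without a PIN after one careless use."""
    card.verify(pin)
    card.sign(b"legitimate document")       # no reset afterwards
    sw, _ = card.sign(b"attacker's document")
    return sw
```

With the default (sticky) card, leftover_access returns 9000: anything that can reach the reader after the legitimate application signs can sign too, which is exactly the exposure a networked reader creates. With one_shot_access=True, or when every caller goes through terminal_sign, the second request fails with 6982. The third wrong PIN returns 6983 and the correct PIN no longer helps, which is why a remotely reachable VERIFY is a denial-of-service concern as well as a guessing one.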



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-07 Thread Dr S N Henson

Carlos Prados wrote:
> 
> 
> Again, I would pay more attention to local security.
> Why is the file /tmp/.pcscrx world writable? Isn't
> this a security hole?
> 

On the subject of security...

As may be apparent I've only just got my setup working and I've not
examined things in any detail. I did notice a few things which might be
cause for concern.

Consider a Netscape PKCS#11 module. In this application the connection
to the reader may need to be kept open for an extended period of time
(typically the whole browser session) and may not be closed cleanly. As
we are all painfully aware it's not entirely unknown for a browser to
crash.

This situation needs to be handled, i.e. a connection can be kept open
for a long time with no security issues and if the application using it
crashes then the session is cleaned up appropriately.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: MUSCLE Linux Login with RSA SmartCards

2001-06-07 Thread Carlos Prados

Hi,

--- David Corcoran <[EMAIL PROTECTED]> wrote:
> Definitely.  The interface exported must be a subset
> of the
> available functionality or else someone could write
> a worm which does a
> Verify Key function incorrectly and blocks cards
> where services are
> available.  

Even worse. If you leave your card with your private
PGP key in the reader and the smartcard is accessible
to anybody over the net, somebody could connect to it,
and write signed messages with your private key, read
your private e-mail...

He only needs your PIN, which he can get by snooping
the network, or doing trial and error.

> A signature function must be carefully
> exported and
> authenticated too, so that it does not perform signature
> operations for undesired
> applications.  Currently this is protected by a PIN
> number so secure PIN
> transfer is a must.  Also, blocking the PIN is a
> concern
>

IMO the smartcard, like your private key or your login
password must be kept private, and only accessible to
the local authenticated user.

We are supposed to be enthusiasts of smartcards as the
best security token to provide security services such
as authentication and privacy.

So if we are designing a system to authenticate and
gain secure access to a remote smartcard, we would end
up getting to the paradox that we would need another
local smartcard to authenticate to the remote
smartcard.

Of course this is madness and doesn't make any
sense, as it leads to an infinite loop ;-)

Again, I would pay more attention to local security.
Why is the file /tmp/.pcscrx world writable? Isn't
this a security hole?
> Dave
> 



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-06 Thread David Corcoran

Definitely.  The interface exported must be a subset of the
available functionality or else someone could write a worm which does a
Verify Key function incorrectly and blocks cards where services are
available.  A signature function must be carefully exported and
authenticated too, so that it does not perform signature operations for
undesired applications.  Currently this is protected by a PIN number so
secure PIN transfer is a must.  Also, blocking the PIN is a concern.

Dave




Re: MUSCLE Linux Login with RSA SmartCards

2001-06-06 Thread Carlos Prados

Hi,

I think the PCSC is good enough if it enables access
to the local smartcard to local processes, and
verifies that the user has UNIX permission to use the
smartcard reader (for instance if /tmp/.pcsctx and
/tmp/.pcscrx are accessible to the user).

For remote authentication, a client/server application
would need to implement the client/server dialog for
authentication.

For instance if a user in Computer A needs to connect
via ssh to Computer B, the user is authenticated to
Computer A OS and has UNIX privileges to access to
the smartcard reader on Computer A:

1) When the ssh client connects to the ssh server, the
ssh server sends some random challenge to the ssh
client

2) The ssh client encrypts the challenge with the
private key stored in the smartcard and sends the
result back to the server. 

3) The ssh server that has the public key of the user
on his local filesystem, decrypts the data and checks
that is the same challenge that was sent to the
client.

4) If the verification is OK, then the server has the
security that the client is the owner of the smartcard
which conveys the private key, and so it has access to
the server host.

The ssh client and server source code would need to
be modified, but I guess there is more chance if you
want to use improved security.

Said this, the "Secure Internet Smartcards" model
looks fine to me, and could be implemented to help
client/server applications to use smartcards for
authentication.

--- Jim Rees <[EMAIL PROTECTED]> wrote:
>   For accessing remote computers (which the original
> query was about)
>   something like ssh or secure telnet using smart
> card based keys
>   for authentication would be more appropriate.
> 
> Of course what you really want is for the session to
> be secure all the way
> to the card, not just to the terminal.  And since
> you can't use the PIN as
> an encryption key, you need something like a
> diffie-hellman exchange.  And
> since the terminal makes a perfect
> man-in-the-middle, you need to add some
> more protocol and use something like EKE, SPEKE, or
> OKE.
> 
> We did all this and wrote a paper:
> 
> N. Itoi, T. Fukuzawa, and P. Honeyman, "Secure
> Internet Smartcards," August
> 2000. Java Card Workshop, Cannes (September 2000).
> 
> http://www.citi.umich.edu/projects/smartcard/scpapers.html
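The four-step exchange above carried through in working code, as an added example that is not part of the original post, not OpenSSH code and not the CITI protocol. The private key stays inside a simulated card object that only ever returns signatures; the server keeps just the public key and a single-use challenge per user. The RSA key is a toy built from the Mersenne primes 2^107-1 and 2^127-1 (textbook RSA without padding, about 234 bits), chosen so the example runs on the standard library alone; the names Card, Server, client_respond and the "ssh-login" context prefix are assumptions for this illustration.

```python
"""Challenge-response login where the private key never leaves the (simulated) card.

Added example illustrating the four steps above; it is not OpenSSH code and
not the CITI protocol.  Toy RSA key built from the Mersenne primes 2^107-1 and
2^127-1 (textbook RSA, no padding, about 234 bits): protocol shape only.
Names such as Card, Server and client_respond are assumptions for this example.
"""
import hashlib
import os

P = (1 << 107) - 1
Q = (1 << 127) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def _digest(user, challenge):
    """Bind the challenge to purpose and principal before it reaches the card.

    SHA-224 keeps the value below the toy modulus; the fixed prefix means a
    signature obtained here cannot double as an S/MIME or code signature.
    """
    h = hashlib.sha224(b"ssh-login\0" + user.encode() + b"\0" + challenge).digest()
    return int.from_bytes(h, "big")


class Card:
    """Holds d and n; the host only ever sees signatures."""

    def __init__(self, d, n):
        self._d, self._n = d, n
        self.pin_verified = False    # set by a VERIFY step not modelled here

    def sign(self, digest_int):
        if not self.pin_verified:
            raise PermissionError("PIN not verified")
        return pow(digest_int, self._d, self._n)


class Server:
    def __init__(self, public_keys):
        self._keys = public_keys     # user -> (e, n), the server's local copy
        self._pending = {}           # user -> outstanding single-use challenge

    def challenge(self, user):       # step 1
        nonce = os.urandom(32)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):   # steps 3 and 4
        nonce = self._pending.pop(user, None)
        if nonce is None:
            return False             # nothing outstanding: replay or out of order
        e, n = self._keys[user]
        return pow(response, e, n) == _digest(user, nonce)


def client_respond(card, user, challenge):   # step 2
    return card.sign(_digest(user, challenge))


def login(server, card, user):
    nonce = server.challenge(user)
    return server.verify(user, client_respond(card, user, nonce))
```

Two details matter beyond the four steps as written: the challenge is consumed on first use, so a captured response cannot be replayed, and the card signs a hash that is bound to "ssh-login" and the user name rather than raw server-supplied bytes, which is the point Stephen Henson raises elsewhere in the thread about a remote party getting the card to sign something other than a login.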



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-06 Thread Dr S N Henson

David Corcoran wrote:
> 
> Hi,
> 
> Sorry for the confusion, when I said RPC like service I meant a service
> that uses GSS-API or something tunnelled under ssh.  Keep in mind this is
> a separate service that acts as an application to PC/SC - I would never
> make this part of PC/SC and it would never be Sun RPC.
> 
> I do need some sort of authentication service which uses GSS-API or
> something so that in an environment such as the SunRay or Citrix I can
> call back to the local smartcard reader since the authentication device
> does not reside on the machine wishing to authenticate.  Also, this is
> needed for remote authentication services such as ftp/telnet.
> 

Well it depends on how you do it. If you allow a remote application
unrestricted access to a smart card reader, even if the traffic is
encrypted it can have bad consequences. 

For example it could send a request to the card to sign additional data
(e.g. to access another host) or to decrypt data (e.g. S/MIME email
secured with the same key).

If the protocol is designed properly, such problems can readily be
avoided.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-06 Thread Jim Rees

  For accessing remote computers (which the original query was about)
  something like ssh or secure telnet using smart card based keys
  for authentication would be more appropriate.

Of course what you really want is for the session to be secure all the way
to the card, not just to the terminal.  And since you can't use the PIN as
an encryption key, you need something like a diffie-hellman exchange.  And
since the terminal makes a perfect man-in-the-middle, you need to add some
more protocol and use something like EKE, SPEKE, or OKE.

We did all this and wrote a paper:

N. Itoi, T. Fukuzawa, and P. Honeyman, "Secure Internet Smartcards," August
2000. Java Card Workshop, Cannes (September 2000).

http://www.citi.umich.edu/projects/smartcard/scpapers.html
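A PIN-authenticated key agreement of the kind this post points at, and the "key exchange plus encrypted opaque blob" that Erwann Abalea suggests later in the thread, as an added example that is not part of either post and not the protocol from the CITI paper. It follows the SPEKE construction (Jablon, 1996): the Diffie-Hellman generator is derived from the PIN, so a terminal that relays the messages cannot read the traffic and cannot check PIN guesses offline; a wrong PIN on either side simply yields a different generator and a failed key confirmation, so each active guess costs one run, which the card's retry counter then limits. Parameters are toys (a 96-bit safe prime found at run time with Miller-Rabin), and the names Party, run_exchange and safe_prime are assumptions for this illustration.

```python
"""PIN-authenticated key agreement (SPEKE shape) between host software and a card.

Added example, not the CITI "Secure Internet Smartcards" protocol and not code
from the paper.  It follows Jablon's SPEKE construction: the Diffie-Hellman
generator is derived from the PIN, so a terminal relaying the messages can
neither read the traffic nor verify PIN guesses offline.  Toy parameters: a
96-bit safe prime found at run time with Miller-Rabin; names such as Party and
run_exchange are assumptions for this example.
"""
import hashlib
import hmac
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases (probabilistic, fine for a demo)."""
    if n < 2:
        return False
    for s in SMALL_PRIMES:
        if n % s == 0:
            return n == s
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """Return p = 2q + 1 with p and q both (probably) prime."""
    while True:
        q = secrets.randbits(bits - 1) | (1 << (bits - 2)) | 1
        if is_probable_prime(q) and is_probable_prime(2 * q + 1):
            return 2 * q + 1


def _enc(value, p):
    return value.to_bytes((p.bit_length() + 7) // 8, "big")


class Party:
    """One side of the exchange: the host application or the card."""

    def __init__(self, name, p, pin):
        self.name, self.p, self.q = name, p, (p - 1) // 2
        # SPEKE: g = H(PIN)^2 mod p lies in the prime-order subgroup, so the
        # exponent leaks nothing and g itself is unknown without the PIN.
        self.g = pow(int.from_bytes(hashlib.sha256(pin).digest(), "big"), 2, p)
        if self.g in (0, 1):
            raise ValueError("degenerate generator")
        self._x = secrets.randbelow(self.q - 1) + 1
        self.public = pow(self.g, self._x, p)
        self.key = None

    def derive(self, peer_public):
        # Reject 0, 1 and p-1: they would force the shared secret into a tiny subgroup.
        if not 1 < peer_public < self.p - 1:
            raise ValueError("bad public value")
        shared = pow(peer_public, self._x, self.p)
        self.key = hashlib.sha256(_enc(shared, self.p)).digest()
        return self.key

    def tag(self, who, transcript):
        """Key-confirmation MAC; 'who' names the sender so the two tags differ."""
        return hmac.new(self.key, who.encode() + transcript, hashlib.sha256).digest()


def run_exchange(p, host_pin, card_pin):
    """Messages: host -> card: X; card -> host: Y; then both sides confirm.

    Returns (host_accepts, card_accepts).  Different PINs (a terminal guessing
    on the host's behalf) produce different generators and a failed
    confirmation: one guess per run, which the card's retry counter limits.
    """
    host, card = Party("host", p, host_pin), Party("card", p, card_pin)
    transcript = _enc(host.public, p) + _enc(card.public, p)
    host.derive(card.public)
    card.derive(host.public)
    host_tag, card_tag = host.tag("host", transcript), card.tag("card", transcript)
    host_accepts = hmac.compare_digest(card_tag, host.tag("card", transcript))
    card_accepts = hmac.compare_digest(host_tag, card.tag("host", transcript))
    return host_accepts, card_accepts
```

Once both sides hold the same key, the PIN and every subsequent APDU can travel inside an authenticated-encryption envelope keyed from it, which is the "opaque data blob" the thread asks for. A plain Diffie-Hellman exchange would not do: the terminal in the middle could run one exchange with each side, and the PIN sent through that channel would be readable by the terminal.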



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-06 Thread David Corcoran

Hi,

Sorry for the confusion, when I said RPC like service I meant a service
that uses GSS-API or something tunnelled under ssh.  Keep in mind this is
a separate service that acts as an application to PC/SC - I would never
make this part of PC/SC and it would never be Sun RPC.


I do need some sort of authentication service which uses GSS-API or
something so that in an environment such as the SunRay or Citrix I can
call back to the local smartcard reader since the authentication device
does not reside on the machine wishing to authenticate.  Also, this is
needed for remote authentication services such as ftp/telnet.

Dave


On Wed, 6 Jun 2001, Dr S N Henson wrote:

>
>
> Ludovic Rousseau wrote:
> >
> >
> > I don't think using RPC is a good idea.
> > You use a smartcard to provide security in an insecure environment.
> > I don't want to send my PIN code in clear over RPC. You need to have
> > authentication, integrity and confidentiality of your networks
> > communications.
> > You could use 'secure RPC' but it will be hard to find implementations
> > of it outside SUN.
> >
> > If you send your PIN code in clear over the network why not just use
> > telnet ? :-(
> >
> > I want a secure channel between my smartcard and the program sending
> > commands to it.
> >
>
> Yes, I agree. I also don't want some untrusted program (even if the
> server is authenticated) sending arbitrary commands to the smart card
> and, for example, grabbing the PIN and signing/decrypting anything it
> wants.
>
> For accessing remote computers (which the original query was about)
> something like ssh or secure telnet using smart card based keys
> for authentication would be more appropriate.
>
> Steve.
>




Re: MUSCLE Linux Login with RSA SmartCards

2001-06-06 Thread Jeremy Impson


Hello,

On Wed, 6 Jun 2001, Dr S N Henson wrote:

> > I don't think using RPC is a good idea.
> > You use a smartcard to provide security in an insecure environment.
> > I don't want to send my PIN code in clear over RPC. You need to have
> > authentication, integrity and confidentiality of your networks
> > communications.

[snip]

> For accessing remote computers (which the original query was about)
> something like ssh or secure telnet using smart card based keys
> for authentication would be more appropriate.

Might I suggest something like SOAP or XML-RPC? (SOAP == Simple Object
Access Protocol.)

I'm actually only just learning about them myself, so what I'm about to
say may not be entirely accurate...

Both of these are mechanisms for doing RPC where the actual data passed
over the network is formatted as XML.  I think it's a good idea because it
allows easy cross platform compatibility and also is implementation
language independent.  Just about every language implementation has HTTP
and XML libraries, so it would be trivial for anyone to develop a wrapper
library that can speak to MUSCLE readers.  And there's no need to link
against the MUSCLE libs or deal with whether SUN RPC has been ported to
your platform (think *very* small embedded systems on obscure hardware).

Neither spec mentions anything about security, but since they both run
over HTTP, using HTTPS (i.e. SSL) is pretty obvious.  (And you don't HAVE
to use HTTP/HTTPS.)  

Personally I like ssh, but it doesn't quite have the acceptance of SSL (no
flames, please!), and neither is it the whole solution (i.e. it doesn't
address the encoding for the RPC data).  Something like XML-RPC over SSL
(requiring client certificates for full authentication) seems the way to
go.  Or even XML-RPC over ssh if that works for you.

From http://www.w3.org/TR/SOAP/

SOAP is a lightweight protocol for exchange of information in a
decentralized, distributed environment. It is an XML based
protocol that consists of three parts: an envelope that defines a
framework for describing what is in a message and how to process
it, a set of encoding rules for expressing instances of
application-defined datatypes, and a convention for representing
remote procedure calls and responses. SOAP can potentially be used
in combination with a variety of other protocols; however, the
only bindings defined in this document describe how to use SOAP in
combination with HTTP and HTTP Extension Framework

From http://www.xmlrpc.com/spec

What is XML-RPC? 

It's a spec and a set of implementations that allow software
running on disparate operating systems, running in different
environments to make procedure calls over the Internet.

It's remote procedure calling using HTTP as the transport and XML
as the encoding. XML-RPC is designed to be as simple as possible,
while allowing complex data structures to be transmitted,
processed and returned.

The "full" XML-RPC spec is here: http://www.xmlrpc.com/spec (it seems a
little TOO simple).

Added bonus is that you can do the RPC through firewalls (via HTTP
proxies) fairly easily.

I'm not sure what the technical differences are between SOAP and XML-RPC,
but there seems to be some political issues (i.e. what company supports
which standard).

Just some food for thought.

--Jeremy

Jeremy Impson
Sr. Associate Network Engineer
Advanced Technologies Department
Lockheed Martin Systems Integration
email: [EMAIL PROTECTED]
phone: 607-751-5618
fax:   607-751-6025




Re: MUSCLE Linux Login with RSA SmartCards

2001-06-06 Thread Dr S N Henson



Ludovic Rousseau wrote:
> 
> 
> I don't think using RPC is a good idea.
> You use a smartcard to provide security in an insecure environment.
> I don't want to send my PIN code in clear over RPC. You need to have
> authentication, integrity and confidentiality of your networks
> communications.
> You could use 'secure RPC' but it will be hard to find implementations
> of it outside SUN.
> 
> If you send your PIN code in clear over the network why not just use
> telnet ? :-(
> 
> I want a secure channel between my smartcard and the program sending
> commands to it.
> 

Yes, I agree. I also don't want some untrusted program (even if the
server is authenticated) sending arbitrary commands to the smart card
and, for example, grabbing the PIN and signing/decrypting anything it
wants.

For accessing remote computers (which the original query was about)
something like ssh or secure telnet using smart card based keys
for authentication would be more appropriate.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.




Re: MUSCLE Linux Login with RSA SmartCards

2001-06-06 Thread Erwann ABALEA

On Wed, 6 Jun 2001, Ludovic Rousseau wrote:

> On Mon, Jun 04, 2001 at 12:57:20PM -0700, David Corcoran wrote:
> > Hello,
> >
> > You can't use pcsc-lite-0.9.1 for remote use of the resource manager.  I
> > wanted to create the core package as local only.  I'm working on an RPC
> > like service that sits atop the local service which will export the PC/SC
> > interface .  To the apps it will be identical to the older versions
> > that used RPC.
>
> I don't think using RPC is a good idea.
> You use a smartcard to provide security in an insecure environment.
> I don't want to send my PIN code in clear over RPC. You need to have
> authentication, integrity and confidentiality of your networks
> communications.
> You could use 'secure RPC' but it will be hard to find implementations
> of it outside SUN.

Or maybe provide some kind of key exchange, and send the PIN code (and all
the card commands) hidden in an opaque data blob, simply encrypted.

That's surely difficult to design and implement correctly, but I agree
with Ludovic, it's not a good idea to transmit everything in clear.

> If you send your PIN code in clear over the network why not just use
> telnet ? :-(
>
> I want a secure channel between my smartcard and the program sending
> commands to it.
>
>

-- 
Erwann ABALEA
[EMAIL PROTECTED]
RSA PGP Key ID: 0x2D0EABD5
-
Two most common elements in the universe: Hydrogen and Stupidity.




Re: MUSCLE Linux Login with RSA SmartCards

2001-06-06 Thread Ludovic Rousseau

On Mon, Jun 04, 2001 at 12:57:20PM -0700, David Corcoran wrote:
> Hello,
> 
> You can't use pcsc-lite-0.9.1 for remote use of the resource manager.  I
> wanted to create the core package as local only.  I'm working on an RPC
> like service that sits atop the local service which will export the PC/SC
> interface .  To the apps it will be identical to the older versions
> that used RPC.

I don't think using RPC is a good idea.
You use a smartcard to provide security in an insecure environment.
I don't want to send my PIN code in clear over RPC. You need to have
authentication, integrity and confidentiality of your networks
communications.
You could use 'secure RPC' but it will be hard to find implementations
of it outside SUN.

If you send your PIN code in clear over the network why not just use
telnet ? :-(

I want a secure channel between my smartcard and the program sending
commands to it.

-- 
Ludovic Rousseau
[EMAIL PROTECTED] - Gemplus/Information Security Team

  O    ascii ribbon campaign against html
  |\   email and Microsoft attachments.



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-04 Thread David Corcoran

Hello,

You can't use pcsc-lite-0.9.1 for remote use of the resource manager.  I
wanted to create the core package as local only.  I'm working on an RPC
like service that sits atop the local service which will export the PC/SC
interface .  To the apps it will be identical to the older versions
that used RPC.

Dave




Re: MUSCLE Linux Login with RSA SmartCards

2001-06-03 Thread Carlos Prados

Hi,

The package looks fine for me. It fails for me with
Cyberflex, but it's due to the timeout issue I have
asked in the other thread in this mailing list.

Just one question: do you intend to handle the case
where the user logs in from a remote computer via,
let's say `telnet` ?

Because pam_smartcard will use the reader directly
connected to the telnet server machine where 'login'
is running, and not the telnet client machine.

AFAIK, since pcsc-lite 0.9.1 uses local filesystem for
inter process communication, it's no longer possible to
use a remote reader, isn't it, David?

Thanks.
Carlos.

--- [EMAIL PROTECTED] wrote:
> Hi,
> 
> You're right, you have to change these two lines
> that it works properly.
> 





Re: MUSCLE Linux Login with RSA SmartCards

2001-06-03 Thread m . sagi

Hi,

You're right, you have to change these two lines so that it works properly.

The standard file size for the 0x file (CHV) is 39 (0x27).
We forgot to add the header while creating the file, so it is 16 bytes too
short.
It is strange that it worked for our cards.

Thanks for your hint!
Martin Sägesser


>Hi,
>
>I got 67 00 (wrong length) while running `makecard',
>when the program tried to do an Update Binary of the
>EF 0x (CHV1).
>
>The message returned by the program was "error writing
>PIN"
>
>I edited the file cat/makecard.c, line 250, activated
>the line:
>
>check = createFile(0x, 0x0027, BINARYFILE, acl);
>
>and deactivated the line:
>
>check = createFile(0x, 0x0017, BINARYFILE, acl);
>
>to create a larger PIN file, and the program run
>successfully.
>
>I'm using Cyberflex Access (ATR: 3B169481100601812F).
>
>Is this a problem of my card?
>
>Thanks,
>Carlos.
>
>--- Mario Strasser <[EMAIL PROTECTED]> wrote:
>>  Hi,
>> 
>>  in the context of a project work at the University
>> of Applied Sciences
>> Winterthur in Switzerland we built a package, which
>> allows you to use an RSA
>> smartcard for login. The package contains
>> a PAM module, the necessary tools to administrate the
>> smartcards and an
>> installation HOWTO.
>> You can download it from
>> http://www.strongsec.com/smartcards/ .
>> 
>> The package was built for the Schlumberger Cyberflex
>> and Cryptoflex cards
>> and tested under SuSE Linux
>> 7.1 with a Schlumberger Reflex 62 and a Towitoko
>> Carddrive reader. But it
>> may work with other
>> ISO-7816 compatible smartcards, too.
>> Let us know what you think about it, because we intend
>> to upgrade it as part of
>> our diploma work.
>> (Make it usable in a network environment, for
>> example by storing the public
>> keys on a LDAP-Server.)
>> 
>> We look forward to hearing from you soon.
>> 
>> Best regards.
>> 
>>  Mario Strasser <[EMAIL PROTECTED]> & Martin Saegesser
>> <[EMAIL PROTECTED]>



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-02 Thread Mario Strasser

Hi,

You're right, sorry! We did it because - deficiency in documentation - we
were not able to change the auth0 of the cryptoflex card. If anyone knows
how to do it, please let us know. However, we will change the behaviour of
the cleancard and makecard programs.

Regards

Mario

- Original Message -
From: "David Corcoran" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Saturday, June 02, 2001 4:57 AM
Subject: Re: MUSCLE Linux Login with RSA SmartCards


> Hi,
>
> This looks great.  A couple of notes:
>
> the --aut0=aut0 XXX does not seem to work - it still uses the
> default keys.  I checked the code and if cryptoflex is found then it
> overwrites the command line with the cryptoflex default aut0.
>
> This looks really good though - now I just need to find a blank card
> ..
>
> Dave
>



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-02 Thread Carlos Prados

Hi,

I got 67 00 (wrong length) while running `makecard',
when the program tried to do an Update Binary of the
EF 0x (CHV1).

The message returned by the program was "error writing
PIN"

I edited the file cat/makecard.c, line 250, activated
the line:

check = createFile(0x, 0x0027, BINARYFILE, acl);

and deactivated the line:

check = createFile(0x, 0x0017, BINARYFILE, acl);

to create a larger PIN file, and the program ran
successfully.

I'm using Cyberflex Access (ATR: 3B169481100601812F).

Is this a problem of my card?

Thanks,
Carlos.

--- Mario Strasser <[EMAIL PROTECTED]> wrote:
>  Hi,
> 
>  in the context of a project work at the University
> of Applied Sciences
> Winterthur in Switzerland we built a package, which
> allows you to use an RSA
> smartcard for login. The package contains
> a PAM module, the necessary tools to administrate the
> smartcards and an
> installation HOWTO.
> You can download it from
> http://www.strongsec.com/smartcards/ .
> 
> The package was built for the Schlumberger Cyberflex
> and Cryptoflex cards
> and tested under SuSE Linux
> 7.1 with a Schlumberger Reflex 62 and a Towitoko
> Carddrive reader. But it
> may work with other
> ISO-7816 compatible smartcards, too.
> Let us know what you think about it, because we intend
> to upgrade it as part of
> our diploma work.
> (Make it usable in a network environment, for
> example by storing the public
> keys on a LDAP-Server.)
> 
> We look forward to hearing from you soon.
> 
> Best regards.
> 
>  Mario Strasser <[EMAIL PROTECTED]> & Martin Saegesser
> <[EMAIL PROTECTED]>



Re: MUSCLE Linux Login with RSA SmartCards

2001-06-01 Thread David Corcoran

Hi,

This looks great.  A couple of notes:

the --aut0=aut0 XXX does not seem to work - it still uses the
default keys.  I checked the code and if cryptoflex is found then it
overwrites the command line with the cryptoflex default aut0.

This looks really good though - now I just need to find a blank card
..

Dave
