HUT Linux PKI Client - PowerPoint PPT Presentation

Slides: 10
Provided by: asuo

1
HUT Linux PKI Client
  • Anna Erika Suortti
  • HUT/Computing Centre
  • Erika.Suortti_at_hut.fi

2
Overview
Netscape
xdm
PAM
PKCS11
OpenSSH
PC/SC Architecture
3
The PC/SC Architecture
Application
Service Provider
Card SP
Resource Manager
IFD Handler
4
Communication between the layers
App
RM
SP
HST
1) EstablishContext()
2) Attach()
3) GetUserKey()
4) Detach()
5) ReleaseContext()
5
PAM
xdm
/etc/pam.d/xdm
PAM
PAM module
  • stackable
  • -single point of failure
  • reusable
  • combinable
  • data transfer
6
Authentication
Workstation
LDAP-server
1) Read the certificate from the smartcard
2) Send the certificate
3) Return the user id and the CA certificate
4) Check the validity and the CA signature of the certificate
5) Encrypt random data with the public key
6) Ask the user for PIN 1
7) Verify PIN 1
8) Send the encrypted random data to the card to be decrypted
9) Compare the original and decrypted data
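The nine authentication steps above can be traced in code. This is an added example, not code from the presentation or from the HUT client: the card is simulated by a hypothetical ToyCard class, the LDAP lookup of steps 2-3 is assumed to have already returned the CA public key, and the keys, PIN and certificate are constructed toy values using unpadded textbook RSA.

```python
import hashlib, hmac, secrets
from datetime import date

E = 65537  # public exponent shared by both toy keys

def toy_keypair(p, q):
    """Textbook RSA from two known primes -> (n, d). No padding: illustration only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))

def cert_digest(cert, n):
    body = f"{cert['uid']}|{cert['n']}|{cert['not_after']}".encode()
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % n

class ToyCard:
    """Stands in for the smartcard: the private key never leaves it, PIN 1 gates its use."""
    def __init__(self, cert, d, pin, tries=3):
        self.cert, self._d, self._pin, self._tries = cert, d, pin, tries
        self._unlocked = False
    def verify_pin(self, pin):                       # step 7
        if self._tries == 0:
            return False                             # blocked after too many failures
        self._unlocked = hmac.compare_digest(pin, self._pin)
        self._tries -= 0 if self._unlocked else 1
        return self._unlocked
    def decrypt(self, c):                            # step 8
        if not self._unlocked:
            raise PermissionError("PIN 1 not verified")
        return pow(c, self._d, self.cert["n"])

def make_demo(not_after=date(2031, 1, 1)):
    """Constructed CA key, user key and certificate (Mersenne primes, toy sizes)."""
    ca_n, ca_d = toy_keypair(2**107 - 1, 2**127 - 1)
    n, d = toy_keypair(2**61 - 1, 2**89 - 1)
    cert = {"uid": "demo-user", "n": n, "not_after": not_after}
    cert["sig"] = pow(cert_digest(cert, ca_n), ca_d, ca_n)
    return ToyCard(cert, d, "1234"), ca_n

def authenticate(card, pin, ca_n, today):
    cert = card.cert                                 # step 1; steps 2-3 assumed to yield ca_n
    if today > cert["not_after"]:                    # step 4: validity period
        return "expired"
    if pow(cert["sig"], E, ca_n) != cert_digest(cert, ca_n):  # step 4: CA signature
        return "bad-signature"
    challenge = secrets.randbelow(cert["n"] - 2) + 2  # step 5: fresh random data
    encrypted = pow(challenge, E, cert["n"])
    if not card.verify_pin(pin):                     # steps 6-7
        return "bad-pin"
    answer = card.decrypt(encrypted)                 # step 8
    return "ok" if hmac.compare_digest(str(answer), str(challenge)) else "mismatch"  # step 9
```

A card that carries a copy of the certificate but not the matching private key passes step 4 and fails only at step 9, which is why the challenge has to be fresh for every login.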
7
Functionality
Functionality under different Unix variants

| Operating system | Resource Manager | Service Provider | PAM module |
|---|---|---|---|
| Linux, Solaris, FreeBSD, HPUX | yes, yes, yes, (yes) | yes, yes, yes, (yes) | yes, (yes), (yes), (yes) |
| AIX | (yes) | (yes) | (?) |
| Digital Unix | yes | yes | no (SIA) |
| MacOS X | (original) | (?) | (?) |
8
Cardreader drivers

| Card reader | Working under Linux | Source code available |
|---|---|---|
| Towitoko | yes | yes |
| Utimaco | no | no |
| Gemplus | no | yes |
| SCM | no | no |
9
Links
  • MUSCLE smartcard developers http://www.linuxnet.org
  • CITI Projects Smart Cards http://www.citi.umich.edu/projects/smartcard/
  • Smartcard-Login HOWTO http://www.strongsec.com/smartcards/howto/html/SmartCard-Login-HOWTO.html
  • alt.technology.smartcards FAQ http://www.scdk.com/atsfaq.htm
  • Henkilön Sähköinen Tunnistaminen Yliopistoissa ja Ammattikorkeakouluissa (HSTYA) http://hstya.funet.fi
  • RSA Labs (PKCS11) http://www.rsalabs.com
  • Linux PAM http://www.us.kernel.org/pub/linux/libs/pam/