Ssh askpass pkcs11 provider?

Hi,
got client cert auth working with Chrome (opensc, pcscd), but ssh client fails to prompt for etoken pin? Looks like etoken is requested (led flickering), but no prompt and so ssh user password is prompted instead of etoken pin?
Any idea what's wrong / missing?

Hi @pwFoo,

While I have no experience with this, and in fact didn’t even know of this until I read your post, this seems to be your answer:

https://wiki.archlinux.org/title/Smartcards#SafeNet_eToken

Install the sac-core (AUR) to pkcs11 library installation.

There are also instructions to set up:

SafeNet eToken on Google Chrome

But I don’t know anything more. Sorry.

However, I hope it helps!

Hi,
thanks! Yes, sac-core (and opensc, pcscd) is installed and works fine. Chrome client cert auth works too.
But ssh logins with smartcard fail. Looks like etoken is addressed, but fails because no pin is prompted.

Looks like an askpass ssh package or configuration is missing.

Added provider line to client config to force to the opensc-pkcs11.so file. Token is visible from shell… So I think just pin prompt or some kind of certificate selection (2 certs stored at etoken…) is missing?

Maybe I should also test some clients like Remmina or PuTTY instead of just the shell ssh cmd.

Welp,

Sadly I have to say…

:man_shrugging:

Fixed it! Initially all was fine, but during testing I changed from libetoken.so to opensc-pkcs11.so, because I thought it would be the right one…
No askpass or anything else is needed, because the prompt should appear within the shell.

Use it manually:

ssh -I /usr/lib/pkcs11/libeToken.so user@server

OR forced by client config: ~/.ssh/config

PKCS11Provider /usr/lib/pkcs11/libeToken.so

Now just use ssh user@<server>

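The fix above came down to which library the `PKCS11Provider` line points at. As an added example (not part of any post in this thread), this shell function lists the provider each `Host` block of an ssh client config selects and flags library paths that do not exist; the function name and output format are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): report which PKCS#11 provider each
# Host block of an ssh client config selects, and whether that library exists.
# Output: one "host-pattern<TAB>provider<TAB>OK|MISSING" line per directive.
# Returns 0 if every provider file is readable, 1 if any is missing,
# 2 if the config file itself cannot be read.
audit_pkcs11_providers() {
    cfg="${1:-$HOME/.ssh/config}"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    rc=0
    pairs=$(awk '
        BEGIN { host = "(global)" }
        { sub(/^[ \t]+/, ""); sub(/[ \t]+$/, "") }
        /^#/ || /^$/ { next }
        {
            # ssh_config allows "Keyword value" and "Keyword=value"
            if (match($0, /^[A-Za-z0-9]+[ \t]*=[ \t]*/)) {
                kw = substr($0, 1, RLENGTH); sub(/[ \t]*=[ \t]*$/, "", kw)
                val = substr($0, RLENGTH + 1)
            } else {
                kw = $1; val = $0; sub(/^[^ \t]+[ \t]*/, "", val)
            }
            kw = tolower(kw); gsub(/"/, "", val)
            if (kw == "host") host = val
            else if (kw == "match") host = "Match " val
            else if (kw == "pkcs11provider") printf "%s\t%s\n", host, val
        }' "$cfg")
    [ -n "$pairs" ] || return 0
    tab=$(printf '\t')
    while IFS="$tab" read -r host lib; do
        [ "$lib" = none ] && continue   # "none" means no provider is used
        if [ -r "$lib" ]; then state=OK; else state=MISSING; rc=1; fi
        printf '%s\t%s\t%s\n' "$host" "$lib" "$state"
    done <<EOF
$pairs
EOF
    return $rc
}
```

For each provider reported OK, `ssh-keygen -D <path>` (as in the instructions further down the thread) lists the public keys the token exposes through that library.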

There are these :point_down: instructions as well:

# eToken for SSH
ssh-keygen -D libeToken.so.5
ssh -I libeToken.so.5 localhost
sftp -oPKCS11Provider=libeToken.so.5 localhost
	
# eToken for SSH agent
sudo mv /etc/xdg/autostart/gnome-keyring-ssh.desktop /etc/xdg/autostart/gnome-keyring-ssh.desktop.disabled
logout # for restarting ssh-agent
ssh-add ~/.ssh/id_???
ssh-add -s /usr/local/lib/libeToken.so.5
ssh-add -l

From:
