aptitude install libpam-pkcs11 opensc-pkcs11 pcscd
cp -r pam_pkcs11 /etc
vim /etc/pam_pkcs11/subject_mapping
pkcs11_inspect debug
can be used to output the Subject on the SSL certificate. put that in subject_mapping
you might want to use your own CA certificate.
WARNING: NEVER TURN OFF CA VERIFICATION IN /etc/pam_pkcs11/pam_pkcs11.conf
(cert_policy = none;
)
add this line to the relevant pam
files:
auth sufficient pam_pkcs11.so
pam.d/
includes examples.
ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
will load your smart card SSL certificate into ssh-agent
ssh-add -L
will then list it.
you can also use ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so user@host
yubico-piv-tool -s 9a --action generate -o public.pem
yubico-piv-tool -S "/CN=neoice.users.neoice.net/" -s 9a --action verify --action request-certificate -i public.pem
this magic ASN1 address is the "Microsoft Universal Principal Name", aka SSL_CLIENT_SAN_OTHER_msUPN_0
vault write pki-users/sign/users-neoice-net common_name="neoice.users.neoice.net" other_sans="1.3.6.1.4.1.311.20.2.3;utf8:neoice@neoice.net" csr=@req.csr
you can also load Smart Card support into Firefox
this magic can be used to authenticate against Gogs.
RequestHeader set X-WEBAUTH-USER %{SSL_CLIENT_SAN_OTHER_msUPN_0}e
RequestHeader edit X-WEBAUTH-USER "([^@]+)@.*" $1
you can use udev
to lock on device removal. you need to expose the serial number over the USB descriptor. TODO: provide instructions.
WARNING: launching tools that program the device will trigger a device removal. you might have to disable these rules. I've caused myself to loop.
TODO: more instructions, I don't want to troubleshoot your broken stuff.
you must use rdesktop
and you need this package too: libfreerdp-plugins-standard
example: rdesktop -r scard -g 1400x1200 -d REALM aa.bb.cc.dd