[CentOS] Smart cards, mostly solved

m.roth at 5-cent.us
Wed Dec 15 18:55:01 UTC 2010


So, it *seems* to be working, pretty much. I needed to install
opensc, openct, pcsc-lite, and pcsc-lite-openct; ctapi-common will be
installed as a dependency.

I *removed* coolkey and esc, which depended on it. 100% of the time, they
misidentified the new/current US federal ID PIV-II cards as coolkey cards,
and popped up this "phone home" window, then a "manage smartcards" window.

Without them, I also don't see an icon in the taskbar... but using ssh-add
(actually, my manager built openssh, opensc and openct from current
source, 5.4? 5.5?, and renamed stuff to piv-....), so I do piv-ssh-add -s
opensc-pkcs11.so, and it adds the card. Before you do that... configure
/etc/pam_pkcs11/pam_pkcs11.conf so that
      # Filename of the PKCS #11 module. The default value is "default"
      use_pkcs11_module = opensc;
and you may have to decide on a mapper. Then restart pcscd, and you should
be good to go.

At any rate, no wrong/confusing windows, and logins work. I do note that
if I try to use my regular password, I need to pull my card out of the
reader.

On a related note, from WinDoze, there's a version of putty that works
<http://www.risacher.org/putty-cac/putty-cac-experimental/windows/?C=N;O=D>.
Once installed, when you bring up the putty window, click on expand ssh,
then click on pkcs. The one thing needed is the right dll, which, if
you're running a 64 bit system, and using, say, ActivIdentity, is
c:\Program Files (x86)\ActivIdentity\ActivClient\acpkcs211.dll

MAKE SURE you get the right .dll; if you're running 32 bit, it will be the
other one.

          mark
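
One way to confirm the pam_pkcs11.conf setting described above before restarting pcscd, as an added example that is not part of the original post: it checks that the name given to use_pkcs11_module has a matching pkcs11_module block with a module path. The sample config and its module paths are constructed, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: consistency check for pam_pkcs11.conf module selection.

# Constructed sample config; module paths are placeholders, not from the post.
sample_conf() {
    cat <<'EOF'
pam_pkcs11 {
  # Filename of the PKCS #11 module. The default value is "default"
  # use_pkcs11_module = coolkey;
  use_pkcs11_module = opensc;

  pkcs11_module coolkey {
    module = libcoolkeypk11.so;
  }
  pkcs11_module opensc {
    module = /usr/lib64/opensc-pkcs11.so;
  }
}
EOF
}

# Print the value of the first uncommented use_pkcs11_module setting.
active_module() {
    sed -n -e 's/#.*//' \
        -e 's/^[[:space:]]*use_pkcs11_module[[:space:]]*=[[:space:]]*\([^;[:space:]]*\).*/\1/p' \
        "$1" | head -n 1
}

# Print the "module = <path>;" value from the "pkcs11_module <name> {" block.
module_path() {
    sed -e 's/#.*//' "$1" | awk -v name="$2" '
        $1 == "pkcs11_module" && $2 == name { inblock = 1; next }
        inblock && /}/ { exit }
        inblock && /^[ \t]*module[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]*;.*$/, ""); print; exit
        }'
}

# Succeed only if the selected module name has a block with a module path.
check_conf() {
    mod=$(active_module "$1")
    [ -n "$mod" ] || { echo "no use_pkcs11_module setting"; return 1; }
    path=$(module_path "$1" "$mod")
    [ -n "$path" ] || { echo "no pkcs11_module block for '$mod'"; return 1; }
    echo "$mod -> $path"
}

# Demo on the constructed sample config.
demo=$(mktemp) && sample_conf > "$demo" && check_conf "$demo"; rm -f "$demo"
```

To check a live system, call check_conf /etc/pam_pkcs11/pam_pkcs11.conf after sourcing the functions.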



