[CentOS] Smart cards, mostly solved

Wed Dec 15 19:21:57 UTC 2010
m.roth at 5-cent.us <m.roth at 5-cent.us>

Jason Pyeron wrote:
>> [mailto:centos-bounces at centos.org] On Behalf Of m.roth at 5-cent.us
>> So, it *seems* to be working, pretty much. I needed to
>> install opensc, openct pcsc-lite, pcsc-lite-openct, and
>> ctapi-common will be installed as a dependency.
> Awesome.

Glad to help. Don't see any reason for anyone else to tear out their hair,
when there's a solution. Esp. given that this is a) all open source, and
b) I work for a federal contractor, this is defined as public domain info.
>> I *removed* coolkey and esc, which depended on it. 100% of
>> the time, they misidentifed the new/current US federal ID
>> PIV-II cards as coolkey cards, and popped up this "phone
>> home" window, then a "manage smartcards" window.
>> Without them, I also don't see an icon in the taskbar... but
>> using ssh-add (actually, my manager built openssh, opensc and
>> openct from current source, 5.4? 5.5?, and renamed stuff to
>> piv-....), so I do piv-ssh-add -s opensc-pkcs11.so, and it
>> adds the card. Before you do that... configure
>> /etc/pam_pkcs11/pam_pkcs11.conf so that # Filename of the
>> PKCS #11 module. The default value is "default"
>>       use_pkcs11_module = opensc;
>> and you may have to decide on a mapper. Then restart pcscd,
>> and you should be good to go.
>> At any rate, no wrong/confusing windows, and logins work. I
>> do note that if I try to use my regular password, I need to
>> pull my card out of the reader.
> I am going to try to duplicate this. With my CAC I got in October (should
> be a PIV II).

Try this, once you've got the reader plugged in, and pcscd running:

To list all the public certificates on a PIV card do

pkcs15-tool --list-public-keys

At this point, there are websites out there with more info on cert
extraction and installation. Note that your security org should have a CA
cert that you'll need to install.

>> On a related note, from WinDoze, there's a version of putty
>> that works
>> <http://www.risacher.org/putty-cac/putty-cac-experimental/wind
> ows/?C=N;O=D>.
>> Once installed, when you bring up the putty window, click on
>> expand ssh, then click on pkcs. The one thing needed is the
>> right dll, which, if you're running a 64 bit system, and
>> using, say, ActivIdentity, c:\Program Files
>> (x86)\ActivIdentity\ActivClient\acpkcs211.dll
>> MAKE SURE you get the right .dll; if you're running 32 bit,
>> it will be the other one.
> Going to try this right now.
Good luck.