using a card i don't know everything about.


using a card i don't know everything about.

syrius.ml

Hi there.

I'm in a strange situation, my company has bought a smartcard system.
Unfortunately the system only works with windows terminals and I'd like
to use it to authenticate users on linux boxes.
I have installed the windows program and using a USB monitor I've
been able to find out some of the commands and where the basic
information is.

I know where the unique user id is stored. (I'm able to "read bin"
it using scriptor for example)
I also have dumps of the pin code verification. (it uses 04 20
but I guess I could verify it without secure messaging for a start)

I don't know exactly the content of the smartcard, and obviously I
don't want to change it since it's mainly used by some other windows
applications. (pretty sure I can't change it anyway)

I'd like to be able to allow users to log on (gdm) using their
card+pin_code.
(the userid on the card is a valid unique unix username. I'm already
using {pam,nss}-ldap)


How could I easily achieve that?
Quickly looking at muscleframework sources (and also at opensc) I
think I can adapt a card-driver. But before doing so, I prefer to ask
if a cleaner/easier solution may already exist.


Also, it seems the windows program uses the "select file key" command
(to authenticate the card if I understand correctly).
What do I need to know/find to be able to do the same under linux? (I
guess I'm lacking some crucial information/key here)

Any help would be greatly appreciated.

Thanks

--
_______________________________________________
Muscle mailing list
[hidden email]
http://lists.drizzle.com/mailman/listinfo/muscle

Re: using a card i don't know everything about.

Karsten Ohme
[hidden email] wrote:

> Hi there.
>
> I'm in a strange situation, my company has bought a smartcard system.
> Unfortunately the system only works with windows terminals and I'd like
> to use it to authenticate users on linux boxes.
> I have installed the windows program and using a USB monitor I've
> been able to find out some of the commands and where the basic
> information is.
>
> I know where the unique user id is stored. (I'm able to "read bin"
> it using scriptor for example)
> I also have dumps of the pin code verification. (it uses 04 20
> but I guess I could verify it without secure messaging for a start)
>
> I don't know exactly the content of the smartcard, and obviously I
> don't want to change it since it's mainly used by some other windows
> applications. (pretty sure I can't change it anyway)
>
> I'd like to be able to allow users to log on (gdm) using their
> card+pin_code.
> (the userid on the card is a valid unique unix username. I'm already
> using {pam,nss}-ldap)
>
>
> How could I easily achieve that?
> Quickly looking at muscleframework sources (and also at opensc) I
> think I can adapt a card-driver. But before doing so, I prefer to ask
> if a cleaner/easier solution may already exist.

You can take MusclePAM:

http://svn.debian.org/wsvn/muscleapps/trunk/MusclePAM/?rev=0&sc=0

and communicate with pcsc-lite to the card using your reengineered APDUs.

Karsten

>
>
> Also, it seems the windows program uses the "select file key" command
> (to authenticate the card if I understand correctly).
> What do I need to know/find to be able to do the same under linux? (I
> guess I'm lacking some crucial information/key here)
>
> Any help would be greatly appreciated.
>
> Thanks
>


Re: using a card i don't know everything about.

syrius.ml
Karsten Ohme <[hidden email]> writes:

Hi,

>> [...]
>> How could I easily achieve that?
>> Quickly looking at muscleframework sources (and also at opensc) I
>> think I can adapt a card-driver. But before doing so, I prefer to ask
>> if a cleaner/easier solution may already exist.
>
> You can take MusclePAM:
>
> http://svn.debian.org/wsvn/muscleapps/trunk/MusclePAM/?rev=0&sc=0
>
> and communicate with pcsc-lite to the card using your reengineered APDUs.

That means I should adapt one of the muscle plugins to use the correct
APDUs, doesn't it?
I'm a bit lost, especially with muscle.

Using opensc, it seems it would be easier to adapt a
card-something.c, but I'm not sure.

For a start, I'd like to be able to read the content of an elementary
file and use it as the login name, and then authenticate the user
against his ldap passwd.
(I guess that's the first step, the pin verification would be the next
step)



Re: using a card i don't know everything about.

Karsten Ohme
[hidden email] wrote:

> Karsten Ohme <[hidden email]> writes:
>
> Hi,
>
>
>>>[...]
>>>How could I easily achieve that?
>>>Quickly looking at muscleframework sources (and also at opensc) I
>>>think I can adapt a card-driver. But before doing so, I prefer to ask
>>>if a cleaner/easier solution may already exist.
>>
>>You can take MusclePAM:
>>
>>http://svn.debian.org/wsvn/muscleapps/trunk/MusclePAM/?rev=0&sc=0
>>
>>and communicate with pcsc-lite to the card using your reengineered APDUs.
>
>
> That means I should adapt one of the muscle plugins to use the correct
> APDUs, doesn't it?

No. You talk directly to your card with APDUs using SCardTransmit.

Karsten

> I'm a bit lost, especially with muscle.
>
> Using opensc, it seems it would be easier to adapt a
> card-something.c, but I'm not sure.
>
> For a start, I'd like to be able to read the content of an elementary
> file and use it as the login name, and then authenticate the user
> against his ldap passwd.
> (I guess that's the first step, the pin verification would be the next
> step)
>
>

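An added illustration of the "talk APDUs directly" approach for the first step the poster describes (SELECT the elementary file, READ BINARY its content, use it as the login name); this is example code written here, not code from the thread, MusclePAM or opensc. The transmit step is a function pointer so the block runs offline against a constructed fake card; in a real PAM module that pointer would wrap pcsc-lite's SCardTransmit(). The file id 0x0001, the 8-byte record and the name "jdoe" are assumptions, and the point a practitioner should not skip is that the status word is checked and the bytes are validated as a username before anything is handed to PAM.

```c
#include <ctype.h>
#include <stdint.h>
#include <string.h>
/* Transport hook: with pcsc-lite this would wrap SCardTransmit(); here it is a fake card. */
typedef int (*transmit_fn)(const uint8_t *cmd, size_t clen, uint8_t *rsp, size_t *rlen);
/* Constructed fake card: one EF holding "jdoe" padded with 0xFF (placeholder data). */
static const uint8_t FAKE_EF[8] = {'j', 'd', 'o', 'e', 0xFF, 0xFF, 0xFF, 0xFF};
static int fake_transmit(const uint8_t *cmd, size_t clen, uint8_t *rsp, size_t *rlen) {
    if (clen == 7 && cmd[1] == 0xA4) { rsp[0] = 0x90; rsp[1] = 0x00; *rlen = 2; return 0; } /* SELECT */
    if (clen == 5 && cmd[1] == 0xB0) {               /* READ BINARY, Le = cmd[4] (0 means 256) */
        size_t le = cmd[4] ? cmd[4] : 256;
        if (le > sizeof FAKE_EF) le = sizeof FAKE_EF;
        memcpy(rsp, FAKE_EF, le); rsp[le] = 0x90; rsp[le + 1] = 0x00; *rlen = le + 2;
        return 0;
    }
    rsp[0] = 0x6D; rsp[1] = 0x00; *rlen = 2; return 0; /* SW 6D00: INS not supported */
}
/* Status word = last two response bytes; only 9000 means the data may be trusted. */
static int sw_ok(const uint8_t *rsp, size_t rlen) {
    return rlen >= 2 && rsp[rlen - 2] == 0x90 && rsp[rlen - 1] == 0x00;
}
/* SELECT the EF by file id, then READ BINARY len bytes at offset 0; returns 1 on success. */
int read_ef(transmit_fn tx, uint16_t fid, uint8_t *out, size_t len) {
    uint8_t sel[7] = {0x00, 0xA4, 0x00, 0x00, 0x02, (uint8_t)(fid >> 8), (uint8_t)fid};
    uint8_t rdb[5] = {0x00, 0xB0, 0x00, 0x00, (uint8_t)len};
    uint8_t rsp[258]; size_t rlen = 0;
    if (tx(sel, sizeof sel, rsp, &rlen) != 0 || !sw_ok(rsp, rlen)) return 0;
    if (tx(rdb, sizeof rdb, rsp, &rlen) != 0 || !sw_ok(rsp, rlen) || rlen != len + 2) return 0;
    memcpy(out, rsp, len);
    return 1;
}
/* Card bytes become a login name only if they form a sane unix username (lowercase letters,
 * digits, '_' and '-', not starting with a digit or '-'); 0xFF/NUL/space padding ends the
 * name. Whether that user actually exists is left to NSS/LDAP, as in the poster's setup. */
int card_bytes_to_username(const uint8_t *raw, size_t len, char *user, size_t ulen) {
    size_t n = 0;
    for (; n < len && raw[n] != 0xFF && raw[n] != 0x00 && raw[n] != ' '; n++) {
        unsigned char c = raw[n];
        int ok = islower(c) || c == '_' || (n > 0 && (isdigit(c) || c == '-'));
        if (!ok || n + 1 >= ulen) return 0;
        user[n] = (char)c;
    }
    user[n] = '\0';
    return n > 0;
}
/* Whole flow against a card; FID 0x0001 is a placeholder, not the real card's file id. */
const char *login_name_from_card(transmit_fn tx) {
    static char user[32]; uint8_t raw[8];
    if (!read_ef(tx, 0x0001, raw, sizeof raw)) return NULL;
    return card_bytes_to_username(raw, sizeof raw, user, sizeof user) ? user : NULL;
}
```

The PIN step the poster mentions (VERIFY, INS 20) would be a further APDU sent through the same hook after the name has been read; with secure messaging (CLA 04) the command body must be protected according to the card's own scheme, which the dumps alone do not reveal.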