SSH authentication with the eID identity card under Linux

The eID identity card is essentially a standard PKCS#11 system. The only difference (compared to other eIDs, e.g. the Belgian one) is that the Slovak eID requires a login before the stored objects (certificates) can be listed. In the ssh client, however, this login is implemented incorrectly, so I had to write a patch (https://github.com/openssh/openssh-portable/pull/42/commits/d6be677d1befd84fdbef0259316ebf4383feef6c) that fixes this bug. For that reason we also have to compile our own version of the ssh client. If that has not put you off, let's get started. Hopefully it will eventually be fixed in the standard version as well; I have submitted a pull request.

It seems that after 2 years it has been fixed and will be in the official 8.0 release: https://bugzilla.mindrot.org/show_bug.cgi?id=2652#c24

Note: This guide assumes that your identity card with certificates is already activated and working.

Installing the eID client

1. In the first step we download the eID client for Linux from the ministry's website:
~/Apps/eID$ wget https://eidas.minv.sk/TCTokenService/download/linux/ubuntu/eidklient_amd64_ubuntu.tar.gz
--2016-05-30 17:23:16--  https://eidas.minv.sk/TCTokenService/download/linux/ubuntu/eidklient_amd64_ubuntu.tar.gz
Resolving eidas.minv.sk (eidas.minv.sk)... 213.81.171.180
Connecting to eidas.minv.sk (eidas.minv.sk)|213.81.171.180|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 12354224 (12M) [application/x-gzip]
Saving to: ‘eidklient_amd64_ubuntu.tar.gz’

eidklient_amd64_ubuntu.t 100%[===============================>]  11.78M   840KB/s    in 14s     

2016-05-30 17:23:30 (856 KB/s) - ‘eidklient_amd64_ubuntu.tar.gz’ saved [12354224/12354224]

2. Unpack it:

~/Apps/eID$ tar zxvf eidklient_amd64_ubuntu.tar.gz
eID_klient/
eID_klient/eIDklient_uninstall.sh
eID_klient/eidklient_amd64_ubuntu.deb
eID_klient/eIDklient_install.sh

3. And install it:

~/Apps/eID$ cd eID_klient/
~/Apps/eID/eID_klient$ ./eIDklient_install.sh
gdebi-core musí byť nainštalovaný
Inštalujem...
[sudo] password for danman:
Hit:1 http://ppa.launchpad.net/webupd8team/sublime-text-2/ubuntu xenial InRelease
Hit:2 http://cz.archive.ubuntu.com/ubuntu xenial InRelease
Hit:3 http://cz.archive.ubuntu.com/ubuntu xenial-updates InRelease
Get:4 http://cz.archive.ubuntu.com/ubuntu xenial-backports InRelease [92.2 kB]        
Get:5 http://cz.archive.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB]                   
Hit:6 http://nightly.apt.ring.cx/ubuntu_16.04 ring InRelease                                    
Fetched 187 kB in 0s (258 kB/s)                       
Reading package lists... Done
Building dependency tree       
Reading state information... Done
The following NEW packages will be installed:
  gdebi-core
0 upgraded, 1 newly installed, 0 to remove and 107 not upgraded.
Need to get 9,716 B of archives.
After this operation, 135 kB of additional disk space will be used.
Get:1 http://cz.archive.ubuntu.com/ubuntu xenial/main amd64 gdebi-core all 0.9.5.7ubuntu1 [9,716 B]
Fetched 9,716 B in 0s (106 kB/s)      
Selecting previously unselected package gdebi-core.
(Reading database ... 258232 files and directories currently installed.)
Preparing to unpack .../gdebi-core_0.9.5.7ubuntu1_all.deb ...
Unpacking gdebi-core (0.9.5.7ubuntu1) ...
Processing triggers for man-db (2.7.5-1) ...
Setting up gdebi-core (0.9.5.7ubuntu1) ...
Inštalujeme balík: eidklient_amd64_ubuntu.deb
Reading package lists... Done
Building dependency tree        
Reading state information... Done
Reading state information... Done
Requires the installation of the following packages: libccid pcscd

Aplikácia eID klient
 Klientská aplikácia pre Slovenský autentifikačný server
Do you want to install the software package? [y/N]:y
Get:1 http://cz.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 libccid amd64 1.4.22-1ubuntu0.1 [85.8 kB]
Get:2 http://cz.archive.ubuntu.com/ubuntu xenial/universe amd64 pcscd amd64 1.8.14-1ubuntu1 [55.5 kB]
Fetched 141 kB in 0s (0 B/s)                                                                    
Selecting previously unselected package libccid.
(Reading database ... 258246 files and directories currently installed.)
Preparing to unpack .../libccid_1.4.22-1ubuntu0.1_amd64.deb ...
Unpacking libccid (1.4.22-1ubuntu0.1) ...
Selecting previously unselected package pcscd.
Preparing to unpack .../pcscd_1.8.14-1ubuntu1_amd64.deb ...
Unpacking pcscd (1.8.14-1ubuntu1) ...
Processing triggers for man-db (2.7.5-1) ...
Processing triggers for ureadahead (0.100.0-19) ...
ureadahead will be reprofiled on next reboot
Processing triggers for systemd (229-4ubuntu4) ...
Setting up libccid (1.4.22-1ubuntu0.1) ...
Setting up pcscd (1.8.14-1ubuntu1) ...
Processing triggers for ureadahead (0.100.0-19) ...
Processing triggers for systemd (229-4ubuntu4) ...
Selecting previously unselected package eidklient.
(Reading database ... 258276 files and directories currently installed.)
Preparing to unpack eidklient_amd64_ubuntu.deb ...
Unpacking eidklient (1.9.1) ...
Setting up eidklient (1.9.1) ...

Installing the patched ssh client

1. Once we have the eID application installed, we clone ssh from my repository:

~/Apps/eID/eID_klient$ cd ..
~/Apps/eID$ git clone https://github.com/danielkucera/openssh-portable
Cloning into 'openssh-portable'...
remote: Counting objects: 47149, done.
remote: Total 47149 (delta 0), reused 0 (delta 0), pack-reused 47149
Receiving objects: 100% (47149/47149), 12.88 MiB | 196.00 KiB/s, done.
Resolving deltas: 100% (36907/36907), done.
Checking connectivity... done.

2. Prepare it for compilation:

~/Apps/eID$ cd openssh-portable/
~/Apps/eID/openssh-portable$ aclocal
~/Apps/eID/openssh-portable$ autoconf
~/Apps/eID/openssh-portable$ autoheader
~/Apps/eID/openssh-portable$ ./configure
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking build system type... x86_64-unknown-linux-gnu
checking host system type... x86_64-unknown-linux-gnu
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /bin/grep
checking for egrep... /bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
......
configure: creating ./config.status
config.status: creating Makefile
config.status: creating buildpkg.sh
config.status: creating opensshd.init
config.status: creating openssh.xml
config.status: creating openbsd-compat/Makefile
config.status: creating openbsd-compat/regress/Makefile
config.status: creating survey.sh
config.status: creating config.h

OpenSSH has been configured with the following options:
                     User binaries: /usr/local/bin
                   System binaries: /usr/local/sbin
               Configuration files: /usr/local/etc
                   Askpass program: /usr/local/libexec/ssh-askpass
                      Manual pages: /usr/local/share/man/manX
                          PID file: /var/run
  Privilege separation chroot path: /var/empty
            sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin
                    Manpage format: doc
                       PAM support: no
                   OSF SIA support: no
                 KerberosV support: no
                   SELinux support: no
                 Smartcard support:
                     S/KEY support: no
              MD5 password support: no
                   libedit support: no
  Solaris process contract support: no
           Solaris project support: no
         Solaris privilege support: no
       IP address in $DISPLAY hack: no
           Translate v4 in v6 hack: yes
                  BSD Auth support: no
              Random number source: OpenSSL internal ONLY
             Privsep sandbox style: seccomp_filter

              Host: x86_64-unknown-linux-gnu
          Compiler: gcc
    Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE
Preprocessor flags:
      Linker flags:  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie
         Libraries: -lcrypto -ldl -lutil -lz  -lcrypt -lresolv

3. If everything went OK and we see the output above, we compile (if not, install the missing libraries/binaries and repeat):

~/Apps/eID/openssh-portable$ make
...
gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE  -I. -I.  -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sftp-glob.c -o sftp-glob.o
gcc -o sftp progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o -L. -Lopenbsd-compat/  -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz  -lcrypt -lresolv

4. If the compilation finished without errors, we are ready to use it. We could also install the modified ssh into the system with make install, but I expect a fixed version will be released, so for now let's just use the binary from this directory, or adjust PATH or create an alias.

Initial configuration

Let's look at what is on the card (while working with the card, a dialog asking for the BOK, the card's personal security code, may pop up from time to time, so we dutifully enter it and continue):

$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -l --list-token-slots
Available slots:
Slot 0 (0x1): Alcor Micro AU9540 (vnet002) 00 00; SIG_ZEP
  manufacturer:  Plaut Slovensko, s.r.o.
  hardware ver:  0.0
  firmware ver:  0.0
  flags:         token present, removable device, hardware slot
  token label        : SIG_ZEP
  token manufacturer : Atos IT Solutions and Services
  token model        : CardOS V5.0
  token flags        : rng, login required, PIN initialized, PIN pad present, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 02034AFD00132232
Slot 1 (0x2): Alcor Micro AU9540 (vnet002) 00 00; SIG_EP
  manufacturer:  Plaut Slovensko, s.r.o.
  hardware ver:  0.0
  firmware ver:  0.0
  flags:         token present, removable device, hardware slot
  token label        : SIG_EP
  token manufacturer : Atos IT Solutions and Services
  token model        : CardOS V5.0
  token flags        : rng, login required, PIN initialized, PIN pad present, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 02034AFD00132232
error: PKCS11 function C_OpenSession failed: rv = CKR_SLOT_ID_INVALID (0x3)

Aborting.

So there are 2 slots on the card: the qualified electronic signature (SIG_ZEP) and the electronic signature (SIG_EP). Let's list the objects in both slots:

$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -l --list-objects --slot 1
Using slot with ID 0x1
Private Key Object; RSA
  label:      571cd7f3-0935-4218-b7cf-4b43af29d1bc
  ID:         32363061653832632d373331652d343637372d386461662d653462623132363935366165
  Usage:      decrypt, sign
  Access:     always authenticate
Certificate Object, type = X.509 cert
  label:      571cd7f3-0935-4218-b7cf-4b43af29d1bc
  ID:         32363061653832632d373331652d343637372d386461662d653462623132363935366165
$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -l --list-objects --slot 2
Using slot with ID 0x2
Private Key Object; RSA
  label:      7ee9e2d6-7ad1-4ad3-bafe-c15e9651b21d
  ID:         37646530313337612d363039342d343935612d613930302d363335393633366632633563
  Usage:      decrypt, sign
Private Key Object; RSA
  label:      60452c8e-5366-491b-86d6-a7f489ee3f7e
  ID:         30323561356232362d306664362d346430362d613238322d336530373834306164663066
  Usage:      decrypt, sign
Certificate Object, type = X.509 cert
  label:      7ee9e2d6-7ad1-4ad3-bafe-c15e9651b21d
  ID:         37646530313337612d363039342d343935612d613930302d363335393633366632633563
Certificate Object, type = X.509 cert
  label:      60452c8e-5366-491b-86d6-a7f489ee3f7e
  ID:         30323561356232362d306664362d346430362d613238322d336530373834306164663066

According to the listing there are 3 private keys on the card and 3 certificates belonging to them. Let's extract the public keys from the certificates in a form suitable for SSH (here the patched version of ssh is already required):

~/Apps/eID/openssh-portable$ ./ssh-keygen -D /usr/lib/eidklient/libpkcs11_sig_x64.so -e
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYoRA7CMaR2NmOiKuSZViPIc8T0zKJR661LCLpE6eh2z0R1LyUguG/1M2ce8T7vZ+LnorTJ4GnT5Mzgo9joJcZOjtGxf+4EBgNIKB3H+FTRhSeTQfWLQTFHWDPDvP+QWPtKuASDAhg1ej17D5BOyXU0TsKzAyYcCFTU9qYuAh8f6BPvxoNa/sduY4RQ0YFBHL4yiRnLb7XjwXAGDmYObVX1lM22FT3/m0ytsQ67DaPU3t73MuYyhoJLDBNoD+dR6fTVdetThbl/NM+1rwzn8XuoiJbnb5G9jxJvO8ostgpGhExYFX9RFGbeDta6Kri0uM6s2Zyit56RqlkCMnWrQvn
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCW4V3vZrj609EbI3lSHI/Ksf0UmMYzPbhpBYiGRsTyALK85Ijr0CbGOYHwSqOAFoEc6ZgL/w40ld2VrfF6rnwBiFeb+WEDo8o5GNRSVM2bmg3rZ+MYuiEGkNubCfe0R+Mf/tUZPUFZIPQeTq3fUPsCpTBCWRPkj9lNTt8OpnuBctdZwc3zxGi7rQsLFU29IYNMHWJpVevK+bQEtU0glQhkGnLbAA/p9XfghrEhAhz3uHSBI0PTRPeuweTefHVUpVrf9u3YBgDN2wapw9ykO6D93lvv4hN4202QzbjKXtymy3a9WVyuGnUTjyk7XKTbkvti64JSoJECAJY5slHVa3Q5gf
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYPIIzDCt8geOTVJyogcj2aSp9yT+0cRH4NxqUl/TiUvLK6ZqhfLsmR0X+BY0iV/z3TrImuEXXiVbmpqX7rlsBfmOhFmGzRKfVAJuV20Iy6ypToCZmwyVQ+GWkOWtCIj7FPZEitpWR3GcLPdChV3iORKv+GdfPHYuYX8lUGdHAn77/nHGxZPejEf8m/EAsrXIP+2+i/4G5WJtKrKCSEPV6/qkxvjgHMoiMJbmvxBin7nGOhwPRC8Hs5QT6LjZ083mGjoaUioCeu04+5r5edb5QIxCYv9q8Ephnj1wmHf4rHI9Ym5Jfctbhh5sTKXnHcbrUcX8b0KDjUckHaMLWSpsGJ

The first key comes from the certificate signed by ACA, the second by PCA and the third by SCA CA. More info here: https://www.slovensko.sk/sk/zep . ACA asks for the PIN every time, and even after entering the PIN, authentication to the server did not work for me, so it is not suitable for us. SCA and PCA, however, both worked. Their validity is equally 10 years from issue, so we can use either of them. I recommend saving the public keys somewhere (it does not need to be secure) so that we do not have to pull them from the card every time.

Allowing the card access to the server (adding the key)

This procedure is analogous to classic key-based authentication.

So we log in to the server (for now it asks for a password as usual):

~/Apps/eID/openssh-portable$ ./ssh -I /usr/lib/eidklient/libpkcs11_sig_x64.so user@moj.server.sk
user@moj.server.sk's password:
user@moj:~$ 

We add the public key from the card to the .ssh/authorized_keys file on the server:

user@moj:~$ vim ~/.ssh/authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYPIIzDCt8geOTVJyogcj2aSp9yT+0cRH4NxqUl/TiUvLK6ZqhfLsmR0X+BY0iV/z3TrImuEXXiVbmpqX7rlsBfmOhFmGzRKfVAJuV20Iy6ypToCZmwyVQ+GWkOWtCIj7FPZEitpWR3GcLPdChV3iORKv+GdfPHYuYX8lUGdHAn77/nHGxZPejEf8m/EAsrXIP+2+i/4G5WJtKrKCSEPV6/qkxvjgHMoiMJbmvxBin7nGOhwPRC8Hs5QT6LjZ083mGjoaUioCeu04+5r5edb5QIxCYv9q8Ephnj1wmHf4rHI9Ym5Jfctbhh5sTKXnHcbrUcX8b0KDjUckHaMLWSpsGJ

If the file did not exist before, we set the correct permissions on it:

user@moj:~$ chmod 600 ~/.ssh/authorized_keys

We log out and try to log in to the server again:

user@moj:~$ logout
Connection to moj.server.sk closed.
~/Apps/eID/openssh-portable$ ./ssh -I /usr/lib/eidklient/libpkcs11_sig_x64.so user@moj.server.sk
user@moj:~$

The reader blinks a few times and we are in! 🙂

If we do not want to type -I and the path to the library every time (I certainly don't) and we are not using an alias, we can add the following to our local ssh config:

$ vim ~/.ssh/config
PKCS11Provider /usr/lib/eidklient/libpkcs11_sig_x64.so
$ chmod 600 ~/.ssh/config
~/Apps/eID/openssh-portable$ ./ssh user@moj.server.sk
user@moj:~$

As you may have noticed in the picture, I am not using the reader that came with the identity card, so it should be possible to use any PC/SC-compatible reader (at least under Linux). If you liked the guide, click on my ad and/or leave a comment.

Happy logging in. 🙂

19 thoughts on "SSH authentication with the eID identity card under Linux"

    1. Sure, no problem. As long as there is no publicly available quantum computer, I pretty much trust asymmetric cryptography…

      1. I am not worried about quantum, but about whether the RSA private key was generated correctly. When someone hands you a ready-made one, you never know.

        1. I don't know which is worse: someone giving you a correctly generated private key, or someone simply giving you your private key. The worst is probably both together.

  1. Hi,
    on Fedora the Alcor Micro AU9540 embedded in my HP EliteBook doesn't work:

    00000004 eventhandler.c:333:EHStatusHandlerThread() Error communicating to: Alcor Micro AU9540 00 00
    00000008 ccid_usb.c:1213:InterruptRead() libusb_submit_transfer failed: -4
    00400283 ccid_usb.c:747:WriteUSB() write failed (1/8): -4 LIBUSB_ERROR_NO_DEVICE
    99999999 ccid_usb.c:1158:ControlUSB() control failed (1/10): -7 LIBUSB_ERROR_TIMEOUT
    00311552 commands.c:249:CmdPowerOn Card absent or mute
    00000058 ifdhandler.c:1206:IFDHPowerICC() PowerUp failed
    00000039 eventhandler.c:302:EHStatusHandlerThread() Error powering up card: 2148532246 0x80100016

    I see it works for you.
    Did you have to solve that powerup problem somehow, or did it work out of the box?

    Thanks,
    a.

  2. I was just about to write that the login doesn't work when I found out that the first key must not be listed in authorized_keys, otherwise the login hangs.
