eID obciansky je v podstate standardny pkcs11 system. Rozdiel (oproti inym eID – napr. belgickym) je len v tom, ze slovensky eID vyzaduje login pred vylistovanim ulozenych objektov (certifikatov). V ssh klientovi je vsak tento login nekorektne implementovany, takze som musel urobit patch (https://github.com/openssh/openssh-portable/pull/42/commits/d6be677d1befd84fdbef0259316ebf4383feef6c), ktory riesi tento bug . Z toho dovodu aj musime kompilovat vlastnu verziu ssh klienta. Ak Vas to neodradilo, podme na to. Dufajme, ze casom to bude opravene aj v standardnej verzii, pull request som zadal.
Zda sa, ze po 2 rokoch je to fixnute a bude to v oficialnom release 8.0: https://bugzilla.mindrot.org/show_bug.cgi?id=2652#c24
Poznamka: Tento postup predpoklada, ze obciansky s certifikatmi uz mate aktivovany a funkcny.
Instalacia eID klienta
- V prvom kroku si zo stranky ministerstva stiahneme eID klienta pre Linux:
~/Apps/eID$ wget https://eidas.minv.sk/TCTokenService/download/linux/ubuntu/eidklient_amd64_ubuntu.tar.gz --2016-05-30 17:23:16-- https://eidas.minv.sk/TCTokenService/download/linux/ubuntu/eidklient_amd64_ubuntu.tar.gz Resolving eidas.minv.sk (eidas.minv.sk)... 213.81.171.180 Connecting to eidas.minv.sk (eidas.minv.sk)|213.81.171.180|:443... connected. HTTP request sent, awaiting response... 200 OK Length: 12354224 (12M) [application/x-gzip] Saving to: ‘eidklient_amd64_ubuntu.tar.gz’ eidklient_amd64_ubuntu.t 100%[===============================>] 11.78M 840KB/s in 14s 2016-05-30 17:23:30 (856 KB/s) - ‘eidklient_amd64_ubuntu.tar.gz’ saved [12354224/12354224]
2. rozbalime ho
~/Apps/eID$ tar zxvf eidklient_amd64_ubuntu.tar.gz eID_klient/ eID_klient/eIDklient_uninstall.sh eID_klient/eidklient_amd64_ubuntu.deb eID_klient/eIDklient_install.sh
3. a nainstalujeme
~/Apps/eID$ cd eID_klient/ ~/Apps/eID/eID_klient$ ./eIDklient_install.sh gdebi-core musí byť nainštalovaný Inštalujem... [sudo] password for danman: Hit:1 http://ppa.launchpad.net/webupd8team/sublime-text-2/ubuntu xenial InRelease Hit:2 http://cz.archive.ubuntu.com/ubuntu xenial InRelease Hit:3 http://cz.archive.ubuntu.com/ubuntu xenial-updates InRelease Get:4 http://cz.archive.ubuntu.com/ubuntu xenial-backports InRelease [92.2 kB] Get:5 http://cz.archive.ubuntu.com/ubuntu xenial-security InRelease [94.5 kB] Hit:6 http://nightly.apt.ring.cx/ubuntu_16.04 ring InRelease Fetched 187 kB in 0s (258 kB/s) Reading package lists... Done Building dependency tree Reading state information... Done The following NEW packages will be installed: gdebi-core 0 upgraded, 1 newly installed, 0 to remove and 107 not upgraded. Need to get 9,716 B of archives. After this operation, 135 kB of additional disk space will be used. Get:1 http://cz.archive.ubuntu.com/ubuntu xenial/main amd64 gdebi-core all 0.9.5.7ubuntu1 [9,716 B] Fetched 9,716 B in 0s (106 kB/s) Selecting previously unselected package gdebi-core. (Reading database ... 258232 files and directories currently installed.) Preparing to unpack .../gdebi-core_0.9.5.7ubuntu1_all.deb ... Unpacking gdebi-core (0.9.5.7ubuntu1) ... Processing triggers for man-db (2.7.5-1) ... Setting up gdebi-core (0.9.5.7ubuntu1) ... Inštalujeme balík: eidklient_amd64_ubuntu.deb Reading package lists... Done Building dependency tree Reading state information... Done Reading state information... Done Requires the installation of the following packages: libccid pcscd Aplikácia eID klient Klientská aplikácia pre Slovenský autentifikačný server Do you want to install the software package? [y/N]:y Get:1 http://cz.archive.ubuntu.com/ubuntu xenial-updates/universe amd64 libccid amd64 1.4.22-1ubuntu0.1 [85.8 kB] Get:2 http://cz.archive.ubuntu.com/ubuntu xenial/universe amd64 pcscd amd64 1.8.14-1ubuntu1 [55.5 kB] Fetched 141 kB in 0s (0 B/s) Selecting previously unselected package libccid. (Reading database ... 258246 files and directories currently installed.) Preparing to unpack .../libccid_1.4.22-1ubuntu0.1_amd64.deb ... Unpacking libccid (1.4.22-1ubuntu0.1) ... Selecting previously unselected package pcscd. Preparing to unpack .../pcscd_1.8.14-1ubuntu1_amd64.deb ... Unpacking pcscd (1.8.14-1ubuntu1) ... Processing triggers for man-db (2.7.5-1) ... Processing triggers for ureadahead (0.100.0-19) ... ureadahead will be reprofiled on next reboot Processing triggers for systemd (229-4ubuntu4) ... Setting up libccid (1.4.22-1ubuntu0.1) ... Setting up pcscd (1.8.14-1ubuntu1) ... Processing triggers for ureadahead (0.100.0-19) ... Processing triggers for systemd (229-4ubuntu4) ... Selecting previously unselected package eidklient. (Reading database ... 258276 files and directories currently installed.) Preparing to unpack eidklient_amd64_ubuntu.deb ... Unpacking eidklient (1.9.1) ... Setting up eidklient (1.9.1) ...
Instalacia opatchovaneho ssh klienta
1. ked mame eID aplikaciu nainstalovanu, naklonujeme si ssh z mojho repozitara
~/Apps/eID/eID_klient$ cd .. ~/Apps/eID$ git clone https://github.com/danielkucera/openssh-portable Cloning into 'openssh-portable'... remote: Counting objects: 47149, done. remote: Total 47149 (delta 0), reused 0 (delta 0), pack-reused 47149 Receiving objects: 100% (47149/47149), 12.88 MiB | 196.00 KiB/s, done. Resolving deltas: 100% (36907/36907), done. Checking connectivity... done.
2. pripravime ho na kompilaciu
~/Apps/eID$ cd openssh-portable/ ~/Apps/eID/openssh-portable$ aclocal ~/Apps/eID/openssh-portable$ autoconf ~/Apps/eID/openssh-portable$ autoheader ~/Apps/eID/openssh-portable$ ./configure checking for gcc... gcc checking whether the C compiler works... yes checking for C compiler default output file name... a.out checking for suffix of executables... checking whether we are cross compiling... no checking for suffix of object files... o checking whether we are using the GNU C compiler... yes checking whether gcc accepts -g... yes checking for gcc option to accept ISO C89... none needed checking build system type... x86_64-unknown-linux-gnu checking host system type... x86_64-unknown-linux-gnu checking how to run the C preprocessor... gcc -E checking for grep that handles long lines and -e... /bin/grep checking for egrep... /bin/grep -E checking for ANSI C header files... yes checking for sys/types.h... yes checking for sys/stat.h... yes checking for stdlib.h... yes checking for string.h... yes checking for memory.h... yes checking for strings.h... yes ...... configure: creating ./config.status config.status: creating Makefile config.status: creating buildpkg.sh config.status: creating opensshd.init config.status: creating openssh.xml config.status: creating openbsd-compat/Makefile config.status: creating openbsd-compat/regress/Makefile config.status: creating survey.sh config.status: creating config.h OpenSSH has been configured with the following options: User binaries: /usr/local/bin System binaries: /usr/local/sbin Configuration files: /usr/local/etc Askpass program: /usr/local/libexec/ssh-askpass Manual pages: /usr/local/share/man/manX PID file: /var/run Privilege separation chroot path: /var/empty sshd default user PATH: /usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin Manpage format: doc PAM support: no OSF SIA support: no KerberosV support: no SELinux support: no Smartcard support: S/KEY support: no MD5 password support: no libedit support: no Solaris process contract support: no Solaris project support: no Solaris privilege support: no IP address in $DISPLAY hack: no Translate v4 in v6 hack: yes BSD Auth support: no Random number source: OpenSSL internal ONLY Privsep sandbox style: seccomp_filter Host: x86_64-unknown-linux-gnu Compiler: gcc Compiler flags: -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE Preprocessor flags: Linker flags: -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie Libraries: -lcrypto -ldl -lutil -lz -lcrypt -lresolv
6. ak vsetko dopadlo OK a vidime vypis vyssie, ideme kompilovat (ak nie, treba doinstalovat chybajuce kniznice/binarky a opakovat)
~/Apps/eID/openssh-portable$ make ... gcc -g -O2 -Wall -Wpointer-arith -Wuninitialized -Wsign-compare -Wformat-security -Wsizeof-pointer-memaccess -Wno-pointer-sign -Wno-unused-result -fno-strict-aliasing -D_FORTIFY_SOURCE=2 -ftrapv -fno-builtin-memset -fstack-protector-strong -fPIE -I. -I. -DSSHDIR=\"/usr/local/etc\" -D_PATH_SSH_PROGRAM=\"/usr/local/bin/ssh\" -D_PATH_SSH_ASKPASS_DEFAULT=\"/usr/local/libexec/ssh-askpass\" -D_PATH_SFTP_SERVER=\"/usr/local/libexec/sftp-server\" -D_PATH_SSH_KEY_SIGN=\"/usr/local/libexec/ssh-keysign\" -D_PATH_SSH_PKCS11_HELPER=\"/usr/local/libexec/ssh-pkcs11-helper\" -D_PATH_SSH_PIDDIR=\"/var/run\" -D_PATH_PRIVSEP_CHROOT_DIR=\"/var/empty\" -DHAVE_CONFIG_H -c sftp-glob.c -o sftp-glob.o gcc -o sftp progressmeter.o sftp.o sftp-client.o sftp-common.o sftp-glob.o -L. -Lopenbsd-compat/ -Wl,-z,relro -Wl,-z,now -Wl,-z,noexecstack -fstack-protector-strong -pie -lssh -lopenbsd-compat -lcrypto -ldl -lutil -lz -lcrypt -lresolv
7. Ak kompilacia skoncila bez chyby, sme pripraveni na pouzivanie. Mohli by sme sice este upravene ssh nainstalovat do systemu cez make install ale predpokladam, ze bude vydana opravena verzia, tazke zatial len pouzivajme binarku z tohoto priecinka, pripadne si upravme PATH alebo spravme alias
Prvotna konfiguracia
Pozrime sa co mame na karte (pri praci s kartou nam semtam moze vyskocit tabulka na zadanie BOK
, takze ho poslusne zadame a pokracujeme):
$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -l --list-token-slots Available slots: Slot 0 (0x1): Alcor Micro AU9540 (vnet002) 00 00; SIG_ZEP manufacturer: Plaut Slovensko, s.r.o. hardware ver: 0.0 firmware ver: 0.0 flags: token present, removable device, hardware slot token label : SIG_ZEP token manufacturer : Atos IT Solutions and Services token model : CardOS V5.0 token flags : rng, login required, PIN initialized, PIN pad present, token initialized hardware version : 0.0 firmware version : 0.0 serial num : 02034AFD00132232 Slot 1 (0x2): Alcor Micro AU9540 (vnet002) 00 00; SIG_EP manufacturer: Plaut Slovensko, s.r.o. hardware ver: 0.0 firmware ver: 0.0 flags: token present, removable device, hardware slot token label : SIG_EP token manufacturer : Atos IT Solutions and Services token model : CardOS V5.0 token flags : rng, login required, PIN initialized, PIN pad present, token initialized hardware version : 0.0 firmware version : 0.0 serial num : 02034AFD00132232 error: PKCS11 function C_OpenSession failed: rv = CKR_SLOT_ID_INVALID (0x3) Aborting.
Na karte teda mame tam 2 sloty: zaruceny el. podpis a el. podpis. Vylistujeme si objekty v oboch slotoch:
$ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -l --list-objects --slot 1 Using slot with ID 0x1 Private Key Object; RSA label: 571cd7f3-0935-4218-b7cf-4b43af29d1bc ID: 32363061653832632d373331652d343637372d386461662d653462623132363935366165 Usage: decrypt, sign Access: always authenticate Certificate Object, type = X.509 cert label: 571cd7f3-0935-4218-b7cf-4b43af29d1bc ID: 32363061653832632d373331652d343637372d386461662d653462623132363935366165 $ pkcs11-tool -vvv --module /usr/lib/eidklient/libpkcs11_sig_x64.so -l --list-objects --slot 2 Using slot with ID 0x2 Private Key Object; RSA label: 7ee9e2d6-7ad1-4ad3-bafe-c15e9651b21d ID: 37646530313337612d363039342d343935612d613930302d363335393633366632633563 Usage: decrypt, sign Private Key Object; RSA label: 60452c8e-5366-491b-86d6-a7f489ee3f7e ID: 30323561356232362d306664362d346430362d613238322d336530373834306164663066 Usage: decrypt, sign Certificate Object, type = X.509 cert label: 7ee9e2d6-7ad1-4ad3-bafe-c15e9651b21d ID: 37646530313337612d363039342d343935612d613930302d363335393633366632633563 Certificate Object, type = X.509 cert label: 60452c8e-5366-491b-86d6-a7f489ee3f7e ID: 30323561356232362d306664362d346430362d613238322d336530373834306164663066
Podla vypisu mame na karte 3 privatne kluce a 3 certifikaty k nim. Podme ziskat verejne kluce z certifikatov vo forme vhodnej pre SSH (tu uz treba pouzit opatchovanu verziu ssh):
~/Apps/eID/openssh-portable$ ./ssh-keygen -D /usr/lib/eidklient/libpkcs11_sig_x64.so -e ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYoRA7CMaR2NmOiKuSZViPIc8T0zKJR661LCLpE6eh2z0R1LyUguG/1M2ce8T7vZ+LnorTJ4GnT5Mzgo9joJcZOjtGxf+4EBgNIKB3H+FTRhSeTQfWLQTFHWDPDvP+QWPtKuASDAhg1ej17D5BOyXU0TsKzAyYcCFTU9qYuAh8f6BPvxoNa/sduY4RQ0YFBHL4yiRnLb7XjwXAGDmYObVX1lM22FT3/m0ytsQ67DaPU3t73MuYyhoJLDBNoD+dR6fTVdetThbl/NM+1rwzn8XuoiJbnb5G9jxJvO8ostgpGhExYFX9RFGbeDta6Kri0uM6s2Zyit56RqlkCMnWrQvn ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCW4V3vZrj609EbI3lSHI/Ksf0UmMYzPbhpBYiGRsTyALK85Ijr0CbGOYHwSqOAFoEc6ZgL/w40ld2VrfF6rnwBiFeb+WEDo8o5GNRSVM2bmg3rZ+MYuiEGkNubCfe0R+Mf/tUZPUFZIPQeTq3fUPsCpTBCWRPkj9lNTt8OpnuBctdZwc3zxGi7rQsLFU29IYNMHWJpVevK+bQEtU0glQhkGnLbAA/p9XfghrEhAhz3uHSBI0PTRPeuweTefHVUpVrf9u3YBgDN2wapw9ykO6D93lvv4hN4202QzbjKXtymy3a9WVyuGnUTjyk7XKTbkvti64JSoJECAJY5slHVa3Q5gf ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYPIIzDCt8geOTVJyogcj2aSp9yT+0cRH4NxqUl/TiUvLK6ZqhfLsmR0X+BY0iV/z3TrImuEXXiVbmpqX7rlsBfmOhFmGzRKfVAJuV20Iy6ypToCZmwyVQ+GWkOWtCIj7FPZEitpWR3GcLPdChV3iORKv+GdfPHYuYX8lUGdHAn77/nHGxZPejEf8m/EAsrXIP+2+i/4G5WJtKrKCSEPV6/qkxvjgHMoiMJbmvxBin7nGOhwPRC8Hs5QT6LjZ083mGjoaUioCeu04+5r5edb5QIxCYv9q8Ephnj1wmHf4rHI9Ym5Jfctbhh5sTKXnHcbrUcX8b0KDjUckHaMLWSpsGJ
Prvy kluc je z certifikatu podpisaneho ACA, duhy PCA a treti SCA CA. Viac info tu: https://www.slovensko.sk/sk/zep . ACA si zakazdym vyzaduje zadanie pinu a ani po zadani pinu mi autentifikacia na server nefunfovala, takze pre nas nie je vhodny. SCA a PCA vsak fungovali. Ich platnost je rovnako 10 rokov od vydania, takze mozme pouzit ktorykolvek z nich. Verejne kluce si odporucam niekam ulozit (netreba bezpecne) aby sme ich zakazdym nemuseli vytahovat z karty.
Povolenie pristupu danej karty na server (pridanie kluca)
Tento postup je obdobny ako pri klasickej klucovej autentifikacii.
Prihlasime sa teda na server (zatial si standardne vypyta heslo):
~/Apps/eID/openssh-portable$ ./ssh -I /usr/lib/eidklient/libpkcs11_sig_x64.so user@moj.server.sk user@moj.server.sk's password: user@moj:~$
Do suboru .ssh/authorized_keys na serveri pridame verejny kluc z karty:
user@moj:~$ vim ~/.ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCYPIIzDCt8geOTVJyogcj2aSp9yT+0cRH4NxqUl/TiUvLK6ZqhfLsmR0X+BY0iV/z3TrImuEXXiVbmpqX7rlsBfmOhFmGzRKfVAJuV20Iy6ypToCZmwyVQ+GWkOWtCIj7FPZEitpWR3GcLPdChV3iORKv+GdfPHYuYX8lUGdHAn77/nHGxZPejEf8m/EAsrXIP+2+i/4G5WJtKrKCSEPV6/qkxvjgHMoiMJbmvxBin7nGOhwPRC8Hs5QT6LjZ083mGjoaUioCeu04+5r5edb5QIxCYv9q8Ephnj1wmHf4rHI9Ym5Jfctbhh5sTKXnHcbrUcX8b0KDjUckHaMLWSpsGJ
Ak subor predtym neexistoval, nastavime korektne opravnenia:
user@moj:~$ chmod 600 ~/.ssh/config
Odhlasime sa a skusime sa prihlasit na server znovu:
user@moj:~$ logout Connection to moj.server.sk closed. ~/Apps/eID/openssh-portable$ ./ssh -I /usr/lib/eidklient/libpkcs11_sig_x64.so user@moj.server.sk user@moj:~$
Citacka par krat zablika a sme tam! 🙂
Ak sa nam nechce zakazdym vypisovat -I a cestu k libke (mne sa teda nechce) a nepouzivame alias, mozeme si pridat do lokalneho ssh configu nasledovne:
$ vim ~/.ssh/config PKCS11Provider /usr/lib/eidklient/libpkcs11_sig_x64.so $ chmod 600 ~/.ssh/config ~/Apps/eID/openssh-portable$ ./ssh user@moj.server.sk user@moj:~$
Ako ste si mohli vsimnut na obrazku, nepouzivam citacku co bola k obcianskemu, takze by malo byt mozne pouzit akukolvek PC/SC kompatibilnu citacku (aspon pod linuxom). Ak sa Vam navod pacil, kliknite mi na reklamu a/alebo napiste komentar.
Prajem prijemne prihlasovanie. 🙂
Super blog, avsak ako uzivatel Archu na mna ministerstvo s eID appkou nemyslelo :-/
skusal si rozbalit ten deb balicek a nakopirovat si ho rucne do systemu?
No vsak nic ine mi neostavalo, len to manualne nakopirovat a poriesit zavislosti….
Ak sa na to citis, mozes spravit balicek do AUR 🙂
Ani nie 😀 Linux je iba take moje hobby. Rad to prenecham skusenym borcom 😉
To su Tvoje vlastne kluce? Dovolil som si ich poslat na analyzu, zatial vsetko OK.
http://phuctor.nosuchlabs.com/gpgkey/4222B8F63EF091A0CD257743909482862B9D7D34A7FD4E635A71C9471097BEEA
http://phuctor.nosuchlabs.com/gpgkey/1E9023E8A70C6DBE5F5E5D7A9C3F1A736F4A7D723FDFF54190662C3ED1277F2A
http://phuctor.nosuchlabs.com/gpgkey/F6D31F1D93B59CE593B403B4A10B5A916BFFF2CECE2737CE593B856DE49C6E1C
Jasne, v pohode. Zakial nieje verejne dostupny kvantovy pocitac tak asymetrickej kryptografii celkom verim…
Kvantove neriesim, ale to ci bol RSA privatny kluc vygenerovany korektne. Ked ti ho niekto da hotovy tak nikdy nevies.
Neviem ci je horsie ze ti niekto da privatny kluc vygenerovany korektne, alebo ze ti niekto uz len da tvoj privatny kluc. Najhorsie je to asi dokopy.
Ahoj,
na fedore mi nefunguje do HP EliteBooku embednuty Alcor Micro AU9540:
00000004 eventhandler.c:333:EHStatusHandlerThread() Error communicating to: Alcor Micro AU9540 00 00
00000008 ccid_usb.c:1213:InterruptRead() libusb_submit_transfer failed: -4
00400283 ccid_usb.c:747:WriteUSB() write failed (1/8): -4 LIBUSB_ERROR_NO_DEVICE
99999999 ccid_usb.c:1158:ControlUSB() control failed (1/10): -7 LIBUSB_ERROR_TIMEOUT
00311552 commands.c:249:CmdPowerOn Card absent or mute
00000058 ifdhandler.c:1206:IFDHPowerICC() PowerUp failed
00000039 eventhandler.c:302:EHStatusHandlerThread() Error powering up card: 2148532246 0x80100016
Pozeram ze Tebe funguje.
Riesil si tam nejako ten powerup problem alebo to islo out-of-the-box?
Vdaka,
a.
a dal si tam tu kartu spravnym smerom?
ked das pcsc_scan tak vidi tu kartu?
Posielal už niekto ten patch to upstreamu?
Please read https://www.openssh.com/report.html for bug reporting instructions and note that we do not use Github for bug reporting or patch/pull-request management.
Ja som posielal pull cez github ale nevedel som ze maju taketo pravidla.
Aha. Majú to napísane rovno v druhom odstavci na https://github.com/openssh/openssh-portable
Ale tiež som si to všimol až teraz, keď som začal hľadať tú zmenu a proste nič som nenašiel, iba ten pull request bez odpovede… a informáciu že github nepoužívajú.
Ideš to poslať do ich bugzilly?
Tak som to postol, uvidime…. https://bugzilla.mindrot.org/show_bug.cgi?id=2652
Super. Dúfam, že im to už bude stačiť.
No tak po 2 rokoch sa zda ze to je fixnute a bude to v oficialnom release 8.0: https://bugzilla.mindrot.org/show_bug.cgi?id=2652#c24
Uz-uz som sa chystal napisat, ze prihlasenie nefunguje ked som zistil, ze ten prvy kluc nesmie byt uvedeny v authorized_keys, inak sa prihlasenie sekne.
Kym patch nie je akceptovany, vzhladom na najdene zranitelnosti v openssh odporucam pred (re)buildom zosynchronizovat zmeny z oficialneho repozitara:
git clone https://github.com/danielkucera/openssh-portable
cd openssh-portable
git remote add official https://github.com/openssh/openssh-portable.git
git pull official master
# potvrdit merge
aclocal
autoconf
./configure
make