stafwag Blog

staf wagemakers blog

Starting to Protect My Private Keys With SmartCard-Hsm

I still have too many private keys on a local filesystem, I started to use the yubikey neo for my ssh authentication. Mainly because the nice formfactor of the yubikey.

For my other private keys/data I was looking for something cheeper since I need to have a backup of my secured data so I bought a few Smartcard-HSM smartcards they cost 16 € each while a yubi-key neo cost 54 € at amazon.de

Preparing Backup and Restore

The Smartcard-HSM has a backup/restore functionality this needs to be enabled before any keys are generated on the HSM.

To store our Device Key Encryption Key (DKEK) securely we need a safe place, we’ll use an ecrypted usb stick.

It'is possible to configure multiple DKEK shares e.g. you will need multiple keys to perform a backup restore you might want to store these DKEK shares over multiple (encrypted) USB sticks/people.

If you want to create a backup of your DKEK shares we need to store at least two encrypted USB sticks.

For the convenience we’ll store all DKEK shares on 1 encrypted USB stick in the example below you should executed it on an secured computer.

Install opensc

1
2
3
4
5
6
7
staf@vicky ~]$ sudo dnf install opensc
Last metadata expiration check performed 0:23:14 ago on Wed Nov 11 14:47:21 2015.
Package opensc-0.15.0-2.fc23.x86_64 is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!
[staf@vicky ~]$ 

Create an encrypted USB key stick

Write random data to the USB stick

1
2
3
4
5
6
7
[staf@vicky ~]$ sudo dd if=/dev/urandom of=/dev/sdn bs=1024
[sudo] password for staf:                                                                                      
dd: error writing ‘/dev/sdn’: No space left on device                                                          
4029441+0 records in                                                                                           
4029440+0 records out                                                                                          
4126146560 bytes (4.1 GB) copied, 1280.14 s, 3.2 MB/s                                                          
[staf@vicky ~]$ 

luksFormat

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[staf@vicky ~]$ sudo cryptsetup luksFormat --cipher serpent-cbc-essiv:sha256 --key-size 256 /dev/sdn

WARNING!
========
This will overwrite data on /dev/sdn irrevocably.

Are you sure? (Type uppercase yes): YES
Enter passphrase: 
Verify passphrase: 
[staf@vicky ~]$ sudo cry
cryptoflex-tool  cryptsetup       crywrap          
[staf@vicky ~]$ sudo cryptsetup luksOpen /dev/sdn myprivatedata
Enter passphrase for /dev/sdn: 
[staf@vicky ~]$ 

luksOpen

1
2
3
[staf@vicky ~]$ sudo cryptsetup luksOpen /dev/sdn myprivatedata
Enter passphrase for /dev/sdn: 
[staf@vicky ~]$ 

mkfs

1
2
3
4
5
6
7
8
9
10
11
12
13
[staf@vicky ~]$ sudo mkfs.ext4 /dev/mapper/myprivatedata
mke2fs 1.42.13 (17-May-2015)
Creating filesystem with 1007360 4k blocks and 251968 inodes
Filesystem UUID: 49390936-49e3-4606-abf2-567c3f5b50e1
Superblock backups stored on blocks: 
        32768, 98304, 163840, 229376, 294912, 819200, 884736

Allocating group tables: done                            
Writing inode tables: done                            
Creating journal (16384 blocks): done
Writing superblocks and filesystem accounting information: done 

[staf@vicky ~]$ 

Verify the encrypted USB stick

To verify that the USB stick is encrypted and we can’t mount without typing our passphrase we’ll close the luks device and mount it.

luksClose

1
2
3
[staf@vicky ~]$ sudo cryptsetup luksClose myprivatedata
[sudo] password for staf: 
[staf@vicky ~]$ 

Try to mount it without luksOpen

1
2
3
[staf@vicky ~]$ sudo mount /dev/sdn /mnt
mount: unknown filesystem type 'crypto_LUKS'
[staf@vicky ~]$ 

Mount it with luksOpen / mount

1
2
3
4
[staf@vicky ~]$ sudo cryptsetup luksOpen /dev/sdn myhsm_dkek
Enter passphrase for /dev/sdn: 
[staf@vicky ~]$ sudo mount /dev/mapper/myhsm_dkek /mnt
[staf@vicky ~]$ 

update the ownership

Update the usb stick ownership

1
2
3
[staf@vicky mnt]$ sudo chown staf:staf .
[sudo] password for staf: 
[staf@vicky mnt]$ 

SmartCard initialization

pcsc_scan

start the pcscd service

Start/enable the pcscd service if didn’t enable it before

1
2
3
4
5
root@vicky ~]# systemctl list-unit-files -t service | grep pcscd
pcscd.service                               static  
[root@vicky ~]# systemctl start pcscd
[root@vicky ~]# systemctl enable pcscd
[root@vicky ~]# 

run pcsc_scan

Insert the smartcard into the read, run pcsc_scan to verify that you see the smartcard

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
[staf@vicky mnt]$ pcsc_scan                    
PC/SC device scanner
V 1.4.23 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.13
Using reader plug'n play mechanism
Scanning present readers...
0: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00

Wed Nov 11 10:58:59 2015
Reader 0: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
  Card state: Card inserted, 
  ATR: 3B FE 18 00 00 81 31 FE 45 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 FA

ATR: 3B FE 18 00 00 81 31 FE 45 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 FA
+ TS = 3B --> Direct Convention
+ T0 = FE, Y(1): 1111, K: 14 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s                                                     
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
+ Historical bytes: 80 31 81 54 48 53 4D 31 73 80 21 40 81 07
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: 81
        - Application selection: by full DF name
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card without MF
    Tag: 5, len: 4 (card issuer's data)
      Card issuer data: 48 53 4D 31
    Tag: 7, len: 3 (card capabilities)
      Selection methods: 80
        - DF selection by full DF name
      Data coding byte: 21
        - Behaviour of write functions: proprietary
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: 40
        - Extended Lc and Le fields
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 1
    Tag: 8, len: 1 (status indicator)
      LCS (life card cycle): 07
+ TCK = FA (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FE 18 00 00 81 31 FE 45 80 31 81 54 48 53 4D 31 73 80 21 40 81 07 FA
        Smartcard-HSM
        http://www.cardcontact.de/products/sc-hsm.html

Initialize the first smartcard

Create two DKEK shares

  • 1st share;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
[staf@vicky mnt]$ sc-hsm-tool --create-dkek-share dkek-share-1.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00

The DKEK share will be enciphered using a key derived from a user supplied password.
The security of the DKEK share relies on a well chosen and sufficiently long password.
The recommended length is more than 10 characters, which are mixed letters, numbers and
symbols.

Please keep the generated DKEK share file in a safe location. We also recommend to keep a
paper printout, in case the electronic version becomes unavailable. A printable version
of the file can be generated using "openssl base64 -in <filename>".
Enter password to encrypt DKEK share : 

Please retype password to confirm : 

Passwords do not match. Please retry.
Enter password to encrypt DKEK share : 
[staf@vicky mnt]$ sc-hsm-tool --create-dkek-share dkek-share-1.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00

The DKEK share will be enciphered using a key derived from a user supplied password.
The security of the DKEK share relies on a well chosen and sufficiently long password.
The recommended length is more than 10 characters, which are mixed letters, numbers and
symbols.

Please keep the generated DKEK share file in a safe location. We also recommend to keep a
paper printout, in case the electronic version becomes unavailable. A printable version
of the file can be generated using "openssl base64 -in <filename>".
Enter password to encrypt DKEK share : 

Please retype password to confirm : 

Enciphering DKEK share, please wait...
DKEK share created and saved to dkek-share-1.pbe
[staf@vicky mnt]$ 
  • 2nd share;
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
[staf@vicky mnt]$ sc-hsm-tool --create-dkek-share dkek-share-2.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00

The DKEK share will be enciphered using a key derived from a user supplied password.
The security of the DKEK share relies on a well chosen and sufficiently long password.
The recommended length is more than 10 characters, which are mixed letters, numbers and
symbols.

Please keep the generated DKEK share file in a safe location. We also recommend to keep a
paper printout, in case the electronic version becomes unavailable. A printable version
of the file can be generated using "openssl base64 -in <filename>".
Enter password to encrypt DKEK share : 

Please retype password to confirm : 
[staf@vicky mnt]$ sc-hsm-tool --create-dkek-share dkek-share-2.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00

The DKEK share will be enciphered using a key derived from a user supplied password.
The security of the DKEK share relies on a well chosen and sufficiently long password.
The recommended length is more than 10 characters, which are mixed letters, numbers and
symbols.

Please keep the generated DKEK share file in a safe location. We also recommend to keep a
paper printout, in case the electronic version becomes unavailable. A printable version
of the file can be generated using "openssl base64 -in <filename>".
Enter password to encrypt DKEK share : 

Please retype password to confirm : 

Enciphering DKEK share, please wait...
DKEK share created and saved to dkek-share-2.pbe
[staf@vicky mnt]$ 

If you want a backup of DKEK shares copy them to another (encrypted) USB stick(s).

Initialize the SmartCard

  • Initialize

Use sc-hsm-tool to Intialize the smartcard and specify the number DKEK shares that you’ll use. You’ll need to pick a PIN code for the “security officer” and the “user”.

If you forget the so-pin you can not reinitialize the smartcard again so be sure that you pick so-pin that you can remember or write it down and store it on secure location. The so-pin has to be 16 digits long.

The sc-hsm-tool only asks for the PIN code ones so be sure that you know what you have typed. If you don’t know it you smartcard becomes trash…

It possible to specify the pin code with “–so-pin” and “–pin” argument but this leaves the pin code in your shell history or in the process list…

1
2
3
4
5
6
7
[staf@vicky mnt]$ sc-hsm-tool --initialize --dkek-shares 2
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter SO-PIN (16 hexadecimal characters) : 

Enter initial User-PIN (6 - 16 characters) : 

[staf@vicky mnt]$ 

If you execute the sc-hsm-tool command you’ll see that the DKEK shares are still missing;

1
2
3
4
5
6
7
[staf@vicky mnt]$ sc-hsm-tool 
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Version              : 1.2
User PIN tries left  : 3
DKEK shares          : 2
DKEK import pending, 2 share(s) still missing
[staf@vicky mnt]$ 
  • import the dkek shares
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[staf@vicky mnt]$ sc-hsm-tool --import-dkek-share dkek-share-1.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares          : 2
DKEK import pending, 1 share(s) still missing
[staf@vicky mnt]$ sc-hsm-tool --import-dkek-share dkek-share-2.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares          : 2
DKEK key check value : 2C63E9E5D6FE0B8C
[staf@vicky mnt]$ 

test the user and so pin

list the pkcs#11 slots

1
2
3
4
5
6
7
8
9
10
11
12
13
[staf@vicky mnt]$ pkcs11-tool --module opensc-pkcs11.so -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Generic Smart Card Reader Interface [Smart Card Reader Interface
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 1.2
  serial num         : DECM0102332
[staf@vicky mnt]$ 

test the user pin;

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
staf@vicky mnt]$ pkcs11-tool --module opensc-pkcs11.so --slot 1 --login --test
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
Signatures: no private key found in this slot
Verify (currently only for RSA):
  No private key found for testing
Unwrap: not implemented
Decryption (RSA)
No errors
[staf@vicky mnt]$ 

test the so pin

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
[staf@vicky mnt]$ pkcs11-tool --module opensc-pkcs11.so --slot 1 --login --test --login-type so
Logging in to "SmartCard-HSM (UserPIN)".
Please enter SO PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures: not logged in, skipping signature tests
Verify: not logged in, skipping verify tests
Key unwrap: not a R/W session, skipping key unwrap tests
Decryption: not logged in, skipping decryption tests
No errors
[staf@vicky mnt]$ 

Create your first keypair

create key pair

The command below an Elliptic Curve Cryptography (ECC) key pair.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
[staf@vicky mnt]$ pkcs11-tool --module opensc-pkcs11.so --keypairgen --key-type EC:prime256v1 --label myfirst_keypair --login
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
Key pair generated:
Private Key Object; EC
  label:      myfirst_keypair
  ID:         ae79417e809ed19b9a69d4c14f444462ad0bd66c
  Usage:      sign, derive
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104f8ead77d1411e016196141d9d1f747a481aec4be40d1f8822d26d407fee05902082e18843ee58db4f5575b19ff243a735b66b2c91adbec1a59aeacc7c1ae8b52
  EC_PARAMS:  06082a8648ce3d030107
  label:      myfirst_keypair
  ID:         ae79417e809ed19b9a69d4c14f444462ad0bd66c
  Usage:      verify
[staf@vicky mnt]$ 

list objects

list the objects to verif that your keypair in on the smartcard

1
2
3
4
5
6
7
8
9
staf@vicky mnt]$ pkcs11-tool --module opensc-pkcs11.so --list-objects
Using slot 1 with a present token (0x1)
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104f8ead77d1411e016196141d9d1f747a481aec4be40d1f8822d26d407fee05902082e18843ee58db4f5575b19ff243a735b66b2c91adbec1a59aeacc7c1ae8b52
  EC_PARAMS:  06082a8648ce3d030107
  label:      myfirst_keypair
  ID:         ae79417e809ed19b9a69d4c14f444462ad0bd66c
  Usage:      none
[staf@vicky mnt]$ 

Copy objects to another smartcard

Backup

To create a backup of our keys or data we need to extract it from the smartcard and copy it to another. To store the object temporary we can use an encrypted filesystem or even a ram disk on a secured computer.

For security reasons you might want to separate your DKEK share from you key backups, For the convenience we’ll store everything on an encrypted USB stick.

get the object reference

First we need to find the object reference

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
[staf@vicky mnt]$ pkcs15-tool -D
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DECM0102332
        Manufacturer ID: www.CardContact.de
        Flags          : 

PIN [UserPIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x81A], local, unblock-disabled, initialized, exchangeRefData
        Length         : min_len:6, max_len:15, stored_len:0
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Tries left     : 3

PIN [SOPIN]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0x9E], local, change-disabled, unblock-disabled, initialized, soPin
        Length         : min_len:16, max_len:16, stored_len:0
        Pad char       : 0x00
        Reference      : 136 (0x88)
        Type           : bcd
        Tries left     : 3

Private EC Key [myfirst_keypair]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x10C], sign, signRecover, derive
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        FieldLength    : 256
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : e82b0601040181c31f0201::
        Auth ID        : 01
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        MD:guid        : {3a03d245-ea49-1da1-d8cd-f2ced0526400}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public EC Key [myfirst_keypair]
        Object Flags   : [0x0]
        Usage          : [0x0]
        Access Flags   : [0x2], extract
        FieldLength    : 256
        Key ref        : 0 (0x0)
        Native         : no
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        DirectValue    : <present>

[staf@vicky mnt]$ pkcs15-tool -D

extract the object(s)

1
2
3
4
5
6
7
8
9
10
11
[staf@vicky mnt]$ sc-hsm-tool --wrap-key private_myfirst_keypair --key-reference 1 
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter User PIN : 

[staf@vicky mnt]$ ls -l
total 28
-rw-r--r-- 1 swagemakers backup    64 Nov 11 13:42 dkek-share-1.pbe
-rw-r--r-- 1 swagemakers backup    64 Nov 11 13:42 dkek-share-2.pbe
drwx------ 2 root        root   16384 Nov 11 13:37 lost+found
-rw-rw-r-- 1 staf        staf     926 Nov 11 14:05 private_myfirst_keypair
[staf@vicky mnt]$ 

Please not that we only need to copy the private key, the backup object also contains the public keypair.

Initialize a second smartcard

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
[staf@vicky mnt]$ sc-hsm-tool --initialize --dkek-shares 2
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter SO-PIN (16 hexadecimal characters) : 

Enter initial User-PIN (6 - 16 characters) : 

[staf@vicky mnt]$ sc-hsm-tool 
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Version              : 1.2
User PIN tries left  : 3
DKEK shares          : 2
DKEK import pending, 2 share(s) still missing
[staf@vicky mnt]$ sc-hsm-tool --import-dkek-share dkek-share-1.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares          : 2
DKEK import pending, 1 share(s) still missing
[staf@vicky mnt]$ sc-hsm-tool --import-dkek-share dkek-share-2.pbe
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Enter password to decrypt DKEK share : 

Deciphering DKEK share, please wait...
DKEK share imported
DKEK shares          : 2
DKEK key check value : 2C63E9E5D6FE0B8C
[staf@vicky mnt]$ 

Store the key pair

It’s possible to write the private object to another smartcard with the same DKEK shares.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
[staf@vicky mnt]$ sc-hsm-tool --unwrap-key private_myfirst_keypair --key-reference 1
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
Wrapped key contains:
  Key blob
  Private Key Description (PRKD)
  Certificate
Enter User PIN : 

Key successfully imported
[staf@vicky mnt]$ pkcs11-tool --list-objects 
Using slot 1 with a present token (0x1)
Public Key Object; EC  EC_POINT 256 bits
  EC_POINT:   044104f8ead77d1411e016196141d9d1f747a481aec4be40d1f8822d26d407fee05902082e18843ee58db4f5575b19ff243a735b66b2c91adbec1a59aeacc7c1ae8b52
  EC_PARAMS:  06082a8648ce3d030107
  label:      myfirst_keypair
  ID:         ae79417e809ed19b9a69d4c14f444462ad0bd66c
  Usage:      none
[staf@vicky mnt]$ pkcs15-tool -D
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DECM0102330
        Manufacturer ID: www.CardContact.de
        Flags          : 

PIN [UserPIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x81A], local, unblock-disabled, initialized, exchangeRefData
        Length         : min_len:6, max_len:15, stored_len:0
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Tries left     : 3

PIN [SOPIN]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0x9E], local, change-disabled, unblock-disabled, initialized, soPin
        Length         : min_len:16, max_len:16, stored_len:0
        Pad char       : 0x00
        Reference      : 136 (0x88)
        Type           : bcd
        Tries left     : 3

Private EC Key [myfirst_keypair]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x10C], sign, signRecover, derive
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        FieldLength    : 256
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : e82b0601040181c31f0201::
        Auth ID        : 01
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        MD:guid        : {8e96ad75-4f6c-eb5e-6bb3-4a637bbcda50}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public EC Key [myfirst_keypair]
        Object Flags   : [0x0]
        Usage          : [0x0]
        Access Flags   : [0x2], extract
        FieldLength    : 256
        Key ref        : 0 (0x0)
        Native         : no
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        DirectValue    : <present>

[staf@vicky mnt]$ 

Done…

We have a backup to our second smartcard and an ecrypted backup of the key on the usb, umount the backup and store it to a safe location.

1
2
3
4
5
6
7
8
[staf@vicky ~]$ mount | grep mnt
/dev/mapper/my on /mnt type ext4 (rw,relatime,data=ordered)
[staf@vicky ~]$ umount /mnt
umount: /mnt: umount failed: Operation not permitted
[staf@vicky ~]$ sudo umount /mnt
[sudo] password for staf: 
[staf@vicky ~]$ sudo cryptsetup luksClose my
[staf@vicky ~]$ 

I might publish some smartcard-hsm usage examples in the further….

Links

https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM

Rataplan Becomes a Watchdog

My NAS runs on FreeBSD I’m quiet happy with it. It’s named after the dog rataplan from the Lucky Luke comic

However transferring large data files to it causes the network to hang. The realtek network interface had issues with freebsd from the beginning. On the screen and in syslog the entry “re0: watchdog timeout” is printed.

Most FreeBSD people recommends to use Intel nics, I ordered a new Intel nic at dx.com. After the installation of the new NIC the network seems to be stable again.

Lookat 1.4.4rc1 Released

It is a national holiday in Belgium so I have some time to code again.

Lookat 1.4.4rc1 is the first release candicate of Lookat 1.4.4

ChangeLog

  • openBSD support
  • English translation issues corrected
  • autoconf updated to 2.69
  • Corrected mirror compile warnings

Lookat 1.4.4rc1 is available at:

http://www.wagemakers.be/english/programs/lookat , download it directly Download latest development release (1.4.4rc1).

Or at the Git repository at GNU savannah http://git.savannah.gnu.org/cgit/lookat.git/

OpenBSD

I forgot to mention it but Lookat has landed in OpenBSD Thanks to Brian Callahan for the port!

Have fun

Using Squid to Cache FreeBSD Packages

PKGNG config

I manage a few FreeBSD jails behind a squid proxy. pkgng is configured to use the proxy:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root@rataplan:/root # cat /etc/pkg/FreeBSD.conf 
# $FreeBSD: releng/10.1/etc/pkg/FreeBSD.conf 263938 2014-03-30 15:29:54Z bdrewery $
#
# To disable this repository, instead of modifying or removing this file,
# create a /usr/local/etc/pkg/repos/FreeBSD.conf file:
#
#   mkdir -p /usr/local/etc/pkg/repos
#   echo "FreeBSD: { enabled: no }" > /usr/local/etc/pkg/repos/FreeBSD.conf
#

pkg_env: {

        http_proxy: "http://xxx.xxx.xxx.xxx:3128"

}

FreeBSD: {
  url: "pkg+http://pkg.FreeBSD.org/${ABI}/latest",
  mirror_type: "srv",
  signature_type: "fingerprints",
  fingerprints: "/usr/share/keys/pkg",
  enabled: yes
}
root@rataplan:/root # 

SQUID config

Recompile

The squid proxy doesn’t cache to the FreeBSD packages. The squid pkgng package is compiled with “LAX_HTTP Do not enforce strict HTTP compliance” option disabled. which doesn’t allow you to override the cache headers sent by the remote site.

In order to cache the FreeBSD packages we need to recompile squid with “LAX_HTTPD” enabled.

Updating the ports

Physical system

If you use a physical FreeBSD system as your proxy run the “portsnap fetch” command.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
[root@rataplan ~]# portsnap fetch
Looking up portsnap.FreeBSD.org mirrors... 7 mirrors found.
Fetching snapshot tag from ec2-eu-west-1.portsnap.freebsd.org... done.
Fetching snapshot metadata... done.
Updating from Mon Jun 22 14:30:21 CEST 2015 to Tue Jun 23 08:39:41 CEST 2015.
Fetching 4 metadata patches... done.
Applying metadata patches... done.
Fetching 0 metadata files... done.
Fetching 417 patches. 
(417/417) 100.00%  done.                                       
done.
Applying patches... 
done.
Fetching 3 new ports or files... done.
[root@rataplan ~]# 

1
2
3
4
5
6
7
8
9
10
11
12
13
14
[root@rataplan ~]# portsnap extract
/usr/ports/.arcconfig
/usr/ports/.gitignore
/usr/ports/CHANGES
/usr/ports/CONTRIBUTING.md
/usr/ports/COPYRIGHT
/usr/ports/GIDs

<snip>

/usr/ports/x11/zenity/
Building new INDEX files... done.
[root@rataplan ~]# 

Jail

If you use an ezjail as your proxy run the “ezjail-admin update -P” command.

Build

Stop SQUID
1
2
3
root@stafproxy:/usr/ports/www/squid # /usr/local/etc/rc.d/squid stop
squid not running? (check /var/run/squid/squid.pid).
root@stafproxy:/usr/ports/www/squid # 
Make config
1
2
3
root@stafproxy:/usr/ports/www/squid # cd
root@stafproxy:/root # cd /usr/ports/www/squid
root@stafproxy:/usr/ports/www/squid # make config
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

       ┌─────────────────────────────── squid-3.5.5 ──────────────────────────────────┐
       │ ┌──────────────────────────────────────────────────────────────────────────┐ │  
       │ │ [ ] ARP_ACL         ARP/MAC/EUI based authentification                   │ │  
       │ │ [ ] AUTH_LDAP       Install LDAP authentication helpers                  │ │  
       │ │ [x] AUTH_NIS        Install NIS/YP authentication helpers                │ │  
       │ │ [ ] AUTH_SASL       Install SASL authentication helpers                  │ │  
       │ │ [ ] AUTH_SMB        Install SMB auth. helpers (req. Samba)               │ │  
       │ │ [ ] AUTH_SQL        Install SQL based auth (uses MySQL)                  │ │  
       │ │ [ ] CACHE_DIGESTS   Use cache digests                                    │ │  
       │ │ [ ] DEBUG           Build with extended debugging support                │ │  
       │ │ [ ] DELAY_POOLS     Delay pools (bandwidth limiting)                     │ │  
       │ │ [x] DOCS            Build and/or install documentation                   │ │  
       │ │ [ ] ECAP            Loadable content adaptation modules                  │ │  
       │ │ [ ] ESI             ESI support                                          │ │  
       │ │ [x] EXAMPLES        Build and/or install examples                        │ │  
       │ │ [ ] FOLLOW_XFF      Support for the X-Following-For header               │ │  
       │ │ [x] FS_AUFS         AUFS (threaded-io) support                           │ │  
       │ │ [x] FS_DISKD        DISKD storage engine controlled by separate service  │ │  
       │ │ [ ] FS_ROCK         ROCK storage engine                                  │ │  
       │ │ [x] HTCP            HTCP support                                         │ │  
       │ │ [ ] ICAP            the ICAP client                                      │ │  
       │ │ [ ] ICMP            ICMP pinging and network measurement                 │ │  
       │ │ [x] IDENT           Ident lookups (RFC 931)                              │ │  
       │ │ [x] IPV6            IPv6 protocol support                                │ │  
       │ │ [x] KQUEUE          Kqueue(2) support                                    │ │  
       │ │ [ ] LARGEFILE       Support large (>2GB) cache and log files             │ │  
       │ │ [x] LAX_HTTP        Do not enforce strict HTTP compliance                │ │  
       │ │ [ ] NETTLE          Nettle MD5 algorithm support                         │ │  
       │ │ [x] SNMP            SNMP support                                         │ │  
       │ │ [ ] SSL             SSL gatewaying support                               │ │  
       │ │ [ ] SSL_CRTD        Use ssl_crtd to handle SSL cert requests             │ │  
       │ │ [ ] STACKTRACES     Enable automatic backtraces on fatal errors          │ │  
       │ │ [ ] TP_IPF          Transparent proxying with IPFilter                   │ │  
       │ │ [ ] TP_IPFW         Transparent proxying with IPFW                       │ │  
       │ │ [ ] TP_PF           Transparent proxying with PF                         │ │  
       │ │ [ ] VIA_DB          Forward/Via database                                 │ │  
       │ └─────v(+)─────────────────────────────────────────────────────────82%─────┘ │  
       ├──────────────────────────────────────────────────────────────────────────────┤  
       │                       <  OK  >            <Cancel>                           │  
       └──────────────────────────────────────────────────────────────────────────────┘  
                                                                                         
Make install
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
root@stafproxy:/usr/ports/www/squid # make
===>  License GPLv2 accepted by the user
===>  Found saved configuration for squid-3.5.5
===>   squid-3.5.5 depends on file: /usr/local/sbin/pkg - found
===> Fetching all distfiles required by squid-3.5.5 for building
===>  Extracting for squid-3.5.5
=> SHA256 Checksum OK for squid3.5/squid-3.5.5.tar.xz.

<snip>

Making install in test-suite
install  -m 0644 /var/ports/basejail/usr/ports/www/squid/work/squid-3.5.5/helpers/basic_auth/DB/passwd.sql  /var/ports/basejail/usr/ports/www/squid/work/stage/usr/local/share/examples/squid
(cd /var/ports/basejail/usr/ports/www/squid/work/squid-3.5.5 && install  -m 0644 QUICKSTART README RELEASENOTES.html doc/debug-sections.txt /var/ports/basejail/usr/ports/www/squid/work/stage/usr/local/share/doc/squid)
/bin/mkdir -p /var/ports/basejail/usr/ports/www/squid/work/stage/var/squid/logs
/bin/rmdir /var/ports/basejail/usr/ports/www/squid/work/stage/var/run/squid
====> Compressing man pages (compress-man)
===> Staging rc.d startup script(s)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
root@stafproxy:/usr/ports/www/squid # make install clean
===>  Installing for squid-3.5.5                                                                                                                                                                                                             
===>   squid-3.5.5 depends on file: /usr/local/bin/perl5.20.2 - found                                                                                                                                                                        
===>  Checking if squid already installed                                                                                                                                                                                                    
===>   Registering installation for squid-3.5.5                                                                                                                                                                                              

<snip>

===> SECURITY REPORT: 
      This port has installed the following files which may act as network
      servers and may therefore pose a remote security risk to the system.
/usr/local/libexec/squid/basic_radius_auth
/usr/local/sbin/squid

      This port has installed the following startup scripts which may cause
      these network services to be started at boot time.
/usr/local/etc/rc.d/squid

      If there are vulnerabilities in these programs there may be a security
      risk to the system. FreeBSD makes no guarantee about the security of
      ports included in the Ports Collection. Please type 'make deinstall'
      to deinstall the port if this is a concern.

      For more information, and contact details about the security
      status of this software, see the following webpage: 
http://www.squid-cache.org/
pkg lock

Lock the squid package to prevent the upgrade from pkgng tree.

1
2
3
4
root@stafproxy:/usr/ports/www/squid # pkg lock squid
squid-3.5.5: lock this package? [y/N]: y
Locking squid-3.5.5
root@stafproxy:/usr/ports/www/squid #

View the locked pkgng packages

1
2
3
4
root@stafproxy:/usr/ports/www/squid # pkg lock -l
Currently locked packages:
squid-3.5.5
root@stafproxy:/usr/ports/www/squid # 

SQUID config

Update squid.conf

Edit the squid config:

1
2
root@stafproxy:/usr/ports/www/squid # cd /usr/local/etc/squid/
root@stafproxy:/usr/local/etc/squid # vi squid.conf

Add a “refresh_pattern” for “pkgmir.pkg.freebsd.org”:

1
2
3
4
5
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^http://pkgmir.pkg.freebsd.org/.*\.txz          1440    100%    10080 ignore-private ignore-must-revalidate override-expire ignore-no-cache
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern -i (/cgi-bin/|\?) 0     0%      0
refresh_pattern .               0       20%     4320

Start squid

1
2
3
root@stafproxy:/usr/local/etc/squid # ../rc.d/squid start
Starting squid.
root@stafproxy:/usr/local/etc/squid # 

rc.conf

Make sure that the system is configured to start squid during the system startup.

1
2
3
4
5
6
7
8
root@stafproxy:/usr/local/etc/squid # cat /etc/rc.conf 
#
# squid
#

squid_enable="YES"

root@stafproxy:/usr/local/etc/squid # 

SQUID should cache the pkgng downloads now.

Have fun

Using YubiKey Neo as Gpg Smartcard for SSH Authentication

I purchased a Yubi NEO I’ll use it to hold my Luks password and for ssh authentication instead of the password authentication that I still use.

You’ll find my journey to get the smartcard interface working with ssh on a fedora 22 system below;

Install the yubiclient and smartcard software

Install the ykclient

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
ykclient.x86_64 : Yubikey management library and client
[root@vicky ~]# dnf install ykclient
Last metadata expiration check performed 1:00:07 ago on Sun Jun 14 09:14:34 2015.
Dependencies resolved.
====================================================================================================================
 Package                    Arch                     Version                         Repository                Size
====================================================================================================================
Installing:
 ykclient                   x86_64                   2.13-1.fc22                     fedora                    35 k

Transaction Summary
====================================================================================================================
Install  1 Package

Total download size: 35 k
Installed size: 58 k
Is this ok [y/N]: y
Downloading Packages:
ykclient-2.13-1.fc22.x86_64.rpm                                                      48 kB/s |  35 kB     00:00    
--------------------------------------------------------------------------------------------------------------------
Total                                                                                11 kB/s |  35 kB     00:03     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : ykclient-2.13-1.fc22.x86_64                                                                     1/1 
  Verifying   : ykclient-2.13-1.fc22.x86_64                                                                     1/1 

Installed:
  ykclient.x86_64 2.13-1.fc22                                                                                       

Complete!
[root@vicky ~]# 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
root@vicky ~]# ykinfo
bash: ykinfo: command not found...
Install package 'ykpers' to provide command 'ykinfo'? [N/y] ^C

[root@vicky ~]# dnf install ykpers
Last metadata expiration check performed 1:01:23 ago on Sun Jun 14 09:14:34 2015.
Dependencies resolved.
====================================================================================================================
 Package                     Arch                    Version                          Repository               Size
====================================================================================================================
Installing:
 libyubikey                  x86_64                  1.11-3.fc22                      fedora                   33 k
 ykpers                      x86_64                  1.17.1-1.fc22                    fedora                  101 k

Transaction Summary
====================================================================================================================
Install  2 Packages

Total download size: 135 k
Installed size: 372 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): libyubikey-1.11-3.fc22.x86_64.rpm                                             13 kB/s |  33 kB     00:02    
(2/2): ykpers-1.17.1-1.fc22.x86_64.rpm                                               38 kB/s | 101 kB     00:02    
--------------------------------------------------------------------------------------------------------------------
Total                                                                                22 kB/s | 135 kB     00:06     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : libyubikey-1.11-3.fc22.x86_64                                                                   1/2 
  Installing  : ykpers-1.17.1-1.fc22.x86_64                                                                     2/2 
  Verifying   : ykpers-1.17.1-1.fc22.x86_64                                                                     1/2 
  Verifying   : libyubikey-1.11-3.fc22.x86_64                                                                   2/2 

Installed:
  libyubikey.x86_64 1.11-3.fc22                             ykpers.x86_64 1.17.1-1.fc22                            

Complete!

Verify that you’ve access to the yubikey

“ykinfo -v” shows you the version on the yubikey.

1
2
3
[root@vicky ~]# ykinfo -v
version: 3.4.0
[root@vicky ~]# 

If you try with the user that you’ll for the yubi authentication you might get a permission denied:

1
2
3
staf@vicky ~]$ ykinfo -v
USB error: Access denied (insufficient permissions)
[staf@vicky ~]$ 

Update the udev permissions

Update rule file

On a fedora 22 system to udev rules for the yubi key are defined in “/usr/lib/udev/rules.d/69-yubikey.rules”

It is a good practice to only grant access to user that will use the yubikey.

1
2
[root@vicky ~]# cd /usr/lib/udev/rules.d/
[root@vicky rules.d]# vi 69-yubikey.rules 
1
2
3
4
5
6
7
8
9
ACTION!="add|change", GOTO="yubico_end"

# Udev rules for letting the console user access the Yubikey USB
# device node, needed for challenge/response to work correctly.

# Yubico Yubikey II
ATTRS{idVendor}=="1050", ATTRS{idProduct}=="0010|0110|0111|0114|0116|0401|0403|0405|0407|0410", OWNER="staf", MODE="0600"

LABEL="yubico_end"
Update udev rules
1
2
# udevadm control --reload
# udevadm trigger
Test it again
1
2
3
[staf@vicky ~]$ ykinfo -v
version: 3.4.0
[staf@vicky ~]$ 

Enable the smartcard interface

1
2
3
4
5
6
7
staf@vicky yubi]$ ykpersonalize -m82
Firmware version 3.4.0 Touch level 1551 Program sequence 3

The USB mode will be set to: 0x82

Commit? (y/n) [n]: y
[staf@vicky yubi]$ 

Remove the yubi key from your system and plug it back to activate the new interface.

Install the required smartcard software

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
[root@vicky ~]# dnf install pcsc-tools   
Last metadata expiration check performed 0:33:58 ago on Sun Jun 14 09:14:34 2015.
Dependencies resolved.                                       
====================================================================================================================
 Package                         Arch                  Version                          Repository             Size
====================================================================================================================
Installing:                                                 
 pcsc-lite                       x86_64                1.8.13-1.fc22                    fedora                101 k
 pcsc-lite-asekey                x86_64                3.7-1.fc22                       fedora                 34 k
 pcsc-perl                       x86_64                1.4.12-11.fc22                   fedora                 61 k
 pcsc-tools                      x86_64                1.4.23-1.fc22                    fedora                116 k
 perl-Cairo                      x86_64                1.105-1.fc22                     fedora                126 k
 perl-Glib                       x86_64                1.310-1.fc22                     fedora                362 k
 perl-Gtk2                       x86_64                1.2495-1.fc22                    fedora                1.8 M
 perl-HTML-Tree                  noarch                1:5.03-8.fc22                    fedora                223 k
 perl-Pango                      x86_64                1.226-3.fc22                     fedora                220 k
                                                           
Transaction Summary                                        
====================================================================================================================
Install  9 Packages                                        
                                                            
Total download size: 3.0 M                                  
Installed size: 8.4 M                                       
Is this ok [y/N]: y                                          
Downloading Packages:                                        
(1/9): pcsc-tools-1.4.23-1.fc22.x86_64.rpm                                           38 kB/s | 116 kB     00:03    
(2/9): pcsc-perl-1.4.12-11.fc22.x86_64.rpm                                           20 kB/s |  61 kB     00:03    
(3/9): pcsc-lite-1.8.13-1.fc22.x86_64.rpm                                            23 kB/s | 101 kB     00:04    
(4/9): perl-Glib-1.310-1.fc22.x86_64.rpm                                            159 kB/s | 362 kB     00:02    
(5/9): perl-Cairo-1.105-1.fc22.x86_64.rpm                                            56 kB/s | 126 kB     00:02    
(6/9): perl-HTML-Tree-5.03-8.fc22.noarch.rpm                                         99 kB/s | 223 kB     00:02    
(7/9): perl-Gtk2-1.2495-1.fc22.x86_64.rpm                                           342 kB/s | 1.8 MB     00:05    
(8/9): perl-Pango-1.226-3.fc22.x86_64.rpm                                            89 kB/s | 220 kB     00:02    
(9/9): pcsc-lite-asekey-3.7-1.fc22.x86_64.rpm                                        21 kB/s |  34 kB     00:01    
--------------------------------------------------------------------------------------------------------------------
Total                                                                               257 kB/s | 3.0 MB     00:11     
Running transaction check                                   
Transaction check succeeded.                                
Running transaction test                                     
Transaction test succeeded.                                   
Running transaction                                             
  Installing  : perl-Glib-1.310-1.fc22.x86_64                                                                   1/9 
  Installing  : pcsc-lite-asekey-3.7-1.fc22.x86_64                                                              2/9 
  Installing  : pcsc-lite-1.8.13-1.fc22.x86_64                                                                  3/9 
  Installing  : perl-Cairo-1.105-1.fc22.x86_64                                                                  4/9 
  Installing  : perl-Pango-1.226-3.fc22.x86_64                                                                  5/9 
  Installing  : perl-HTML-Tree-1:5.03-8.fc22.noarch                                                             6/9 
  Installing  : perl-Gtk2-1.2495-1.fc22.x86_64                                                                  7/9 
  Installing  : pcsc-perl-1.4.12-11.fc22.x86_64                                                                 8/9 
  Installing  : pcsc-tools-1.4.23-1.fc22.x86_64                                                                 9/9 
  Verifying   : pcsc-tools-1.4.23-1.fc22.x86_64                                                                 1/9 
  Verifying   : pcsc-lite-1.8.13-1.fc22.x86_64                                                                  2/9 
  Verifying   : pcsc-perl-1.4.12-11.fc22.x86_64                                                                 3/9 
  Verifying   : perl-Glib-1.310-1.fc22.x86_64                                                                   4/9 
  Verifying   : perl-Gtk2-1.2495-1.fc22.x86_64                                                                  5/9 
  Verifying   : perl-Cairo-1.105-1.fc22.x86_64                                                                  6/9 
  Verifying   : perl-HTML-Tree-1:5.03-8.fc22.noarch                                                             7/9 
  Verifying   : perl-Pango-1.226-3.fc22.x86_64                                                                  8/9 
  Verifying   : pcsc-lite-asekey-3.7-1.fc22.x86_64                                                              9/9 

Installed:
  pcsc-lite.x86_64 1.8.13-1.fc22       pcsc-lite-asekey.x86_64 3.7-1.fc22       pcsc-perl.x86_64 1.4.12-11.fc22     
  pcsc-tools.x86_64 1.4.23-1.fc22      perl-Cairo.x86_64 1.105-1.fc22           perl-Glib.x86_64 1.310-1.fc22       
  perl-Gtk2.x86_64 1.2495-1.fc22       perl-HTML-Tree.noarch 1:5.03-8.fc22      perl-Pango.x86_64 1.226-3.fc22      

Complete!
[root@vicky ~]# 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
root@vicky ~]# dnf install opensc
Last metadata expiration check performed 0:37:38 ago on Sun Jun 14 09:14:34 2015.
Dependencies resolved.
====================================================================================================================
 Package                  Arch                     Version                           Repository                Size
====================================================================================================================
Installing:
 opensc                   x86_64                   0.14.0-2.fc22                     fedora                   976 k

Transaction Summary
====================================================================================================================
Install  1 Package

Total download size: 976 k
Installed size: 2.8 M
Is this ok [y/N]: y
Downloading Packages:
opensc-0.14.0-2.fc22.x86_64.rpm                                                     277 kB/s | 976 kB     00:03    
--------------------------------------------------------------------------------------------------------------------
Total                                                                               203 kB/s | 976 kB     00:04     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : opensc-0.14.0-2.fc22.x86_64                                                                     1/1 
  Verifying   : opensc-0.14.0-2.fc22.x86_64                                                                     1/1 

Installed:
  opensc.x86_64 0.14.0-2.fc22                                                                                       

Complete!
[root@vicky ~]# dnf search opensc
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
[root@vicky ~]# dnf search ccid
Last metadata expiration check performed 0:39:03 ago on Sun Jun 14 09:14:34 2015.
================================================ N/S Matched: ccid =================================================
pcsc-lite-ccid.x86_64 : Generic USB CCID smart card reader driver
libykneomgr.i686 : YubiKey NEO CCID Manager C Library
libykneomgr.x86_64 : YubiKey NEO CCID Manager C Library
[root@vicky ~]# dnf install pcsc-lite-ccid
Last metadata expiration check performed 0:39:34 ago on Sun Jun 14 09:14:34 2015.
Dependencies resolved.
====================================================================================================================
 Package                        Arch                   Version                         Repository              Size
====================================================================================================================
Installing:
 pcsc-lite-ccid                 x86_64                 1.4.18-1.fc22                   fedora                 177 k

Transaction Summary
====================================================================================================================
Install  1 Package

Total download size: 177 k
Installed size: 599 k
Is this ok [y/N]: y
Downloading Packages:
pcsc-lite-ccid-1.4.18-1.fc22.x86_64.rpm                                              47 kB/s | 177 kB     00:03    
--------------------------------------------------------------------------------------------------------------------
Total                                                                                27 kB/s | 177 kB     00:06     
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : pcsc-lite-ccid-1.4.18-1.fc22.x86_64                                                             1/1 
  Verifying   : pcsc-lite-ccid-1.4.18-1.fc22.x86_64                                                             1/1 

Installed:
  pcsc-lite-ccid.x86_64 1.4.18-1.fc22                                                                               

Complete!
[root@vicky ~]# 

Start the pcscd service

1
2
3
4
5
root@vicky ~]# systemctl list-unit-files -t service | grep pcscd
pcscd.service                               static  
[root@vicky ~]# systemctl start pcscd
[root@vicky ~]# systemctl enable pcscd
[root@vicky ~]# 

Verify that you are able to see the yubi smartcard

Run pcsc_scan

Execute “pcsc_scan” to verify that you see the smartcard

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
[staf@vicky ~]$ pcsc_scan 
PC/SC device scanner
V 1.4.23 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.13
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:06.7-1) 00 00
1: Yubico Yubikey NEO OTP+CCID 01 00

Mon Jun 15 11:36:44 2015
Reader 0: Gemalto Gemplus USB SmartCard Reader 433-Swap [CCID Interface] (1-0000:00:06.7-1) 00 00
  Card state: Card removed, 
Reader 1: Yubico Yubikey NEO OTP+CCID 01 00
  Card state: Card inserted, 
  ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1

defined(@array) is deprecated at /usr/lib64/perl5/vendor_perl/Chipcard/PCSC.pm line 69.
        (Maybe you should just omit the defined()?)
ATR: 3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
+ TS = 3B --> Direct Convention
+ T0 = FC, Y(1): 1111, K: 12 (historical bytes)
  TA(1) = 13 --> Fi=372, Di=4, 93 cycles/ETU
    43010 bits/s at 4 MHz, fMax for Fi = 5 MHz => 53763 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 15 --> Block Waiting Integer: 1 - Character Waiting Integer: 5
+ Historical bytes: 59 75 62 69 6B 65 79 4E 45 4F 72 33
  Category indicator byte: 59 (proprietary format)
+ TCK = E1 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FC 13 00 00 81 31 FE 15 59 75 62 69 6B 65 79 4E 45 4F 72 33 E1
        YubiKey NEO (PKI)
        http://www.yubico.com/

Remote smartcard access

By default only console logins have access to the smartcard if you want to grant access to remote logins (e.g. ssh) create a polkit rule for the user that will use the smartcard.

1
2
[root@vicky ~]# cd /usr/share/polkit-1/rules.d/                                    
[root@vicky rules.d]# vi 30_smartcard_access.rules 
1
2
3
4
5
6
7
8
9
10
11
12
13
polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_pcsc" &&
        subject.user == "staf") {
            return polkit.Result.YES;
    }
});

polkit.addRule(function(action, subject) {
    if (action.id == "org.debian.pcsc-lite.access_card" &&
        action.lookup("reader") == 'name_of_reader' &&
        subject.user == "staf") {
            return polkit.Result.YES;    }
});

Reset smartcard PIN codes

The default user PIN code is “123456” the default admin PIN code is “12345678”

1
2
3
4
5
6
7
8
9
10
11
12
[staf@vicky ~]$ gpg --change-pin 
gpg: OpenPGP card no. D2760001240102000006035062250000 detected

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

#### Change user PIN

Your selection? 
1
2
3
4
5
6
7
8
Your selection? 1

Please enter the PIN
           
New PIN
               
New PIN
PIN changed.     

Change admin PIN

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 3
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
                 
New Admin PIN
                     
New Admin PIN
PIN changed.     

1 - change PIN
2 - unblock PIN
3 - change Admin PIN
4 - set the Reset Code
Q - quit

Your selection? 

Generate a new key pair

Execute “gpg –card-edit”

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
[staf@vicky ~]$ gpg --card-edit 

Application ID ...: D2760001240102000006035062250000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03506225
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 5
Signature key ....: 1E41 4C61 B1CE F02A F431  85BF 46B9 3657 54DF 802E
      created ....: 2015-06-15 11:47:23
Encryption key....: BB75 75F4 404A 2681 4331  4B46 34E7 EE51 4199 C702
      created ....: 2015-06-15 11:47:23
Authentication key: A7F8 A844 4762 C44D 20C7  A2AF E06D 602C 069D 7EFF
      created ....: 2015-06-15 11:47:23
General key info..: 
pub  2048R/54DF802E 2015-06-15 qwerty <qwert@qwert>
sec>  2048R/54DF802E  created: 2015-06-15  expires: never     
                      card-no: 0006 03506225
ssb>  2048R/069D7EFF  created: 2015-06-15  expires: never     
                      card-no: 0006 03506225
ssb>  2048R/4199C702  created: 2015-06-15  expires: never     
                      card-no: 0006 03506225

gpg/card> 

Enable admin commands

1
2
3
4
gpg/card> admin
Admin commands are allowed                                                      
                                                                                
gpg/card>                                                                        

Generate key

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
gpg/card> generate 
Make off-card backup of encryption key? (Y/n) n

gpg: NOTE: keys are already stored on the card!

Replace existing keys? (y/N) y

Please note that the factory settings of the PINs are
   PIN = `123456'     Admin PIN = `12345678'
You should change them using the command --change-pin


Please enter the PIN
Please specify how long the key should be valid.
         0 = key does not expire
      <n>  = key expires in n days
      <n>w = key expires in n weeks
      <n>m = key expires in n months
      <n>y = key expires in n years
Key is valid for? (0) 
Key does not expire at all
Is this correct? (y/N) y

You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
    "Heinrich Heine (Der Dichter) <heinrichh@duesseldorf.de>"

Real name: staf wagemakers
Email address: staf@wagemakers.be
Comment: 
You selected this USER-ID:
    "staf wagemakers <staf@wagemakers.be>"

Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
gpg: existing key will be replaced
gpg: 3 Admin PIN attempts remaining before card is permanently locked

Please enter the Admin PIN
gpg: please wait while key is being generated ...
gpg: key generation completed (5 seconds)
gpg: signatures created so far: 0
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (35 seconds)
gpg: signatures created so far: 1
gpg: signatures created so far: 2
gpg: existing key will be replaced
gpg: please wait while key is being generated ...
gpg: key generation completed (9 seconds)
gpg: signatures created so far: 3
gpg: signatures created so far: 4
gpg: key C15CE3D7 marked as ultimately trusted
public and secret key created and signed.

gpg: checking the trustdb
gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
gpg: depth: 0  valid:   2  signed:   0  trust: 0-, 0q, 0n, 0m, 0f, 2u
pub   2048R/C15CE3D7 2015-06-15
      Key fingerprint = B702 663D 833B DC19 0EEF  663A 54FA 0B1E C15C E3D7
uid                  staf wagemakers <staf@wagemakers.be>
sub   2048R/D2AEBBA3 2015-06-15
sub   2048R/6C2C699A 2015-06-15


gpg/card> 

Extract the public key

Execute gpg –card-status

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
staf@vicky ~]$ gpg --card-status
Application ID ...: D2760001240102000006035062250000
Version ..........: 2.0
Manufacturer .....: unknown
Serial number ....: 03506225
Name of cardholder: [not set]
Language prefs ...: [not set]
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: 2048R 2048R 2048R
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 3 3
Signature counter : 5
Signature key ....: AED7 C79B 574D 45CC 7C1B  CC35 BDDE E66F 0C2C CF82
      created ....: 2015-06-16 06:32:02
Encryption key....: 6650 AB0A 5F31 059F 3221  3F29 C9F3 2031 01B3 1F53
      created ....: 2015-06-16 06:32:02
Authentication key: A387 A45A 446E DC9C D78E  F173 7C19 5D7D A1D9 9813
      created ....: 2015-06-16 06:32:02
General key info..: pub  2048R/0C2CCF82 2015-06-16 staf wagemakers <staf@wagemakers.be>
sec>  2048R/0C2CCF82  created: 2015-06-16  expires: never     
                      card-no: 0006 03506225
ssb>  2048R/A1D99813  created: 2015-06-16  expires: never     
                      card-no: 0006 03506225
ssb>  2048R/01B31F53  created: 2015-06-16  expires: never     
                      card-no: 0006 03506225
[staf@vicky ~]$ 

Run gpgkey2ssh on the authentication key

1
2
3
[staf@vicky ~]$ gpgkey2ssh A1D99813
ssh-rsa qwertyqwertyqwerty COMMENT
[staf@vicky ~]$ 

Test ssh access

Configure the gpg agent

The gpg-agent can be use as a ssh-agent

Enable ssh support in your gpg-agent.conf

Create your gpg-agent.conf file

1
[staf@vicky ~]$ vi .gnupg/gpg-agent.conf
1
2
pinentry-program  /usr/bin/pinentry
enable-ssh-support

Start the gpg-agent

1
2
3
4
5
6
staf@vicky ~]$ gpg-agent --daemon --verbose
gpg-agent[1395]: listening on socket '/home/staf/.gnupg/S.gpg-agent'
gpg-agent[1395]: listening on socket '/home/staf/.gnupg/S.gpg-agent.ssh'
gpg-agent[1396]: gpg-agent (GnuPG) 2.1.4 started
SSH_AUTH_SOCK=/home/staf/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;
[staf@vicky ~]$ 

Export the SSH_AUTH_SOCK variable

1
SSH_AUTH_SOCK=/home/staf/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

Verify the agent

Run ssh-add -L

1
2
3
[staf@vicky ~]$ ssh-add -L
error fetching identities for protocol 1: agent refused operation
ssh-rsa qwertyqwertyqwerty cardno:xxxx

The public key must be the same as extracted with “gpgkey2ssh”

Add the public key to the remote system

Add this public key to ~/.ssh/authorized_keys on the remote system.

Test

Try to logon to your remote system

1
staf@vicky ~]$ ssh -v xxx.xxx.xxx.xxx

You should get a window that asks for user PIN code.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19







               ┌──────────────────────────────────────────────┐
               │ Please enter the PIN                         │
               │                                              │
               │ PIN ________________________________________ │
               │                                              │
               │      <OK>                        <Cancel>    │
               └──────────────────────────────────────────────┘





1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
FreeBSD 10.1-RELEASE-p10 (GENERIC) #0: Wed May 13 06:54:13 UTC 2015

Welcome to FreeBSD!

Release Notes, Errata: https://www.FreeBSD.org/releases/
Security Advisories:   https://www.FreeBSD.org/security/
FreeBSD Handbook:      https://www.FreeBSD.org/handbook/
FreeBSD FAQ:           https://www.FreeBSD.org/faq/
Questions List: https://lists.FreeBSD.org/mailman/listinfo/freebsd-questions/
FreeBSD Forums:        https://forums.FreeBSD.org/

Documents installed with the system are in the /usr/local/share/doc/freebsd/
directory, or can be installed later with:  pkg install en-freebsd-doc
For other languages, replace "en" with a language code like de or fr.

Show the version of FreeBSD installed:  freebsd-version ; uname -a
Please include that output and any error messages when posting questions.
Introduction to manual pages:  man man
FreeBSD directory layout:      man hier

Edit /etc/motd to change this login announcement.
Want to run the same command again?
In tcsh you can type "!!"
$ 

CleanUp

Start the gpg-daemon

Add

1
2
gpg-agent --daemon
SSH_AUTH_SOCK=/home/staf/.gnupg/S.gpg-agent.ssh; export SSH_AUTH_SOCK;

To your .bash_profile or setup a generic script for all users in /etc/profile.d/

Disable password login in the /etc/ssh/sshd_config

Have fun!

Links

Openvas 7: Adding Credentials Failed

I’m creating a new openvas 7 system running centos 7 as a KVM instance.

The installation went fine but it was impossible to create new credentials.

I had a similar issue with my openvas 6 installation, this was resolved by creating the /etc/openvas/gnupg directory and creating the key openvasmd --create-credentials-encryption-key

But on my openvas 7 installation a creation of the encryption key was slooooow. As always Good Randomness is important for creating keys. So I decided to install haveged to get more randomness and hopefully this would speed up key creation.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
[root@localhost ~]# yum install haveged

Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * atomic: www6.atomicorp.com
 * base: centos.cu.be
 * extras: centos.cu.be
 * updates: centos.cu.be
Package haveged-1.9.1-2.el7.art.x86_64 already installed and latest version
Nothing to do
[root@localhost ~]# 
[root@localhost ~]# systemct list-unit-files --type=service | grep haveged
-bash: systemct: command not found
[root@localhost ~]# systemctl list-unit-files --type=service | grep haveged
haveged.service                             disabled
[root@localhost ~]# systemctl enable haveged
ln -s '/usr/lib/systemd/system/haveged.service' '/etc/systemd/system/multi-user.target.wants/haveged.service'
[root@localhost ~]# systemctl start haveged
[root@localhost ~]# 

The key creation took a only sec.

1
2
3
[root@localhost ~]# openvasmd --create-credentials-encryption-key
Key creation succeeded.
[root@localhost ~]# 

Adding new credentials works like a charm now.

Happy hacking!

Run Google Chrome Inside a Fedora Docker Container Over Ssh


Update (Mon Jun 8 2015):

Running google-chrome inside a docker container isn’t stable for me. I switched back to LXC to run google-chrome which seems to be more stable.


Created a docker image to start a docker container with chrome. Destroying the container each time that you start a browser is a easy way to get rid of your cookies and browser history.

Run google chrome inside a fedora docker container over ssh

Installation instructions

1/ Clone the git repo

1
$ git clone https://github.com/stafwag/docker-fedora-chrome-ssh.git

2/ Copy your public ssh to id_rsa.pub

1
2
$ cd docker-fedora-chrome-ssh
$ cp ~/.ssh/id_rsa.pub .

3/ Build the docker image

1
$ docker build -t stafwag/docker-fedora-chrome-ssh .

4/ Update your ssh config

1
$ vi ~/.ssh/config
1
2
3
4
5
6
7
Host mychrome
          User      chrome
          Port      8022
          HostName  127.0.0.1
          StrictHostKeyChecking no
          UserKnownHostsFile=/dev/null
          ForwardX11 yes

5/ Start chrome

1
$ ./startchrome.sh

Happy_new_year_2015

Happy new year!

"2014.jpg"

CGIpaf 1.3.4 Released

CGIpaf 1.3.4 has been released

ChangeLog

version 1.3.4 ( 23 Nov 2014 )
  • Cracklib configuration checking has been improved
  • LDFLAGS is passed to the linker correctly
CGIpaf 1.3.4pre1 (15 Sep 2013)
  • PAM is enabled on FreeBSD 7.3 or above
  • PAM is enabled on NetBSD 6.0 or above
  • xmalloc is updated to support systems with non GNU compatible malloc

CGIpaf 1.3.4 is available at: http://www.wagemakers.be/english/programs/cgipaf

Download the tarball directly at: http://www.wagemakers.be/downloads/cgipaf/

Or at the the Git repository on github: https://github.com/stafwag/cgipaf

Have fun...