Finally: Login via SSH authentication with OpenPGP smart card &
100% Free Software PCMCIA reader
Georg C. F. Greve
greve at fsfeurope.org
Sun Feb 12 12:05:24 CET 2006
Hi all,
this is more a "fyi notice" than anything else:
Thanks to the efforts of Werner Koch, Harald Welte, Nils Färber and
myself, last week I finally managed to solve two major problems for my
personal use of smart cards / OpenPGP crypto cards, such as the
Fellowship crypto card [1], that might be bothering others as well.
* 100% Free Software PCMCIA smart card reader
Problem one was to find a PCMCIA smart card reader that could be used
under GNU/Linux with 100% Free Software.
Most PCMCIA readers under GNU/Linux seem to use proprietary libraries,
which is unacceptable. From a security viewpoint, I also consider it
self-defeating: Obviously the security of the system is only as strong
as the security of the non-free layer and all its maintaining
infrastructure at the producing company, which the user has no control
over.
Thanks to Werner, Harald and Nils, it is now possible to use the
Omnikey CardMan 4040 exclusively with Free Software under
GNU/Linux. You will find more information here:
http://www.fsfe.org/fellows/greve/freedom_bits/fellowship_crypto_card_the_cool_way
* Remote SSH logins with crypto card authentication
Problem two was to do remote logins via SSH with authentication
through the smart card. There was a problem with the gpg-agent that
did not do PIN caching, and thus was somewhat annoying to use in real
life. Werner just addressed this problem, and now it works rather
flawlessly.
The gpg-agent replaces the ssh-agent for authentication, and it is
possible to do remote securely authenticated OpenSSH logins. You can
find information here:
http://www.fsfe.org/fellows/greve/freedom_bits/authenticating_ssh_logins_with_the_fellowship_crypto_card
So I hope this will help others with similar problems to solve them.
If anyone feels like playing with it, adding to it, making it easier
to use, or GUIfying it, that would be great. It would be good to see
the technology improve and spread.
Also, if people were to join the Fellowship (and thus contribute to
the work of FSFE) in order to play with the cards and find more
applications of it that are both fun and useful, that would be great.
Regards,
Georg
[1] http://www.fsfe.org/card/
--
Georg C. F. Greve <greve at fsfeurope.org>
Free Software Foundation Europe (http://fsfeurope.org)
Join the Fellowship and protect your freedom! (http://www.fsfe.org)