Authenticating Linux with your USB ActiveKey

As I started working for my new employer, I got a new laptop. Linux is allowed here (thank goodness for that!) so I decided to go for a Debian install. I also got this nifty USB ActiveKey token, which can be used to authenticate to a plethora of services - Windows domain login, SAP login, ... fun stuff. But what about Linux? It turns out you can make good use of this key for Linux authentication too.

For simplicity's sake I'll assume here that the ActiveKey you have has already been initialized and you have stored your certificate on it using the standard (Windows) tooling.

First thing you'll need is a set of tools to read the ActiveKey itself.

apt-get install coolkey pcscd pcsc-tools libpam-pkcs11

Start the pcscd daemon and insert your ActiveKey. You'll notice that the light goes from red to green. Check if everything is detected properly:

[alver@Talisker ~]$ pcsc_scan 
PC/SC device scanner
V 1.4.16 (c) 2001-2009, Ludovic Rousseau 
Compiled with PC/SC lite version: 1.5.5
Scanning present readers...
0: Activkey Sim 00 00

Thu Jan 14 12:00:25 2010
 Reader 0: Activkey Sim 00 00
  Card state: Card inserted, Shared Mode,

... and so on. Good, the reader is found, and it knows there's a card inserted. The command will stop without returning to shell because it doesn't know anything about the reader or card - that's okay. Just ctrl-c back to shell.

Now it's time to setup pam_pkcs11. Just installing the package above won't do much; you'll have to manually create the necessary directories and create a config file.

mkdir -p /etc/pam_pkcs11/cacerts
zcat /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.example.gz > /etc/pam_pkcs11/pam_pkcs11.conf

Edit /etc/pam_pkcs11/pam_pkcs11.conf to match the following (not pasting the complete config file, just the relevant bits to change):

use_pkcs11_module = coolkey;

# Coolkey Support
pkcs11_module coolkey {
  module = /usr/lib/pkcs11/ 
  description = "Coolkey";
  slot_num = 0;
  support_threads = false;
  ca_dir = /etc/pam_pkcs11/cacerts;
  cert_policy = ca;

use_mappers = subject;

You can setup a subject-to-user mapping now. You'll have to get your hands on the company Issuer CA certificate first though, otherwise all attempts to validate your personal certificate will (naturally) fail. Copy this certificate file in base64 format to /etc/pam_pkcs11/cacerts.

Last step is mapping your personal certificate to your unix user. Print the certificate listed on your ActiveKey to check if it's found and no certificate errors are given:

[alver@Talisker pam_pkcs11]$ pkcs11_listcerts 
PIN for token: 
Found '1' certificate(s)
Certificate #1:
- Subject:   /O=Your Company/OU=Yada Yada/OU=Foo/CN=Your Name Goes Here/
- Issuer:    / Company/CN=Your Company Primary Certification Authority
- Algorithm: rsaEncryption

Okay, looks fine. You already copied the CA file so the Issuer should be accepted, and the Subject... well, that should be you. If it's not, bail out. Map this Subject to your local user:

echo "$(pkcs11_listcerts | grep Subject | sed 's,^[^/]*/,/,') -> youruser" > /tmp/subject_mapping

Copy this file over to /etc/pam_pkcs11/. Okay... done. Verify that the mapping is properly detected:

[alver@Talisker pam_pkcs11]$ pklogin_finder

Last thing you need to do is telling pam that you want to authenticate using your ActiveKey. The pam config line is this:

auth	sufficient debug=false config_file=/etc/pam_pkcs11/pam_pkcs11.conf

I personally put it in /etc/pam.d/gdm and /etc/pam.d/gnome-screensaver. GDM will still ask for a username though (it's not fully smart card aware) so you leave the field blank and press enter; it will ask for a pincode next. Gnome-screensaver doesn't have such a quirk.