SuisseID as Linux login token

The Linux PAM authentication framework also supports PKCS#11-based logins through the pam_pkcs11 module, which makes it easy to use a SuisseID as a login token.

Basically, you can follow the PAM Authentication entry in this HOWTO. To make it work with your SuisseID, keep an eye on the following points:

/etc/pam_pkcs11/pam_pkcs11.conf configuration

Create a new module configuration:

# SuisseID pkcs11 module
pkcs11_module suisseid {
  # PKCS#11 library shipped with the SuisseID software
  module = /usr/lib/libcvP11.so;
  description = "SuisseID pkcs#11 module";
  slot_num = 0;
  token_type = "Suisse ID";
  support_threads = false;
  # trust anchors and CRLs used to validate the login certificate
  ca_dir = /etc/pam_pkcs11/cacerts;
  crl_dir = /etc/pam_pkcs11/crls;
  # ca: the certificate on the token must chain to a CA found in ca_dir
  cert_policy = ca;
  # crl_auto: use a CRL from crl_dir if present, otherwise fetch it from the
  # certificate's CRL distribution point (so a login may need network access)
  crl_policy = crl_auto;
}

and set this configuration as your PKCS#11 module:

# Filename of the PKCS #11 module. The default value is "default"
use_pkcs11_module = suisseid;

Store certificates of your CA under /etc/pam_pkcs11/cacerts

The module needs to check that your certificate was signed by a trusted source. In web browsers these CA certificates are usually preinstalled; for the PAM module we have to install them ourselves.
The easiest way is to check who signed your certificate (the issuing CA and the root CA above it) and export those certificates from Firefox in PEM format to the folder /etc/pam_pkcs11/cacerts. pam_pkcs11 looks CAs up by OpenSSL subject hash, so after copying the files create the <hash>.0 symlinks (the make_hash_link.sh script that ships with pam_pkcs11, or OpenSSL's c_rehash, does this); a PEM file without its hash link is simply not found and the login fails with an untrusted certificate.
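The following script is an added example, not code from the original post or from the pam_pkcs11 project. It shows the two things this section relies on: building the hash links in a cacerts directory, and the chain check that cert_policy = ca performs. Because it cannot assume a SuisseID is plugged in, it constructs a toy two-level PKI (a root and an issuing CA, standing in for the SwissSign root and the SuisseID issuing CA, plus a certificate from an unrelated CA) with openssl; all paths and names are therefore assumptions, and the work directory stands in for /etc/pam_pkcs11/cacerts.

```shell
#!/bin/sh
# Added example (not from the original post): populate a pam_pkcs11 cacerts
# directory with the <subject_hash>.N links pam_pkcs11 needs, then verify a
# user certificate against it the way cert_policy = ca does. All paths and
# the toy CA hierarchy are constructed here so the script runs without a token.
set -eu

WORK="${WORK:-$(mktemp -d)}"
CACERTS="$WORK/cacerts"            # stands in for /etc/pam_pkcs11/cacerts

# pam_pkcs11 hands ca_dir to OpenSSL, which looks CAs up by subject hash, so a
# PEM file copied from Firefox is invisible until it has a <hash>.N symlink.
hash_link_dir() {
    dir=$1
    for pem in "$dir"/*; do
        [ -f "$pem" ] && [ ! -L "$pem" ] || continue
        if ! h=$(openssl x509 -in "$pem" -noout -subject_hash 2>/dev/null); then
            echo "skip $pem: not a PEM certificate (DER export from Firefox?)" >&2
            continue
        fi
        n=0
        while [ -e "$dir/$h.$n" ]; do n=$((n + 1)); done   # c_rehash-style suffix
        ln -s "$(basename "$pem")" "$dir/$h.$n"
    done
}

# The same check pam_pkcs11 performs for cert_policy = ca: the login
# certificate must chain to a CA present in ca_dir. Exit status 0 = trusted.
verify_against_cacerts() {
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Constructed toy PKI: root -> issuing CA -> user certificate. Only the CA
# certificates go into cacerts (no extension, like the files in the post);
# private keys stay outside it.
make_toy_pki() {
    mkdir -p "$CACERTS" "$WORK/private"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Toy Root CA' \
        -keyout "$WORK/private/root.key" -out "$CACERTS/ToyRootCA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=Toy Issuing CA' \
        -keyout "$WORK/private/issuing.key" -out "$WORK/issuing.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/issuing.csr" -CA "$CACERTS/ToyRootCA" \
        -CAkey "$WORK/private/root.key" -set_serial 1 -days 1 \
        -extfile "$WORK/ca.ext" -out "$CACERTS/ToyIssuingCA" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj '/CN=david' \
        -keyout "$WORK/private/user.key" -out "$WORK/user.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/user.csr" -CA "$CACERTS/ToyIssuingCA" \
        -CAkey "$WORK/private/issuing.key" -set_serial 2 -days 1 \
        -out "$WORK/user.pem" 2>/dev/null
    # A certificate from a CA that is NOT in cacerts, to show the rejection path.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=Unknown CA' \
        -keyout "$WORK/private/unknown.key" -out "$WORK/unknown.pem" 2>/dev/null
}

make_toy_pki
hash_link_dir "$CACERTS"
ls -l "$CACERTS"                                     # shows the <hash>.0 -> name links
verify_against_cacerts "$CACERTS" "$WORK/user.pem" && echo "user.pem: trusted chain"
verify_against_cacerts "$CACERTS" "$WORK/unknown.pem" || echo "unknown.pem: rejected (issuer not in cacerts)"
```

On a real machine, run hash_link_dir against /etc/pam_pkcs11/cacerts after exporting the CA certificates, and check the certificate actually on the token rather than a generated one: pkcs11-tool --module /usr/lib/libcvP11.so -O (from OpenSC) lists the objects on the SuisseID, and the exported user certificate can then be passed to verify_against_cacerts. If the check fails here, pam_pkcs11 will fail the login for the same reason.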

    Posted by Dave in Technology. Comments (2)

    2 Responses to “SuisseID as Linux login token”

    1. Palo says:

      Hello David!
      Nice use of the SuisseID token! May I ask you which certificate is used? I can't implement your solution because of this :s I did export every certificate from SwissSign (and QuoVadis just to test) and it's not ok :( Otherwise, did you do some C code to access the SuisseID token?
      Thank you very much!

    2. Dave says:

      Hi Palo

      Sorry for the late answer, may be you have already solved your problem.
      I've exported the following certs (using the Post SuisseID):


      david@david-ubuntu:/etc/pam_pkcs11/cacerts$ ls -al
      total 32
      drwxr-xr-x 2 root root 20480 2011-01-23 16:26 .
      drwxr-xr-x 4 root root 4096 2011-01-23 16:45 ..
      lrwxrwxrwx 1 root root 22 2011-01-23 16:26 46b2fd3b.0 -> SwissSignPlatinumCA-G2
      lrwxrwxrwx 1 root root 34 2011-01-23 16:26 a8784db6.0 -> SwissSignSuisseIDPlatinumCA2010-G2
      -rw-r--r-- 1 david david 2090 2011-01-23 16:23 SwissSignPlatinumCA-G2
      -rw-r--r-- 1 david david 2330 2011-01-23 16:23 SwissSignSuisseIDPlatinumCA2010-G2
      david@david-ubuntu:/etc/pam_pkcs11/cacerts$

      Unfortunately I can't use my SuisseID anymore because I've mistyped the password too many times...
