SuisseID as Linux login token

The Linux PAM authentication framework also supports PKCS#11-based logins, which makes it easy for us to use our SuisseID for that.

Basically, you can follow the PAM Authentication entry in this HOWTO. To use it with your SuisseID, you must keep an eye on the following points:

/etc/pam_pkcs11/pam_pkcs11.conf configuration

Create a new module configuration:

# SuisseID pkcs11 module (every setting ends with a semicolon)
pkcs11_module suisseid {
module = /usr/lib/libcvP11.so;
description = "SuisseID pkcs#11 module";
slot_num = 0;
token_type = "Suisse ID";
support_threads = false;
ca_dir = /etc/pam_pkcs11/cacerts;
crl_dir = /etc/pam_pkcs11/crls;
# ca: the login certificate must chain to a CA certificate found in ca_dir
cert_policy = ca;
crl_policy = crl_auto;
}

and set this configuration as your PKCS#11 module:

# Filename of the PKCS #11 module. The default value is "default"
use_pkcs11_module = suisseid;

Store the certificates of your CA under /etc/pam_pkcs11/cacerts

The module needs to check whether your certificate was signed by a trusted source. In web browsers these CA certificates are usually preinstalled; for the PAM module we have to install them ourselves.
The easiest way is to check who signed your certificate and then export those certificates from Firefox into the folder /etc/pam_pkcs11/cacerts.
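As an added example (not code from the post or from pam_pkcs11), a POSIX shell helper for that cacerts folder: it creates the <hash>.N links OpenSSL needs to find a CA file in the directory (the same kind of links that appear in the directory listing in the second reply), checks a login certificate against the folder before the module is switched on, and builds a constructed throwaway PKI to try it with; every path, file name and certificate in it is an assumption.

```shell
# Added example, not part of the original post: helpers for the cacerts
# directory that pam_pkcs11 reads when cert_policy = ca. All paths, file
# names and the demo PKI below are assumptions made for this example.

# pam_pkcs11 loads ca_dir as an OpenSSL hash directory, so every CA file
# must be reachable through a <subject_hash>.N link; a bare PEM file dropped
# into the folder is ignored and the login fails with an untrusted chain.
rehash_cacerts() {                                    # $1 = ca_dir
    dir="$1"
    for pem in "$dir"/*; do
        [ -f "$pem" ] || continue
        case "$pem" in *.[0-9]) continue ;; esac      # already a hash link
        hash=$(openssl x509 -in "$pem" -noout -hash 2>/dev/null) || continue
        n=0
        while [ -e "$dir/$hash.$n" ]; do
            # a link for this file exists already: nothing to do (idempotent)
            [ "$(readlink "$dir/$hash.$n")" = "$(basename "$pem")" ] && continue 2
            n=$((n + 1))                              # hash collision: use .1, .2, ...
        done
        ln -s "$(basename "$pem")" "$dir/$hash.$n"
    done
}

# Verify a user certificate against the directory the same way the module
# will, before pam_pkcs11 is enabled: a failure here means a denied login.
verify_login_cert() {                                 # $1 = ca_dir, $2 = cert PEM
    openssl verify -CApath "$1" "$2" >/dev/null 2>&1
}

# Constructed throwaway PKI for trying the helpers offline (not real
# SwissSign/SuisseID certificates): a trusted CA copied into cacerts/, one
# user certificate issued by it and one issued by a CA that is not trusted.
issue_user_cert() {                                   # $1 = dir, $2 = CA stem, $3 = user stem
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$1/$3.csr" -CA "$1/$2.pem" \
        -CAkey "$1/$2.key" -CAcreateserial -out "$1/$3.pem" 2>/dev/null
}
make_demo_pki() {                                     # $1 = dir that contains cacerts/
    for ca in DemoCA OtherCA; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null
    done
    cp "$1/DemoCA.pem" "$1/cacerts/DemoCA"            # only DemoCA is trusted
    issue_user_cert "$1" DemoCA user
    issue_user_cert "$1" OtherCA other
}
```

Running verify_login_cert against the real /etc/pam_pkcs11/cacerts with the certificate exported from the token is a cheap way to find a missing CA file or link before relying on the token for login.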

2 Replies to “SuisseID as Linux login token”

  1. Hello David!
    Nice use of the SuisseID token! May I ask you which certificate is used? I can't implement your solution because of this :s I did export every certificate from SwissSign (and QuoVadis just to test) and it's not ok 🙁 Otherwise, did you do some C code to access the SuisseID token?
    Thank you very much!

  2. Hi Palo

    Sorry for the late answer, maybe you have already solved your problem.
    I've exported the following certs (using the Post SuisseID):

    david@david-ubuntu:/etc/pam_pkcs11/cacerts$ ls -al
    insgesamt 32
    drwxr-xr-x 2 root root 20480 2011-01-23 16:26 .
    drwxr-xr-x 4 root root 4096 2011-01-23 16:45 ..
    lrwxrwxrwx 1 root root 22 2011-01-23 16:26 46b2fd3b.0 -> SwissSignPlatinumCA-G2
    lrwxrwxrwx 1 root root 34 2011-01-23 16:26 a8784db6.0 -> SwissSignSuisseIDPlatinumCA2010-G2
    -rw-r--r-- 1 david david 2090 2011-01-23 16:23 SwissSignPlatinumCA-G2
    -rw-r--r-- 1 david david 2330 2011-01-23 16:23 SwissSignSuisseIDPlatinumCA2010-G2
    david@david-ubuntu:/etc/pam_pkcs11/cacerts$

    Unfortunately I can't use my SuisseID anymore because I've mistyped the password too many times…
