running eToken with libetpkcs11
You can use the pkcs11-module libetpkcs11.so that comes with the Aladdin middleware with several different applications.
Mozilla, Firefox, Thunderbird
can all import the pkcs11-lib as a crypto device.
PAM
can use the pkcs11-lib, so all applications that do their authentication via PAM can use the eToken. The PAM module now comes in a new release with new mappers: openssh, openssl, ldap, generic.
-> http://www.opensc-project.org/pam_pkcs11/
VPN
Not many VPNs are known to work. Although Cisco and Checkpoint are solution partners of Aladdin and support the eToken in their Windows VPN clients, there is no such support in their Linux VPN clients.
There are two VPNs at the moment:
StrongSwan
has a pkcs11 interface. StrongSwan was tested successfully with the Aladdin eToken. We will release a HOWTO shortly. Whoever has already written a HOWTO is heartily welcome to share it! mailto:cornelius.koelbel_at_lsexperts.de
OpenVPN
OpenVPN has pkcs11 support starting with version 2.1beta. It works well with the Aladdin pkcs11-module libetpkcs11.so. Please read the detailed HOWTO at http://openvpn.net/howto.html#pkcs11.
More information in German can be found at http://openvpn-wiki.de.
command line
Using engine_pkcs11 (http://www.opensc.org/engine_pkcs11/wiki/QuickStart) from opensc version 0.10.0 makes it possible to load the Aladdin libetpkcs11.so as an external module. Thus everything from
- generating a key pair on the etoken
- generating a certificate request
- store the certificate to the etoken
can be done at the command line!
So, besides using the OpenCA for enrolling and managing your tokens, it is now possible to use the command line. If you just need some certificates with a private key on the token, for example for VPN access, you can now use pkcs11-tool nicely packed in a shell script.
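The three steps above, packed into a shell script, as an added example that is not part of the original page or of opensc itself. It assumes a current OpenSC pkcs11-tool (with --keypairgen and --write-object), engine_pkcs11 from libp11 installed in OpenSSL's engines directory and accepting PKCS#11 URIs, and the hypothetical module path, label and subject set at the top.

```shell
# Added example (not from the original page): enrol a key pair and certificate on an
# eToken from the command line with OpenSC's pkcs11-tool plus the OpenSSL pkcs11
# engine (engine_pkcs11/libp11) bound to the Aladdin module. Assumes a current
# OpenSC (--keypairgen/--write-object), engine_pkcs11 in OpenSSL's engines dir,
# and the hypothetical paths and labels below. The user PIN is never put on the
# command line: pkcs11-tool and the engine prompt for it, so it stays out of
# shell history and `ps` output.
MODULE=${MODULE:-/usr/local/lib/libetpkcs11.so}  # Aladdin PKCS#11 module
LABEL=${LABEL:-vpn-key}                           # object label on the token
KEY_ID=${KEY_ID:-01}                              # CKA_ID shared by key and cert
SUBJECT=${SUBJECT:-/CN=vpn-user}                  # CSR subject (constructed)
DRY_RUN=${DRY_RUN:-0}                             # 1 = print commands, do not run

# Print the command instead of executing it when DRY_RUN=1.
run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Minimal OpenSSL config that points the pkcs11 engine at the Aladdin module.
write_openssl_cnf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init
[openssl_init]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
MODULE_PATH = $MODULE
init = 0
EOF
}
# Step 1: generate the RSA key pair on the token; the private key never leaves it.
gen_keypair() {
    run pkcs11-tool --module "$MODULE" --login --keypairgen --key-type rsa:2048 \
        --id "$KEY_ID" --label "$LABEL"
}
# Step 2: build a certificate request signed with the on-token private key.
make_csr() {
    run openssl req -new -engine pkcs11 -keyform engine \
        -key "pkcs11:object=$LABEL;type=private" -subj "$SUBJECT" -out "$1"
}
# Step 3: once the CA has signed the request, store the certificate (DER) on the
# token under the same id and label so applications can pair it with the key.
store_cert() {
    run openssl x509 -in "$1" -outform DER -out "$1.der"
    run pkcs11-tool --module "$MODULE" --login --write-object "$1.der" --type cert \
        --id "$KEY_ID" --label "$LABEL"
}
```

Source the script, run `write_openssl_cnf ./pkcs11-engine.cnf` and export `OPENSSL_CONF=./pkcs11-engine.cnf`, then call `gen_keypair`, `make_csr ./req.pem`, have your CA sign the request and finish with `store_cert signed-cert.pem`; `DRY_RUN=1` prints every command first so you can review it before touching the token.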
openssh
There is a pkcs11 patch for openssh 4.1p1 provided by Alon Bar-Lev.
Unfortunately there is no timeline, when this pkcs11 patch will be merged into the openssh tree.
Alon would like to get as much feedback as possible about his patch, so he asks to be contacted for it and will gladly hand it to you.
When you have patched the openssh source, you can login this way:
eval './ssh-agent xterm -s'
./ssh-add --pkcs11-ask-pin /home/koelbel/openssh-kde-dialogs.sh
./ssh-add --pkcs11-add-provider --pkcs11-provider /usr/local/lib/libetpkcs11.so
./ssh-add --pkcs11-add-id --pkcs11-slot-type id --pkcs11-slot 0 --pkcs11-id-type label --pkcs11-id NEU
rdesktop
rdesktop now provides smartcard support that works fine with the eToken. Please take a look at HowTos/eToken_and_rdesktop.
Harddisk encryption
We published an article about encrypting partitions of your harddisk using dm_crypt and the eToken in the German magazine Linux Professionell 01/07.
On this site and on the website of LSE you can find a package to authenticate with an eToken to boot your LUKS encrypted root partition: HowTos/eToken_and_LUKS.
running eToken with opensc / pkcs15
All of the above are likely to run with opensc as well, since opensc also brings its own pkcs11-lib.
openssh
OpenSSH has had smartcard support since version 3.9, I guess. This smartcard support is in fact linked directly against the opensc libs. OpenSSH can store the private key on the eToken, but unfortunately it cannot generate the key on the eToken!
