running eToken with libetpkcs11
You can use the pkcs11-module libetpkcs11.so that comes with the Aladdin middleware with several different applications.
Mozilla, Firefox, Thunderbird
can all import the pkcs11-lib as a crypto device.
PAM
can use the pkcs11-lib. So all applications that do their authentication via PAM can use the eToken. The PAM module now comes in a new release with new mappers: openssh, openssl, ldap, generic.
-> http://www.opensc-project.org/pam_pkcs11/
VPN
Not many VPNs with eToken support are known. Although Cisco and Checkpoint are solution partners of Aladdin and support the eToken in their Windows VPN clients, there is no support in their Linux VPN clients.
There are two VPNs at the moment:
StrongSwan
has a pkcs11 interface. Strongswan was tested successfully with the Aladdin eToken.
Christoph Lukas provided a howto for this: http://wiki.strongswan.org/wiki/strongswan/EToken.
OpenVPN
OpenVPN has pkcs11 support starting with version 2.1beta. It works well with the Aladdin pkcs11 module libetpkcs11.so. Please read this detailed howto: http://openvpn.net/howto.html#pkcs11.
More information in German can be found on http://openvpn-wiki.de.
command line
pkcs11-tool
Using engine_pkcs11 and pkcs11-tool from OpenSC version 0.10.0 now makes it possible to use the Aladdin libetpkcs11.so as an external module. Thus everything from
- generating a key pair on the eToken
- generating a certificate request
- storing the certificate on the eToken
can be done at the command line!
So, besides using OpenCA for enrolling and managing your tokens, it is now possible to use the command line. If you just need some certificates with a private key on the token, maybe for VPN access, you can now use pkcs11-tool nicely packed in a shell script.
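The three steps above, packed into a shell script as an added example (this is not a script from the wiki or from OpenSC). It assumes libetpkcs11.so at /usr/local/lib/libetpkcs11.so, that engine_pkcs11 is registered in openssl.cnf with MODULE_PATH pointing at that library, and the old engine key reference syntax "slot_0-id_<id>" (newer engine_pkcs11 releases take a PKCS#11 URI instead). The PIN is entered at the pkcs11-tool prompt, so it never appears in argv or in the process list.

```shell
#!/bin/sh
# Added example: enrol an RSA key pair and its certificate on an eToken with
# pkcs11-tool and engine_pkcs11. Paths and the key reference syntax are assumptions.

MODULE="${MODULE:-/usr/local/lib/libetpkcs11.so}"   # assumed install path of the Aladdin module
DRY_RUN="${DRY_RUN:-0}"                               # DRY_RUN=1 prints each command instead of running it

# run: execute a command, or print it when DRY_RUN=1 so the sequence can be reviewed offline
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Step 1: generate the key pair on the token. --login makes pkcs11-tool prompt for the
# user PIN; the private key is created on the eToken and never leaves it.
gen_keypair() {   # gen_keypair <id> <label>
    run pkcs11-tool --module "$MODULE" --login --keypairgen --key-type rsa:2048 \
        --id "$1" --label "$2"
}

# Step 2: build the certificate request with openssl, signing it through engine_pkcs11
# with the on-token key. "slot_0-id_<id>" is the assumed engine_pkcs11 key reference.
make_csr() {      # make_csr <id> <subject> <csr-file>
    run openssl req -new -engine pkcs11 -keyform engine \
        -key "slot_0-id_$1" -subj "$2" -out "$3"
}

# Step 3: once the CA (OpenCA, CACert, ...) has returned the signed certificate, convert it
# to DER and store it on the token under the same id and label as the key, so PKCS#11
# clients (OpenVPN, strongSwan, PAM) can pair certificate and private key.
store_cert() {    # store_cert <id> <label> <cert.pem>
    der="${3%.pem}.der"
    run openssl x509 -in "$3" -outform DER -out "$der"
    run pkcs11-tool --module "$MODULE" --login --write-object "$der" --type cert \
        --id "$1" --label "$2"
}

# Step 4: show what is now on the token; with --login private objects are listed as well.
list_objects() {
    run pkcs11-tool --module "$MODULE" --login --list-objects
}

# enroll: key pair and CSR; if a signed certificate is already given, store and verify it too
enroll() {        # enroll <id> <label> <subject> [cert.pem]
    gen_keypair "$1" "$2" || return 1
    make_csr "$1" "$3" "$2.csr" || return 1
    if [ -n "${4:-}" ]; then
        store_cert "$1" "$2" "$4" || return 1
        list_objects
    fi
}

# Only run when invoked as a script (assumed file name), not when sourced for checks.
if [ "${0##*/}" = "enroll-etoken.sh" ]; then
    enroll "${1:-01}" "${2:-vpn-client}" "${3:-/CN=vpn-client}" "${4:-}"
fi
```

Typical use: `./enroll-etoken.sh 01 vpn-client "/CN=vpn-client"` to create the key and vpn-client.csr, hand the CSR to the CA, then rerun with the returned vpn-client.pem as the fourth argument to store the certificate. Running with `DRY_RUN=1` first shows exactly which commands will touch the token.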
pkcs11-data / pkcs11-dump
pkcs11-data lets you write and read data objects on the smartcard. These may be public or private objects. The HowTos/eToken_and_LUKS uses this tool to boot an encrypted LUKS root partition.
pkcs11-dump dumps the contents of your smartcards. Very helpful if you are curious. These tools are written by Alon Bar-Lev and can be found here: http://alon.barlev.googlepages.com/pkcs11-utilities
openssh
There is a pkcs11 patch for openssh 4.1p1 provided by Alon Bar-Lev.
Unfortunately there is no timeline for when this pkcs11 patch will be merged into the OpenSSH tree.
Alon would like to get as much feedback about his patch as possible, so he asks to be contacted for it and will gladly hand it to you.
When you have patched the openssh source, you can login this way:
    eval './ssh-agent xterm -s'
    ./ssh-add --pkcs11-ask-pin /home/koelbel/openssh-kde-dialogs.sh
    ./ssh-add --pkcs11-add-provider --pkcs11-provider /usr/local/lib/libetpkcs11.so
    ./ssh-add --pkcs11-add-id --pkcs11-slot-type id --pkcs11-slot 0 --pkcs11-id-type label --pkcs11-id NEU
rdesktop
rdesktop now provides smartcard support that works fine with the eToken. Please take a look at the HowTos/eToken_and_rdesktop.
Harddisk encryption
We published an article about encrypting partitions of your hard disk using dm_crypt and the eToken in the German magazine Linux Professionell 01/07.
On this site and on the website of LSE you can find a package to authenticate with an eToken to boot your LUKS encrypted root partition: HowTos/eToken_and_LUKS.
Truecrypt
Starting with TrueCrypt 6.1, it comes with smartcard support, again by loading the pkcs11 library. TrueCrypt stores a secret key on the smartcard as a simple private object. This is the output of pkcs11-dump: Applications_for_eToken/Truecrypt.
CACert
Of course, this is not an application but a CA that issues certificates usable for all of the above purposes; nevertheless, the eToken works fine with http://www.cacert.org.
running eToken with opensc / pkcs15
All of the above are likely to run with OpenSC as well, since OpenSC also brings its own pkcs11-lib.
openssh
OpenSSH has had support for smartcards since version 3.9, I guess. But this smartcard support is in fact just linking against the OpenSC libs. OpenSSH can store the private key on the eToken, but unfortunately it cannot generate it on the eToken!
