
Smartcard integration with PAM

This has been tested on Ubuntu 14.04 LTS with a Feitian PKI (FTCOS/PK-01C) smartcard and a generic USB smartcard reader.


The general steps:

  • Erase and initialize card
  • Create public/private key pair on smartcard
  • Generate X.509 certificate with our email address as a subjectAltName value
  • Configure PAM to use the PKCS#11 module

The details:

  1. Install smartcard middleware and libraries

    sudo apt-get install pcscd opensc libengine-pkcs11-openssl libpam-pkcs11

  2. Erase smartcard

    pkcs15-init -E

  3. Initialize smartcard

    pkcs15-init --create-pkcs15 -p pkcs15+onepin --pin 1234 --puk 4321

  4. Create public/private key pair on smartcard

    pkcs15-init -G rsa/2048 -i 01 -a 01 -u sign --pin 1234

  5. Generate a self-signed certificate

    openssl req -config openssl_pkcs11.conf -new -x509 -days 90 -keyform engine -engine pkcs11 -key slot_1-id_01 -out ~/my_cert.pem

  6. Store the cert on your card

    pkcs15-init -X ~/my_cert.pem -i 01 -a 01 --format pem

  7. Configure the pkcs11 pam module

    sudo mkdir -p /etc/pam_pkcs11/{,cacerts,crls}

    zcat /usr/share/doc/libpam-pkcs11/examples/pam_pkcs11.conf.example.gz | sudo tee /etc/pam_pkcs11/pam_pkcs11.conf

    sudo cp ~/my_cert.pem /etc/pam_pkcs11/cacerts/

    cd /etc/pam_pkcs11/cacerts && sudo pkcs11_make_hash_link

    echo "me@website.example -> userid" | sudo tee /etc/pam_pkcs11/mail_mapping

    Edit the "module = /usr/lib/" line of /etc/pam_pkcs11/pam_pkcs11.conf so that it points to where the PKCS#11 module (the opensc library) is installed on your system

  8. Configure your PAM modules. For example, add an "auth sufficient" line for the pkcs11 PAM module to the top of /etc/pam.d/common-auth
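Added example (not part of this repository): a POSIX shell pre-flight check for the mail_mapping file written in step 7. pam_pkcs11 matches the certificate's subjectAltName e-mail against the left-hand side of each "email -> login" line, and with "auth sufficient" in front a match is enough to log in, so a malformed line or an address mapped to two different logins deserves the same scrutiny as a sudoers edit; the mapping contents and addresses below are constructed for the demo.

```shell
#!/bin/sh
# Pre-flight check for a pam_pkcs11 mail_mapping file (added example, not the
# project's own code). MAPFILE is a constructed stand-in for
# /etc/pam_pkcs11/mail_mapping; one "email -> login" per line.
MAPFILE=$(mktemp)
trap 'rm -f "$MAPFILE"' EXIT
cat > "$MAPFILE" <<'EOF'
# comment lines and blank lines are ignored

me@website.example -> userid
alice@website.example -> alice
alice@website.example -> root
broken line without an arrow
EOF

# Print the login for an e-mail (exact, case-sensitive match of the SAN address).
# Exit 0 on a unique match, 1 if the address is unmapped, 2 if it maps to
# more than one login (ambiguous: which account would PAM hand out?).
map_email_to_login() {
    awk -v want="$2" '
        /^[[:space:]]*#/ || NF == 0 { next }
        NF == 3 && $2 == "->" && $1 == want { seen[$3] = 1 }
        END {
            n = 0; for (l in seen) { n++; login = l }
            if (n == 1) { print login; exit 0 }
            exit (n == 0 ? 1 : 2)
        }' "$1"
}

# Report structural problems: lines that are not "email -> login" and e-mails
# that are mapped to several logins. Exit 0 when the file is clean, 1 otherwise.
check_mapping_file() {
    awk '
        /^[[:space:]]*#/ || NF == 0 { next }
        !(NF == 3 && $2 == "->") { printf "malformed line %d: %s\n", NR, $0; bad = 1; next }
        ($1 in login) && login[$1] != $3 {
            printf "ambiguous mapping for %s: %s and %s\n", $1, login[$1], $3; bad = 1
        }
        { login[$1] = $3 }
        END { exit (bad ? 1 : 0) }' "$1"
}

# Stand-alone run: the constructed file above is deliberately dirty.
check_mapping_file "$MAPFILE" || echo "fix the mapping file before enabling pam_pkcs11"
map_email_to_login "$MAPFILE" me@website.example   # prints: userid
```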