* Todd Denniston (Todd.Denniston@xxxxxxxxxxxxxxxxxx) wrote:
> Jeff Krebs wrote, On 12/04/2007 08:00 PM:
>> * Todd Denniston (Todd.Denniston@xxxxxxxxxxxxxxxxxx) wrote:
>>> From what I understood, the change to openssh listed in:
>>> rpm -q --changelog openssh |less
>>> as:
>>> "* Wed Jun 20 2007 Tomas Mraz <tmraz@xxxxxxxxxx> - 4.5p1-7
>>> - experimental NSS keys support
>>> - correctly setup context when empty level requested (#234951)
>>> "
>>> was supposed to allow the Common Access Card (CAC) to work with the
>>> shipped Fedora 8 ssh.
>>>
>>> As per NSS usual, everything is undocumented, i.e., `ssh-add --help` does
>>> not help at all, and `man ssh-add` points to `ssh-add -s reader`
>>> # ssh-add -s 0
>>> Enter passphrase for smartcard:
>>> SSH_AGENT_FAILURE
>>> Could not add card: 0
>>> # ssh-add -s 1
>>> Enter passphrase for smartcard:
>>> SSH_AGENT_FAILURE
>>> Could not add card: 1
>>>
>>> So does anyone know how to use the possible functionality, or are we
>>> reduced to reading the source?
>>>
>>
>> There is a link:
>>
>> http://www.nabble.com/ssh-and-CAC-t2483281.html
>
> Look at the next to the last email in that thread... yep that's me.
>
>>
>> with some information.
>>
>> You have the SmartCard setup working under Linux?
>
> Yes, well _had_ in FC[1457].
> https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8
>
> But Red Hat believes that known to be working (and documented) solutions are bad:
> https://bugzilla.redhat.com/show_bug.cgi?id=186469#c11
> so they tried to put their buggered up (my opinion) NSS solution in FC8 ssh
> instead.
> (I will comment more on this when I get done doing minimal testing on
> Alon's patches to
> http://www.openvpn.net
> http://gnupg-pkcs11.sourceforge.net/
> As we (DoD) need all of these to work, and apparently Alon has had them
> working for over a year now, considering the date on the mail you pointed
> to.
> At least the twists they did to pam_pkcs11 worked, even if they did not
> update the documentation to explain how to make it work. I was fortunately
> on another mailing list where someone had posted a quick how to get it to
> sort of work.)
>
>
> My real problem here is that I am trying to work with what the distribution
> has (RH's NSS), instead of dropping back and punting Alon and my patches
> into yet another version of the distro which would mean I have to support
> it each time a new fedora ssh patch is released.
>
>
>>
>> What reader are you using? I've tried the ActiveCard v2.0 USB to no
>> avail. Actually, this is known not to work, but I had to try anyway :)
>>
>
> SCM SCR331 firmware 5.18
> there is newer firmware that makes the SCR331 perform full length CCID
> transfers (needed for the PIV applet), and I intend to update the whole
> batch we have after I test a few.
>
> BTW IIRC the ActiveCard v2.0 USB can be updated with the SCR firmware to
> effectively make it act as an SCR, or so I have read, YMMV. I highly
> suggest researching the change before doing it though, and I think at ~$20
> a new SCRx31 or gemplus reader are easier to deal with. (So I suppose if
> you consider the ActiveCard reader a door stop anyway, you would not lose
> anything if you burn it out in the attempt to update the firmware).
>
>> I should have an Athena USB reader coming my way soon. Hopefully that
>> will allow use with FireFox.
> Assuming Athena USB reader is CCID Compliant
> http://pcsclite.alioth.debian.org/ccid.html#CCID_compliant
> then at least the CAC, through pcscd and CoolKey can be made to work with
> pam_pkcs11 and Mozilla products.
>
> Hope this helps you.
>
> --
> Todd Denniston
> Crane Division, Naval Surface Warfare Center (NSWC Crane)
> Harnessing the Power of Technology for the Warfighter
>
> --
> fedora-list mailing list
> fedora-list@xxxxxxxxxx
> To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list

Thank you for the helpful response.

I just need to hit DoD sites... As long as I can use the PKI certificates, I should be good to go. The Athena is CCID compliant, so there should be no issues. I also built an RPM of the Athena-provided driver, so either way I should be covered.

My ActiveCard Reader "brick" is a really old model, and it's only mine to use, not to modify.

You mentioned the SCM readers for ~$20... Where? That's a damn good price!

Jeff Krebs
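The `ssh-add -s 0` / `ssh-add -s 1` probing that Todd did by hand in the quoted message can be scripted so that a reader slot is tried in turn and the agent's answer is classified rather than eyeballed. The script below is an added example and is not code from the thread or from the openssh package; it assumes, as the quoted session does, that reader slots are numbered 0, 1, ... and that the result lines are OpenSSH's own "Card added: <id>" and "Could not add card: <id>" messages. The command to run is a parameter so the logic can be exercised with a stand-in instead of a live card; with the real `ssh-add -s`, each slot will prompt for the card PIN.

```shell
#!/bin/sh
# Added example (not from the thread): probe smartcard reader slots with
# `ssh-add -s` and classify what the agent reports back.
# Assumptions: reader slots are numbered from 0 as in the thread's session,
# and the result text is OpenSSH's "Card added: <id>" / "Could not add card: <id>".

# Classify the output of one `ssh-add -s <slot>` run.
#   returns 0  -> the agent accepted the card in that slot
#   returns 1  -> the agent refused (SSH_AGENT_FAILURE / "Could not add card")
#   returns 2  -> output not recognised (wrong tool, different build, etc.)
classify_ssh_add_output() {
    case "$1" in
        *"Could not add card"*|*SSH_AGENT_FAILURE*) return 1 ;;
        *"Card added"*)                             return 0 ;;
        *)                                          return 2 ;;
    esac
}

# Try slots 0..max-1 with the given command (default: the real `ssh-add -s`).
# Prints the first slot the agent accepts and returns 0; returns 1 when no slot
# works, so it can be used directly in a shell `if`.
probe_readers() {
    max="$1"
    cmd="${2:-ssh-add -s}"
    i=0
    while [ "$i" -lt "$max" ]; do
        # ssh-add exits non-zero on refusal; keep going to the next slot
        out=$($cmd "$i" 2>&1) || true
        if classify_ssh_add_output "$out"; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Run the live probe only when explicitly asked, so the file can be sourced
# (for example to reuse the functions) without prompting for a PIN.
if [ "${PROBE_READERS_RUN:-0}" = "1" ]; then
    probe_readers "${1:-2}"
fi
```

Run it as `PROBE_READERS_RUN=1 sh probe-readers.sh 2` to try slots 0 and 1 against the real agent; a non-zero exit with nothing printed is the situation in the quoted session, where every slot came back with SSH_AGENT_FAILURE.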