Thank you.

On Fri, Dec 29, 2017 at 12:59 AM, Matthias Apitz <[email protected]> wrote:

> > How to use the OpenPGP Card to unlock the KDE desktop
> Matthias Apitz <[email protected]>
> Thu Dec 28 20:07:19 CET 2017
>
> Based on: gpg (GnuPG) 2.1.19 and poldi VERSION 0.4.2.git
>
>
> I'm using the OpenPGP Card (among other things) to lock my KDE desktop
> when the card is withdrawn. This is easily done from the script
> ${GNUPGHOME}/scd-event which fires up the KDE proc
>
> ...
> nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
> ...
>
> to lock the desktop until the correct password is provided. 'kscreenlocker_greet'
> uses /usr/local/lib/kde4/libexec/kcheckpass to check the credentials
> with PAM using the rules file /usr/local/etc/pam.d/kde which has the pointer
> to the shared lib to use for this:
>
> $ grep auth /usr/local/etc/pam.d/kde
> auth required pam_unix.so no_warn try_first_pass
>
> What I want here is that the authentication is not done against the UNIX
> (FreeBSD) password database, but against the OpenPGP Card's key, i.e. it requires the
> correct PIN of the card to be entered as password in 'kscreenlocker_greet'.
>
> Here are the details of installation and configuration.
>
>
> Installation:
>
> $ git clone https://github.com/gpg/poldi.git
> $ cd poldi
> $ ./autogen.sh
> $ ./configure --enable-maintainer-mode
> $ gmake
> # gmake install
>
> There are some issues/bugs in poldi's sources on FreeBSD:
>
> 1) in subdir tests/
>
> $ diff pam-test.c.orig pam-test.c
> 23c23
> < #include <security/pam_misc.h>
> ---
> > #include <security/openpam.h>
> 38c38
> < misc_conv,
> ---
> > openpam_ttyconv,
>
> and remove '-lpam_misc' from Makefile
>
> 2) in src/assuan/ add funopen.c and funopen.o to the Makefile
>
> $ grep -n funopen src/assuan/Makefile
> 144: assuan-socket.$(OBJEXT) funopen.$(OBJEXT)
> 343: assuan-buffer.c funopen.c \
>
>
> 3) in conf/Makefile the calls to hard 'install' must be changed to:
>
> INSTALL = $(install_sh) -c (line 8)
> and called as $(INSTALL) (line 465 ff)
> after this, the 'gmake install-conf-skeleton' installs the files into
> /usr/local/etc/poldi/...
>
> 4) the pam_poldi.so is searched in /usr/local/lib and not in
> /usr/local/lib/security
> we make a sym link:
>
> # ln -s /usr/local/lib/security/pam_poldi.so /usr/local/lib/pam_poldi.so
>
> 5) the log file will be written as normal user, use chown or chmod 0666
>
> # touch /var/log/poldi
> # chown guru /var/log/poldi
>
>
> Configuration details:
>
> # vim /usr/local/etc/poldi/poldi.conf
>
> auth-method localdb
> log-file /var/log/poldi
> debug
> # Specify SCDaemon executable
> scdaemon-program /usr/local/libexec/scdaemon
>
> $ gpg --card-status | grep 'Application ID'
>
> Application ID ...: D27600012401020100050000532B0000
>
> # vim /usr/local/etc/poldi/localdb/users
>
> D27600012401020100050000532B0000 guru
>
> # touch /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
> # chown guru /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
>
> For tests we create our own file 'mykde' in /usr/local/etc/pam.d/:
>
> # cp /usr/local/etc/pam.d/kde /usr/local/etc/pam.d/mykde
> # grep auth /usr/local/etc/pam.d/mykde
> auth required pam_poldi.so
> (note: additional args to 'pam_poldi.so' give a PAM parse error)
>
>
> Now we insert the key in the local key database as user 'guru' with:
>
> $ gpg-connect-agent "/datafile /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000" "SCD READKEY --advanced OPENPGP.3" /bye
> OK
> $ ls -l /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
> -rw-r--r-- 1 guru wheel 1077 28 dic. 09:48 /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
> $ file /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
> /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000: ASCII text, with very long lines
>
> For some first tests we run:
>
> (re-insert the card first)
>
> $ tests/pam-test mykde -u guru
> Insert authentication card for user `guru'
> Trying authentication as user `guru'...
> Please unlock the card
>
> Number: 0005 0000532B
> Holder: Matthias Apitz (<< here it asks for the PIN of the Card)
> Authentication succeeded
> Authenticated as user `guru'
>
> # tail -f /var/log/poldi
> Poldi 2017-12-28 10:51:35 [10785] debug: using authentication method `localdb'
> Poldi 2017-12-28 10:51:35 [10785] debug: got scdaemon socket name from gpg-agent, connected to socket '/home/guru/.gnupg-ccid/S.scdaemon'
> Poldi 2017-12-28 10:51:35 [10785] debug: Waiting for card for user `guru'...
> Poldi 2017-12-28 10:51:35 [10785] debug: connected to card; serial number is: D27600012401020100050000532B0000
> Poldi 2017-12-28 10:51:35 [10785] debug: Trying authentication as user `guru'...
> Poldi 2017-12-28 10:51:48 [10785] debug: authentication succeeded
>
> In case of errors check also /var/log/messages
>
>
> Now the changes for "real world" KDE:
>
> # cp -p /usr/local/etc/pam.d/kde /usr/local/etc/pam.d/kde.orig
> # vim /usr/local/etc/pam.d/kde
>
> auth required pam_poldi.so
> (note: additional args to 'pam_poldi.so' give a PAM parse error)
>
> set the environment in ~/.xinitrc as
>
> $ cat ~/.xinitrc
> . ~/ccid.sh
> setxkbmap -option terminate:ctrl_alt_bksp
> xmodmap -e "keycode 174 = F21" # volume down
> xmodmap -e "keycode 176 = F22" # volume up
> xmodmap -e "keycode 140 = F23" # volume mute
> exec /usr/local/bin/startkde
>
> $ cat ~/ccid.sh
> # kill the ssh-agent
> #
> ssh-agent -k 2> /dev/null
> # set GNUPGHOME
> #
> GNUPGHOME=/home/guru/.gnupg-ccid
> export GNUPGHOME
> # set SSH_AUTH_SOCK
> #
> unset SSH_AGENT_PID
> unset SSH_AUTH_SOCK
> SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)";
> export SSH_AUTH_SOCK
>
> # start the gpg-agent
> #
> gpg-connect-agent /bye
>
>
> Restart KDE.
>
> Now withdrawing the card locks the screen by firing up the screen locker
> from ${GNUPGHOME}/scd-event.
>
> And I can unlock the screen only by inserting the OpenPGP card and
> entering the correct PIN.
>
>
> --
> Matthias Apitz, ✉ [email protected], ⌂ http://www.unixarea.de/ 📱 +49-176-38902045
> Public GnuPG key: http://www.unixarea.de/key.pub
>
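Review bot: the tests/pam-test.c diff (23c23 and 38c38) swaps the include <security/pam_misc.h> and the misc_conv conversation function for <security/openpam.h> and openpam_ttyconv unconditionally, and the accompanying Makefile edit drops -lpam_misc outright, so the test program now only builds on the OpenPAM side and no longer against the PAM that upstream poldi targets. Suggest wrapping both spots in a preprocessor test (for example #ifdef __FreeBSD__, or a configure check for the openpam.h header) and keeping -lpam_misc in the other branch, so that the same tests/pam-test.c builds against either PAM implementation.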
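As an added example (not part of Matthias Apitz's message and not code from poldi or GnuPG), the following POSIX shell script checks the pieces of the localdb setup described above for consistency before the real /usr/local/etc/pam.d/kde is switched over: the card serial from 'gpg --card-status' must be mapped to the expected user in localdb/users, the key file written by 'SCD READKEY' must exist, be non-empty and belong to that user, and the PAM file must contain exactly one auth line of the form 'auth required pam_poldi.so' with nothing after the module name (the message notes that additional args give a PAM parse error). It assumes the file layout the message shows; the 'make_example_tree' helper, the SAMPLE_CARD_STATUS text and the placeholder key contents are constructed here so the checks can be exercised offline without a card.

```shell
#!/bin/sh
# Added example (not from the message above, not part of poldi): consistency
# checks for the localdb setup before the real pam.d/kde rule is switched, so a
# typo in localdb/users, an empty key file or a bad PAM line does not lock the
# desktop for good. Paths are passed in; the layout assumed is the one the
# message shows: <etc>/localdb/users, <etc>/localdb/keys/<serial>, a pam.d file.

# Constructed sample of `gpg --card-status` output, reduced to the one line the
# check needs (the Application ID is the one shown in the message).
SAMPLE_CARD_STATUS='Application ID ...: D27600012401020100050000532B0000'

# Pull the card serial out of `gpg --card-status` output, passed in as $1 so the
# function also works on a saved copy with no card present.
card_app_id() {
    printf '%s\n' "$1" |
        sed -n 's/^Application ID[ .]*: *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Which user does localdb/users bind to a serial? File format as in the
# message: "<serial> <username>" per line.
localdb_user_for() {  # $1 = users file, $2 = serial
    awk -v s="$2" '$1 == s { print $2; exit }' "$1"
}

# The key file must exist, be non-empty (READKEY output) and belong to the user
# (the message chowns it to 'guru'). find -user accepts a name or a numeric uid.
key_file_ok() {  # $1 = keys dir, $2 = serial, $3 = user
    f="$1/$2"
    [ -s "$f" ] || return 1
    [ -n "$(find "$f" -user "$3" -print 2>/dev/null)" ]
}

# Exactly one auth line, "auth required pam_poldi.so", nothing after the module
# name: the message reports that extra args produce a PAM parse error.
pam_auth_rule_ok() {  # $1 = pam.d file
    n=$(grep -c '^auth' "$1" || true)
    [ "$n" -eq 1 ] || return 1
    grep -q '^auth[[:space:]][[:space:]]*required[[:space:]][[:space:]]*pam_poldi\.so[[:space:]]*$' "$1"
}

# Run every check; prints the first problem found and returns non-zero.
check_setup() {  # $1 = card-status text, $2 = poldi etc dir, $3 = pam.d file, $4 = user
    serial=$(card_app_id "$1")
    [ -n "$serial" ] || { echo "no Application ID in card status output"; return 1; }
    mapped=$(localdb_user_for "$2/localdb/users" "$serial")
    [ "$mapped" = "$4" ] || { echo "localdb/users maps $serial to '$mapped', expected '$4'"; return 1; }
    key_file_ok "$2/localdb/keys" "$serial" "$4" || { echo "key file for $serial missing, empty or not owned by $4"; return 1; }
    pam_auth_rule_ok "$3" || { echo "$3: auth line is not exactly 'auth required pam_poldi.so'"; return 1; }
    echo "poldi localdb setup for $4 (card $serial) looks consistent"
}

# Constructed throw-away copy of the layout from the message under $1, for
# exercising the checks offline: users file, a placeholder (not real) key file
# named after the serial, and a pam.d file with the single auth line.
make_example_tree() {  # $1 = base dir, $2 = user name
    mkdir -p "$1/localdb/keys" "$1/pam.d"
    printf '%s %s\n' D27600012401020100050000532B0000 "$2" > "$1/localdb/users"
    printf '(public-key PLACEHOLDER-not-a-real-key)\n' \
        > "$1/localdb/keys/D27600012401020100050000532B0000"
    printf 'auth\t\trequired\tpam_poldi.so\n' > "$1/pam.d/mykde"
}

# With three arguments (<poldi etc dir> <pam.d file> <user>) the live setup is
# checked against the inserted card; with none, the offline demo tree is used.
if [ $# -eq 3 ]; then
    check_setup "$(gpg --card-status 2>/dev/null)" "$1" "$2" "$3"
elif [ $# -eq 0 ]; then
    tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
    me=$(id -un 2>/dev/null || id -u)
    make_example_tree "$tmp" "$me"
    check_setup "$SAMPLE_CARD_STATUS" "$tmp" "$tmp/pam.d/mykde" "$me"
fi
```

On the real box the call would be 'sh poldi-check.sh /usr/local/etc/poldi /usr/local/etc/pam.d/mykde guru' with the card inserted; running it against the test file 'mykde' first, as the message does, keeps a working 'kde' rule in place until the checks pass.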
