Jeff Krebs wrote, On 12/04/2007 08:00 PM:
> - Todd Denniston (Todd.Denniston@ssa.crane.navy.mil) wrote:
> > From what I understood, the change to openssh listed in:
> >   rpm -q --changelog openssh | less
> > as:
> > "* Wed Jun 20 2007 Tomas Mraz tmraz@redhat.com - 4.5p1-7
> > - experimental NSS keys support
> > - correctly setup context when empty level requested (#234951)
> > "
> > was supposed to allow the Common Access Card (CAC) to work with the shipped Fedora 8 ssh.
> > As per NSS usual, everything is undocumented, i.e., `ssh-add --help` does not help at all, and `man ssh-add` points to `ssh-add -s reader`:
> >   # ssh-add -s 0
> >   Enter passphrase for smartcard:
> >   SSH_AGENT_FAILURE
> >   Could not add card: 0
> >   # ssh-add -s 1
> >   Enter passphrase for smartcard:
> >   SSH_AGENT_FAILURE
> >   Could not add card: 1
> > So does anyone know how to use the possible functionality, or are we reduced to reading the source?
> There is a link:
Look at the next to the last email in that thread... yep, that's me.
> with some information.
> You have the SmartCard setup working under Linux?
Yes, well _had_ in FC[1457]. https://bugzilla.redhat.com/show_bug.cgi?id=186469#c8
But Red Hat believes that known-to-be-working (and documented) solutions are bad: https://bugzilla.redhat.com/show_bug.cgi?id=186469#c11 so they tried to put their buggered up (my opinion) NSS solution in FC8 ssh instead. (I will comment more on this when I get done doing minimal testing on Alon's patches to http://www.openvpn.net and http://gnupg-pkcs11.sourceforge.net/, as we (DoD) need all of these to work, and apparently Alon has had them working for over a year now, considering the date on the mail you pointed to. At least the twists they did to pam_pkcs11 worked, even if they did not update the documentation to explain how to make it work. I was fortunately on another mailing list where someone had posted a quick how-to to get it to sort of work.)
My real problem here is that I am trying to work with what the distribution has (RH's NSS), instead of dropping back and punting Alon and my patches into yet another version of the distro which would mean I have to support it each time a new fedora ssh patch is released.
> What reader are you using? I've tried the ActiveCard v2.0 USB to no avail. Actually, this is known not to work, but I had to try anyway :)
SCM SCR331, firmware 5.18. There is newer firmware that makes the SCR331 perform full-length CCID transfers (needed for the PIV applet), and I intend to update the whole batch we have after I test a few.
BTW, IIRC the ActiveCard v2.0 USB can be updated with the SCM firmware to effectively make it act as an SCR, or so I have read, YMMV. I highly suggest researching the change before doing it though, and I think at ~$20 a new SCRx31 or Gemplus reader is easier to deal with. (So I suppose if you consider the ActiveCard reader a door stop anyway, you would not lose anything if you burn it out in the attempt to update the firmware.)
> I should have an Athena USB reader coming my way soon. Hopefully that will allow use with FireFox.
Assuming the Athena USB reader is CCID compliant (http://pcsclite.alioth.debian.org/ccid.html#CCID_compliant), then at least the CAC, through pcscd and CoolKey, can be made to work with pam_pkcs11 and Mozilla products.
Hope this helps you.