The Cryptoflex e-gate is a smart-card which I'm using in the USB key format as a security token both to lock/unlock my workstation and for ssh authentication.
Detailed documentation on the cards and on using them may be found at http://lair.fifthhorseman.net/~dkg/egate/.
The key may be used for local authentication by using the libpam-opensc PAM module.
So to allow xscreensaver to be unlocked by using the key's PIN as password, modify /etc/pam.d/xscreensaver:

    auth sufficient pam_opensc.so
    @include common-auth
and allow the key to authenticate your login:

    $ mkdir ~/.eid
    $ pkcs15-tool -c
    X.509 Certificate [Certificate]
            Flags    : 2
            Authority: no
            Path     : 3F0050154545
            ID       : 45
    $ pkcs15-tool -r 45 >> .eid/authorized_certificates
You can now unlock xscreensaver by entering the key's PIN into the password field.
Using udev, you can catch the hotplug events of the key being inserted and removed.
Create /etc/udev/egate.rules containing:

    # Schlumberger Cryptoflex e-gate
    BUS=="usb", SYSFS{product}=="*Cryptoflex e-gate*", \
        RUN+="/usr/local/sbin/hotplug-egate"
This causes /usr/local/sbin/hotplug-egate to be invoked whenever the key is inserted. I expected this also to work for removal, but it seems that SYSFS{product} is gone at that time (some suspicious kludgery in the script arranges for hotplug's usb.agent to call the script). Create a symlink to this rules file as /etc/udev/rules.d/z99_egate.rules (or anything numbered after z70_hotplugd.rules, due to the kludge noted above).
The script looks for any instances of xscreensaver or ssh-agent which are indirectly parented by xdm (you'll need to tweak this if you use gdm or whatever). When the key is removed, the script flushes stored keys/PINs from any agents found, and locks the screensaver. Replacing the key causes the screensaver to wake up and prompt for password.
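The post does not show hotplug-egate itself, so here is an added sketch of such a script (my own, not the author's): it finds xdm-descended xscreensaver/ssh-agent processes from the process table, flushes the session agent and locks the screen on removal, and wakes the screensaver on insertion. It assumes udev/hotplug sets ACTION to add or remove, that the session's SSH_AUTH_SOCK and DISPLAY can be read from xscreensaver's environment, and that xdm leaves the user's ~/.Xauthority usable.

```shell
#!/bin/sh
# Hypothetical /usr/local/sbin/hotplug-egate (added example, not the
# post's script). udev runs it on insertion with ACTION=add; the removal
# path is assumed to arrive with ACTION=remove via the hotplug kludge.

# Process table as "pid ppid comm" lines (a test can feed its own).
proc_table() { ps -eo pid=,ppid=,comm=; }

# From a table on stdin, print pids of processes named $2 that have a
# process named $1 somewhere in their ancestry.
descendants_named() {
    awk -v anc="$1" -v want="$2" '
        { pids[NR] = $1; ppid[$1] = $2; comm[$1] = $3 }
        END {
            for (i = 1; i <= NR; i++) {
                p = pids[i]
                if (comm[p] != want) continue
                for (q = ppid[p]; q in comm; q = ppid[q])
                    if (comm[q] == anc) { print p; break }
            }
        }'
}

# Value of variable $2 in the environment of pid $1.
env_of() { tr '\0' '\n' < "/proc/$1/environ" | sed -n "s/^$2=//p" | head -n 1; }

# Drop every identity (and the cached card PIN) from the session agent;
# xscreensaver inherited SSH_AUTH_SOCK, so borrow it from there.
flush_agents() {
    for p in $(proc_table | descendants_named xdm xscreensaver); do
        sock=$(env_of "$p" SSH_AUTH_SOCK)
        [ -n "$sock" ] || continue
        SSH_AUTH_SOCK=$sock ssh-add -D >/dev/null 2>&1 || true
    done
}

# Send -lock or -deactivate to each xdm-started xscreensaver, as its
# owner and on its display.
screensaver() {
    for p in $(proc_table | descendants_named xdm xscreensaver); do
        user=$(ps -o user= -p "$p"); disp=$(env_of "$p" DISPLAY)
        su -s /bin/sh -c "DISPLAY=$disp xscreensaver-command $1" "$user" \
            >/dev/null 2>&1 || true
    done
}
case "${ACTION:-}" in
    add)    screensaver -deactivate ;;
    remove) flush_agents; screensaver -lock ;;
esac
```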
Now it would be kind of neat if the authenticating PIN entered into the screensaver could also be stored in the agent...

This patch modifies the PAM module to do the equivalent of "ssh-add -s 0" on successful authentication. The changes use libssh.a from the openssh build; a patch to openssh which adds --with-opensc and creates a libssh-dev package is here.
Note: I found that the PAM module failed an internal assertion when opensc was built with gcc-4.0 (4.0.1-2). Building with gcc-3.4 worked.
Source and binary packages for: openssh and opensc.
July 15, 2005