Cryptoflex e-gate Security Tokens

The Cryptoflex e-gate is a smart-card which I'm using in the USB key format as a security token both to lock/unlock my workstation and for ssh authentication.

Detailed documentation on the cards and on using them may be found at http://lair.fifthhorseman.net/~dkg/egate/.

PAM Module

The key may be used for local authentication by using the libpam-opensc PAM module.

So to allow xscreensaver to be unlocked by using the key's PIN as password, modify /etc/pam.d/xscreensaver:

auth sufficient pam_opensc.so
@include common-auth

and allow the key to authenticate your login:

$ mkdir ~/.eid
$ pkcs15-tool -c
X.509 Certificate [Certificate]
        Flags    : 2
        Authority: no
        Path     : 3F0050154545
        ID       : 45
$ pkcs15-tool -r 45 >> ~/.eid/authorized_certificates

You can now unlock xscreensaver by entering the key's PIN into the password field.
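The enrolment above handles one certificate by hand. The following script, added here as an example and not part of the original page, generalises it: it parses the `pkcs15-tool -c` listing for every X.509 certificate object, reads each one into ~/.eid/authorized_certificates, and keeps that file owner-private, since pam_opensc will trust whatever is listed there. The listing format it parses is the one shown above; the EID_DIR variable, the function names and the sample listing are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not the page's own commands: enrol every X.509 certificate
# on the token into ~/.eid/authorized_certificates for pam_opensc. Assumes
# the `pkcs15-tool -c` listing format shown on the page (an "ID       : 45"
# line under each "X.509 Certificate" heading) and pkcs15-tool on PATH.
# EID_DIR and the function names are this example's own.

EID_DIR=${EID_DIR:-$HOME/.eid}
AUTH_FILE=$EID_DIR/authorized_certificates

# Constructed sample of a two-certificate `pkcs15-tool -c` listing, used when
# no token is present so the parser can be exercised offline.
SAMPLE_LISTING='X.509 Certificate [Certificate]
        Flags    : 2
        Authority: no
        Path     : 3F0050154545
        ID       : 45
X.509 Certificate [Secondary]
        Flags    : 2
        Authority: no
        Path     : 3F0050154546
        ID       : 46
PIN [User PIN]
        ID       : 01'

# Print the ID of every certificate object in a listing read on stdin,
# one per line; IDs of other object types (PINs, keys) are skipped.
cert_ids_from_listing() {
    awk '
        /^X\.509 Certificate/ { in_cert = 1; next }
        /^[^ \t]/             { in_cert = 0 }
        in_cert && $1 == "ID" { print $3 }
    '
}

# Number of PEM certificates already in file $1 (0 if it does not exist).
certs_in_file() {
    if [ -f "$1" ]; then
        grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
    else
        echo 0
    fi
}

# Read each certificate off the token and append it, keeping the directory
# and file private to the owner since pam_opensc trusts what is listed here.
enrol_token_certs() {
    umask 077
    mkdir -p "$EID_DIR" || return 1
    listing=$(pkcs15-tool -c) || { echo "cannot list token objects" >&2; return 1; }
    ids=$(printf '%s\n' "$listing" | cert_ids_from_listing)
    [ -n "$ids" ] || { echo "no certificates found on token" >&2; return 1; }
    for id in $ids; do
        pkcs15-tool -r "$id" >> "$AUTH_FILE" || { echo "cannot read certificate $id" >&2; return 1; }
    done
    chmod 700 "$EID_DIR" && chmod 600 "$AUTH_FILE"
    echo "$(certs_in_file "$AUTH_FILE") certificate(s) now in $AUTH_FILE"
}

# Run with the argument "enrol" and a token inserted to write the file;
# otherwise just show what the parser extracts from the sample listing.
if command -v pkcs15-tool >/dev/null 2>&1 && [ "${1:-}" = enrol ]; then
    enrol_token_certs
else
    echo "pkcs15-tool not run; certificate IDs parsed from the sample listing:"
    printf '%s\n' "$SAMPLE_LISTING" | cert_ids_from_listing
fi
```

Run it as `sh enrol-egate.sh enrol` with the token inserted; without the argument it only parses the embedded sample, which is a cheap way to confirm the parser matches the listing your opensc version prints before anything is written to the authorized_certificates file.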

Automatic Locking

Using udev, you can catch the hotplug events of the key being inserted and removed.

Create /etc/udev/egate.rules containing:

# Schlumberger Cryptoflex e-gate
BUS=="usb", SYSFS{product}=="*Cryptoflex e-gate*", \
	RUN+="/usr/local/sbin/hotplug-egate"

This causes /usr/local/sbin/hotplug-egate to be invoked whenever the key is inserted. I expected this also to work for removal but it seems that SYSFS{product} is gone at that time (some suspicious kludgery in the script arranges for hotplug's usb.agent to call the script).

Create a symlink to that rules file as /etc/udev/rules.d/z99_egate.rules (or anything numbered after z70_hotplugd.rules, because of the kludge noted above).

The script looks for any instances of xscreensaver or ssh-agent which are indirectly parented by xdm (you'll need to tweak this if you use gdm or whatever).

When the key is removed, the script flushes stored keys/PINs from any agents found, and locks the screensaver. Replacing the key causes the screensaver to wake up and prompt for password.
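The page does not reproduce hotplug-egate itself, so here is an example script in the same spirit, added here and not the page's own code. Its assumptions are its own: udev runs it with ACTION set to "add" or "remove", the X session is started by xdm (override with SESSION_PARENT), the locker is xscreensaver, and the xscreensaver process's environment carries DISPLAY, XAUTHORITY and SSH_AUTH_SOCK for the session's ssh-agent (the agent's own environment does not contain SSH_AUTH_SOCK, which is why the script reads it from the locker). The decision of what to run is kept as data so it can be checked without a token or an X display.

```shell
#!/bin/sh
# hotplug-egate-style script, added as an example; not the page's own script.
# Assumptions (this example's own): udev runs it with ACTION=add|remove, the
# X session is started by xdm (override with SESSION_PARENT), the locker is
# xscreensaver, and its environment carries DISPLAY, XAUTHORITY and
# SSH_AUTH_SOCK for the session's ssh-agent.

SESSION_PARENT=${SESSION_PARENT:-xdm}

# Value of variable $2 from a NUL-separated environ file $1
# (normally /proc/<pid>/environ); prints nothing if absent.
environ_value() {
    tr '\0' '\n' < "$1" | sed -n "s/^$2=//p" | head -n 1
}

# True if process $1 has an ancestor whose command name is $2.
has_ancestor_named() {
    pid=$1
    while [ "$pid" -gt 1 ] 2>/dev/null; do
        pid=$(awk '/^PPid:/ { print $2 }' "/proc/$pid/status" 2>/dev/null || true)
        [ -n "$pid" ] || return 1
        [ "$(cat "/proc/$pid/comm" 2>/dev/null)" = "$2" ] && return 0
    done
    return 1
}

# PIDs of every process named $1 that descends from $SESSION_PARENT.
session_pids() {
    for p in $(pgrep -x "$1"); do
        has_ancestor_named "$p" "$SESSION_PARENT" && echo "$p"
    done
}

# Commands for a udev ACTION, one per line. Removal flushes the agent and
# locks the screen; insertion wakes the locker so it prompts for the PIN.
# Any other ACTION (e.g. "change") is ignored with a non-zero status.
plan_for_action() {
    case $1 in
        remove) printf '%s\n' 'ssh-add -D' 'xscreensaver-command -lock' ;;
        add)    printf '%s\n' 'xscreensaver-command -deactivate' ;;
        *)      return 1 ;;
    esac
}

# Run command $2... as the owner of session process $1, with that process's
# DISPLAY, XAUTHORITY and SSH_AUTH_SOCK, so the locker and agent are reachable
# even though udev invokes this script as root outside the session.
run_in_session() {
    pid=$1; shift
    envf=/proc/$pid/environ
    user=$(stat -c %U "/proc/$pid")
    su -s /bin/sh "$user" -c "DISPLAY='$(environ_value "$envf" DISPLAY)' \
        XAUTHORITY='$(environ_value "$envf" XAUTHORITY)' \
        SSH_AUTH_SOCK='$(environ_value "$envf" SSH_AUTH_SOCK)' $*"
}

main() {
    plan=$(plan_for_action "$ACTION") || { echo "ignoring ACTION '$ACTION'" >&2; exit 0; }
    for p in $(session_pids xscreensaver); do
        printf '%s\n' "$plan" | while read -r cmd; do
            run_in_session "$p" "$cmd"
        done
    done
}

# udev sets ACTION; when sourced or run by hand without it, only define the
# functions so they can be tested.
if [ -n "${ACTION:-}" ]; then
    main
fi
```

Because udev runs the script as root with no display, everything that talks to the locker or the agent goes through `run_in_session`, which switches to the session owner and carries over the three variables it needs; if your session manager is gdm or something else, only SESSION_PARENT has to change.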

Populating ssh-agent

Now it would be kind of neat if the authenticating PIN entered into the screensaver could also be stored in the agent...

This patch modifies the PAM module to do the equivalent of "ssh-add -s 0" on successful authentication. The changes use libssh.a, from the openssh build; a patch to openssh which adds --with-opensc and creates a libssh-dev package is here.

Note: I found that the PAM module failed an internal assertion when opensc was built with gcc-4.0 (4.0.1-2). Building with gcc-3.4 worked.

Source and binary packages for: openssh and opensc.

July 15, 2005