# Driver for Aladdin's eToken

## georgkostner

Hello,

Can someone help me get my Aladdin eToken to work?

I'm looking for a driver for the Aladdin eToken.

thank you

georg

----------

## d33d0

Did you find something meanwhile?

You may want to look at http://www.opensc.org/.

I'm trying to use an etoken for login (pam + ssh) but I'm still not finished..

cu

----------

## georgkostner

I emerged the opensc package on Gentoo.

The package was able to discover the eToken. But my Aladdin eToken was created by Aladdin software on Windows. It seems that the Windows software creates a different format on the eToken than the opensc software expects. Unfortunately, for this reason I was not able to use the eToken with Firefox.

I wrote to the opensc newsgroup. They wrote back that the opensc software follows the PKCS#15 standard and Aladdin's Windows software doesn't follow this standard. As I understand it, to use the Aladdin eToken on Linux you must create a certified eToken with the opensc software, then it should work. I have not had time to try this out.

Georg

----------

## d33d0

Well, I got my Aladdin eToken PRO to work.   :Very Happy: 

First you have to erase and initialize your eToken (pkcs15-init -EC).

After that you have to create a user PIN (pkcs15-init -P -a 0).

Finally you may upload a certificate (as a .p12 file) from thawte to your eToken or generate one yourself.

See: http://www.opensc.org/talks/linux-kongress03/linux-kongress03.pdf

To use the eToken in Mozilla and for login etc., see the opensc manual: http://www.opensc.org/files/doc/opensc.html.

To lock the screen via xscreensaver after removing the eToken I use hotplug and the following script (/etc/hotplug/usb/opensc):

```
#!/bin/bash
# Run by hotplug (as root) when a matching USB device is plugged in.
# hotplug's usb agent exports DEVICE, PRODUCT and REMOVER in the environment;
# REMOVER is the path of a script hotplug executes when the device is removed.

# Write the removal script: lock the X screen as soon as the token is pulled.
echo -e '#!/bin/sh\n/usr/bin/xscreensaver-command -lock' > "$REMOVER"
chmod a+x "$REMOVER"

# Hand the token to openct so opensc can talk to it.
/usr/sbin/openct-control attach "$DEVICE" "usb:$PRODUCT"
```

Please note that this is not very nice, because you have to allow "root" to access your X session, and I did this via "xhost +localhost" at startup..

I am open to a better solution  :Wink: 

PS: My eToken works with Windows for logon as well! Just install eTLogonClient.msi on Windows and create a logon profile. The opensc profile will not be touched.

Hope this helps..

Falko

----------

## chiko

Strange problem with PAM (maybe it is PAM, IMHO).

I wrote about it here: http://www.opensc.org/pipermail/opensc-devel/2004-October/004747.html

(No PIN prompt after the login: prompt and username, and a 60-second timeout)

After examining

http://www.opensc.org/pipermail/opensc-devel/2003-August/002301.html, 

http://www.opensc.org/pipermail/opensc-devel/2003-August/002056.html and 

http://www.opensc.org/pipermail/opensc-devel/2003-August/002166.html

I think the trouble is the missing PIN prompt in PAM, but I can't find a solution :(

My /etc/pam.d/login looks like this:

```
auth       required     /usr/lib/security/pam_opensc.so use_first_pass 
```

In /etc/shadow all password hashes were changed to '!'.

And after the <censored> timeout: again booting from the LiveCD, mount /dev/hdaX /mnt/gentoo, cp /mnt/gentoo/etc/pam.d/login.ORIG /mnt/gentoo/etc/pam.d/login, /mnt/gentoo/etc/shadow.BACKUP /mnt/gentoo/etc/shadow ... Boooored :(

On the openct mailing list people say this trouble is Gentoo-specific; what can I do?

Help me please, thanks.

Good luck!

----------

## d33d0

Hi chiko.

I didn't change /etc/pam.d/login.

/etc/pam.d/system-auth is included by every PAM file in Gentoo (I think), so I changed it like this (changed only the 3rd line):

```
#%PAM-1.0
auth       sufficient   /lib/security/pam_opensc.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
```

Therefore opensc is used for every authentication via PAM (like login, xdm, screensaver etc.) but login via password is still possible (well, not in your case, because of the "!" in /etc/shadow).

Greetings from germany  :Wink: 
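The `sufficient` versus `required` distinction in the stack above is what decides whether the token is a second factor or merely an alternative to the password. The following Python script is an added example, not code from the thread or from OpenSC: it simulates how Linux-PAM walks an auth stack under the four control flags, runs d33d0's system-auth lines through it, and also runs a hypothetical stricter stack (an assumption, not something anyone in the thread posted) in which both the token and the password must succeed. Module outcomes are supplied by hand, since no real PAM modules run here.

```python
"""Simulate how Linux-PAM walks an auth stack (added example, not OpenSC code).

Control flags, as Linux-PAM evaluates them (simplified):
  required   - a failure is remembered, but later modules still run
  requisite  - a failure ends the stack immediately
  sufficient - a success ends the stack with success, unless an earlier
               required module already failed; a failure is ignored
  optional   - counts only as a success if nothing else decides
"""
from dataclasses import dataclass

SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# d33d0's /etc/pam.d/system-auth auth lines, copied from the thread.
FALLBACK_STACK = """\
#%PAM-1.0
auth       sufficient   /lib/security/pam_opensc.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
"""

# Assumed stricter variant (NOT from the thread): token AND password needed.
TWO_FACTOR_STACK = """\
auth       required     /lib/security/pam_opensc.so
auth       required     /lib/security/pam_env.so
auth       required     /lib/security/pam_unix.so likeauth
"""


@dataclass(frozen=True)
class Entry:
    control: str
    module: str  # basename, e.g. "pam_unix.so"


def parse_stack(text, facility="auth"):
    """Keep only lines of the requested facility; drop comments and arguments."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) < 3 or parts[0] != facility:
            continue
        entries.append(Entry(parts[1], parts[2].rsplit("/", 1)[-1]))
    return entries


def evaluate(stack, results):
    """Return (status, deciding_module).  A module missing from `results`
    counts as a failure, roughly what PAM does with a module it cannot run."""
    first_failure = None
    saw_success = False
    for entry in stack:
        result = results.get(entry.module, FAIL)
        if result == IGNORE:
            continue
        if result == SUCCESS:
            saw_success = True
        if entry.control == "required":
            if result == FAIL and first_failure is None:
                first_failure = entry.module
        elif entry.control == "requisite":
            if result == FAIL:
                return FAIL, entry.module
        elif entry.control == "sufficient":
            if result == SUCCESS and first_failure is None:
                return SUCCESS, entry.module
        elif entry.control != "optional":
            raise ValueError(f"unknown control flag {entry.control!r}")
    if first_failure is not None:
        return FAIL, first_failure
    return (SUCCESS, None) if saw_success else (FAIL, None)


def outcome(stack_text, token_ok, password_ok):
    """Walk a stack for one login attempt with the given factor outcomes."""
    results = {
        "pam_opensc.so": SUCCESS if token_ok else FAIL,
        "pam_unix.so": SUCCESS if password_ok else FAIL,
        "pam_env.so": SUCCESS,  # only sets environment, never fails auth
        "pam_deny.so": FAIL,    # always denies
    }
    return evaluate(parse_stack(stack_text), results)


if __name__ == "__main__":
    for name, stack in (("fallback", FALLBACK_STACK), ("two-factor", TWO_FACTOR_STACK)):
        for token_ok in (True, False):
            for password_ok in (True, False):
                status, who = outcome(stack, token_ok, password_ok)
                print(f"{name:10} token={token_ok!s:5} password={password_ok!s:5} -> {status} ({who})")
```

With the fallback stack, a failed token is simply ignored and pam_unix decides, so a password alone still logs in; with chiko's "!" in /etc/shadow the password branch is closed and the token is the only path, which is why a hang in pam_opensc locked him out. With both modules `required`, a missing token fails the login even when the password is right.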

----------

## chiko

Good day d33d0.

I followed your advice, restored the original /etc/pam.d/login and added the row auth sufficient /lib/security/pam_opensc.so to /etc/pam.d/system-auth. Now /etc/pam.d/system-auth is a full copy of yours. From /dev/pts/2 I do:

```
chiko@grayhat chiko $ su chiko
Using card reader Aladdin eToken PRO
Enter PIN1 [Chiko PIN]:
```

The PIN prompt! I was satisfied :) But after entering my PIN correctly /bin/bash doesn't start :( chiko sits and stupidly looks at the empty line.

From /dev/pts/3 (I'm using fluxbox and aterm) I do $ ps auxf:

```
<skipped>

root      1921  0.0  0.4  2156 1172 ?        S    08:56   0:00 login -- chiko     

chiko     2005  0.0  0.5  4580 1420 vc/1     S    08:56   0:00  \_ -bash

chiko     2013  0.0  0.4  4360 1088 vc/1     S    08:56   0:00      \_ /bin/sh /usr/X11R6/bin/startx

chiko     2024  0.0  0.2  2796  744 vc/1     S    08:56   0:00          \_ xinit /home/chiko/.xinitrc -- -deferglyphs 16

root      2025  1.7 13.2 53068 34004 ?       SL   08:56   1:55              \_ /etc/X11/X :0 -deferglyphs 16

chiko     2031  0.0  1.3  8364 3380 vc/1     S    08:56   0:02              \_ fluxbox

chiko     2048  0.0  0.4  4424 1164 ?        S    08:56   0:00                  \_ /bin/bash /usr/bin/firefox

chiko     2055  1.6 12.6 55160 32464 ?       S    08:56   1:47                  |   \_ /opt/firefox/firefox-bin

chiko     2064  0.0 12.6 55160 32464 ?       S    08:56   0:00                  |       \_ /opt/firefox/firefox-bin

chiko     2065  0.0 12.6 55160 32464 ?       S    08:56   0:00                  |           \_ /opt/firefox/firefox-bin

chiko     2069  0.0 12.6 55160 32464 ?       S    08:56   0:00                  |           \_ /opt/firefox/firefox-bin

chiko     2056  0.0  1.3  7228 3456 ?        S    08:56   0:00                  \_ aterm

chiko     2057  0.0  0.5  4596 1460 pts/0    S    08:56   0:00                  |   \_ -bash

root     31032  0.0  0.3  4336 1020 pts/0    S    10:01   0:00                  |       \_ su

root     31035  0.0  0.5  4592 1424 pts/0    S    10:01   0:00                  |           \_ bash

chiko     2502  0.2  7.8 95076 20196 ?       S    08:59   0:14                  \_ evolution

chiko     2752  0.0  7.8 95076 20196 ?       S    09:00   0:00                  |   \_ evolution

chiko     2753  0.0  7.8 95076 20196 ?       S    09:00   0:00                  |       \_ evolution

chiko     2777  0.0  7.8 95076 20196 ?       S    09:00   0:00                  |       \_ evolution

chiko     4950  0.0  7.8 95076 20196 ?       S    09:00   0:00                  |       \_ evolution

chiko     4951  0.0  7.8 95076 20196 ?       S    09:00   0:00                  |       \_ evolution

chiko     4952  0.0  7.8 95076 20196 ?       S    09:00   0:00                  |       \_ evolution

chiko     4953  0.0  7.8 95076 20196 ?       S    09:00   0:00                  |       \_ evolution

chiko    24980  0.0  7.8 95076 20196 ?       S    09:10   0:00                  |       \_ evolution

chiko    17659  0.0  0.6  5460 1672 ?        S    09:18   0:00                  \_ aterm -e /usr/bin/irssi

chiko    17660  0.0  1.8 10236 4732 pts/1    S    09:18   0:00                  |   \_ /usr/bin/irssi

chiko    31039  0.0  0.7  5692 1924 ?        S    10:03   0:00                  \_ aterm

chiko    31040  0.0  0.5  4600 1472 pts/2    S    10:03   0:00                  |   \_ -bash

root     31189  0.0  0.7  6124 1908 pts/2    S    10:48   0:00                  |       \_ su chiko

chiko    31176  0.0  0.6  5552 1772 ?        S    10:45   0:00                  \_ aterm

chiko    31177  0.0  0.5  4592 1432 pts/3    S    10:45   0:00                      \_ -bash

chiko    31190  0.0  0.3  2676  784 pts/3    R    10:48   0:00                          \_ ps auxf

<skipped>

```

Note: PIDs 31032 and 31035 were created before the /etc/pam.d/system-auth change (I don't want to reboot, booting from LiveCD... etc.). Very interesting: a freeze after PID 31189, /bin/bash doesn't start after su, the PIN was prompted.

If I enter a wrong PIN:

```
chiko@grayhat chiko $ su chiko
Using card reader Aladdin eToken PRO
Enter PIN1 [Chiko PIN]: 
sec.c:204:sc_pin_cmd: returning with: PIN code or key incorrect
sc_pkcs15_verify_pin: PIN code or key incorrect
```

and silence again :( Ctrl+C is my helper :)

Versions:

```
$ qpkg -I -v | grep pam
mail-filter/Mail-SpamAssassin-2.63 *
sys-apps/pam-login-3.14 *
sys-libs/pam-0.77 *
sys-libs/pam_mysql-0.5 *
sys-libs/pam_mount-0.9.9-r1 *
sys-libs/pam_usb-0.3.0 *

$ qpkg -I -v | grep open
<skipped>
dev-libs/opensc-0.9.2 *
dev-libs/openssl-0.9.7d-r1 *
dev-libs/openct-0.6.1 *
```

```
chiko@grayhat chiko $ ls -l ~/.eid
total 4
-rw-r--r--    1 chiko    users        1322 2004-10-19 10:19 authorized_certificates

chiko@grayhat chiko $ pkcs15-tool -c
X.509 Certificate [Certificate]
        Flags    : 2
        Authority: no
        Path     : 3F0050153049
        ID       : 45

chiko@grayhat chiko $ pkcs15-tool -k
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x22], decrypt, unwrap
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 16
        Native      : yes
        Path        : 3F005015
        Auth ID     : 01
        ID          : 45
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x20C], sign, signRecover, nonRepudiation
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 17
        Native      : yes
        Path        : 3F005015
        Auth ID     : 01
        ID          : 45

chiko@grayhat chiko $ pkcs15-tool --list-public-keys
Public RSA Key [Public Key]
        Com. Flags  : 2
        Usage       : [0x4], sign
        Access Flags: [0x0]
        ModLength   : 1024
        Key ref     : 0
        Native      : no
        Path        : 3F0050153048
        Auth ID     : 
        ID          : 45
```

Certs and keys are present.

Any ideas? Is everything working on your PC?

Thanks for the hint with /etc/pam.d/system-auth, you saved me time :)

Greetings from Russia ;)
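The Usage and Access Flags values that pkcs15-tool prints above are PKCS#15 bit masks. The script below is an added example, not part of the thread or of OpenSC: it decodes those masks with the bit assignments OpenSC uses, parses the two private-key entries chiko posted (embedded here as a sample copied from his listing), and runs the checks a practitioner would want before relying on the token for login, namely that every private key is marked sensitive and never extractable, and that a signing-capable key shares the certificate's ID. The 2048-bit minimum in the audit is a current-practice threshold I added, not something the thread states.

```python
"""Decode PKCS#15 key flags from pkcs15-tool output (added example, not OpenSC code)."""
import re
from dataclasses import dataclass

# Bit assignments OpenSC uses for PKCS#15 private-key usage and access flags.
KEY_USAGE = (
    (0x001, "encrypt"), (0x002, "decrypt"), (0x004, "sign"),
    (0x008, "signRecover"), (0x010, "wrap"), (0x020, "unwrap"),
    (0x040, "verify"), (0x080, "verifyRecover"), (0x100, "derive"),
    (0x200, "nonRepudiation"),
)
ACCESS_FLAGS = (
    (0x01, "sensitive"), (0x02, "extractable"), (0x04, "alwaysSensitive"),
    (0x08, "neverExtract"), (0x10, "local"),
)
USAGE_SIGN, ACCESS_SENSITIVE, ACCESS_EXTRACTABLE, ACCESS_NEVER_EXTRACT = 0x04, 0x01, 0x02, 0x08

# Sample copied from chiko's `pkcs15-tool -k` listing in the thread.
SAMPLE = """\
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x22], decrypt, unwrap
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 16
        Native      : yes
        Path        : 3F005015
        Auth ID     : 01
        ID          : 45
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x20C], sign, signRecover, nonRepudiation
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 17
        Native      : yes
        Path        : 3F005015
        Auth ID     : 01
        ID          : 45
"""


@dataclass
class PrivateKey:
    label: str
    usage: int = 0
    access: int = 0
    mod_length: int = 0
    key_ref: int = -1
    auth_id: str = ""
    id: str = ""


def decode_flags(mask, table):
    """Names of the bits set in `mask`, in table order."""
    return [name for bit, name in table if mask & bit]


_HEX = re.compile(r"\[0x([0-9A-Fa-f]+)\]")
_HEADER = re.compile(r"Private RSA Key \[(.*)\]")


def parse_private_keys(text):
    """Parse the 'Private RSA Key' blocks printed by `pkcs15-tool -k`."""
    keys = []
    for raw in text.splitlines():
        line = raw.strip()
        header = _HEADER.match(line)
        if header:
            keys.append(PrivateKey(label=header.group(1)))
            continue
        if not keys or ":" not in line:
            continue
        field, _, value = line.partition(":")
        field, value, key = field.strip(), value.strip(), keys[-1]
        if field == "Usage":
            key.usage = int(_HEX.search(value).group(1), 16)
        elif field == "Access Flags":
            key.access = int(_HEX.search(value).group(1), 16)
        elif field == "ModLength":
            key.mod_length = int(value)
        elif field == "Key ref":
            key.key_ref = int(value)
        elif field == "Auth ID":
            key.auth_id = value
        elif field == "ID":
            key.id = value
    return keys


def is_hardware_bound(access):
    """Sensitive, never extractable, and not flagged extractable."""
    return bool(access & ACCESS_SENSITIVE) and bool(access & ACCESS_NEVER_EXTRACT) \
        and not access & ACCESS_EXTRACTABLE


def signing_keys(keys, cert_id):
    """Private keys that share the certificate's ID and may sign (what a
    challenge-response login needs)."""
    return [k for k in keys if k.id == cert_id and k.usage & USAGE_SIGN]


def audit(keys, cert_id, min_bits=2048):
    """Findings a practitioner would want to see before trusting the token."""
    findings = []
    for k in keys:
        if not is_hardware_bound(k.access):
            names = ", ".join(decode_flags(k.access, ACCESS_FLAGS)) or "no flags"
            findings.append(f"key ref {k.key_ref}: not hardware-bound ({names})")
        if k.mod_length < min_bits:
            findings.append(f"key ref {k.key_ref}: RSA-{k.mod_length} is below {min_bits} bits")
    if not signing_keys(keys, cert_id):
        findings.append(f"no signing-capable private key has ID {cert_id}")
    return findings


if __name__ == "__main__":
    keys = parse_private_keys(SAMPLE)
    for k in keys:
        print(f"key ref {k.key_ref}: usage={decode_flags(k.usage, KEY_USAGE)} "
              f"access={decode_flags(k.access, ACCESS_FLAGS)}")
    for finding in audit(keys, "45"):
        print("WARN", finding)
```

On chiko's listing both keys decode as sensitive, alwaysSensitive, neverExtract and local, so the private material never leaves the token; the `--split-key` import produced one decrypt/unwrap key (ref 16) and one sign/signRecover/nonRepudiation key (ref 17), both with ID 45, and only the latter can answer a signature challenge. The only audit findings are the 1024-bit moduli, which were normal in 2004 and are below today's minimum.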

----------

## d33d0

Hmm... 

Well, it works on all my computers straight away.. Installing opensc, integrating into PAM and copying .eid into the user's home => works!

The only thing you might check is if /var/log/messages has an entry like

> su(pam_opensc)[19093]: Authentication successful for root at pts/1.

If not, pam_opensc didn't finish. This may be a certificate issue. I had problems with my self-created certificates and now I'm using a free thawte email certificate  :Wink: 

Maybe opensc is trying to validate your certificate but with no success (looong timeout?). Just guessing... :-/

Hope this helps!

----------

## chiko

Very strange... With a self-created certificate there is not a word in /var/log/*!!!

```
# grep -ir pam_opensc /var/log
```

returns nothing!

chiko runs to www.thawte.com...

> I had problems with my self-created certificates

What problems? Can you tell me about them?

----------

## d33d0

No, sorry. It didn't work, so I went to thawte.

That worked, so I never tried any other certification process.

----------

## chiko

Hi d33d0.

Well. The cert from thawte was received and works correctly with mozilla-firefox. The thawte certificate was also backed up into the ~/mycert.p12 file. I'm doing it again:

```
pkcs15-init -E
pkcs15-init --create-pkcs15 --profile pkcs15
pkcs15-init --auth-id 1 --store-pin --pin "mypin" --puk "mypuk" --label "Chiko PIN"
pkcs15-init -S ~/mycert.p12 --format pkcs12 -a 1 --split-key
rm -rf ~/.eid
mkdir ~/.eid
pkcs15-tool -r 45 -o ~/.eid/authorized_certificates
```

Next: adding a row to /etc/pam.d/system-auth. Listing of my PAM files:

```
# pwd
/etc/pam.d

# cat login
#%PAM-1.0
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so
```

```
# cat system-auth
#%PAM-1.0
auth       sufficient   /lib/security/pam_opensc.so 
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_unix.so likeauth nullok
auth       required     /lib/security/pam_deny.so
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_cracklib.so retry=3
password   sufficient   /lib/security/pam_unix.so nullok md5 shadow use_authtok
password   required     /lib/security/pam_deny.so
session    required     /lib/security/pam_limits.so
session    required     /lib/security/pam_unix.so
```

But after the PIN prompt and entering the PIN from the keyboard + pressing [ENTER] it freezes again, yesterday's scenario.

Next:

> Therefore opensc is used for every authentication via PAM (like login, xdm, screensaver etc.) but login via password is still possible (well, not in your case, because of the "!" in /etc/shadow)

This step gives an error. I removed my eToken from the USB port and tried $ su chiko:

```
chiko@grayhat chiko $ su chiko
Debug: connect() failed: Connection refused
Debug: connect() failed: No such file or directory
Debug: connect() failed: No such file or directory
Debug: connect() failed: No such file or directory
Debug: connect() failed: No such file or directory
No smart card present
Password: 
```

Freeze again after entering the password! /etc/shadow contains all password hashes (no '!' in place of the hashes, backups rule :) ). What ps auxf tells me on another console:

```
<skipped>
chiko     2123  0.0  0.6  5552 1780 ?        S    11:22   0:00                  \_ aterm
chiko     2124  0.0  0.5  4584 1420 pts/0    S    11:22   0:00                  |   \_ -bash
root      2131  0.0  0.3  4336 1020 pts/0    S    11:22   0:00                  |       \_ su
root      2134  0.0  0.5  4588 1420 pts/0    S    11:22   0:00                  |           \_ bash
root      2211  0.0  0.3  2668  776 pts/0    R    11:49   0:00                  |               \_ ps auxf
chiko     2180  0.0  0.6  5460 1660 ?        S    11:47   0:00                  \_ aterm
chiko     2181  0.0  0.5  4592 1436 pts/1    S    11:47   0:00                      \_ -bash
root      2209  0.0  0.6  6108 1584 pts/1    S    11:48   0:00                          \_ su chiko
root      1923  0.0  0.2  1380  580 vc/2     S    11:18   0:00 /sbin/agetty 38400 tty2 linux
<skipped>
```

PID 2209... I don't understand where the problem is :( Ctrl+C ... In /var/log/* not a word about pam_opensc.

If I again remove or comment out the row in /etc/pam.d/system-auth that contains pam_opensc.so, then the classical login/su (w/o eToken) works nicely.

If the eToken with the thawte cert works correctly with my browser, then the problem is in the PAM settings, isn't it? How did I emerge opensc? USE='pam X -ldap' emerge /usr/portage/dev-libs/opensc/opensc-0.9.2.ebuild.

```
# cat /etc/ld.so.conf | grep sec

/lib/security
```

I think it's PAM. Can you show me your PAM configs? Or do I need to ask about PAM in another topic? People on the OpenSC-devel mailing list say it's a Gentoo-specific problem.

----------

## d33d0

Sorry for the late answer. I watch this topic, but I just started work  :Wink:  Local time is now 09:30.

My /etc/opensc.conf:

```
# Set debug level
debug   = 0;
#
# Enable hot plugging
hotplug = yes;
#
# Path to ifdhandler
ifdhandler = /usr/sbin/ifdhandler;
# Configure static, non-hotplug aware readers here
#
# For a list of drivers try command 'ifdhandler -i', please
# notice that not all drivers have serial device capability.
#reader towitoko {
#       driver = towitoko;
#       device = serial:/dev/ttyS0;
#};
#
# Hotplug IDs
driver  egate {
        ids = {
                usb:0973/0001,
        };
};
driver  etoken {
        ids = {
                usb:0529/050c,
                usb:0529/0514,
        };
};
driver  eutron {
        ids = {
                usb:073d/0005,
        };
};
driver  ikey2k {
        ids = {
                usb:04b9/1202,
        };
};
driver  ikey3k {
        ids = {
                usb:04b9/1300,
        };
};
#driver cardman {
#       ids = {
#               usb:076b/0596,
#       };
#};
```

The only thing changed in my PAM config was the added line...

How about the permissions of your USB device and the .eid dir + files?

I emerged opensc with ldap. Maybe some subfunction is used? I don't know... 

Re-emerge opensc & pam?
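d33d0's question about the permissions of ~/.eid is the right one to ask, because that directory is what ties a token certificate to a Unix account. The script below is an added example, not code from the thread or from pam_opensc: it compares a certificate read from the token (passed in as DER bytes; the blobs used here are constructed placeholders, not real certificates) against the PEM entries in ~/.eid/authorized_certificates by SHA-256 fingerprint, and flags ownership, write-permission and symlink problems on the directory and the file. Whether pam_opensc itself enforces such permission rules is not stated in the thread; these are the checks I would run before trusting the file.

```python
"""Check ~/.eid/authorized_certificates (added example; not pam_opensc's own logic)."""
import base64
import hashlib
import os
import re
import stat
import tempfile

_PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def pem_to_der(pem_text):
    """All CERTIFICATE blocks in a PEM file, as DER byte strings."""
    return [base64.b64decode("".join(body.split())) for body in _PEM_BLOCK.findall(pem_text)]


def der_to_pem(der):
    """Wrap DER bytes the way `pkcs15-tool -r ID -o FILE` writes them (PEM)."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def fingerprint(der):
    return hashlib.sha256(der).hexdigest()


def token_is_authorized(token_der, pem_text):
    """True if the token certificate matches an authorized entry byte for byte."""
    return fingerprint(token_der) in {fingerprint(d) for d in pem_to_der(pem_text)}


def permission_problems(st_mode, st_uid, expected_uid, what):
    """Owner/mode problems for one path; pure so it is easy to test."""
    problems = []
    if st_uid != expected_uid:
        problems.append(f"{what}: owned by uid {st_uid}, expected {expected_uid}")
    if st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{what}: writable by group or others (mode {stat.S_IMODE(st_mode):04o})")
    return problems


def check_eid(home, token_der, expected_uid):
    """Inspect $HOME/.eid the way a login module should; returns (authorized, problems)."""
    eid_dir = os.path.join(home, ".eid")
    auth_file = os.path.join(eid_dir, "authorized_certificates")
    problems = []
    for path, what in ((eid_dir, ".eid"), (auth_file, "authorized_certificates")):
        try:
            st = os.lstat(path)  # lstat: a symlink planted here must not be followed silently
        except FileNotFoundError:
            return False, problems + [f"{what}: missing"]
        if stat.S_ISLNK(st.st_mode):
            problems.append(f"{what}: is a symlink")
        problems += permission_problems(st.st_mode, st.st_uid, expected_uid, what)
    with open(auth_file) as fh:
        authorized = token_is_authorized(token_der, fh.read())
    return authorized, problems


# Constructed placeholder bytes standing in for DER certificates read from a token.
TOKEN_CERT = bytes(range(0x30, 0x70))
OTHER_CERT = bytes(range(0x70, 0xB0))

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        os.mkdir(os.path.join(home, ".eid"), 0o700)
        path = os.path.join(home, ".eid", "authorized_certificates")
        with open(path, "w") as fh:
            fh.write(der_to_pem(TOKEN_CERT))
        os.chmod(path, 0o644)
        print(check_eid(home, TOKEN_CERT, os.getuid()))  # matching cert, clean permissions
        print(check_eid(home, OTHER_CERT, os.getuid()))  # unknown cert
        os.chmod(path, 0o666)
        print(check_eid(home, TOKEN_CERT, os.getuid()))  # world-writable file is reported
```

The file chiko listed (mode 644, owned by chiko) passes the permission check; a group- or world-writable file or directory would let another local user add a certificate of their own and log in as that account, which is the same reason sshd is strict about authorized_keys.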

----------

