Using OpenPGP Card to unlock KDE desktop
Matthias Apitz
guru at unixarea.de
Fri Dec 29 05:59:29 UTC 2017
How to use the OpenPGP Card to unlock the KDE desktop
Matthias Apitz <guru at unixarea.de>
Thu Dec 28 20:07:19 CET 2017
Based on: gpg (GnuPG) 2.1.19 and poldi VERSION 0.4.2.git
I'm using the OpenPGP Card (among other things) to lock my KDE desktop
when the card is withdrawn. This is easily done from the script
${GNUPGHOME}/scd-event, which fires up the KDE process
...
nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
...
to lock the desktop until the correct password is provided. 'kscreenlocker_greet'
uses /usr/local/lib/kde4/libexec/kcheckpass to check the credentials
with PAM using the rules file /usr/local/etc/pam.d/kde which has the pointer
to the shared lib to use for this:
$ grep auth /usr/local/etc/pam.d/kde
auth required pam_unix.so no_warn try_first_pass
What I want here is that the authentication is not done against the UNIX
(FreeBSD) password database, but against the OpenPGP Card's key, i.e. it requires the
correct PIN of the card to be entered as the password in 'kscreenlocker_greet'.
Here are the details of installation and configuration.
Installation:
$ git clone https://github.com/gpg/poldi.git
$ cd poldi
$ ./autogen.sh
$ ./configure --enable-maintainer-mode
$ gmake
# gmake install
There are some issues/bugs in poldi's sources on FreeBSD:
1) in subdir tests/
$ diff pam-test.c.orig pam-test.c
23c23
< #include <security/pam_misc.h>
---
> #include <security/openpam.h>
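Review bot: replacing <security/pam_misc.h> by <security/openpam.h> unconditionally fixes the FreeBSD (OpenPAM) build by breaking the Linux-PAM one; guard the include on the PAM implementation instead, e.g. `#ifdef __FreeBSD__` / `#include <security/openpam.h>` / `#else` / `#include <security/pam_misc.h>` / `#endif`, or let configure detect which header is present and define a symbol for it.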
38c38
< misc_conv,
---
> openpam_ttyconv,
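Review bot: swapping misc_conv for openpam_ttyconv only links once `-lpam_misc` is dropped from the Makefile, which the text below describes in prose rather than as part of the diff; put that Makefile change into the same patch so the two cannot be applied separately, and guard the conversation function with the same platform check as the header so tests/pam-test.c still builds against Linux-PAM.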
and remove '-lpam_misc' from Makefile
2) in src/assuan/ add funopen.c and funopen.o to the Makefile
$ grep -n funopen src/assuan/Makefile
144: assuan-socket.$(OBJEXT) funopen.$(OBJEXT)
343: assuan-buffer.c funopen.c \
3) in conf/Makefile the hard-coded calls to 'install' must be changed to:
INSTALL = $(install_sh) -c (line 8)
and called as $(INSTALL) (line 465 ff)
after this, the 'gmake install-conf-skeleton' installs the files into
/usr/local/etc/poldi/...
4) pam_poldi.so is searched for in /usr/local/lib and not in /usr/local/lib/security,
so we make a symlink:
# ln -s /usr/local/lib/security/pam_poldi.so /usr/local/lib/pam_poldi.so
5) the log file is written as a normal user; use chown or chmod 0666:
# touch /var/log/poldi
# chown guru /var/log/poldi
Configuration details:
# vim /usr/local/etc/poldi/poldi.conf
auth-method localdb
log-file /var/log/poldi
debug
# Specify SCDaemon executable
scdaemon-program /usr/local/libexec/scdaemon
$ gpg --card-status | grep 'Application ID'
Application ID ...: D27600012401020100050000532B0000
# vim /usr/local/etc/poldi/localdb/users
D27600012401020100050000532B0000 guru
# touch /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
# chown guru /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
For tests we create our own file 'mykde' in /usr/local/etc/pam.d/:
# cp /usr/local/etc/pam.d/kde /usr/local/etc/pam.d/mykde
# grep auth /usr/local/etc/pam.d/mykde
auth required pam_poldi.so
(note: additional args to 'pam_poldi.so' give a PAM parse error)
Now we insert the key in the local key database as user 'guru' with:
$ gpg-connect-agent "/datafile /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000" "SCD READKEY --advanced OPENPGP.3" /bye
OK
$ ls -l /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
-rw-r--r-- 1 guru wheel 1077 28 Dec. 09:48 /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
$ file /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
/usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000: ASCII text, with very long lines
For some first tests we run:
(re-insert the card first)
$ tests/pam-test mykde -u guru
Insert authentication card for user `guru'
Trying authentication as user `guru'...
Please unlock the card
Number: 0005 0000532B
Holder: Matthias Apitz (<< here it asks for the PIN of the Card)
Authentication succeeded
Authenticated as user `guru'
# tail -f /var/log/poldi
Poldi 2017-12-28 10:51:35 [10785] debug: using authentication method `localdb'
Poldi 2017-12-28 10:51:35 [10785] debug: got scdaemon socket name from gpg-agent, connected to socket '/home/guru/.gnupg-ccid/S.scdaemon'
Poldi 2017-12-28 10:51:35 [10785] debug: Waiting for card for user `guru'...
Poldi 2017-12-28 10:51:35 [10785] debug: connected to card; serial number is: D27600012401020100050000532B0000
Poldi 2017-12-28 10:51:35 [10785] debug: Trying authentication as user `guru'...
Poldi 2017-12-28 10:51:48 [10785] debug: authentication succeeded
In case of errors, also check /var/log/messages.
Now the changes for "real world" KDE:
# cp -p /usr/local/etc/pam.d/kde /usr/local/etc/pam.d/kde.orig
# vim /usr/local/etc/pam.d/kde
auth required pam_poldi.so
(note: additional args to 'pam_poldi.so' give a PAM parse error)
Set the environment in ~/.xinitrc as:
$ cat ~/.xinitrc
. ~/ccid.sh
setxkbmap -option terminate:ctrl_alt_bksp
xmodmap -e "keycode 174 = F21" # volume down
xmodmap -e "keycode 176 = F22" # volume up
xmodmap -e "keycode 140 = F23" # volume mute
exec /usr/local/bin/startkde
$ cat ~/ccid.sh
# kill the ssh-agent
#
ssh-agent -k 2> /dev/null
# set GNUPGHOME
#
GNUPGHOME=/home/guru/.gnupg-ccid
export GNUPGHOME
# set SSH_AUTH_SOCK
#
unset SSH_AGENT_PID
unset SSH_AUTH_SOCK
SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)";
export SSH_AUTH_SOCK
# start the gpg-agent
#
gpg-connect-agent /bye
Restart KDE.
Now withdrawing the card locks the screen: ${GNUPGHOME}/scd-event fires up
the screen locker.
And I can unlock the screen only by inserting the OpenPGP card and
entering the correct PIN.
--
Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/ 📱 +49-176-38902045
Public GnuPG key: http://www.unixarea.de/key.pub
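As an added example (not part of the original post and not poldi's own tooling), the enrolment steps from the post, i.e. reading the Application ID from 'gpg --card-status', writing the localdb/users line and importing the card's authentication key with 'SCD READKEY --advanced OPENPGP.3', collected into one sh script with the checks a practitioner would want: the Application ID is validated as an OpenPGP card AID before it is used as a file name, a card is not added twice, and the key file is checked to actually contain a public key rather than only being "ASCII text". The paths are the ones from the post (POLDI_DIR is an assumed override, not a poldi setting); the sample 'gpg --card-status' output inside is constructed.

```sh
#!/bin/sh
# Enrol the inserted OpenPGP card in poldi's localdb.
# Added example: not poldi's tooling and not the post author's commands.
# Paths follow the post; POLDI_DIR is an assumed override variable.

POLDI_DIR="${POLDI_DIR:-/usr/local/etc/poldi}"

# Constructed sample of `gpg --card-status` output (only the lines that
# matter here), used by --demo and by the tests.
SAMPLE_CARD_STATUS='Reader ...........: constructed reader
Application ID ...: D27600012401020100050000532B0000
Version ..........: 2.1'

# card_app_id: extract the Application ID from `gpg --card-status` output
# read on stdin and check that it looks like an OpenPGP card AID: 32 hex
# digits starting with the OpenPGP application prefix D27600012401.
# Anything else (another card application, no card) is rejected, so the
# value is safe to use as a file name under localdb/keys/.
card_app_id() {
    aid=$(sed -n 's/^Application ID[ .]*: *\([0-9A-Fa-f]*\).*/\1/p' | head -n 1)
    case "$aid" in
        D27600012401????????????????????) printf '%s\n' "$aid" ;;
        *) echo "card_app_id: no OpenPGP Application ID found" >&2; return 1 ;;
    esac
}

# localdb_users_line: the line poldi expects in localdb/users: "<AID> <user>".
localdb_users_line() {
    printf '%s %s\n' "$1" "$2"
}

# enrol_card <user>: add the users entry and import the card's
# authentication key (OPENPGP.3) into localdb/keys/<AID>.  Run it as the
# card's user with the card inserted; POLDI_DIR must be writable.
enrol_card() {
    user="$1"
    aid=$(gpg --card-status | card_app_id) || return 1
    users="$POLDI_DIR/localdb/users"
    keyfile="$POLDI_DIR/localdb/keys/$aid"
    mkdir -p "$POLDI_DIR/localdb/keys"
    # do not add the same card twice
    grep -q "^$aid " "$users" 2>/dev/null || localdb_users_line "$aid" "$user" >>"$users"
    gpg-connect-agent "/datafile $keyfile" "SCD READKEY --advanced OPENPGP.3" /bye >/dev/null || return 1
    # `file` only tells you it is text; check that an advanced-format
    # S-expression public key really landed in the file
    grep -q '(public-key' "$keyfile" || { echo "enrol_card: $keyfile has no public key" >&2; return 1; }
    chmod 0644 "$keyfile"
    echo "enrolled $aid for $user"
}

case "${1:-}" in
    --demo) printf '%s\n' "$SAMPLE_CARD_STATUS" | card_app_id ;;   # parse the constructed sample
    '')     ;;                                                     # no args: define functions only
    *)      enrol_card "$1" ;;                                     # real enrolment for user $1
esac
```

Run it as './enrol-card.sh guru' with the card inserted; './enrol-card.sh --demo' only exercises the parser on the constructed sample and touches no files.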
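Also as an added example, and not the author's own ${GNUPGHOME}/scd-event (the post shows only its nohup line), here is a complete version of that hook. scdaemon invokes the script with the arguments documented in the GnuPG manual under 'scd-event': --reader-port, --old-code, --new-code and --status with one of USABLE, ACTIVE, PRESENT, NOCARD. The script locks only on a transition to NOCARD and does not start a second kscreenlocker_greet if one is already running. It assumes that DISPLAY is inherited from the environment gpg-agent was started in (~/.xinitrc above); SCD_LOCKER is an assumed override variable, not a GnuPG setting, and the argument values in the tests are constructed.

```sh
#!/bin/sh
# ${GNUPGHOME}/scd-event: run by scdaemon on every card status change as
#   scd-event --reader-port N --old-code 0xNNNN --new-code 0xNNNN --status S
# with S one of USABLE, ACTIVE, PRESENT, NOCARD (GnuPG manual, "scd-event").
# Added example, not the post author's script.  Assumptions: locker path as
# in the post (SCD_LOCKER overrides it); DISPLAY is inherited from the
# environment gpg-agent/scdaemon were started in.

LOCKER="${SCD_LOCKER:-/usr/local/lib/kde4/libexec/kscreenlocker_greet}"
LOCKER_ARGS="--immediateLock"

# parse_event: read the argument vector scdaemon passes and print
# "<port> <old> <new> <status>" on one line.  Unknown options or a
# missing --status are an error; the hook must not guess.
parse_event() {
    port="" old="" new="" status=""
    while [ $# -gt 0 ]; do
        [ $# -ge 2 ] || return 1        # every option takes a value
        case "$1" in
            --reader-port) port="$2" ;;
            --old-code)    old="$2" ;;
            --new-code)    new="$2" ;;
            --status)      status="$2" ;;
            *) return 1 ;;
        esac
        shift 2
    done
    [ -n "$status" ] || return 1
    printf '%s %s %s %s\n' "${port:-?}" "${old:-?}" "${new:-?}" "$status"
}

# decide_action: map a status event to "lock" or "none".  Only a transition
# to NOCARD locks; a repeated NOCARD (old code == new code) and all card
# insertions do nothing, so the locker is never spawned for a non-event.
decide_action() {
    ev=$(parse_event "$@") || return 1
    set -- $ev
    old="$2" new="$3" status="$4"
    case "$status" in
        NOCARD)
            if [ "$old" = "$new" ]; then echo none; else echo lock; fi ;;
        USABLE|ACTIVE|PRESENT) echo none ;;
        *) return 1 ;;
    esac
}

# lock_screen: start the KDE locker unless one is already running, so a
# second greeter does not stack on top of the first.
lock_screen() {
    if pgrep -f "$LOCKER" >/dev/null 2>&1; then
        return 0
    fi
    nohup "$LOCKER" $LOCKER_ARGS >/dev/null 2>&1 &
}

# handle_event: entry point when scdaemon runs this script.  Events are
# appended to a log next to the script for debugging card removal issues.
handle_event() {
    action=$(decide_action "$@") || { echo "scd-event: bad arguments: $*" >&2; return 1; }
    logfile="${GNUPGHOME:-$HOME/.gnupg}/scd-event.log"
    echo "$(date '+%F %T') $* -> $action" >>"$logfile" 2>/dev/null || true
    if [ "$action" = lock ]; then
        lock_screen
    fi
    return 0
}

# Only act when scdaemon actually passed an event; with no arguments the
# file just defines the functions (useful for sourcing and testing).
[ $# -eq 0 ] || handle_event "$@"
```

Install it as ${GNUPGHOME}/scd-event, make it executable, and check the log after pulling the card: an event line ending in "-> lock" should appear and the greeter should be up; a "-> none" line on insertion confirms the hook is not restarting the locker.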