Using OpenPGP Card to unlock KDE desktop

Joe Nosay superbisquit at gmail.com
Fri Dec 29 15:54:32 UTC 2017


Thank you.

On Fri, Dec 29, 2017 at 12:59 AM, Matthias Apitz <guru at unixarea.de> wrote:

>
> How to use the OpenPGP Card to unlock the KDE desktop
>              Matthias Apitz <guru at unixarea.de>
>                Thu Dec 28 20:07:19 CET 2017
>
> Based on: gpg (GnuPG) 2.1.19 and poldi VERSION 0.4.2.git
>
>
> I'm using the OpenPGP Card (among other things) to lock my KDE desktop
> when the card is withdrawn. This is easily done from the script
> ${GNUPGHOME}/scd-event which fires up the KDE proc
>
> ...
>    nohup /usr/local/lib/kde4/libexec/kscreenlocker_greet --immediateLock &
> ...
>
> to lock the desktop until the correct password is provided.
> 'kscreenlocker_greet' uses /usr/local/lib/kde4/libexec/kcheckpass to
> check the credentials with PAM using the rules file
> /usr/local/etc/pam.d/kde which has the pointer to the shared lib to use
> for this:
>
> $ grep auth /usr/local/etc/pam.d/kde
> auth            required        pam_unix.so             no_warn try_first_pass
>
> What I do want here is, that the authentication is not done against the
> UNIX (FreeBSD) password database, but against the OpenPGP Card's key,
> i.e. requires the correct PIN of the card to be entered as password in
> 'kscreenlocker_greet'.
>
> Here are the details of installation and configuration.
>
>
> Installation:
>
> $ git clone  https://github.com/gpg/poldi.git
> $ cd poldi
> $ ./autogen.sh
> $ ./configure --enable-maintainer-mode
> $ gmake
> # gmake install
>
> There are some issues/bugs in poldi's sources on FreeBSD:
>
> 1)  in subdir tests/
>
>     $ diff pam-test.c.orig pam-test.c
>     23c23
>     < #include <security/pam_misc.h>
>     ---
>     > #include <security/openpam.h>
>     38c38
>     <     misc_conv,
>     ---
>     >     openpam_ttyconv,
>
>     and remove '-lpam_misc' from Makefile
>
> 2)  in src/assuan/ add funopen.c and funopen.o to the Makefile
>
>     $ grep -n funopen src/assuan/Makefile
>     144:        assuan-socket.$(OBJEXT) funopen.$(OBJEXT)
>     343:        assuan-buffer.c funopen.c \
>
>
> 3)  in conf/Makefile the calls to hard 'install' must be changed to:
>
>     INSTALL = $(install_sh) -c    (line 8)
>     and called as $(INSTALL) (line 465 ff)
>     after this, the 'gmake install-conf-skeleton' installs the files into
>     /usr/local/etc/poldi/...
>
> 4)  pam_poldi.so is searched for in /usr/local/lib and not in
>     /usr/local/lib/security, so we make a symlink:
>
>     # ln -s /usr/local/lib/security/pam_poldi.so /usr/local/lib/pam_poldi.so
>
> 5)  the log file will be written as normal user, use chown or chmod 0666
>
>     # touch /var/log/poldi
>     # chown guru /var/log/poldi
>
>
> Configuration details:
>
> # vim /usr/local/etc/poldi/poldi.conf
>
>     auth-method localdb
>     log-file /var/log/poldi
>     debug
>     # Specify SCDaemon executable
>     scdaemon-program /usr/local/libexec/scdaemon
>
> $ gpg --card-status | grep 'Application ID'
>
> Application ID ...: D27600012401020100050000532B0000
>
> # vim /usr/local/etc/poldi/localdb/users
>
>     D27600012401020100050000532B0000 guru
>
> # touch /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
> # chown guru /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
>
> For tests we create our own file 'mykde' in /usr/local/etc/pam.d/:
>
> # cp /usr/local/etc/pam.d/kde /usr/local/etc/pam.d/mykde
> # grep auth /usr/local/etc/pam.d/mykde
> auth            required        pam_poldi.so
> (note: additional args to 'pam_poldi.so' gives PAM parse error)
>
>
> Now we insert the key in the local key database as user 'guru' with:
>
> $ gpg-connect-agent "/datafile /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000" "SCD READKEY --advanced OPENPGP.3" /bye
> OK
> $ ls -l /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
> -rw-r--r--  1 guru  wheel  1077 28 dic.  09:48 /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
> $ file /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000
> /usr/local/etc/poldi/localdb/keys/D27600012401020100050000532B0000: ASCII text, with very long lines
>
> For some first tests we run:
>
> (re-insert the card first)
>
> $ tests/pam-test mykde -u guru
> Insert authentication card for user `guru'
> Trying authentication as user `guru'...
> Please unlock the card
>
> Number: 0005 0000532B
> Holder: Matthias Apitz  (<< here it asks for the PIN of the Card)
> Authentication succeeded
> Authenticated as user `guru'
>
> # tail -f /var/log/poldi
> Poldi 2017-12-28 10:51:35 [10785] debug: using authentication method `localdb'
> Poldi 2017-12-28 10:51:35 [10785] debug: got scdaemon socket name from gpg-agent, connected to socket '/home/guru/.gnupg-ccid/S.scdaemon'
> Poldi 2017-12-28 10:51:35 [10785] debug: Waiting for card for user `guru'...
> Poldi 2017-12-28 10:51:35 [10785] debug: connected to card; serial number is: D27600012401020100050000532B0000
> Poldi 2017-12-28 10:51:35 [10785] debug: Trying authentication as user `guru'...
> Poldi 2017-12-28 10:51:48 [10785] debug: authentication succeeded
>
> In case of errors check also /var/log/messages
>
>
> Now the changes for "real world" KDE:
>
> # cp -p /usr/local/etc/pam.d/kde /usr/local/etc/pam.d/kde.orig
> # vim /usr/local/etc/pam.d/kde
>
>     auth                required        pam_poldi.so
>     (note: additional args to 'pam_poldi.so' gives PAM parse error)
>
> set the environment in ~/.xinitrc as
>
> $ cat ~/.xinitrc
> . ~/ccid.sh
> setxkbmap -option terminate:ctrl_alt_bksp
> xmodmap -e "keycode 174 = F21"    # volume down
> xmodmap -e "keycode 176 = F22"    # volume up
> xmodmap -e "keycode 140 = F23"    # volume mute
> exec /usr/local/bin/startkde
>
> $ cat ~/ccid.sh
> # kill the ssh-agent
> #
> ssh-agent -k 2> /dev/null
> # set GNUPGHOME
> #
> GNUPGHOME=/home/guru/.gnupg-ccid
> export GNUPGHOME
> # set SSH_AUTH_SOCK
> #
> unset SSH_AGENT_PID
> unset SSH_AUTH_SOCK
> SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)";
> export SSH_AUTH_SOCK
>
> # start the gpg-agent
> #
> gpg-connect-agent /bye
>
>
> Restart KDE.
>
> Now withdrawing the card locks the screen by firing up the screen locker
> from ${GNUPGHOME}/scd-event.
>
> And I can unlock the screen only by inserting the OpenPGP card and
> entering the correct PIN.
>
>
> --
> Matthias Apitz, ✉ guru at unixarea.de, ⌂ http://www.unixarea.de/  📱 +49-176-38902045
> Public GnuPG key: http://www.unixarea.de/key.pub
>