Hi Jan,
I have two situations where I observed the expected conduct when changing from
a simple smart-card reader towards a class-2 or class-3 reader (pinpad with
just a small keyboard, and one with keyboard and tiny display).
- The first one is pkcs11-tools -O -l (forcing a login)
I get blinking LEDs on a DELL-SK3205 combination keyboard/reader (class-2).
On a Vasco-870 I properly get prompted for my PIN (class-3).
- The other one is the Gnome screen lock, through pam_pkcs11.
With simple readers I get an input field to enter my PIN.
With class-2 and class-3 readers it only indicates that I should enter the PIN on
the reader.
The first example might be debatable (perhaps pkcs11-tools is simply
rearranging things internally).
But the screen-lock is probably the best example that it _can_ work and how it
should work...
I understand that this is extremely difficult to test and analyze without
appropriate readers and cards.
Steffan is also looking into the code, but I was wondering if anybody else
already succeeded in this particular case.
I'm aware that this is a very tiny use-case for the community and hence seldom used,
but the option "pkcs11-protected-authentication" dates back to 2.1.x, so
someone must have had a go at it (I hope).
Thanks, Hans
From: Jan Just Keijser [mailto:janj...@nikhef.nl]
Sent: woensdag 1 juni 2016 18:45
To: Witvliet, J, Ing., DMO/OPS/I&S/HIN; openvpn-users@lists.sourceforge.net
Subject: Re: [Openvpn-users] pkcs11-protected-authentication
Hi Hans,
On 31/05/16 11:40, j.witvl...@mindef.nl wrote:
Retrying; it seems my appended log was too long.
Hi all,
Has anyone positive experience with ${SUBJECT} ?
Just been googling; the 6190 results can be split up into:
A) Countless copies of the manpage or howto, simply saying:
"pkcs11-protected-authentication [0|1]...
Use PKCS#11 protected authentication path, useful for biometric and external
keypad devices. Every provider has its own setting."
B) Snapshots from the cookbook from JJK
C) Mail-exchange from Alon, indicating his problem with this option in
2.1-beta4
D) Likewise remarks..
On a German page (
http://wiki.lug-balista.de/doku.php/balista:archiv:sammlung_agt:smartcardsundlinux
)
I read
...
To use PinPad readers, only one line needs to be added to the conf file
(after pkcs11-provider): pkcs11-protected-authentication 1
/usr/lib/onepin-opensc-pkcs11.so
The PinPad is then used automatically for PIN entry, provided it is enabled in
opensc.conf.
....
So it looks like this option needs a third parameter, namely the
pkcs-provider-lib.
Needless to say, in my case:
- The smartcard does work properly in an ordinary card reader,
- That card and pinpad reader work as expected with other applications
(screenlock and pkcs11-tools).
So did anyone manage to get PINPAD readers working with openvpn? I could not
find any success story so far...
I've delved into this a bit, and no, I don't have a device requiring protected
auth, so I cannot say that I have either positive or negative experience with
this.
However, when I read the sources for pkcs11-helper and libp11, I'm getting
the feeling that these libraries do not properly support it (whereas opensc
does).
Did you manage to dig up a working example based on pkcs11-helper with your
smartcard?
cheers,
JJK
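As an added illustration (not code from this thread, from OpenVPN or from pkcs11-helper), a small Python checker that reads the two options the quoted manpage text describes and pairs each pkcs11-providers entry with its pkcs11-protected-authentication value by position, so the "every provider has its own setting" rule and the misread third-parameter form can be checked before a connection attempt. The sample configs are constructed; treating a missing value as 0 and rejecting anything other than 0/1 are assumptions of this checker, not documented OpenVPN behaviour.

```python
from typing import Dict, List, Tuple

# Constructed sample client config (not from the thread): one provider and
# the per-provider switch from the manpage text quoted above.
SAMPLE_CONFIG = """\
client
dev tun
pkcs11-providers /usr/lib/onepin-opensc-pkcs11.so
pkcs11-protected-authentication 1
pkcs11-id-management
"""
# The misreading discussed in the thread: provider path glued onto the flag
# line with no separate pkcs11-providers line (also constructed).
MISREAD_CONFIG = "pkcs11-protected-authentication 1 /usr/lib/onepin-opensc-pkcs11.so\n"


def parse_pkcs11_options(text: str) -> Tuple[List[str], List[str]]:
    """Collect the values of pkcs11-providers and pkcs11-protected-authentication;
    both take a whitespace-separated list, one entry per provider."""
    providers: List[str] = []
    flags: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # comment or blank line
            continue
        parts = line.split()
        if parts[0] == "pkcs11-providers":
            providers.extend(parts[1:])
        elif parts[0] == "pkcs11-protected-authentication":
            flags.extend(parts[1:])
    return providers, flags


def check_protected_auth(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Pair each provider with its flag by position and list inconsistencies.
    Assumption: a provider with no matching flag value is treated as 0."""
    providers, flags = parse_pkcs11_options(text)
    problems: List[str] = []
    if not providers:
        problems.append("no pkcs11-providers line for the flag to apply to")
    if len(flags) > len(providers):
        problems.append(f"{len(flags)} flag values for {len(providers)} provider(s)")
    for pos, value in enumerate(flags, start=1):
        if value not in ("0", "1"):
            problems.append(f"value {value!r} at position {pos} is not 0 or 1")
    mapping = {p: flags[i] if i < len(flags) else "0" for i, p in enumerate(providers)}
    return mapping, problems
```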
This message may contain information that is not intended for you. If you are
not the addressee or if this message was sent to you by mistake, you are
requested to inform the sender and delete the message. The State accepts no
liability for damage of any kind resulting from the risks inherent in the
electronic transmission of messages.
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users