Authentication in ThinLinc with PKCS15 smart cards | ThinLinc by Cendio

Authentication in ThinLinc with PKCS #15 smart cards

This tutorial uses Fedora 23 and assumes that you have a ThinLinc server and a ThinLinc client installed.

Read more in section 9.4 of the ThinLinc Administrator's Guide (Using Smart Card Public Key Authentication).

1. Install the necessary drivers for smart card readers on your client machine, as well as on the machine you want to use for steps 2-5:

$ sudo dnf install pcsc-lite
$ sudo dnf install pcsc-lite-ccid
$ sudo service pcscd start

2. Install OpenSC to get tools for extracting information from the smart cards:

$ sudo dnf install opensc

3. Plug in the smart card reader and insert the card in the reader.

4. List the certificates on your smart card to find the ID:

$ pkcs15-tool --list-certificates

5. Use the ID to read the SSH public key from the card:

$ pkcs15-tool --read-ssh-key <id> > my_smartcard.key

6. Make sure that your authorized_keys file has the correct permissions on your agent server(s):

$ mkdir -p /home/<username>/.ssh
$ chmod 700 /home/<username>/.ssh
$ touch /home/<username>/.ssh/authorized_keys
$ chmod 600 /home/<username>/.ssh/authorized_keys

7. Append the SSH key to your user's authorized_keys file on your agent server(s):

$ cat my_smartcard.key >> /home/<username>/.ssh/authorized_keys

8. Configure your ThinLinc client to authenticate using the smart card. This setting is found under client Options->Security->Details. You can now log in with the smart card.


Log in automatically when inserting a smart card (OPTIONAL)

Read more in section 9.4.6 of the ThinLinc Administrator's Guide (Automatic Connection).

9. Extract the certificate in DER format from the smart card:

$ pkcs15-tool --read-certificate <id> | openssl x509 -outform DER > smartcard_cert.der

10. If the DER file was created on another machine, copy this DER file to your agent server(s):

$ scp smartcard_cert.der <user>@<server>:~/

10.1. Continue the following steps on your agent server(s). Connect to your server using ssh if needed:

$ ssh <user>@<server>

11. On your agent server(s), extract the subject name from the DER file:

$ cat smartcard_cert.der | /opt/thinlinc/libexec/tl-certtool --subject

12. Find the user id for the user you want to login with on your agent server(s):

$ id -u <username>

13. Associate the subject name with the user id in the passwdaliases file on your server:

$ sudo vi /etc/passwdaliases

It should be in the format <subject-name>:<uid> and can look something like this:

# Sample /etc/passwdaliases
# A few invalid lines, for testing
#orange
#banana:
#apple:wrong

# A valid line
#root2:0

# Example of RFC4514 DN - a username derived from a Smart Card certificate
#serialNumber=197703012570,givenName=Peter Alf G\c3\b6ran,sn=\c3\85strand,cn=Peter \c3\85strand,c=SE:4711

# This is your new line:
organizationalUnitName=temp,cn=Jan Andersson:1000
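As an added example (not Cendio's code), here is a small shell helper that checks a passwdaliases file against the <subject-name>:<uid> format and appends a new mapping only when it is not already present. It assumes the uid is the text after the last colon, since an RFC 4514 subject value may itself contain a colon; the sample file it writes is constructed from the entries above, with the "invalid lines for testing" uncommented so the checker has something to flag.

```shell
# Added example, not Cendio's code: sanity-check a passwdaliases file and
# add a <subject-name>:<uid> mapping without creating duplicates.
# Classify one line as "comment", "ok" or "bad". Assumption: the uid is the text
# after the LAST colon, since an RFC 4514 subject value may itself contain ':'.
classify_alias_line() {
    line=$1
    case "$line" in
        ''|'#'*) echo comment; return 0 ;;
        *:*) ;;
        *) echo bad; return 1 ;;            # no colon at all, e.g. "orange"
    esac
    subject=${line%:*}
    uid=${line##*:}
    case "$uid" in ''|*[!0-9]*) echo bad; return 1 ;; esac  # "banana:", "apple:wrong"
    [ -n "$subject" ] || { echo bad; return 1; }
    echo ok
}

# Print the number of bad lines in a file; exit status 1 if there are any.
check_aliases_file() {
    bad=0
    while IFS= read -r l || [ -n "$l" ]; do
        if [ "$(classify_alias_line "$l")" = bad ]; then bad=$((bad + 1)); fi
    done < "$1"
    echo "$bad"
    [ "$bad" -eq 0 ]
}

# Append "<subject>:<uid>" unless that exact mapping already exists.
add_alias() {
    file=$1; subject=$2; uid=$3
    case "$uid" in ''|*[!0-9]*) echo "uid must be numeric" >&2; return 2 ;; esac
    if grep -qxF -- "$subject:$uid" "$file" 2>/dev/null; then echo exists; return 0; fi
    printf '%s:%s\n' "$subject" "$uid" >> "$file"
    echo added
}

# Constructed sample modelled on the page's file, with its "invalid lines
# for testing" uncommented so the checker has something to flag.
write_sample_aliases() {
    cat > "$1" <<'EOF'
orange
banana:
apple:wrong
root2:0
serialNumber=197703012570,givenName=Peter Alf G\c3\b6ran,sn=\c3\85strand,cn=Peter \c3\85strand,c=SE:4711
organizationalUnitName=temp,cn=Jan Andersson:1000
EOF
}
```

Run `check_aliases_file /etc/passwdaliases` after editing the file; a non-zero exit status means at least one line will not map a subject to a uid.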

14. Activate the passwdaliases module in NSS on your agent server(s) by adding 'passwdaliases' to the list of modules for the passwd database:

$ sudo vi /etc/nsswitch.conf

It should look something like this:

passwd:     files sss passwdaliases
shadow:     files sss
group:      files sss


NOTE THAT IF YOU CONTINUE WITH THE FOLLOWING STEP (NR 15) YOU WILL COMPLETELY DISABLE THE ACCOUNT STEP OF PAM FOR SSH CONNECTIONS. EXAMPLE: A LOCKED USER CAN STILL LOG IN.

15. Disable the account step in PAM for sshd on your agent server(s) by adding the line "account sufficient pam_permit.so". Note that this new line must be the first account entry in the file:

$ sudo vi /etc/pam.d/sshd

It should look something like this:

auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    sufficient   pam_permit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth

16. Restart sshd.

$ sudo service sshd restart

17. Configure your ThinLinc client to login using the subject name on your card. This is found under client Options->Security->Details (for Smart card).


18. If you want to, you can connect automatically when inserting the card. Note that if your smart card has multiple certificates, the user will have to select a certificate. If you want to, you can add a filter for the certificates; the default filter works for most smart cards. You can also disconnect automatically when removing the card. The setting for this is found in the same place as the one described in step 17.

19. You can now log in by simply inserting the smart card (and entering the PIN for the card); you don't have to specify a username.