From 3534e4e7e2f6436e4c21590a242e972b1ec9dbcc Mon Sep 17 00:00:00 2001 From: aj Date: Sun, 25 Jul 2004 12:35:41 +0000 Subject: [PATCH] small configure improvements, documentation updates. git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@1873 c6295689-39f2-0310-b995-f0e70906c6a9 --- ANNOUNCE | 21 +++++++++++---------- Makefile.am | 2 +- NEWS | 18 ++++++++++++++++++ PAM_README | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++ QUICKSTART | 8 ++++---- configure.in | 3 +++ 6 files changed, 88 insertions(+), 15 deletions(-) create mode 100644 PAM_README diff --git a/ANNOUNCE b/ANNOUNCE index f27a935a..0d0760d9 100644 --- a/ANNOUNCE +++ b/ANNOUNCE @@ -1,9 +1,9 @@ - - -OpenSC Release 0.8.1 +OpenSC Release 0.9.2 ==================== -We are pleased to announce the availability of OpenSC 0.8.1. +We are pleased to announce the availability of OpenSC 0.9.2. +This is a beta version, intended for testing. Please be careful +and do not use this software on production machines. OpenSC provides a set of libraries and utilities to access smart cards. Its main focus is on cards that support cryptographic operations, @@ -15,7 +15,8 @@ OpenSC can be used with the following applications and libraries: - Netscape Communicator and Mozilla (through its PKCS#11 module), for secure email (S/MIME) and SSL authentication - OpenSSH, for user authentication - - FreeSWAN, for authentication and key management + - FreeSWAN, StrongSWAN and OpenSWAN, + for authentication and key management - OpenSSL, for key and certificate storage, key generation and signing of certificate requests - GNUpg 1.9 (experimental), for key storage 
@@ -38,16 +39,16 @@ The following card operating systems are supported at the moment (where read-only means that personalized cards can be used, but OpenSC does not provide personalization support for these). - - Gemplus GPK cards (except Gemsafe) - - Schlumberger Cryptoflex - CardOS/M4 (Aladdin eToken PRO, etc) - - Starcos SPK (read-only) - - Micardo (read-only) + - Schlumberger/Axalto Cryptoflex and Cyberflex + - IBM JCOP + - Starcos SPK + - Oberthur AuthentIC v5 + - Estonian ID card (read-only) - MioCOS (read-only) - Setcos (read-only) - TCOS (read-only) -Note that Java cards are not supported at the moment. diff --git a/Makefile.am b/Makefile.am index 15e90794..6d2b2a1c 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2,7 +2,7 @@ SUBDIRS = . aclocal docs etc macos src win32 -EXTRA_DIST = ANNOUNCE CodingStyle QUICKSTART README bootstrap Makefile.mak depcomp +EXTRA_DIST = ANNOUNCE CodingStyle PAM_README QUICKSTART README bootstrap Makefile.mak depcomp MAINTAINERCLEANFILES = \ Makefile.in config.h.in configure \ diff --git a/NEWS b/NEWS index ce4a520b..fc43325a 100644 --- a/NEWS +++ b/NEWS 
@@ -1,5 +1,23 @@ NEWS for OpenSC -- History of user visible changes +New in 0.9.2; 2004-07-24; Andreas Jellinghaus: +* This is an beta test version. Please be careful. + Do not use in production environments. +* Fix sslengine, link those dynamicaly with libcrypto + for openssl 0.9.7d and later. +* fixed small bug in pkcs11-tool +* link pkcs11-toll and pkcs15-crypt with -lcrypto +* New driver for estonian ID card. +* bumped version number to opensc 0.9.2 +* New card supported: Oberthur AuthentIC v5 +* eid pam module now checks permissions, and supports several + certificates in ~/.eid/authorized_certificates + Thanks to Fritz Elfert +* Upgrade library version to 0.9, since incompatible changes + are very likely somewhere. +* Merged several pkcs15 profiles into one with different + options. + New in 0.8.1; 2003-09-30; Olaf Kirch: * Upgrade libopensc versioning, hasn't been accidently upgraded since 0.6.0 release diff --git a/PAM_README b/PAM_README new file mode 100644 index 00000000..8499090a --- /dev/null +++ b/PAM_README 
@@ -0,0 +1,51 @@ +Quick start guide to using the pam module +========================================= + +The pam module supports two different flavors: +a) "eid" - store the certificate for a user in that + users home directory in a file called ".eid/authorized_certificates" +b) "ldap" - store the certificate for a user in a central ldap + repository + +This guide only deals with flavor a). If you want to add documentation +on using pam with ldap, please send a patch to the opensc-devel mailing +list. + +First initialize the token, create a user with a pin, create a key +and create a certificate, all as documented in the QUICKSTART file. + + +The first thing is to copy the opensc pam module to the right location. +Pam modules are searched for in the directory /lib/security/. +$ cp /usr/lib/security/pam_opensc.so /lib/security/pam_opensc.so + +Now change one service to use this pam module by default. Keep at least +one xterm and/or virtual console open as root, so you can undo any +configuration change, in case it does not work. + +Edit for example /etc/pam.d/login and replace +auth required pam_unix.so nullok +with +auth required pam_opensc.so + +If you want to use opensc first, and fall back on normal password based +authentication, you could use these two lines: +auth sufficient pam_opensc.so +auth required pam_unix.so nullok + +Note the first line is marked as "sufficient", so successful smart card +authentication will let a user in. If both lines read "required", a user +would have to use a smart card with the right key and certificate on it, +enter the right pin *AND* have the right passwort for the normal login +procedure. + +Now every user needs to create a directory ".eid" in his or her home +directory and put the certificate in a file called "authorized_certificates". +To do this, enter the command +$ pkcs15-tool -r 45 -o ~/.eid/authorized_certificates + +Now try to login using the smart card. 
Remember to first insert your +smart card into the reader, then enter your username, and then the +pin on your key. + + diff --git a/QUICKSTART b/QUICKSTART index f9082435..5c11f9d0 100644 --- a/QUICKSTART +++ b/QUICKSTART @@ -3,9 +3,9 @@ A quick installation guide to opensc To install opensc, please do as user, -$ wget http://www.opensc.org/files/opensc-0.9.1.tar.gz -$ tar xfvz opensc-0.9.1.tar.gz -$ cd opensc-0.9.1 +$ wget http://www.opensc.org/files/opensc-0.9.2.tar.gz +$ tar xfvz opensc-0.9.2.tar.gz +$ cd opensc-0.9.2 nothing special so far. @@ -212,7 +212,7 @@ line. I usualy copy&paste the command, to make sure I don't mistype anything. This command loads the opensc engine, so openssl can delegate some work from your computers cpu to the smart card. -OpenSSL> req -engine pkcs11 -new -key slot_1-id_45 -keyform engine -out req.pem -text -x509 +OpenSSL> req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 SmartCard PIN: You are about to be asked to enter information that will be incorporated into your certificate request. diff --git a/configure.in b/configure.in index f5b2592d..abeeba65 100644 --- a/configure.in +++ b/configure.in @@ -294,6 +294,7 @@ int main(void) # latest openssl version with engine # properly integrated? + AC_MSG_CHECKING([for openssl version]) AC_TRY_RUN( [ #include @@ -311,9 +312,11 @@ int main(void) } ], [ + AC_MSG_RESULT("good, 0.9.7d or later") GOOD_OPENSSL=yes ], [ + AC_MSG_RESULT("not so good, 0.9.7d or later woudl be better") GOOD_OPENSSL=no ] )
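Review bot: In the second ANNOUNCE hunk the supported-card list drops "Gemplus GPK cards (except Gemsafe)" and "Micardo (read-only)", and "Starcos SPK" loses its "(read-only)" qualifier, but the NEWS entry for 0.9.2 in this same patch mentions none of these. If the drivers were removed or changed, NEWS should say so; if they still work, the two lines should stay in ANNOUNCE. The removed sentence "Note that Java cards are not supported at the moment." is replaced only implicitly by the new Cyberflex and "IBM JCOP" entries, so one line stating the extent of Java card support would avoid guessing.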
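Review bot: The NEWS hunk has typos in user-visible text: "link pkcs11-toll and pkcs15-crypt" should name pkcs11-tool, "This is an beta test version" should read "a beta", and "dynamicaly" should be "dynamically". The entry "eid pam module now checks permissions" is also too vague for a security-relevant change: say which paths are checked (the ~/.eid directory, the authorized_certificates file, or both) and what the module does when the check fails, so that users upgrading know why a login that used to work might now be refused.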
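Review bot: The new PAM_README tells each user to put a certificate in ~/.eid/authorized_certificates but never states the ownership and mode that the directory and file must have, even though NEWS in this patch says the module now checks permissions. Please document the expected permissions next to the "pkcs15-tool -r 45 -o ~/.eid/authorized_certificates" step, and add the command that creates ~/.eid before it, since the text only describes that step in words. Two smaller points in the same hunk: the "cp /usr/lib/security/pam_opensc.so /lib/security/pam_opensc.so" line is shown with a "$" prompt although writing to /lib/security needs root, and "passwort" should be "password".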
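Review bot: In the first QUICKSTART hunk the updated install steps still fetch the tarball with "wget http://www.opensc.org/files/opensc-0.9.2.tar.gz" and unpack it immediately, with no integrity check in between. For software that handles PINs and authentication keys, the guide should include a verification step (a published checksum or a detached signature) before "tar xfvz", or at least point to where one can be found.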
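Review bot: In the second QUICKSTART hunk the key reference changes from "-key slot_1-id_45" to "-key id_45" with no matching change to the surrounding text and no NEWS entry. Please say in the guide how the slot is selected now that it is no longer named, in particular when more than one token is present, so that readers following older instructions understand why the slot prefix was dropped.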
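Review bot: Both new AC_MSG_RESULT calls in configure.in pass a double-quoted string that contains a comma, for example AC_MSG_RESULT("good, 0.9.7d or later"). m4 does not treat double quotes as quoting, so the comma splits the argument list and the macro receives only the text up to "good, leaving an unbalanced quote in the generated configure script. Use m4 brackets instead, AC_MSG_RESULT([good, 0.9.7d or later]), and the same for the failure branch, where "woudl" should also be corrected to "would".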