minor docu update
thanks to Ville Skyttä git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@1881 c6295689-39f2-0310-b995-f0e70906c6a9
parent 2ba6ad3954
commit 5044b0e133
11
PAM_README
@ -9,7 +9,7 @@ b) "ldap" - store the certificate for a user in a central ldap
|
||||||
|
|
||||||
This guide only deals with flavor a). If you want to add documentation
|
This guide only deals with flavor a). If you want to add documentation
|
||||||
on using pam with ldap, please send a patch to the opensc-devel mailing
|
on using pam with ldap, please send a patch to the opensc-devel mailing
|
||||||
list.
|
list. See also the PAM section in the OpenSC HTML docs.
|
||||||
|
|
||||||
First initialize the token, create a user with a pin, create a key
|
First initialize the token, create a user with a pin, create a key
|
||||||
and create a certificate, all as documented in the QUICKSTART file.
|
and create a certificate, all as documented in the QUICKSTART file.
|
||||||
|
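Review bot: the added sentence "See also the PAM section in the OpenSC HTML docs." gives no location for those docs; PAM_README is read from a source checkout, so name the document (file in the tree or URL) the reader should open, otherwise the cross-reference cannot be followed.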
@ -36,16 +36,19 @@ auth required pam_unix.so nullok
|
||||||
Note the first line is marked as "sufficient", so successful smart card
|
Note the first line is marked as "sufficient", so successful smart card
|
||||||
authentication will let a user in. If both lines read "required", a user
|
authentication will let a user in. If both lines read "required", a user
|
||||||
would have to use a smart card with the right key and certificate on it,
|
would have to use a smart card with the right key and certificate on it,
|
||||||
enter the right pin *AND* have the right passwort for the normal login
|
enter the right pin *AND* have the right password for the normal login
|
||||||
procedure.
|
procedure.
|
||||||
|
|
||||||
Now every user needs to create a directory ".eid" in his or her home
|
Now every user needs to create a directory ".eid" in his or her home
|
||||||
directory and put the certificate in a file called "authorized_certificates".
|
directory and put the certificate in a file called "authorized_certificates".
|
||||||
To do this, enter the command
|
To do this, enter the command (beware, this will overwrite the file):
|
||||||
$ pkcs15-tool -r 45 -o ~/.eid/authorized_certificates
|
$ pkcs15-tool -r 45 -o ~/.eid/authorized_certificates
|
||||||
|
|
||||||
Now try to login using the smart card. Remember to first insert your
|
Now try to login using the smart card. Remember to first insert your
|
||||||
smart card into the reader, then enter your username, and then the
|
smart card into the reader, then enter your username, and then the
|
||||||
pin on your key.
|
pin on your key.
|
||||||
|
|
||||||
|
As of OpenSC version 0.9.2, ~/.eid/authorized_certificates can contain
|
||||||
|
multiple certificates. To use multiple certificates there, simply
|
||||||
|
concatenate them, for example like
|
||||||
|
$ pkcs15-tool -r 45 >> ~/.eid/authorized_certificates
|
||||||
|
|
|
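Review bot: the two commands this hunk gives for filling ~/.eid/authorized_certificates behave differently and the text never says which to use when: "pkcs15-tool -r 45 -o ~/.eid/authorized_certificates" truncates the file (hence the new "(beware, this will overwrite the file)" warning), while the new multi-certificate example "pkcs15-tool -r 45 >> ~/.eid/authorized_certificates" appends. State explicitly that the first certificate goes in with -o and every further one with >>, or a reader who re-runs the first instruction after collecting several certificates silently discards them. Since this file is what lets the "sufficient" pam line accept a smart card login, one sentence saying that ~/.eid and authorized_certificates must be owned by the user and not writable by anyone else would also belong here.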
@ -27,7 +27,7 @@ Use the given card driver. The default is auto-detected.
|
||||||
Causes \*(nm to be more verbose. Specify this flag several times
|
Causes \*(nm to be more verbose. Specify this flag several times
|
||||||
to enable debug output in the opensc library.
|
to enable debug output in the opensc library.
|
||||||
.SH COMMANDS
|
.SH COMMANDS
|
||||||
The following commands are suported at the \*(nm interactive prompt.
|
The following commands are supported at the \*(nm interactive prompt.
|
||||||
.PP
|
.PP
|
||||||
.TP
|
.TP
|
||||||
.BR ls
|
.BR ls
|
||||||
|
|
|
@ -9,7 +9,7 @@ pkcs15-crypt \- perform crypto operations using pkcs15 smart card
|
||||||
.SH DESCRIPTION
|
.SH DESCRIPTION
|
||||||
The \*(nm utility can be used from the command line to perform
|
The \*(nm utility can be used from the command line to perform
|
||||||
cryptographic operations such as computing digital signatures or
|
cryptographic operations such as computing digital signatures or
|
||||||
decrypting data, using keys stored on a PKCS#15 compliant smart
|
decrypting data, using keys stored on a PKCS #15 compliant smart
|
||||||
card.
|
card.
|
||||||
.SH OPTIONS
|
.SH OPTIONS
|
||||||
.TP
|
.TP
|
||||||
|
@ -21,7 +21,7 @@ option. By default, the contents of the file are assumed to
|
||||||
be the result of an MD5 hash operation. Note that \*(nm
|
be the result of an MD5 hash operation. Note that \*(nm
|
||||||
expects the data in binary representation, not ASCII.
|
expects the data in binary representation, not ASCII.
|
||||||
.IP
|
.IP
|
||||||
The digitial signature is stored, in binary representation,
|
The digital signature is stored, in binary representation,
|
||||||
in the file specified by the
|
in the file specified by the
|
||||||
.B \-\-output
|
.B \-\-output
|
||||||
option. If this option is not given, the signature
|
option. If this option is not given, the signature
|
||||||
|
@ -36,7 +36,7 @@ a 1024 bit key, the input must be padded to 128 bytes to match
|
||||||
the modulus length). When giving the
|
the modulus length). When giving the
|
||||||
.B \-\-pkcs1
|
.B \-\-pkcs1
|
||||||
option, however, \*(nm will perform the required padding
|
option, however, \*(nm will perform the required padding
|
||||||
using the algorithm outlined in the PCKS#1 v1.5 standard.
|
using the algorithm outlined in the PKCS #1 standard version 1.5.
|
||||||
.TP
|
.TP
|
||||||
.B \-\-sha1
|
.B \-\-sha1
|
||||||
This option tells \(*nm that the input file is the result
|
This option tells \(*nm that the input file is the result
|
||||||
|
|
|
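Review bot: the trailing context line "This option tells \(*nm that the input file is the result" has the troff escape reversed: "\(*nm" is the two-character special glyph "\(*n" (Greek nu) followed by a literal m, not the string reference "\*(nm" used on every other line of this page. The hunk already edits this paragraph, so correct it to "\*(nm" now rather than leaving the typo for a later patch.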
@ -13,7 +13,7 @@ The profile used by default is \fBpkcs15\fR. Alternative
|
||||||
profiles can be specified via the \fB-p\fR switch.
|
profiles can be specified via the \fB-p\fR switch.
|
||||||
.SH PIN Usage
|
.SH PIN Usage
|
||||||
.B pkcs15-init
|
.B pkcs15-init
|
||||||
can be used to create a PKCS#15 structure on your smart card,
|
can be used to create a PKCS #15 structure on your smart card,
|
||||||
create PINs, and install keys and certificates on the card.
|
create PINs, and install keys and certificates on the card.
|
||||||
This process is also called \fIpersonalization\fP.
|
This process is also called \fIpersonalization\fP.
|
||||||
.PP
|
.PP
|
||||||
|
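Review bot: ".SH PIN Usage" is in mixed case while every other section heading in this patch (".SH DESCRIPTION", ".SH OPTIONS", ".SH COMMANDS", ".SH RETURN VALUE") is upper case; since the hunk is editing this block anyway, change it to ".SH PIN USAGE" to match man-page convention.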
@ -30,7 +30,7 @@ characters other than digits will make the card unusable with PIN pad
|
||||||
readers, because those usually have keys for entering digits only.
|
readers, because those usually have keys for entering digits only.
|
||||||
.PP
|
.PP
|
||||||
The security officer (SO) PIN is special; it is used to protect
|
The security officer (SO) PIN is special; it is used to protect
|
||||||
meta data information on the card, such as the PKCS#15 structure
|
meta data information on the card, such as the PKCS #15 structure
|
||||||
itself. Setting the SO PIN is optional, because the worst that can
|
itself. Setting the SO PIN is optional, because the worst that can
|
||||||
usually happen is that someone finding your card can mess it up.
|
usually happen is that someone finding your card can mess it up.
|
||||||
To extract any of your secret keys stored on the card, an attacker
|
To extract any of your secret keys stored on the card, an attacker
|
||||||
|
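Review bot: "Setting the SO PIN is optional, because the worst that can usually happen is that someone finding your card can mess it up" understates the consequence for the man page of a security tool. Say plainly what "mess it up" means: the preceding sentence states the SO PIN protects the PKCS #15 structure, so without one anyone holding the card can alter or delete that structure and leave the card unusable. Spelling that out lets the reader weigh it against the convenience of skipping the SO PIN.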
@ -63,7 +63,7 @@ at least one PIN to protect these objects. you can do this using
|
||||||
.PP
|
.PP
|
||||||
.BI " pkcs15-init --store-pin --auth-id " nn
|
.BI " pkcs15-init --store-pin --auth-id " nn
|
||||||
.PP
|
.PP
|
||||||
where \fInn\fP is a PKCS#15 ID in hexadecimal notation. Common values
|
where \fInn\fP is a PKCS #15 ID in hexadecimal notation. Common values
|
||||||
are \fB01\fP, \fB02\fP, etc.
|
are \fB01\fP, \fB02\fP, etc.
|
||||||
.PP
|
.PP
|
||||||
Entering the command above will ask you for the user's PIN and PUK.
|
Entering the command above will ask you for the user's PIN and PUK.
|
||||||
|
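Review bot: the hunk header's context line "at least one PIN to protect these objects. you can do this using" starts a sentence with a lowercase "you"; this paragraph is being touched already, so capitalize it in the same patch.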
@ -150,8 +150,8 @@ You can download certificates to the card using the
|
||||||
.B \-\-store-certificate
|
.B \-\-store-certificate
|
||||||
option, which takes a filename as an argument. This file is supposed
|
option, which takes a filename as an argument. This file is supposed
|
||||||
to contain the DER encoded X.509 certificate.
|
to contain the DER encoded X.509 certificate.
|
||||||
.SS Downloading PKCS#12 bags
|
.SS Downloading PKCS #12 bags
|
||||||
Most browsers nowadays use PKCS#12 format files when you ask them to
|
Most browsers nowadays use PKCS #12 format files when you ask them to
|
||||||
export your key and certificate to a file. \*(nm is capable of parsing
|
export your key and certificate to a file. \*(nm is capable of parsing
|
||||||
these files, and storing their contents on the card in a single operation.
|
these files, and storing their contents on the card in a single operation.
|
||||||
This works just like storing a private key, except that you need to
|
This works just like storing a private key, except that you need to
|
||||||
|
|
|
@ -22,10 +22,10 @@ key is generated and stored on the token), the cache should
|
||||||
be updated or operations may show stale results.
|
be updated or operations may show stale results.
|
||||||
.TP
|
.TP
|
||||||
.BR "\-\-read\-certificate " \fIcert\fP ", \-r " \fIcert\fP
|
.BR "\-\-read\-certificate " \fIcert\fP ", \-r " \fIcert\fP
|
||||||
Read the certificate with the given id
|
Reads the certificate with the given id.
|
||||||
.TP
|
.TP
|
||||||
.BR \-\-list\-certificates ", " \-c
|
.BR \-\-list\-certificates ", " \-c
|
||||||
Lists all certificates stored on the token
|
Lists all certificates stored on the token.
|
||||||
.TP
|
.TP
|
||||||
.BR \-\-list\-pins
|
.BR \-\-list\-pins
|
||||||
Lists all PINs stored on the token. General information about
|
Lists all PINs stored on the token. General information about
|
||||||
|
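Review bot: the synopsis line ".BR "\-\-read\-certificate " \fIcert\fP ", \-r " \fIcert\fP" names the argument cert, but the rewritten description "Reads the certificate with the given id." calls it an id, and the neighbouring option in the same file is documented as "Reads the public key with id \fIid\fP". Rename the placeholder to \fIid\fP (or write "with the given id \fIcert\fP") so synopsis and description agree; "id" could also become "ID" to match "PKCS #15 ID" elsewhere in this patch.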
@ -49,11 +49,12 @@ Reads the public key with id \fIid\fP, allowing the user to
|
||||||
extract and store or use the public key.
|
extract and store or use the public key.
|
||||||
.TP
|
.TP
|
||||||
.BR "\-\-output " \fIfilename\fP ", \-o " \fIfilename\fP
|
.BR "\-\-output " \fIfilename\fP ", \-o " \fIfilename\fP
|
||||||
Specifies where key output should be written. If this option is not
|
Specifies where key output should be written. If \fIfilename\fP already
|
||||||
given, keys will be printed to standard output.
|
exists, it will be overwritten. If this option is not given, keys will
|
||||||
|
be printed to standard output.
|
||||||
.TP
|
.TP
|
||||||
.BR \-\-no\-cache
|
.BR \-\-no\-cache
|
||||||
Disable token data caching.
|
Disables token data caching.
|
||||||
.TP
|
.TP
|
||||||
.BR "\-\-pin\-id " \fIpin\fP ", \-a " \fIpin\fP
|
.BR "\-\-pin\-id " \fIpin\fP ", \-a " \fIpin\fP
|
||||||
Specifies the auth id of the PIN to use for the operation. This
|
Specifies the auth id of the PIN to use for the operation. This
|
||||||
|
|
|
@ -37,10 +37,10 @@ of the key.
|
||||||
.B SC_ALGORITHM_RSA_PAD_PKCS1
|
.B SC_ALGORITHM_RSA_PAD_PKCS1
|
||||||
requests that the card should sign the provided data,
|
requests that the card should sign the provided data,
|
||||||
padding it according to the padding algorithm specified
|
padding it according to the padding algorithm specified
|
||||||
in PKCS#1.
|
in PKCS #1.
|
||||||
.IP
|
.IP
|
||||||
The input data must be the output of a digest (hash) function.
|
The input data must be the output of a digest (hash) function.
|
||||||
As PKCS#1 padding includes an identifier of the hash algorithm
|
As PKCS #1 padding includes an identifier of the hash algorithm
|
||||||
used, the
|
used, the
|
||||||
.B flags
|
.B flags
|
||||||
argument must indicate the hash algorithm used,
|
argument must indicate the hash algorithm used,
|
||||||
|
@ -76,7 +76,7 @@ suitable for the card. For instance, if a smart card supports
|
||||||
raw RSA only, the function will have to add the required
|
raw RSA only, the function will have to add the required
|
||||||
padding before passing it to the card driver.
|
padding before passing it to the card driver.
|
||||||
Conversely, an error should be returned if the card supports
|
Conversely, an error should be returned if the card supports
|
||||||
only PKCS#1 padding with a specific set of hash algorithms.
|
only PKCS #1 padding with a specific set of hash algorithms.
|
||||||
.PP
|
.PP
|
||||||
...
|
...
|
||||||
.SH RETURN VALUE
|
.SH RETURN VALUE
|
||||||
|
|