minor docu update
thanks to Ville Skyttä git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@1881 c6295689-39f2-0310-b995-f0e70906c6a9
parent 2ba6ad3954
commit 5044b0e133
11 PAM_README
@ -9,7 +9,7 @@ b) "ldap" - store the certificate for a user in a central ldap
This guide only deals with flavor a). If you want to add documentation
on using pam with ldap, please send a patch to the opensc-devel mailing
list.
list. See also the PAM section in the OpenSC HTML docs.

First initialize the token, create a user with a pin, create a key
and create a certificate, all as documented in the QUICKSTART file.
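Review bot: the new cross-reference in "list. See also the PAM section in the OpenSC HTML docs." is too vague to follow; name the document (file name or URL) in which that PAM section lives so a reader of PAM_README can find it without guessing which of the HTML docs is meant.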
@ -36,16 +36,19 @@ auth required pam_unix.so nullok
Note the first line is marked as "sufficient", so successful smart card
authentication will let a user in. If both lines read "required", a user
would have to use a smart card with the right key and certificate on it,
enter the right pin *AND* have the right passwort for the normal login
enter the right pin *AND* have the right password for the normal login
procedure.

Now every user needs to create a directory ".eid" in his or her home
directory and put the certificate in a file called "authorized_certificates".
To do this, enter the command
To do this, enter the command (beware, this will overwrite the file):
$ pkcs15-tool -r 45 -o ~/.eid/authorized_certificates

Now try to login using the smart card. Remember to first insert your
smart card into the reader, then enter your username, and then the
pin on your key.


As of OpenSC version 0.9.2, ~/.eid/authorized_certificates can contain
multiple certificates. To use multiple certificates there, simply
concatenate them, for example like
$ pkcs15-tool -r 45 >> ~/.eid/authorized_certificates
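Review bot: the overwrite warning added to "To do this, enter the command (beware, this will overwrite the file):" is the right addition, but both example commands hard-code the certificate id 45 (`pkcs15-tool -r 45 ...`) without saying where that number comes from; a sentence pointing readers at `pkcs15-tool --list-certificates` (the `-c` option documented in the pkcs15-tool hunk of this same patch) would stop users copying an id that does not exist on their card. Since ~/.eid/authorized_certificates is the file the PAM module trusts to decide who may log in, the new "multiple certificates" paragraph is also the place to state what ownership and permissions the module expects on ~/.eid and the file, and what happens when one of the concatenated entries fails to parse.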
@ -27,7 +27,7 @@ Use the given card driver. The default is auto-detected.
Causes \*(nm to be more verbose. Specify this flag several times
to enable debug output in the opensc library.
.SH COMMANDS
The following commands are suported at the \*(nm interactive prompt.
The following commands are supported at the \*(nm interactive prompt.
.PP
.TP
.BR ls
@ -9,7 +9,7 @@ pkcs15-crypt \- perform crypto operations using pkcs15 smart card
.SH DESCRIPTION
The \*(nm utility can be used from the command line to perform
cryptographic operations such as computing digital signatures or
decrypting data, using keys stored on a PKCS#15 compliant smart
decrypting data, using keys stored on a PKCS #15 compliant smart
card.
.SH OPTIONS
.TP
@ -21,7 +21,7 @@ option. By default, the contents of the file are assumed to
be the result of an MD5 hash operation. Note that \*(nm
expects the data in binary representation, not ASCII.
.IP
The digitial signature is stored, in binary representation,
The digital signature is stored, in binary representation,
in the file specified by the
.B \-\-output
option. If this option is not given, the signature
@ -36,7 +36,7 @@ a 1024 bit key, the input must be padded to 128 bytes to match
the modulus length). When giving the
.B \-\-pkcs1
option, however, \*(nm will perform the required padding
using the algorithm outlined in the PCKS#1 v1.5 standard.
using the algorithm outlined in the PKCS #1 standard version 1.5.
.TP
.B \-\-sha1
This option tells \(*nm that the input file is the result
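Review bot: the unchanged context line "This option tells \(*nm that the input file is the result" carries a second typo of the same kind this hunk fixes: `\(*nm` is not the `nm` string register (`\*(nm`, as every other line in the patch writes it) but the two-character special-character escape `\(*n` followed by a literal "m", so groff renders a Greek nu instead of the program name. Since the commit already touches this paragraph, correct it here as well.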
@ -13,7 +13,7 @@ The profile used by default is \fBpkcs15\fR. Alternative
profiles can be specified via the \fB-p\fR switch.
.SH PIN Usage
.B pkcs15-init
can be used to create a PKCS#15 structure on your smart card,
can be used to create a PKCS #15 structure on your smart card,
create PINs, and install keys and certificates on the card.
This process is also called \fIpersonalization\fP.
.PP
@ -30,7 +30,7 @@ characters other than digits will make the card unusable with PIN pad
readers, because those usually have keys for entering digits only.
.PP
The security officer (SO) PIN is special; it is used to protect
meta data information on the card, such as the PKCS#15 structure
meta data information on the card, such as the PKCS #15 structure
itself. Setting the SO PIN is optional, because the worst that can
usually happen is that someone finding your card can mess it up.
To extract any of your secret keys stored on the card, an attacker
@ -63,7 +63,7 @@ at least one PIN to protect these objects. you can do this using
.PP
.BI " pkcs15-init --store-pin --auth-id " nn
.PP
where \fInn\fP is a PKCS#15 ID in hexadecimal notation. Common values
where \fInn\fP is a PKCS #15 ID in hexadecimal notation. Common values
are \fB01\fP, \fB02\fP, etc.
.PP
Entering the command above will ask you for the user's PIN and PUK.
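Review bot: the hunk header context "at least one PIN to protect these objects. you can do this using" still starts a sentence with a lowercase "you"; as this commit is a typo sweep of the pkcs15-init man page, capitalize it in the same change. The "PKCS #15 ID" spelling itself is consistent with the rest of the patch.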
@ -150,8 +150,8 @@ You can download certificates to the card using the
.B \-\-store-certificate
option, which takes a filename as an argument. This file is supposed
to contain the DER encoded X.509 certificate.
.SS Downloading PKCS#12 bags
Most browsers nowadays use PKCS#12 format files when you ask them to
.SS Downloading PKCS #12 bags
Most browsers nowadays use PKCS #12 format files when you ask them to
export your key and certificate to a file. \*(nm is capable of parsing
these files, and storing their contents on the card in a single operation.
This works just like storing a private key, except that you need to
@ -22,10 +22,10 @@ key is generated and stored on the token), the cache should
be updated or operations may show stale results.
.TP
.BR "\-\-read\-certificate " \fIcert\fP ", \-r " \fIcert\fP
Read the certificate with the given id
Reads the certificate with the given id.
.TP
.BR \-\-list\-certificates ", " \-c
Lists all certificates stored on the token
Lists all certificates stored on the token.
.TP
.BR \-\-list\-pins
Lists all PINs stored on the token. General information about
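Review bot: "Reads the certificate with the given id." still calls the argument "id" while the option line names it \fIcert\fP; use one name in both places (for example "Reads the certificate with id \fIcert\fP.") so the description matches the synopsis, the way the --read-public-key entry in the next hunk does with "id \fIid\fP".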
@ -49,11 +49,12 @@ Reads the public key with id \fIid\fP, allowing the user to
extract and store or use the public key.
.TP
.BR "\-\-output " \fIfilename\fP ", \-o " \fIfilename\fP
Specifies where key output should be written. If this option is not
given, keys will be printed to standard output.
Specifies where key output should be written. If \fIfilename\fP already
exists, it will be overwritten. If this option is not given, keys will
be printed to standard output.
.TP
.BR \-\-no\-cache
Disable token data caching.
Disables token data caching.
.TP
.BR "\-\-pin\-id " \fIpin\fP ", \-a " \fIpin\fP
Specifies the auth id of the PIN to use for the operation. This
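Review bot: the added sentence "If \fIfilename\fP already exists, it will be overwritten." is exactly what --output needed to document, but the surrounding paragraph still says "key output" and "keys will be printed to standard output" although the same option also receives the output of --read-certificate (previous hunk, and the command used in PAM_README); say "output" rather than "key output" so the description covers both. "Disables token data caching." correctly matches the third-person form used by the other entries.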
@ -37,10 +37,10 @@ of the key.
.B SC_ALGORITHM_RSA_PAD_PKCS1
requests that the card should sign the provided data,
padding it according to the padding algorithm specified
in PKCS#1.
in PKCS #1.
.IP
The input data must be the output of a digest (hash) function.
As PKCS#1 padding includes an identifier of the hash algorithm
As PKCS #1 padding includes an identifier of the hash algorithm
used, the
.B flags
argument must indicate the hash algorithm used,
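Review bot: the pkcs15-crypt hunk in this patch pins the padding to "PKCS #1 standard version 1.5", while SC_ALGORITHM_RSA_PAD_PKCS1 here is described only as "PKCS #1" although the following lines ("padding includes an identifier of the hash algorithm", "the .B flags argument must indicate the hash algorithm used") describe the version 1.5 encoding; naming the version here as well would keep the two pages consistent and make clear which padding the flag selects.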
@ -76,7 +76,7 @@ suitable for the card. For instance, if a smart card supports
raw RSA only, the function will have to add the required
padding before passing it to the card driver.
Conversely, an error should be returned if the card supports
only PKCS#1 padding with a specific set of hash algorithms.
only PKCS #1 padding with a specific set of hash algorithms.
.PP
...
.SH RETURN VALUE