Bug 2737 - Ship script to make it easier to extract smart card key to authorized_keys
Summary: Ship script to make it easier to extract smart card key to authorized_keys
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card
Version: 2.0.0
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.15.0
Assignee: Bugzilla mail exporter
Keywords: interesting_210
Depends on:
Reported: 2008-03-25 13:14 CET by Peter Åstrand
Modified: 2022-06-14 12:59 CEST
CC List: 0 users

See Also:
Acceptance Criteria:

Attachments:
tl-get-cert (1.13 KB, text/plain)
2008-03-25 13:14 CET, Peter Åstrand
Updated tl-get-cert, handles passwdaliases (1.54 KB, text/plain)
2009-06-12 13:15 CEST, Peter Åstrand
Updated tl-get-cert (1.97 KB, text/plain)
2009-10-21 15:14 CEST, Peter Åstrand
tl-get-cert.desktop (243 bytes, text/plain)
2009-10-21 15:15 CEST, Peter Åstrand
Latest tl-get-cert, fetched from eudemo (2.72 KB, application/octet-stream)
2012-03-21 09:56 CET, Peter Åstrand
Code from Pierre that mangles to SSH format. (446 bytes, text/plain)
2012-03-29 09:19 CEST, Peter Åstrand

Description Peter Åstrand cendio 2008-03-25 13:14:06 CET
To log in using a smart card, the card key must be extracted and put into ~/.ssh/authorized_keys. This can be done using pkcs15-tool and is described in the TAG, section 9.7.4. However, there are several steps that must be done manually. At Karlstad, I created a script that makes this task easier. The idea is that root logs in and executes a command, providing the username. The script then creates the authorized_keys. We should consider shipping this, or a similar, script.
Comment 1 Peter Åstrand cendio 2008-03-25 13:14:39 CET
Created attachment 272
Comment 2 Peter Åstrand cendio 2009-06-12 13:15:45 CEST
Created attachment 340
Updated tl-get-cert, handles passwdaliases
Comment 3 Peter Åstrand cendio 2009-10-21 15:14:10 CEST
Created attachment 345
Updated tl-get-cert

This script is installed on the demo system. It's in English, has better support for running as an ordinary user, plus saves the user DN in ~/.thinlinc/user-dn.
Comment 4 Peter Åstrand cendio 2009-10-21 15:15:04 CEST
Created attachment 346
Comment 5 Peter Åstrand cendio 2012-03-21 09:56:17 CET
Created attachment 430
Latest tl-get-cert, fetched from eudemo
Comment 6 Peter Åstrand cendio 2012-03-29 09:18:24 CEST
I think that before shipping such a script, we should rewrite it so that it uses pkcs11-tool instead of pkcs15-tool. Something like:

pkcs11-tool -r --id 45 -y cert 

However, this means that we must also use tl-certtool --pubkey, then mangle it to Python format. While we are at it, we should probably also rewrite the shell script as a Python one.
Comment 7 Peter Åstrand cendio 2012-03-29 09:19:18 CEST
Created attachment 434
Code from Pierre that mangles to SSH format.
Comment 8 Peter Åstrand cendio 2012-03-29 09:40:51 CEST
Also, we should perhaps support feeding the script with a certificate on file, instead of calling pkcs11-tool. Also check if the code overlaps with tl-ldap-certalias.
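An added example, written for this page and not the tl-get-cert script attached above nor any ThinLinc code, of the two steps comments 6 and 8 describe: take an RSA X.509 certificate from a file (raw DER as `pkcs11-tool -r --id 45 -y cert` writes it, or PEM), pull the public key out of its subjectPublicKeyInfo with a small hand-written DER walker instead of tl-certtool, encode it as the OpenSSH `ssh-rsa` line, and append it to the user's ~/.ssh/authorized_keys with the modes sshd's StrictModes checks. All function names are my own. The certificate in the block is constructed inline (unsigned, empty dummy issuer/subject/validity, made-up modulus) so that it runs offline; nothing is read from a card.

```python
import base64
import os
import struct

RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # 1.2.840.113549.1.1.1

def der_tlv(tag, value):
    """One DER (X.690) TLV with a definite-form length."""
    n = len(value)
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    length = bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value

def der_int(x):
    """DER INTEGER for a non-negative int (leading 0x00 keeps it positive)."""
    b = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    return der_tlv(0x02, (b"\x00" if b[0] & 0x80 else b"") + b)

def der_read(buf, pos=0):
    """Decode the TLV at pos -> (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Split SEQUENCE content into its (tag, value) elements."""
    items, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        items.append((tag, val))
    return items

def load_cert(data):
    """Accept raw DER (what pkcs11-tool -r -y cert writes) or a PEM certificate."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = b"".join(l for l in data.splitlines() if not l.startswith(b"-----"))
        return base64.b64decode(body)
    return data

def rsa_from_cert(data):
    """Return (n, e) from the certificate's subjectPublicKeyInfo; refuse non-RSA keys."""
    _, cert, _ = der_read(load_cert(data))           # Certificate ::= SEQUENCE
    _, tbs, _ = der_read(cert)                       # tbsCertificate
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                         # optional EXPLICIT [0] version
        fields = fields[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    alg, (bit_tag, bit_string) = der_children(fields[5][1])
    if bit_tag != 0x03 or der_children(alg[1])[0] != (0x06, RSA_ENCRYPTION_OID[2:]):
        raise ValueError("key algorithm is not rsaEncryption; only RSA is handled here")
    _, rsa_pub, _ = der_read(bit_string[1:])         # skip the unused-bits byte
    (_, n), (_, e) = der_children(rsa_pub)           # RSAPublicKey ::= SEQUENCE { n, e }
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")

def ssh_string(b):
    """RFC 4253 string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b

def ssh_mpint(x):
    """RFC 4253 mpint: minimal big-endian magnitude, 0x00-padded if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8, "big")
    return ssh_string((b"\x00" if b and b[0] & 0x80 else b"") + b)

def authorized_key_line(n, e, comment):
    """The 'ssh-rsa <base64 blob> <comment>' form sshd reads from authorized_keys."""
    blob = ssh_string(b"ssh-rsa") + ssh_mpint(e) + ssh_mpint(n)
    return "ssh-rsa %s %s" % (base64.b64encode(blob).decode(), comment)

def install_authorized_key(home, line):
    """Append line once to home/.ssh/authorized_keys, with the modes sshd StrictModes accepts."""
    ssh_dir = os.path.join(home, ".ssh")
    path = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)                         # makedirs mode is subject to umask
    key_blob = line.split(" ")[1]                    # dedupe on the key, not the comment
    if os.path.exists(path):
        with open(path) as f:
            if any(key_blob in l for l in f):
                return path
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(line + "\n")
    os.chmod(path, 0o600)
    return path

# Constructed sample input: an unsigned X.509 DER certificate with empty dummy
# issuer/subject/validity fields and a made-up 1024-bit modulus (not a real key).
SAMPLE_N = int("c0" + "5a" * 126 + "4b", 16)
SAMPLE_E = 65537

def build_sample_cert(n, e):
    empty = der_tlv(0x30, b"")                       # signature, issuer, validity, subject
    rsa_pub = der_tlv(0x30, der_int(n) + der_int(e))
    spki = der_tlv(0x30, der_tlv(0x30, RSA_ENCRYPTION_OID + b"\x05\x00")
                   + der_tlv(0x03, b"\x00" + rsa_pub))
    tbs = der_tlv(0x30, der_tlv(0xA0, der_int(2)) + der_int(1) + empty * 4 + spki)
    return der_tlv(0x30, tbs + empty + der_tlv(0x03, b"\x00"))

SAMPLE_CERT = build_sample_cert(SAMPLE_N, SAMPLE_E)
```

Against a real card the input would come from something like `pkcs11-tool -r --id 45 -y cert -o card.der`, after which `install_authorized_key(home, authorized_key_line(*rsa_from_cert(open("card.der", "rb").read()), "smartcard"))` does the rest. Two things the block deliberately does: it compares the base64 key blob rather than the whole line when deduplicating, so re-running with a different comment does not add a second entry, and it sets 0700/0600 explicitly because sshd silently ignores authorized_keys with looser permissions when StrictModes is on. It does not check that the certificate chains to a trusted CA or that its subject belongs to the target user; as in the original script, that judgement is the operator's, which is the weakness comment 9 has in mind when it prefers tl-ldap-certalias.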
Comment 9 Pierre Ossman cendio 2022-06-14 12:59:58 CEST
This is a bit hacky compared to using something like tl-ldap-certalias, so I don't think this method is something we want to recommend. We also haven't seen any interest for something like this in the fourteen years this bug has been open.
