AuthenticatingLinuxwithyourUSBActiveKey

As I started working for my new employer, I got a new laptop. Linux is allowed here (thank goodness for that!) so I decided to go for a Debian install. I also got this nifty USB ActiveKey token, which can be used to authenticate to a plethora of services - Windows domain login, SAP login, ... fun stuff. But what about Linux? It turns out you can make good use of this key for Linux authentication too. For simplicity's sake I'll assume here that the ActiveKey you have has already been initialized and you have stored your certificate on it using the standard (Windows) tooling. First thing you'll need is a set of tools to read the ActiveKey itself. apt-get install coolkey pcscd pcsc-tools libpam-pkcs11 Start the pcscd daemon and insert your ActiveKey. You'll notice that the light goes from red to green. Check if everything is detected properly: [alver@Talisker ~]$ pcsc_scan PC/SC device scanner V 1.4.16 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@free.fr> Compiled with PC/SC lite version: 1.5.5 Scanning present readers... 0: Activkey Sim 00 00

Thu Jan 14 12:00:25 2010 Reader 0: Activkey Sim 00 00 Card state: Card inserted, Shared Mode, ... and so on. Good, the reader is found, and it knows there's a card inserted. The command will stop without returning to shell because it doesn't know anything about the reader or card - that's okay. Just ctrl-c back to shell. Now it's time to setup pam_pkcs11. Just installing the package above won't do much; you'll have to manually create the necessary directories and create a config file. mkdir -p /etc/pam_pkcs11/cacerts zcat /usr/share/doc/libpampkcs11/examples/pam_pkcs11.conf.example.example.gz > /etc/pam_pkcs11/pam_pkcs11.conf