Using an Aladdin eToken to store your SSH keys.

This past week I have been trying out an Aladdin eToken on my Ubuntu desktop. At Nikhef they are used to store X.509 certificates holding Grid credentials, and to make proxy certificates from those. (A proxy certificate is a shorter-lived certificate, signed by the original.) My ultimate goal was to use it to store the private keys I use most: my SSH keys.

After peeking around the Nikhef Gridwiki and downloading the eToken PKI Client 4.55 from aladdin.ru, pkcs11-tool confirmed that the token was loaded and recognized by the system. I was also able to store my grid certificate on it following the instructions provided, and I loaded /usr/lib/libeToken.so into Firefox as a security device. After restarting Firefox, things took a turn for the worse...

It appears the Aladdin client ships some binaries of its own that interfere with Firefox (it seems to overwrite the LD_LIBRARY_PATH environment variable), and it ships an old version of libnss3, which Firefox needs. The result is Firefox crashing with a "could not initialize XPCOM" message. A colleague helped me locate (using strace) and fix the offending libraries in /usr/lib/eToken/nss_tools: the shipped files should be removed and replaced by symlinks to the system certutil and modutil binaries. This fixes the problem! (Thanks again, Willem)

With this puzzling error out of the way, I was free to play around with the token some more. As for OpenSSH: the version shipped with Ubuntu is not built with smartcard support (a smartcard is what the token pretends to be). This can be remedied in two ways: either recompile OpenSSH with the --with-opensc flag, or apply a PKCS11 patch to OpenSSH. The OpenSC option seemed the easier route. Getting the source packages built on Ubuntu was as simple as:

aczid@maggie:~$ apt-get source openssh; apt-get build-dep openssh

If you get errors about missing public keys, look them up using gpg --keyserver keyserver.ubuntu.com --search-keys <name of maintainer>. Bear in mind that importing a key this way implies you trust this person and his or her public key!

aczid@maggie:~$ cd openssh-5.1p1/
aczid@maggie:~/openssh-5.1p1$ vi debian/rules 

Add the line confflags += --with-opensc=/usr/ and build the package with dpkg-buildpackage. Your newly built SSH now understands OpenSC, which relies on PKCS15, but the card is still formatted as PKCS11. Luckily, the token can hold files for both APIs simultaneously. Detailed instructions written for a different kind of token Worked For Me (TM). I suppose once you have the pkcs#-tools working, they're all more or less the same.
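Both fixes above are small file-level changes that are easy to get wrong by hand: a symlink to a certutil that is not actually installed, or the confflags line added a second time when you rebuild. The script below is an added example, not from the post and not part of Aladdin's client. It takes the directories as arguments (the post's /usr/lib/eToken/nss_tools and debian/rules, with the system binaries assumed to live in /usr/bin) and is demonstrated on a constructed temporary layout, so you can see what it does before pointing it at the real paths.

```shell
#!/bin/sh
# Added example, not part of the post or the eToken PKI Client: the two
# file-level fixes (nss_tools symlinks, confflags in debian/rules) as
# idempotent functions that take their paths as arguments, so they can be
# tried on a constructed directory before touching /usr/lib/eToken.
set -eu

# Replace the eToken-shipped certutil and modutil with symlinks to the system
# ones. $1: the shipped tools directory (the post: /usr/lib/eToken/nss_tools);
# $2: where the system binaries live (assumed /usr/bin).
link_nss_tools() {
    etoken_dir=$1
    system_dir=$2
    for tool in certutil modutil; do
        target="$system_dir/$tool"
        shipped="$etoken_dir/$tool"
        # A dangling symlink would only move the crash elsewhere, so insist
        # that the system binary is really there.
        if [ ! -x "$target" ]; then
            echo "system $tool not found at $target" >&2
            return 1
        fi
        # Already pointing at the system binary: nothing to do.
        if [ -L "$shipped" ] && [ "$(readlink "$shipped")" = "$target" ]; then
            continue
        fi
        # Keep the shipped file around so the change can be undone.
        if [ -e "$shipped" ] || [ -L "$shipped" ]; then
            mv "$shipped" "$shipped.orig"
        fi
        ln -s "$target" "$shipped"
    done
}

# Append the configure flag from the post to debian/rules, but only once.
# $1: path to debian/rules; $2: OpenSC prefix (defaults to /usr/ as in the post).
enable_opensc_in_rules() {
    rules=$1
    prefix=${2:-/usr/}
    line="confflags += --with-opensc=$prefix"
    if ! grep -qF -- "$line" "$rules"; then
        printf '%s\n' "$line" >> "$rules"
    fi
}

# How many --with-opensc lines a rules file has (exactly 1 after the edit).
count_opensc_flags() {
    grep -c -- '--with-opensc=' "$1" || true
}

# Demonstration on a constructed layout; nothing outside the temp dir is touched.
demo=$(mktemp -d)
mkdir -p "$demo/bin" "$demo/nss_tools" "$demo/debian"
for t in certutil modutil; do
    printf '#!/bin/sh\necho "system %s"\n' "$t" > "$demo/bin/$t"
    chmod +x "$demo/bin/$t"
    printf 'stand-in for the shipped %s\n' "$t" > "$demo/nss_tools/$t"
done
printf '#!/usr/bin/make -f\nconfflags += --with-pam\n' > "$demo/debian/rules"
link_nss_tools "$demo/nss_tools" "$demo/bin"
enable_opensc_in_rules "$demo/debian/rules"
enable_opensc_in_rules "$demo/debian/rules"   # second run must not add a duplicate
ls -l "$demo/nss_tools"
cat "$demo/debian/rules"
rm -rf "$demo"
```

On the real system, run `link_nss_tools /usr/lib/eToken/nss_tools /usr/bin` as root and `enable_opensc_in_rules debian/rules` inside the unpacked openssh source; the `.orig` copies let you put the shipped files back if the Aladdin client turns out to need them after all.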

Now that you know how to put your certificate on the token using both APIs, we can finally use OpenSSH! Extract the public key from your certificate, place it in a remote server's authorized_keys file, and launch your newly built ssh with:

aczid@maggie:~/openssh-5.1p1$ ./debian/openssh-client/usr/bin/ssh -I0 <some host>

If you would like to use your existing keys (like the ones generated by ssh-keygen), you need to generate a self-signed certificate from them and put that on the token. You can then use ssh without even needing a .ssh directory to store your private key! Unfortunately, I was still unable to use the token to generate grid proxy certificates on Ubuntu.
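The two key-handling steps above (extracting the authorized_keys line from a certificate, and wrapping an existing ssh-keygen key in a self-signed certificate), as an added example that is not part of the post. It assumes openssl and ssh-keygen are installed and that the private key is in PEM format (what ssh-keygen wrote at the time; current versions need -m PEM, or ssh-keygen -p -m PEM to convert). Before anything goes onto the token it also checks that the certificate's key fingerprint matches the private key, which is the one thing you want to be sure of when the same key is about to live in two places. Writing the certificate to the token itself follows the instructions the post links to and is not shown here.

```shell
#!/bin/sh
# Added example, not from the post: wrap an existing PEM RSA key in a
# self-signed X.509 certificate (the form the token stores), recover the
# authorized_keys line from that certificate, and check that both really carry
# the same key. Assumes openssl and ssh-keygen are installed and that the key
# file is PEM (ssh-keygen -m PEM, or ssh-keygen -p -m PEM to convert).
set -eu

# $1: private key (e.g. ~/.ssh/id_rsa); $2: output certificate; $3: subject
cert_from_ssh_key() {
    openssl req -new -x509 -key "$1" -out "$2" -days 365 -subj "$3" 2>/dev/null
}

# Print the OpenSSH public-key line embedded in a certificate; this is what
# goes into the remote authorized_keys file.
pubkey_line_from_cert() {
    openssl x509 -in "$1" -pubkey -noout | ssh-keygen -i -m PKCS8 -f /dev/stdin
}

# Fingerprint of the key inside a certificate, and of a private key file, in
# whatever form this ssh-keygen prints (SHA256 on current versions).
fingerprint_of_cert() {
    pubkey_line_from_cert "$1" | ssh-keygen -l -f /dev/stdin | awk '{print $2}'
}
fingerprint_of_key() {
    ssh-keygen -y -f "$1" | ssh-keygen -l -f /dev/stdin | awk '{print $2}'
}

# Succeeds only when the certificate was made from that private key, i.e. the
# line you put in authorized_keys matches the key that goes onto the token.
verify_cert_matches_key() {
    [ "$(fingerprint_of_cert "$1")" = "$(fingerprint_of_key "$2")" ]
}

# Demonstration on a throwaway key standing in for ~/.ssh/id_rsa.
if command -v openssl >/dev/null 2>&1 && command -v ssh-keygen >/dev/null 2>&1; then
    work=$(mktemp -d)
    openssl genrsa -out "$work/id_rsa" 2048 2>/dev/null
    cert_from_ssh_key "$work/id_rsa" "$work/cert.pem" "/CN=example-ssh-key"
    pubkey_line_from_cert "$work/cert.pem"
    if verify_cert_matches_key "$work/cert.pem" "$work/id_rsa"; then
        echo "certificate and private key carry the same public key"
    fi
    rm -rf "$work"
fi
```

Compare the fingerprint printed by `fingerprint_of_cert` with what the server logs when you connect with `-I0`; if they differ, the token is presenting a different key than the one in authorized_keys.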


Started my internship at Nikhef

About two weeks ago I started my internship at Nikhef, the Dutch institute for subatomic physics. Up until now it has mostly been a dizzying experience. I'm learning to cope with a whole new world, namely that of Grid computing. That wiki page is actually not very specific as to scale, so perhaps the GridPP introduction page conveys it better. Nikhef (together with SARA) hosts a Tier-1 site, which means they provide computing power and storage for one tenth of the data generated by the LHC experiments. If nothing else, this map of the grid sites should impress you.



But you still know nothing of my tiny, (so far) insignificant role in all this. It's to design and develop the EES. It involves the redesign of an existing (sudo-like) pluggable software library, which should remain backwards compatible. And oh yeah, it's in C. I hope you'll now understand why I feel like my head is spinning. I've just about given up on reading all the related articles linked from the LHC Wikipedia entry in my first week. I feel right in my place, but not very useful yet. The Grid infrastructure is so huge that I only have a vague, high-level idea of how it's all supposed to work. I have heard new acronyms every day for the past two weeks, most of which still lack a real definition for me. In the meantime I've been coding several prototypes (more like examples, or exercises) of how parts of the project should work.

Blogging everything I learn there would be impossible, but you can follow me on Twitter to keep up with my progress. My direct supervisor / boss is on there too. I hope to get a blog post out every week or so.


