Authenticate with non-writable Smart Card

Scripts to manage certificates or generate config files

Moderators: TinCanTech

bruto
OpenVpn Newbie
Posts: 15
Joined: Sat Jan 06, 2018 12:16 pm

Authenticate with non-writable Smart Card

Post by bruto » Sat Jan 06, 2018 12:34 pm

Hello everyone and happy new year from Italy!
I'm figuring out whether it's possible or not to use an Italian government "CNS" smart card in order to log in to my VPN.
All the tutorials I've found online assume that you have a "writable" (unlocked?) smart card.

The setup is Ubuntu 14 + OpenVPN 2.3.2 + opensc 0.13.0
Issuing the command:

Code:

openvpn --show-pkcs11-ids /usr/lib/i386-linux-gnu/opensc-pkcs11.so

Correctly shows the "Serialized id".
Can anyone help me with client and server configuration in order to use this ID and start the VPN?
The relevant section of the HOWTO

https://openvpn.net/index.php/open-sour ... ual_factor

is too technical for me.
Many thanks,
FT

bruto
OpenVpn Newbie
Posts: 15
Joined: Sat Jan 06, 2018 12:16 pm

Re: Authenticate with non-writable Smart Card

Post by bruto » Mon Jan 08, 2018 2:43 pm

Hello everyone!
Has anybody had a similar issue?
Maybe I posted in the wrong forum?

Thank you,
Francesco

bruto
OpenVpn Newbie
Posts: 15
Joined: Sat Jan 06, 2018 12:16 pm

Re: Authenticate with non-writable Smart Card

Post by bruto » Wed Feb 07, 2018 9:34 am

Sad that this topic raises little-to-no interest!
Italy gov. deployed a zillion of those tokens which could be used for lots of creative applications!
Anyone would dig this?

Cheers,
F.

bruto
OpenVpn Newbie
Posts: 15
Joined: Sat Jan 06, 2018 12:16 pm

DONE

Post by bruto » Sun Feb 11, 2018 12:36 pm

Hello. I figured it out.
This guide will allow you to bring up the VPN with your TS-CNS ("codice fiscale") card issued by Regione Lazio!!
My server is CentOS, client is Ubuntu.
You will need the PIN of your card (you can get it at your "ASL" office...this will be the toughest step!!)

SERVER SIDE:
wget https://gist.github.com/3v1n0/e371f5816 ... v-certs.py
nano parse-gov-certs.py
change this:
DEFAULT_XML_URI = "https://applicazioni.cnipa.gov.it/TSL/IT_TSL_CNS.xml"
to this:
DEFAULT_XML_URI = "https://applicazioni.cnipa.gov.it/TSL/_IT_TSL_CNS.xml"
(note the missing underscore!)
chmod +x parse-gov-certs.py
./parse-gov-certs.py --output-folder /var/tmp/certs
cat /var/tmp/certs/*Lazio* >> /path_to_your_existing/ca.crt
This is my server.conf:

Code:

port 1197
cipher AES-256-CBC
auth SHA256
proto udp4
dev tun
ca /etc/openvpn/ca.crt
cert /etc/openvpn/server.crt
key /etc/openvpn/server.key
dh /etc/openvpn/dh2048.pem
client-config-dir /etc/openvpn/ccd
server 10.4.0.0 255.255.255.0
route 10.8.0.0 255.255.255.0
keepalive 10 120
comp-lzo
persist-key
persist-tun
verb 3

CLIENT SIDE:
[you need to install "opensc"]
Insert your smart card.
openvpn --show-pkcs11-ids /usr/lib/i386-linux-gnu/opensc-pkcs11.so | cut -d',' -f4 | grep CN | head -n1 | cut -d'=' -f2,3 | tr '/' '_'
copy the result #1 in a notepad file
openvpn --show-pkcs11-ids /usr/lib/i386-linux-gnu/opensc-pkcs11.so | grep Serialized | cut -d' ' -f11
copy the result #2 in a notepad file

SERVER SIDE:
nano /etc/openvpn/ccd/[PASTED_RESULT#1_FROM_NOTEPAD]
insert your custom client directives, this alone will be ok:
ifconfig-push 10.8.0.8 10.8.0.9

CLIENT SIDE CONFIG:

Code:

client
cipher AES-256-CBC
auth SHA256
auth-nocache
dev tun
# the very same file hosted on the server
ca /path_to/ca.crt
proto udp
remote your.server.ip.address 1197
resolv-retry infinite
nobind
persist-key
persist-tun
comp-lzo
verb 3
pkcs11-providers '/usr/lib/i386-linux-gnu/opensc-pkcs11.so'
pkcs11-id '[PASTED_RESULT#2_FROM_NOTEPAD_BETWEEN_SINGLE_QUOTES]'

DONE!!!
What could possibly go wrong?
Everything! From missing dependencies on your server and/or client, missing smart card support in your OpenVPN release, incorrect opensc-pkcs11.so path, connectivity issues, you haven't paid electricity bill, you are under the influence of drugs, etc.
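
Added example, not part of bruto's post: with the Regione Lazio CA appended to ca.crt, every card issued under that CA passes the server's certificate check, and the ccd file by itself only assigns an address. The tls-verify hook below accepts a client only when a ccd file exists for its CN, which is the same restriction OpenVPN's ccd-exclusive directive enforces. The hook path, the CCD_DIR variable and the sample CNs used to exercise it are assumptions.

```shell
#!/bin/sh
# Added example: tls-verify hook for the server in this thread.
# server.conf (assumed hook path; user scripts need script-security 2):
#   script-security 2
#   tls-verify /etc/openvpn/verify-cn.sh
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# Map a certificate CN to the name OpenVPN uses for the ccd file:
# every character outside [A-Za-z0-9_.@-] becomes '_' (so '/' -> '_',
# which is what the `tr '/' '_'` step in the post does by hand).
ccd_name_from_cn() {
    printf '%s' "$1" | LC_ALL=C sed 's/[^A-Za-z0-9_.@-]/_/g'
}

# verify_peer DEPTH CN -> 0 to accept, 1 to reject.
verify_peer() {
    depth=$1 cn=$2
    # CA certificates in the chain (depth > 0) are checked against
    # ca.crt by OpenVPN itself; only the client certificate is filtered.
    [ "$depth" -eq 0 ] || return 0
    [ -n "$cn" ] || return 1
    name=$(ccd_name_from_cn "$cn")
    # Never resolve to the directory itself or its parent.
    case $name in .|..) return 1 ;; esac
    # Accept only clients that were enrolled with a ccd file.
    [ -f "$CCD_DIR/$name" ]
}

# OpenVPN sets script_type and X509_0_CN before calling the hook.
if [ "${script_type:-}" = "tls-verify" ]; then
    verify_peer "$1" "${X509_0_CN:-}"
    exit $?
fi
```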

kwinz
OpenVpn Newbie
Posts: 4
Joined: Tue Jul 14, 2020 1:07 pm

Re: Authenticate with non-writable Smart Card

Post by kwinz » Tue Jul 14, 2020 1:09 pm

Hey Bruto, thanks for documenting your configuration, despite not getting any feedback. Very helpful!

TinCanTech
OpenVPN Protagonist
Posts: 11137
Joined: Fri Jun 03, 2016 1:17 pm

Re: Authenticate with non-writable Smart Card

Post by TinCanTech » Tue Jul 14, 2020 1:42 pm

Use of smart cards is quite niche and the OpenVPN community has very little experience of them.

Generally, they are used by corporations who do not provide any meaningful resources or feedback to open source projects (unless and until it suits their own financial agenda).

opensc-pkcs likewise receives very little support from anyone at all and is known to be a source of many unnecessary headaches.

We have no way to verify the details in this thread and so chose not to comment.

Thanks to bruto for persevering and providing this write up ..

However, your mileage may vary ..
