USB Token Intro

Usage in openvpn, https, ssh
By Jianxin Zhong@NetEase ([email protected])
(slide deck, 16 pages)

TOC
  General intro
  Usage in openvpn
  Usage in https
  Usage in ssh

Intro (APIs)
Two client-side APIs are in play; which one a program uses decides which token driver it can talk to:

  Microsoft CryptoAPI (MS-CAPI)   |  Public-Key Cryptography Standards (PKCS#11)
  IE                              |  Firefox
  Google Chrome (windows)         |  Putty-SC
  Secure CRT                      |  OpenSSH
  OpenVPN (windows)               |  OpenVPN

Most USB tokens ship a PKCS#11 library only for Windows. A few USB tokens are supported by the opensc project on other platforms.

Openvpn (server config)
As usual, using the PKI described at http://openvpn.net/howto.html#pki. Nothing on the server side is token-specific; the token only changes where the client's private key lives.

  port 1194
  proto udp
  dev tun
  ca ca.crt
  cert server.crt
  key server.key  # This file should be kept secret
  dh dh1024.pem
  server 10.8.0.0 255.255.255.0
  ifconfig-pool-persist ipp.txt
  keepalive 10 120
  comp-lzo
  persist-key
  persist-tun
  status openvpn-status.log
  verb 3

(dh1024.pem is what the slides show; 1024-bit DH is no longer considered adequate, so generate a larger group on a current deployment.)

Openvpn (client management)
Generate a new client key pair and certificate, packed as PKCS#12:
  $ ./pkitool --pkcs12 openvpn-client
Or use an existing key pair:
  $ openssl pkcs12 -export -inkey openvpn-client.key -in openvpn-client.crt -certfile ca.crt -out openvpn-client.p12 -nodes
Import openvpn-client.p12 using the USB token's management tool (by an admin or by the user himself/herself).
Note that -nodes leaves the private key unencrypted inside the .p12; once the key is on the token, delete the .p12 and the .key file so the token holds the only copy.

Openvpn (client config)

  client
  dev tun
  proto udp
  remote server-ip 1194
  resolv-retry infinite
  nobind
  user nobody
  group nogroup
  persist-key
  persist-tun
  ca ca.crt
  #cert client.crt
  #key client.key
  cryptoapicert "SUBJ:client"   # (windows only)
  #pkcs11-providers "path to shared lib provided by usb token manufacturer"   # (for other platforms, the pkcs11-* options may be needed)
  comp-lzo
  verb 3

The cert/key lines are replaced by cryptoapicert, which selects the certificate in the Windows store. "SUBJ:" is a case-insensitive substring match on the subject, so "SUBJ:client" would also pick up a certificate whose subject merely contains "client"; use a string that is unique, or the "THUMB:" selector with the certificate's SHA-1 thumbprint.

Openvpn (references and further reading)
  http://openvpn.net/howto.html
  man openvpn(8), the --cryptoapicert and --pkcs11-* options

HTTPS (apache)
Apache config (the same CA as OpenVPN, so one token certificate serves both):

  SSLEngine on
  SSLCertificateFile /etc/ssl/certs/server.pem
  SSLCertificateKeyFile /etc/ssl/private/server.key
  SSLCACertificateFile /etc/openvpn/ca.crt
  SSLUserName SSL_CLIENT_S_DN_CN
  SSLVerifyClient require

SSLVerifyClient require rejects any connection without a valid client certificate, and SSLUserName copies the certificate's CN into REMOTE_USER, which is what the test page prints.

Testing code:
  <?php echo "You're logged in as: "; echo $_SERVER['REMOTE_USER']; ?>

Neither config checks revocation: a lost token stays usable until its certificate is revoked and the servers consult a CRL (SSLCARevocationFile in Apache, crl-verify in OpenVPN).

HTTPS (browser support)
  IE / Google Chrome (MS-CAPI): IE -> Internet Options -> Content -> Certificates
  Firefox (PKCS#11): https://developer.mozilla.org/en/PKCS11_Module_Installation
    Options -> Advanced -> Encryption -> Security Devices

HTTPS (references and further reading)
  http://httpd.apache.org/docs/2.2/ssl/
  http://httpd.apache.org/docs/2.2/mod/mod_ssl.html

SSH (2 different methods)
  Secure CRT + patched OpenSSH server (X.509 auth): http://www.roumenpetrov.info/openssh/
  Putty-SC + normal OpenSSH server (pubkey auth): http://www.joebar.ch/puttysc/

SSH (Putty-SC)
Load the PKCS#11 provider library: PuTTY-SC -> Connection -> SSH -> Pkcs11
Get the public key for authorized_keys:
  pprint -l pkcs11-provider.dll

SSH (Secure CRT)
Apply the patch to the server, then in sshd_config:
  CACertificateFile /etc/openvpn/ca.crt
Get the public key from the *.p12 (this yields the same key as pprint):
  $ openssl pkcs12 -in FILE.p12 -clcerts > id_x509
  $ chmod 600 id_x509
  $ ssh-keygen -y -f id_x509 > id_x509.pub
Agent forwarding: according to the Changelog, SecureCRT 5.1 (Beta 1) supports X.509 agent forwarding, but this is not confirmed or tested.

SSH (references and further reading)
  http://www.joebar.ch/puttysc/
  http://www.roumenpetrov.info/openssh/x509-6.2.3/README.x509v3
  http://wiki.cacert.org/Pkcs11TaskForce
  http://www.freeotfe.org/docs/Main/pkcs11_drivers.htm

Troubleshooting

Appendix (PKCS#11 provider of known USB tokens)
  RSA SecurID 800:    C:\Program Files\Common Files\RSA Shared\RSA P11\PKCS11.dll
  Feitian ePass3003:  C:\windows\system32\ShuttleCsp11_3003.dll
  J&D SCR2000:        C:\windows\system32\aetpkss1.dll
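Before a .p12 goes onto a real token it is worth checking, in one place, what each of the three services above will key on: the CN that Apache's SSLUserName turns into REMOTE_USER and that cryptoapicert "SUBJ:" substring-matches, the SHA-1 thumbprint for "THUMB:", whether the .p12 really carries the intended certificate, whether that certificate chains to the CA both servers trust, and, for the SSH route, that the authorized_keys line produced by ssh-keygen -y carries the same public key as the certificate. The script below is an added example, not part of the slides: it builds a throwaway CA and client certificate with openssl, exports the .p12 with the same command the slides use, and runs those checks. The scratch directory, the CN "openvpn-client", the CA name and the export password are all constructed for the example; openssl must be on PATH, ssh-keygen is optional, and no real token is touched.

```shell
#!/bin/sh
# Added example (not from the slides): build a throwaway CA and client
# certificate, export the PKCS#12 the way the slides do, and check what
# OpenVPN, Apache and sshd will see before anything is imported into a token.
# Assumptions: openssl on PATH; ssh-keygen optional; all names are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir holding constructed test material only
CN="openvpn-client"            # the CN the Apache/OpenVPN configs key on (assumption)
P12PASS="changeit"             # export password for the .p12 (assumption)

make_test_pki() {
  # Self-signed CA standing in for the ca.crt of the slides' easy-rsa PKI.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test CA" \
      -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
  # Client key pair and CSR, then sign it with the CA; the CN is the user identity.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$CN" \
      -keyout "$WORK/client.key" -out "$WORK/client.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/client.csr" -CA "$WORK/ca.crt" \
      -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/client.crt" 2>/dev/null
  # Same export command as the slides; -passout only keeps it non-interactive.
  openssl pkcs12 -export -inkey "$WORK/client.key" -in "$WORK/client.crt" \
      -certfile "$WORK/ca.crt" -out "$WORK/client.p12" -nodes \
      -passout "pass:$P12PASS" 2>/dev/null
}

# The CN: what SSLUserName SSL_CLIENT_S_DN_CN puts into REMOTE_USER, and the
# string that cryptoapicert "SUBJ:..." must be a substring of.
cert_cn() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -e 's/^subject=[[:space:]]*//' -e 's/.*CN=\([^,]*\).*/\1/'
}

# SHA-1 thumbprint: the exact-match selector for cryptoapicert "THUMB:..."
# (see man openvpn(8) for the spelling it expects).
cert_thumbprint() {
  openssl x509 -noout -fingerprint -sha1 -in "$1" | sed 's/^.*=//'
}

# Does the .p12 really carry the certificate we think we exported?
p12_matches_cert() {
  p12fp=$(openssl pkcs12 -in "$WORK/client.p12" -clcerts -nokeys \
            -passin "pass:$P12PASS" 2>/dev/null \
          | openssl x509 -noout -fingerprint -sha256)
  crtfp=$(openssl x509 -noout -fingerprint -sha256 -in "$WORK/client.crt")
  [ -n "$p12fp" ] && [ "$p12fp" = "$crtfp" ]
}

# Will the servers accept it?  OpenVPN (ca ca.crt) and Apache
# (SSLCACertificateFile) both verify the client certificate against this CA.
chain_ok() {
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null 2>&1
}

# SSH route from the slides: pull cert+key out of the .p12, then ssh-keygen -y
# gives the authorized_keys line.  Returns 1 if ssh-keygen is not installed.
authorized_key_from_p12() {
  command -v ssh-keygen >/dev/null 2>&1 || return 1
  openssl pkcs12 -in "$WORK/client.p12" -clcerts -nodes \
      -passin "pass:$P12PASS" -out "$WORK/id_x509" 2>/dev/null
  chmod 600 "$WORK/id_x509"
  ssh-keygen -y -f "$WORK/id_x509"
}

# The "same key as pprint" claim, checked: compare the SubjectPublicKeyInfo
# behind the authorized_keys line with the one inside the certificate.
ssh_key_matches_cert() {
  key=$(authorized_key_from_p12) || return 1
  printf '%s\n' "$key" > "$WORK/id_x509.pub"
  a=$(ssh-keygen -e -m PKCS8 -f "$WORK/id_x509.pub" \
        | openssl pkey -pubin -outform DER | openssl sha256)
  b=$(openssl x509 -pubkey -noout -in "$WORK/client.crt" \
        | openssl pkey -pubin -outform DER | openssl sha256)
  [ -n "$a" ] && [ "$a" = "$b" ]
}

main() {
  make_test_pki
  echo "CN (REMOTE_USER / cryptoapicert SUBJ): $(cert_cn "$WORK/client.crt")"
  echo "SHA-1 thumbprint (cryptoapicert THUMB): $(cert_thumbprint "$WORK/client.crt")"
  p12_matches_cert && echo "client.p12 carries client.crt"
  chain_ok && echo "client.crt chains to ca.crt"
  if key=$(authorized_key_from_p12 2>/dev/null); then
    echo "authorized_keys line: $key"
    ssh_key_matches_cert && echo "ssh public key matches the certificate"
  fi
  echo "scratch files in $WORK: remove them once the .p12 is on the token"
}
main
```

Run it as-is to see the values; to check a real export, point WORK at the directory holding your ca.crt, client.crt and client.p12 and call the check functions instead of make_test_pki. The thumbprint line is the one to prefer in the client config, because "SUBJ:" matching is a substring test and "THUMB:" identifies exactly one certificate.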
