Hi all,
this is more a "fyi notice" than anything else:
Thanks to the efforts of Werner Koch, Harald Welte, Nils Färber and myself, last week I finally managed to solve two major problems for my personal use of smart cards / OpenPGP crypto cards, such as the Fellowship crypto card [1], that might be bothering others as well.
* 100% Free Software PCMCIA smart card reader
Problem one was to find a PCMCIA smart card reader that could be used under GNU/Linux with 100% Free Software.
Most PCMCIA readers under GNU/Linux seem to use proprietary libraries, which is unacceptable. From a security viewpoint, I also consider it self-defeating: obviously the security of the system is only as strong as the security of the non-free layer and all its maintaining infrastructure at the producing company, which the user has no control over.
Thanks to Werner, Harald and Nils, it is now possible to use the Omnikey CardMan 4040 exclusively with Free Software under GNU/Linux. You will find more information here:
http://www.fsfe.org/fellows/greve/freedom_bits/fellowship_crypto_card_the_co...
* Remote SSH logins with crypto card authentication
Problem two was to do remote logins via SSH with authentication through the smart card. There was a problem with the gpg-agent that did not do PIN caching, and thus was somewhat annoying to use in real life. Werner just addressed this problem, and now it works rather flawlessly.
The gpg-agent replaces the ssh-agent for authentication, and it is possible to do remote securely authenticated OpenSSH logins. You can find information here:
http://www.fsfe.org/fellows/greve/freedom_bits/authenticating_ssh_logins_wit...
So I hope this will help others with similar problems to solve them.
If anyone feels like playing with it, adding to it, making it easier to use, or GUIfying it, that would be great. It would be good to see the technology improve and spread.
Also, if people were to join the Fellowship (and thus contribute to the work of FSFE) in order to play with the cards and find more applications for them that are both fun and useful, that would be great.
Regards, Georg
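The setup described above (gpg-agent standing in for ssh-agent so that the card's authentication key can be used for OpenSSH logins), as an added example that is not part of the original post and not Georg's or Werner's own code. It assumes a GnuPG 2.x gpg-agent that understands the `enable-ssh-support` option and a `gpgconf` that can report the agent's SSH socket (`gpgconf --list-dirs agent-ssh-socket`, GnuPG 2.1 and later); the helper names and the `setup` argument are this example's own:

```shell
#!/bin/sh
# Added example (not from the original post): make gpg-agent serve as the SSH
# agent so an OpenPGP card's authentication key can be used for SSH logins.
# Assumptions (not stated in the post): a GnuPG 2.x gpg-agent that understands
# the "enable-ssh-support" option, and a gpgconf that can print the agent's
# SSH socket. Function names and the "setup" argument are this example's own.

# Append "enable-ssh-support" to a gpg-agent.conf unless it is already there.
# Idempotent: running it twice leaves exactly one copy of the line.
ensure_ssh_support() {
    conf="$1"
    if ! grep -qx 'enable-ssh-support' "$conf" 2>/dev/null; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
}

# Report whether a gpg-agent.conf enables SSH support (exit 0 = yes, 1 = no).
has_ssh_support() {
    grep -qx 'enable-ssh-support' "$1" 2>/dev/null
}

# Point the SSH client at gpg-agent's SSH socket instead of ssh-agent's.
# "gpgconf --list-dirs agent-ssh-socket" prints only the socket path.
export_agent_socket() {
    sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null) || return 1
    [ -n "$sock" ] || return 1
    SSH_AUTH_SOCK="$sock"
    export SSH_AUTH_SOCK
}

# Full setup; only runs when asked for, so sourcing this file has no side effects.
setup() {
    gnupghome="${GNUPGHOME:-$HOME/.gnupg}"
    mkdir -p "$gnupghome" && chmod 700 "$gnupghome"
    ensure_ssh_support "$gnupghome/gpg-agent.conf"
    command -v gpgconf >/dev/null 2>&1 || {
        echo "gpgconf not found; install GnuPG 2.x" >&2
        return 1
    }
    # Restart the agent so that it picks up the new option, then use its socket.
    gpgconf --kill gpg-agent
    gpg-connect-agent /bye >/dev/null
    export_agent_socket || {
        echo "agent did not report an SSH socket" >&2
        return 1
    }
    # With the card inserted, its authentication key is listed in OpenSSH
    # format; that line is what goes into ~/.ssh/authorized_keys on the host
    # you want to log in to. The PIN is asked for by the agent's pinentry.
    ssh-add -L
}

if [ "${1:-}" = "setup" ]; then
    setup
fi
```

Run it as `sh gpg-ssh-setup.sh setup` once per client machine; the functions alone can be sourced from a login script, where `export_agent_socket` is the only part that needs to run at every login.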
On Sun, 2006-02-12 at 12:06 +0100, Georg C. F. Greve wrote:
> this is more a "fyi notice" than anything else
Hehe, well, I think it's great news :D
> - 100% Free Software PCMCIA smart card reader
I'm guessing that it's too expensive for the FSFE to buy and supply these, but would it be possible for Fellowship members to club together through the FSFE and buy in bulk?
If I buy one of these devices, it's £68 (100 Euros) including delivery, which is quite a lot for what is basically a serial port. However, if a group of 20/30/40 fellows joined together, we could get a nice discount - although, obviously, it would take some organisation.
I guess the alternative is to look at the USB devices, which seem cheaper but are bulkier.
Cheers,
Alex.
Alex Hudson schrieb:
> If I buy one of these devices, it's £68 (100 Euros) including delivery, which is quite a lot for what is basically a serial port. However, if a group of 20/30/40 fellows joined together, we could get a nice discount - although, obviously, it would take some organisation.
Maybe the FSFE could buy a bulk of them, maybe even branded, or they put a plussy sticker on them and sell them to the fellows.
Another possibility could be to contact the producer and ask for special pricing for FSFE fellows.
In any case I would be very interested in buying one!
Happy hacking! Patrick
|| On Sun, 12 Feb 2006 17:28:48 +0100 || Patrick Ohnewein patrick.ohnewein@lugbz.org wrote:
po> Maybe the FSFE could buy a bulk of them, maybe even branded, or they put a plussy sticker on them and sell them to the fellows.
The question is how useful branding is for a device that disappears entirely in the computer.
How many transparent laptops are out there? ;)
We did consider this for the USB readers, but the final price would have been rather high -- and it did not seem useful to bind that much money in stock that you might never sell.
That is why we currently don't have branded readers and why I don't expect us to have them very soon -- although the idea admittedly is nice and it would be cool to have Fellowship readers.
Regards, Georg
|| On Sun, 12 Feb 2006 14:59:08 +0000 || Alex Hudson home@alexhudson.com wrote:
ah> - 100% Free Software PCMCIA smart card reader
ah> I'm guessing that it's too expensive for the FSFE to buy and supply these, but would it be possible for Fellowship members to club together through the FSFE and buy in bulk?
The price at www.kernelconcepts.de right now is 59 EUR.
I am not sure how much more or less expensive they would be elsewhere.
As to buying them in bulk, that might be possible, although I am not sure how much the price would go down. Someone would have to organise that. Maybe you could ask who would like to team up with you? We could then try to find <n> readers cheaper...
ah> I guess the alternative is to look at the USB devices, which seem cheaper but are bulkier.
True. The small USB devices are around 29 EUR, I think.
Regards, Georg
On Sun, Feb 12, 2006 at 02:59:08PM +0000, Alex Hudson wrote:
> On Sun, 2006-02-12 at 12:06 +0100, Georg C. F. Greve wrote:
>> this is more a "fyi notice" than anything else
> Hehe, well, I think it's great news :D
>> - 100% Free Software PCMCIA smart card reader
> I'm guessing that it's too expensive for the FSFE to buy and supply these, but would it be possible for Fellowship members to club together through the FSFE and buy in bulk?
JFYI: The predecessor CardMan 4000 is available for very little money (immediate purchase for ~12 EUR) from various eBay sellers. One vendor in particular (comcurrent, alles4pc) has told me in personal mails that he can deliver huge quantities of this end-of-life product.
Together with the cm4040 driver, I've also added a kernel driver for the cm4000.
However, the cm4000 (unlike the cm4040) is not a CCID device, and therefore Werner's quick hack for adding PCMCIA support to his CCID driver will not work.
I'm not sure how well gnupg integrates with PC/SC, CT-API or OpenCT readers. Those three APIs are supported by a corresponding OpenCT backend driver that I wrote (OpenCT is 100% free software).
So maybe if gnupg works (or can be made to work) with PC/SC, CT-API or OpenCT, it's worth asking Comcurrent/alles4pc how much you would have to pay for their remaining stock, and how many readers they really have left over.
It's very unlikely that you will get PCMCIA smart card readers that cheap anytime soon again.
Cheers, Harald
Harald,
On Tue, 2006-02-14 at 08:50 +0100, Harald Welte wrote:
> JFYI: The predecessor CardMan 4000 is available for very little money (immediate purchase for ~12 EUR) from various eBay sellers. One vendor in particular (comcurrent, alles4pc) has told me in personal mails that he can deliver huge quantities of this end-of-life product.
That's very cheap.
> However, the cm4000 (unlike the cm4040) is not a CCID device, and therefore Werner's quick hack for adding PCMCIA support to his CCID driver will not work.
Ok, assume I don't know anything about smart cards :D
CCID == the interface?
If the cm4000 uses a different style of interface, does that mean that GnuPG cannot use the keys on the card without someone hacking in support?
Or is it a different problem?
Cheers,
Alex.
On Tue, 14 Feb 2006 09:25:38 +0000, Alex Hudson said:
> CCID == the interface?
and a USB device class. It is a modern interface and I tend to support only those readers.
> If the cm4000 uses a different style of interface, does that mean that GnuPG cannot use the keys on the card without someone hacking in support?
They work using pcsclite and maybe even with CT-API (use --ctapi-driver FILE). However, I encountered numerous problems with pcsclite, in particular with key generation. Long-running card operations tend to fail because some IFD handlers seem not to correctly implement the T=1 wait extensions.
Shalom-Salam,
Werner
Hi Georg,
that's good news!
I would like to tell you about another driver which was released as Free Software.
Some time ago I used an Acer Travelmate 660 with a built-in card reader. The driver was closed source. On request, it was possible to get a binary driver for the Linux 2.4 kernel. I had already switched to Linux 2.6 and therefore I requested the drivers for 2.6 and of course I asked them to free the drivers. One of the developers answered me that they don't have the resources to port the drivers, but they are planning to release them as free software. So I asked Alessandro if he would be willing to port the drivers after the release as free software. Alessandro of course said yes :)
In the end we didn't have to do the porting, because they released the drivers already ported for the Linux 2.6 kernel. Here follows the communication:
Hello Patrick,
We have released our latest Smartcardbus PCMCIA Smartcard Reader Linux kernel 2.6 Driver. You may find it on www.musclecard.com in the drivers section.
Here is the link to the drivers section of the website. http://www.musclecard.com/sourcedrivers.html
Please be aware that O2Micro is an IHV (Independent Hardware Vendor) and does not provide Smartcard applications or application support. The open-source driver is provided on an "as is" basis with no implied warranty or support.
BR, Eric Still Application Manager, O2Micro Int'l. eric.still@o2micro.com
I didn't test the drivers, because I don't use the Acer anymore, I switched to a Sony VAIO sub-notebook. Maybe someone with an Acer can test the drivers.
I think O2Micro shouldn't be ignored; they deserve the credit for having recognised the advantages of freeing their drivers.
Happy hacking! Patrick
|| On Sun, 12 Feb 2006 17:24:04 +0100 || Patrick Ohnewein patrick.ohnewein@lugbz.org wrote:
po> In the end we didn't have to do the porting, because they released the drivers already ported for the Linux 2.6 kernel. Here follows the communication:
That is excellent. Maybe you can post a followup to the entry to inform people about this possibility, as well?
Regards, Georg