Tips For Compile And Use Opensc
- # a very nice technical guide to openssl user authentication with apache using certificates and smartcards
- # installing opensc:
TARGETDIR=$HOME
mkdir -p $TARGETDIR
cd $TARGETDIR
cvs -z3 -d :pserver:cvs@cvs.opensc.org:/cvsroot co opensc
cd $TARGETDIR/opensc
./bootstrap
./configure
time sudo make install
- # prepare a pkcs#15 card:
debugLevel=-vvvvvv
pkcs15-init $debugLevel -T --erase-card --create-pkcs15 --profile pkcs15 -a 45 -l 45 --pin 1234 --puk 123456 --so-pin 123456 --so-puk 12345678
pkcs15-init $debugLevel -T -P -a 45 -l 45 --pin 1234 --puk 123456 --so-pin 123456 --so-puk 12345678
Tips To Use Openssl
- # a very nice technical guide to openssl user authentication with apache using certificates and smartcards
- # a very interesting overview with useful examples of commonly used openssl commands: http://resin.csoft.net/cgi-bin/man.cgi?sektion=1&topic=openssl
- # compute the crypt password as used by many unix systems:
openssl passwd
- # generate and print a 1024-bit rsa key pair:
openssl genrsa -out rsa.key.pair 1024
openssl rsa -in rsa.key.pair -text -noout
- # convert a certificate from DER into PEM format:
openssl x509 -in cert.der -inform DER -outform PEM -out cert.pem
- # verify the validity of a certificate using openssl, given a file cacerts.txt which holds a concatenation of trusted ca certificates in PEM format:
openssl verify -CAfile cacerts.txt -purpose any cert1.pem cert2.pem
- # having a look at the content of a certificate revocation list:
openssl crl -in crl.der -inform DER -text -noout|less
- # compiling a sample engine for openssl 0.9.7x:
TARGETDIR=~/openssl
mkdir -p $TARGETDIR
cd $TARGETDIR
wget http://www.openssl.org/source/openssl-0.9.7d.tar.gz
wget http://sunsite.rediris.es/pub/rediris/cert/crypt/misc/rsaref2.tar.gz
tar -xzvf openssl-0.9.7*
cd openssl*/demos/engines
tar -xzvf ../../../rsaref2.tar.gz
mv rsaref2/* rsaref
rmdir rsaref2
cd rsaref
wget http://godot.studentenweb.org/patches/rsaref/patch.rsaref.makefile
patch -p0 < patch.rsaref.makefile
make gnu
# once the engine has been compiled, you can copy it into a directory where you keep your shared libraries, e.g.,
mkdir ~/lib
cp librsaref.so ~/lib
# you can now enjoy using your engine as follows:
openssl engine -vvvv dynamic -pre SO_PATH:$HOME/lib/librsaref.so -pre ID:rsaref -pre LIST_ADD:1 -pre LOAD -t -c
fortune > data.txt
openssl md5 -engine rsaref data.txt
# note that it is important to specify the absolute path to the shared library...
Tips To Use Pgp

Installation Guidelines To Enable S/MIME In Pine
pine with s/mime, patches for pine4.61 and pine4.60 (produced by myself, based on the "original" pine4.58 produced by Jonathan Paisley and Martin Kouril)
- # the following steps prepare the pine configuration files so that you can validate S/MIME signatures made by people using a Belgian eID card :))
mkdir -p ~/.pine-smime/ca ~/.pine-smime/public ~/.pine-smime/private
cd ~/.pine-smime/ca
wget http://certs.eid.belgium.be/belgiumrs.crt
for certificateInDerFormat in *crt
do
openssl x509 -in $certificateInDerFormat -inform der -outform pem -out `basename $certificateInDerFormat`.pem
ln -sf `basename $certificateInDerFormat`.pem `openssl x509 -noout -hash -in $certificateInDerFormat -inform der`.0
rm $certificateInDerFormat
done
Make sure to enable signature verification in pine's configuration file (<M>ain menu, <S>etup, <C>onfig, smime-options: verify-on).
You should also put your trusted root certificates in ~/.pine-smime/ca: place the DER-formatted files in ~/.pine-smime/ca (make sure they are called *.crt), and re-run the for-loop.
If the certificates are already in pem-format (and have the *.pem extension), you can prepare them to use with pine with:
cd ~/.pine-smime/ca
for certificateInPemFormat in *.pem
do
ln -sf $certificateInPemFormat `openssl x509 -noout -hash -in $certificateInPemFormat`.0
done
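The two loops above, and the "openssl verify" tip further up, both rely on the same thing: a directory in which every trusted CA certificate is reachable through a symlink named after its subject hash. The following script is an added example, not part of the original page or of pine: it turns the loops into a reusable function, then exercises it end to end with a constructed throwaway CA and leaf certificate (converting DER to PEM on the way, as the eID loop does) and checks that "openssl verify -CApath" accepts the leaf against the hashed directory and rejects it against an empty one. All file and subject names are constructed.

```shell
#!/bin/sh
# Added example (not from the original page): build a hashed CA directory the
# way the pine loops do and verify a constructed leaf certificate against it.

# hash_cadir DIR: convert every DER *.crt in DIR to PEM, then give each *.pem
# the <subject-hash>.0 symlink that openssl -CApath (and pine) look up
hash_cadir() {
    dir=$1
    for c in "$dir"/*.crt; do
        [ -e "$c" ] || continue
        openssl x509 -in "$c" -inform der -outform pem -out "${c%.crt}.pem" || return 1
        rm "$c"
    done
    for p in "$dir"/*.pem; do
        [ -e "$p" ] || continue
        h=$(openssl x509 -noout -hash -in "$p") || return 1
        # relative link target, so the whole directory can be moved or copied
        ln -sf "$(basename "$p")" "$dir/$h.0"
    done
}

# demo_verify: returns 0 when the constructed leaf validates against the hashed
# directory AND is rejected against an empty directory, 1 otherwise
demo_verify() {
    work=$(mktemp -d) || return 1
    mkdir "$work/ca" "$work/empty"
    # constructed one-day self-signed CA, stored as a DER .crt like the eID root
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=Constructed-Test-CA \
        -keyout "$work/ca.key" -out "$work/ca.pem" >/dev/null 2>&1 || return 1
    openssl x509 -in "$work/ca.pem" -outform der -out "$work/ca/testca.crt" || return 1
    # constructed leaf certificate signed by that CA
    openssl req -new -newkey rsa:2048 -nodes -subj /CN=leaf.test \
        -keyout "$work/leaf.key" -out "$work/leaf.csr" >/dev/null 2>&1 || return 1
    openssl x509 -req -days 1 -in "$work/leaf.csr" -CA "$work/ca.pem" -CAkey "$work/ca.key" \
        -CAcreateserial -out "$work/leaf.pem" >/dev/null 2>&1 || return 1
    hash_cadir "$work/ca" || return 1
    rc=1
    if openssl verify -CApath "$work/ca" "$work/leaf.pem" >/dev/null 2>&1 \
       && ! openssl verify -CApath "$work/empty" "$work/leaf.pem" >/dev/null 2>&1; then
        rc=0
    fi
    rm -rf "$work"
    return $rc
}
```

Running "demo_verify && echo trusted" should print "trusted". The important detail is the hash suffix: if two CA certificates in the directory ever share a subject hash, the second must be linked as <hash>.1 rather than overwriting <hash>.0, which is why the verify step against the freshly built directory is worth keeping as a check after every change.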
- # after the configuration files have been set up, you have to prepare pine itself so that it supports S/MIME and time stamping. The patch for pine4.61 is the work of Jonathan Paisley, Martin Kouril, Henrik Edlund and Danny De Cock. It is wise to copy and paste the following commands "step by step". If your self-compiled pine binary crashes for one reason or another, rebuilding everything with gcc-2.95 might solve the problem:
- # if you have sudo, you might wish to first activate your root privileges (of course after having analyzed and tested the stuff appropriately):
sudo ls
- # initial preparation of the installation directories (this works correctly for me on linux (debian and redhat), osf and cygwin):
UNAME=`uname`
PINEFILES=~/pine.downloads
PINEDIR=~/smime.pine.for.$UNAME
mkdir -p $PINEDIR $PINEFILES
cd $PINEDIR
COMPILER=""
if [ :$UNAME: == :OSF1: ]
then
SYSTEM=osf
fi
if [ :$UNAME: == :Linux: ]
then
SYSTEM=slx
COMPILER="gcc-2.95"
fi
if [ :$UNAME: == :CYGWIN_NT-5.1: ]
then
SYSTEM=cyg
COMPILER="gcc-2.95"
fi
if $COMPILER --version &> /dev/null
then
COMPILER="CC=$COMPILER"
else
COMPILER=""
fi
echo using compiler option :$COMPILER: for this :$UNAME: system
if time ls &> /dev/null
then
TIME=time
else
TIME=""
fi
if sudo ls
then
echo assuming sudo is allowed
SUDO="sudo"
SSLDIR=/usr/local/ssl
OPENSSLPREFIX="--prefix=$SSLDIR"
if [ :$UNAME: == :CYGWIN_NT-5.1: ]
then
BUILDPOSTFIX="cyg SSLDIR=$SSLDIR"
EXTENSION=.exe
else
BUILDPOSTFIX=" SSLDIR=$SSLDIR"
EXTENSION=""
fi
else
echo assuming sudo is not allowed
SUDO=""
if [ :$UNAME: == :CYGWIN_NT-5.1: ]
then
SSLDIR=/usr/local/ssl
OPENSSLPREFIX="--prefix=$SSLDIR"
BUILDPOSTFIX="cyg SSLINCLUDE=$SSLDIR/include SSLLIB=$SSLDIR/lib"
EXTENSION=.exe
else
SSLDIR=~/openssl
OPENSSLPREFIX="--prefix=$SSLDIR"
BUILDPOSTFIX=" SSLDIR=$SSLDIR SSLCERTS=$SSLDIR/ssl/certs"
EXTENSION=""
fi
fi
- # download the source code of the most recent version of pine, openssl, the time stamping patch for openssl (comes from http://www.opentsa.org/ts/ts-20040320-0_9_7d-patch.gz), etc...
cd $PINEFILES
$TIME wget -N --retr-symlinks ts-20040320-0_9_7d-patch.gz
$TIME wget -N --retr-symlinks ftp://ftp.cac.washington.edu/pine/pine.tar.gz
$TIME wget -N --retr-symlinks http://www.openssl.org/source/openssl-0.9.7d.tar.gz
- # apply the time stamping patches to openssl:
cd $PINEDIR
rm -rf openssl-0.9.7d
$TIME tar -xzf $PINEFILES/openssl-0.9.7d.tar.gz
cd $PINEDIR/openssl-0.9.7d
gzip -dc $PINEFILES/ts-20040320-0_9_7d-patch.gz | $TIME patch -p1
$TIME ./config $OPENSSLPREFIX
$SUDO $TIME make install
- # apply the s/mime patch to pine and compile it:
cd $PINEDIR
rm -rf pine4.61
$TIME tar -xzf $PINEFILES/pine.tar.gz
$TIME wget -N --retr-symlinks smime.patch.for.pine4.61
cd $PINEDIR/pine4.61
cat ../smime.patch.for.pine4.61 | $TIME patch -p2
$TIME ./build$BUILDPOSTFIX $COMPILER $SYSTEM
- # you can now execute the smime-enabled pine:
$PINEDIR/pine4.61/bin/pine$EXTENSION
- # if it works, you can "install" it and include it in your default path:
mkdir -p ~/bin.$UNAME
cp $PINEDIR/pine4.61/bin/pine$EXTENSION ~/bin.$UNAME
echo export PATH=~/bin.$UNAME:\$PATH >> ~/.bash_profile
# if it does not work, you might try to compile everything again with a different compiler (remember that I got it all working using version 2.95 of gcc), e.g.:
COMPILER="CC=gcc-3.3"
$TIME ./build$BUILDPOSTFIX $COMPILER $SYSTEM
# you can get a list of the compilers with:
find /usr/bin -type f -iname gcc\*
find /usr/local/bin -type f -iname gcc\*
Tips For Ssh
- # pushing data to an ssh server:
tar czf - files/directories | ssh user@host "cd /fullpath && tar xzvf -"
- # pushing data to a tar.gz file on a remote ssh server:
tar czf - files/directories | ssh user@host "cat > /fullpath/file.tgz"
- # pulling data from an ssh server:
ssh user@host "tar czf - files/directories" | tar xzvf -
Tips For Sshd
- # configuring sshd by editing /etc/ssh/sshd_config to minimize the break-in potential of weak passwords and weak cryptographic mechanisms.
# Edit /etc/ssh/sshd_config to make sure that:
- # the use of ssh protocol version 1 is disabled and its host keys are not specified
- # the password and public key authentication methods are enabled
- # the list of block ciphers and mac algorithms that can be used is updated
# You can accomplish this if you specify the following lines in your /etc/ssh/sshd_config:
Protocol 2
# HostKey /etc/ssh/ssh_host_key
PasswordAuthentication no
PubkeyAuthentication yes
Ciphers aes256-cbc,aes192-cbc,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour
MACs hmac-ripemd160,hmac-sha1,hmac-sha1-96
# Paolo Falcioni kindly provided a ready-to-use copy of /etc/ssh/sshd_config which already contains this fine-tuning