pipeman is currently certified at Journeyer level.

Name: Rasmus Sten
Member since: 2001-11-07 01:45:59
Last Login: 2014-07-15 10:07:09

FOAF RDF Share This

Homepage: http://dll.nu/


Recent blog entries by pipeman

Syndication: RSS 2.0
2 Jul 2014 (updated 7 Jul 2014 at 12:24 UTC) »

SSH authentication using the Finnish electronic ID card (FINEID) on OS X

The government of Finland provides smart card-enabled ID cards to all residents under the FINeID program run by the Population Register Centre (Väestörekisterikeskus). The chip provided is, according to the spec, based on ISO/IEC 7816-15 (also known as PKCS#15), 7816-4 and 7816-8. The open source project OpenSC makes it possible to interact with PKCS#15 cards on a variety of operating systems, including OS X, Linux and Windows.

When I renewed my ID card I became interested in the possibilities provided by this, so I ordered a card reader known to work with Mac and installed version 0.13. The latest version is 0.14.0 but there are no pre-compiled binaries for OS X, and my own attempts at building it failed quite early.

After installing OpenSC, you'll see something similar to the following message in the system log when inserting the card reader and the card:

2014-07-02 20:11:38,774 com.apple.SecurityServer[17]: reader SCR35xx Smart Card Reader 00 00 inserted token "HENKILOKORTTI" (088f5dfb29f6672f9435db333fc0539bc64f2769) subservice 2 using driver com.apple.tokend.opensc

You can then use the pkcs15-tool command to list available private keys stored on the card:

$ pkcs15-tool -k
Using reader with a card: SCR35xx Smart Card Reader 00 00
Private RSA Key [todentamis- ja salausavain]
Object Flags : [0x1], private
Usage : [0x26], decrypt, sign, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Access Rules : execute:01;
ModLength : 2048
Key ref : 0 (0x0)
Native : yes
Path : 3f004b01
Auth ID : 01
ID : 45

Private RSA Key [allekirjoitusavain]
Object Flags : [0x1], private
Usage : [0x200], nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Access Rules : execute:02;
ModLength : 2048
Key ref : 0 (0x0)
Native : yes
Path : 3f0050164b02
Auth ID : 02
ID : 46

Your FINeID card provides you with two certificates and corresponding keys; one for signing and one for authentication and encryption. However, for the purpose of SSH authentication the certificates (and their stated purpose) don't matter; we just care about the corresponding RSA public and private keys, so we can pick either one. You need to know which one you're using because they're protected with different PIN codes, provided to you by mail. Above, we can see that the first key, labelled todentamis- ja salausavain has ID 45 on the card - let's pick that. It happens to be the authentication/encryption key and is protected with PIN1. We then simply need to retrieve its corresponding public key in a format suitable for an OpenSSH authorized_keys file. Luckily pkcs15-tool provides exactly that - just tell it you want the key with ID 45 and pipe it to pbcopy to place it into your pasteboard.

$ pkcs15-tool --read-ssh-key 45|pbcopy
Using reader with a card: SCR35xx Smart Card Reader 00 00

Open ~/.ssh/authorized_keys on the target computer and paste the contents of your pasteboard into its own line.

Next you need to tell your SSH client to defer authentication to your smart card. This is done by using the -I option to ssh to specify the OpenSC PKCS#11 library, like this:

$ ssh -I /usr/lib/opensc-pkcs11.so karin.local
Enter PIN for 'HENKILOKORTTI (perustunnusluku)':
Last login: Wed Jul 2 21:06:33 2014 from otter.local
karin:~ rasmus$

You will be prompted for your PIN - enter PIN1 here provided that you picked the "todentamis- ja salausavain" key earlier and you will be logged in. To have ssh always query your ID card, add the following to ~/.ssh/config (add a "Host" section above to apply it to one or more specific remote hosts):

PKCS11Provider /usr/lib/opensc-pkcs11.so

That's it! You can now use your Finnish ID card as a hardware authentication token for your SSH logins.

Update: you can apparently also do this using ssh-agent. I haven't tried this yet myself but will update the blog post once I have. Following those instructions seem to put launchd in a very bad state on OS X 10.9.4. I'll investigate a bit more but until then I recommend against trying ssh-agent with the OpenSC PKCS#11 support.

30 Aug 2012 (updated 30 Aug 2012 at 13:02 UTC) »
Disabling Java in Safari for all users on a Mac

There are a lot of instructions on how to disable Java applets in different web browsers. However, none of the instructions I've seen have tackled my situation: in my home we each have one account, and even though I administer the computer I don't know the password of the other accounts hence I can't login as all the other users and manually uncheck the "Enable Java" check box in the Safari security preferences. Because of that I was looking for a way to do it automatically for all users, and this is what I came up with:

# become root
sudo -s

# exit all instances of Safari
killall Safari

# wait for Safari to exit
while ps axc|grep -q Safari ; do echo "waiting..." ; done

# for all users that have a Safari prefs file, set the appropriate keys to "false"
# paste the following all in one go
dscl . -list /Users home | while read username homedir ; do \
file="${homedir}/Library/Preferences/com.apple.Safari" ; \
if [ -f "${file}.plist" ] ; then echo "Disabling Safari's Java for user $username" ; \
for prop in com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled WebKitJavaEnabled ; do \
defaults write "$file" $prop false ; chown $username "${file}.plist" ; \
done; \
fi ; \

That's it!

  • This will only change Safari's preferences (we use Safari at home, with Firefox reserved for sites that require Java or Flash)
  • This will only change Safari's preferences if the user has launched Safari at least once
  • While I have tested this in Mountain Lion (10.8.1) and Lion (10.7.4), I can't make any guarantees as to whether it'll work in your particular environment. Worst case it may reset your Safari preferences to default. Always have backups. :-)

If you want to disable all plug-ins as well as Java, something I recommend, run this instead for the last step:

dscl . -list /Users home | while read username homedir ; do \
file="${homedir}/Library/Preferences/com.apple.Safari" ; \
if [ -f "${file}.plist" ] ; then echo "Disabling Safari's Java and all plug-ins for user $username" ; \
for prop in com.apple.Safari.ContentPageGroupIdentifier.WebKit2JavaEnabled WebKitJavaEnabled \
WebKitPluginsEnabled com.apple.Safari.ContentPageGroupIdentifier.WebKit2PluginsEnabled ; do \
defaults write "$file" $prop false ; chown $username "${file}.plist" ; \
done; \
fi ; \

Top shell commands in my home computer as of today:

$ history|awk '{a[$2]++ } END{for(i in a){print a[i] " " i}}'|sort -rn|head
88 git
76 cd
74 ls
34 sudo
21 ssh
18 du
14 cat
13 ps
13 mdfind
12 open

Almost five years ago I took this test, and it classified me as Amiga OS - now I took the same test again and came up as OS X. It would be interesting to see what has changed in more detail; I couldn't figure out any questions that I definitely would have answered differently five years ago.

You are OS X. You tend to be fashionable and clever despite 
being a bit transparent.  Now that you've reached some stability you're 
expecting greater popularity.
Which OS are You?

What has changed in the last five years, however, is that run OS X on most of my computers. Back then, I had Windows 2000 on my desktop computer (with coLinux for development), and Windows XP (I think) on my laptop. I do have a W2K VM on my home Mac (mostly used for getting dissapointed at SF Anytime, a local video-on-demand service that requires Windows (and lately, newer Windows than Windows 2000)), and at work I keep a spare hard disk that I plug in when I need to do things that requires Windows (some of the bureaucracy tools require IE, among other this), but about 80% if my time is spent in OS X and 19% in Linux (although it depends on how you count; I'm pretty much always logged-in to my home Linux server (a small fanless VIA x86 with a flash disk), for example, and similarly always using a handful of Linux servers at work where, among other things, our testing infrastructure is largely Linux- based, even the parts that runs automated tests on Mac OS X (which in itself is an interesting topic for another talk or blog post).

In a Dream

Reading about Juha's dream reminded me of my own from a couple of nights back.

In the beginning it was a bit like a bad re-make of BSG. We were heading for a destination of unknown location, on a big Battlestar-esque space ship. Somehow magically me and some other dude was on a smaller ferry ship, travelling through some worm-hole-like tunnel that was made out of metal. We landed on some unknown planet, with grass and stone plates laid out in plaths on the ground. We followed one of the paths and ended up in a candystore. A girl worked in the candy store. I noticed that they had Ahlgrens Bilar, a typical Swedish candy, which I found odd for what was presumably an extrasolar planet. I commented to the shopkeeper girl that I liked that candy, and she replied that she had never tasted it, and went to do so. Soon she had eaten all of it, delighted by its taste. I was a bit sad that I got none myself. I also found it odd that they accepted Earth currency and credit cards, and I noticed that she had received mail from Earth, with postage stamps from some Earth country. I even think she had a phone connected to the Earth GSM network. I asked her about it, and she explained that she was part of an intergalactical conspiracy, where her kind had infiltraded all layers of society in, among other worlds, Earth, like in Fight Club but with no malicious intent. Instead it was just a practical thing to be able to communicate and trade intergalactically, also in worlds that were not intergatactically aware yet. I don't remember her name exactly, but I remember her telling me that if someone wanted to mail her from earth, all they had to do was address the envelope to "Her name with-the- Hat" and people of her kind at the post office would make sure that it made its way to her little candy shop in a completely different part of the galaxy.

46 older entries...


pipeman certified others as follows:

  • pipeman certified pipeman as Apprentice
  • pipeman certified pawal as Apprentice
  • pipeman certified alan as Master
  • pipeman certified chalst as Journeyer
  • pipeman certified raph as Master
  • pipeman certified Bram as Master
  • pipeman certified esr as Master
  • pipeman certified Akira as Journeyer
  • pipeman certified e8johan as Journeyer
  • pipeman certified titus as Journeyer
  • pipeman certified robey as Master

Others have certified pipeman as follows:

  • pipeman certified pipeman as Apprentice
  • lerdsuwa certified pipeman as Apprentice
  • derupe certified pipeman as Apprentice
  • freax certified pipeman as Apprentice
  • pvanhoof certified pipeman as Apprentice
  • titus certified pipeman as Journeyer
  • icherevko certified pipeman as Master

[ Certification disabled because you're not logged in. ]

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

Share this page