Smart cards on Linux

 [[opensc card inspection

$ pcsc_scan

$ pkcs11-tool --list-slots

$ pkcs11-tool --list-objects --login

[[atomic operations, download certificate from a smartcard and show its content

$ pkcs11-tool --list-object --id 01 --type cert \

    --output-file cert.der

$ openssl x509 -inform DER -in cert.der > cert.pem

$ openssl x509 -inform DER -in cert.pem -text

$ pkcs11-tool --sign -id 01 --mechanism RSA-PKCS --login \

    --input-file data --output-file data.sig

$ openssl rsautl -verify -certin -inkey cert.pem \

    -in data.sig

[[openssh client

[[List public keys on the smart card in OpenSSH format

$ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so

ssh-rsa AAAAB3..............................Q==

[[Install the keys to the server

[[Connect to server

$ ssh -I /usr/lib64/pkcs11/opensc-pkcs11.so example.com

Enter PIN for 'PIV_II (PIV Card Holder pin)':

[[Store permanent configuration in client configuration

$ cat ~/.ssh/config

Host example.com

  PKCS11Provider /usr/lib64/pkcs11/opensc-pkcs11.so

[[RSA keys only (OpenSSH bug #2474)

[[OpenSSH Client (SSH-Agent)

[[Start ssh-agent (does not work with gnome-keyring):

$test -e "$SSH_AUTH_SOCK" || eval $(ssh-agent)

[[Add a card:

$ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so

Enter passphrase for PKCS#11:

Card added: /usr/lib64/pkcs11/opensc-pkcs11.so

[[Connect to server:

$ssh example.com

[[SUDO (PAM_SSH_AGENT_AUTH)

[[Set up ssh-agent as in previous slide

[[Store public key in /etc/security/authorized_keys

[[Configure sudo through pam:

$cat /etc/pam.d/sudo

...

auth sufficient pam_ssh_agent_auth.so \

     file=/etc/security/authorized_keys

[[Even on remote hosts (forwarded ssh-agent)

[[TLS Client authentication

[[Firefox > Preferences > Privacy&Security > Security > Security Devices > Load

[[Concurrent access

[[Configuration opensc.conf

drivers = PIV-II; # speed up detection and avoid mismatches

reader_driver pcsc {

    disconnect_action=leave; # do not break concurrent sessions

}

[[OpenSSH ssh-agent: long-running session

eval "ssh-agent" && ssh-add -s /usr/lib64/opensc-pkcs11.so

ssh example.com

[[pkcs11-tool: ad-hoc commands

pkcs11-tool --login --sign --id02 -mRSA-PKCS -i data -o data.sig

[[Some application require exclusive access (GnuPG sdaemon) :(

[[More applet on a single card = problems

[[GNUPG

[[Email,git commit signing

[[GnuPG's scdaemon

 [not using PKCS#11 to access OpenPGP applets

 [directly accessing PC/SC with exclusive access

 [preventing other application to use the card

[[gnupg-pkcs11-scd

 [Accessing card using PKCS#11

 [More complicated configuration

[[Troubleshooting smartcard

[[Is the reader/USB device detected?

$ lsusb

[[Is the card detected in pcsc-lite?

$ pcsc_scan

[[PCSC trace (APDU messages)

$ systemctl stop pcscd

$ sudo LIBCCID_ifdLogLevel=0x000F pcscd --foreground --debug --apdu --color

[[Is the card detected in OpenSC?

 pkcs11-tool -L

[[PKCS#11 level trace:

 export PKCS11SPY=/usr/lib64/pkcs11/opensc-pkcs11.so

 pkcs11-tool -L /usr/lib64/pkcs11-spy.so

[[OpenSC debug logs:

OPENSC_DEBUG=9 pkcs11-tool -L

MORE TIPS=

Some older versions of Adobe software can work in Wine (PlayOnLinux, Bottles) under Linux as well as on Windows.

Modern gaming is possible on Linux (Proton, Lutris, Steam), some games are much better than on Windows.

Firefox, Thunderbird, Libre Office, Inkscape, Gimp, YouTube, FreeTube, VLC, Zoom, Microsoft Teams, OBS, Microsoft Visual Studio Code, Kdnlive, OpenShot, Shotcut, Flowblade, Lightworks, Blender, Cinelerra GG Infinity, DaVinci Resolve, VidCutter, can working on Linux in the latest and greatest versions.

You can bury Windows without any regrets. Losses are minimal. The advantages of Linux are very big today.

After all, you can install full blooded Windows 11 in KVM or Oracle Virtual Box under Linux.

Windows 11 working much better under Linux in virtual environment.