An overview of using the Aladdin eToken on Linux. Many of the components listed below have their own page elsewhere in the wiki.

Support Components

The primary method for using the Aladdin eToken from Unix applications is via the PKCS#11 provider supplied with the RTE (run-time environment).

  • Aladdin RTE - includes PKCS#11 module.
  • PCSC-Lite - required for Aladdin RTE.
  • PCSC-tools - includes useful diagnostic tool pcsc_scan.
  • OpenSC Project components
    • OpenSC -
    • libp11 - required by pkcs11-helper and engine_pkcs11.
    • pkcs11-helper - required by gnupg-pkcs11-scd.
    • engine_pkcs11 - OpenSSL engine that uses PKCS#11 providers.
  • gnupg-pkcs11-scd - replacement for GnuPG scd (smart-card daemon). Also replaces SSH ssh-agent.

Applications Supporting Certificate Authentication

Here are some applications that will use certificates (not necessarily on tokens). Please add to this list if you know of any others.

Firefox/Mozilla/Thunderbird

Firefox, Mozilla, and Thunderbird all use PKCS#11 providers to interface with security tokens. Support appears to be pretty complete.

  • Requires Aladdin RTE and PCSC.
  • Can sign documents and do SSL client authentication.
  • Key Manager - Firefox extension for key generation, certificate enrollment, and identity and authority delegation
  • Gmail S/MIME - Firefox extension to send and receive signed and encrypted messages in Gmail.
  • Enigmail - OpenPGP message encryption and authentication for Thunderbird and Seamonkey.

OpenSSH

OpenSSH will authenticate users using public/private key pairs.

gnupg-pkcs11-scd

  • Uses gpg-agent with the enable-ssh-support option and gnupg-pkcs11-scd to access a card via PKCS#11.
  • No modifications to the ssh client or server are required.
  • gnupg-pkcs11-scd must be modified to support authentication.
  • PB: I use this every day.

Patches

  • OpenSSH has compile options to support OpenSC PKCS#15 smart cards.
  • There is an OpenSSH+PKCS#11 patch which can be applied to use keys via PKCS#11.
    • PB: I believe this only requires replacing ssh-agent and ssh-add.
  • There is an OpenSSH+X.509 patch to support certificate stuff like revocation checking and mapping between DN and user name.
    • PB: I haven't tried this yet.

GnuPG2

GnuPG is one of the primary cryptographic applications on Unix. Not only does it provide stand-alone applications, it is used as support for many other applications.

  • GnuPG supports OpenPGP smartcards and PKCS#15 cards via OpenSC.
  • By replacing scd with gnupg-pkcs11-scd, GnuPG can use PKCS#11 smart cards.
  • gpgsm provides S/MIME support.
    • PB: This seems to work.
  • gnupg-pkcs11-scd has an emulate-openpgp option which should allow use of keys on tokens from gpg2.
    • PB: I haven't tested this yet.
  • gpgme provides an API used by many applications.
    • PB: I haven't been able to get gpgme to use gpg2, just gpg.
    • PB: make check tests seem fine for gpg and gpgsm.
    • PB: Only limited success using this from mutt.
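The gpg-agent / gnupg-pkcs11-scd wiring that the OpenSSH and GnuPG2 sections above both rely on, as an added example that is not part of the wiki page or of the gnupg-pkcs11-scd project. The PKCS#11 module path, the gnupg-pkcs11-scd binary path and the provider name "etoken" are assumptions to adjust for your install; the per-key mapping that emulate-openpgp needs in newer gnupg-pkcs11-scd versions is left out.

```shell
#!/bin/sh
# Added example: write the two config files that make gpg-agent talk to
# gnupg-pkcs11-scd, which in turn talks to the Aladdin PKCS#11 module.
# With enable-ssh-support the same agent answers ssh-agent requests, so
# ssh sees the key on the token without any change to ssh or sshd.
# Assumed paths (placeholders, not taken from the wiki):
PKCS11_LIB="${PKCS11_LIB:-/usr/lib/libeTPkcs11.so}"
SCD_PROGRAM="${SCD_PROGRAM:-/usr/local/bin/gnupg-pkcs11-scd}"

# gpg-agent.conf in the directory given as $1 (normally ~/.gnupg).
write_gpg_agent_conf() {
    cat > "$1/gpg-agent.conf" <<EOF
# let gpg-agent serve the ssh-agent protocol on its own socket
enable-ssh-support
# replace GnuPG's scdaemon with the PKCS#11 smart-card daemon
scdaemon-program $SCD_PROGRAM
EOF
}

# gnupg-pkcs11-scd.conf: one provider, backed by the Aladdin RTE module.
write_scd_conf() {
    cat > "$1/gnupg-pkcs11-scd.conf" <<EOF
providers etoken
provider-etoken-library $PKCS11_LIB
# present the token as an OpenPGP card so gpg2 can use its keys
emulate-openpgp
EOF
}

# Sanity check: both files name the paths configured above.
check_conf() {
    grep -q '^enable-ssh-support$' "$1/gpg-agent.conf" &&
    grep -q "^scdaemon-program $SCD_PROGRAM$" "$1/gpg-agent.conf" &&
    grep -q "^provider-etoken-library $PKCS11_LIB$" "$1/gnupg-pkcs11-scd.conf"
}

# Create the directory with private permissions, write and verify both files.
setup_dir() {
    mkdir -p "$1" && chmod 700 "$1" &&
    write_gpg_agent_conf "$1" && write_scd_conf "$1" && check_conf "$1"
}

# Stand-alone use: ./setup.sh --install, then restart gpg-agent (or log in
# again). Afterwards 'ssh-add -L' should list the token key and
# 'gpg2 --card-status' should show the emulated OpenPGP card.
if [ "${1:-}" = "--install" ]; then
    setup_dir "${GNUPGHOME:-$HOME/.gnupg}"
fi
```

Point SSH_AUTH_SOCK at gpg-agent's ssh socket (the value gpg-agent prints when started with --daemon) so that ssh-add and ssh use the agent rather than a separate ssh-agent.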

OpenSSL

OpenSSL is one of the primary cryptographic applications on Unix. Not only does it provide stand-alone applications, it is used as support for many other applications.

  • The OpenSC engine_pkcs11 is used to provide an interface to PKCS#11 cryptographic modules.
  • PB: I have had only limited success with this.
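A minimal OpenSSL configuration that loads engine_pkcs11 as a dynamic engine on top of the Aladdin PKCS#11 module, as an added example (not from the wiki page or the OpenSC project). The engine and module paths are assumptions, and the key identifier syntax in the usage comment depends on the installed engine_pkcs11 version.

```shell
#!/bin/sh
# Added example: openssl.cnf fragment for engine_pkcs11 plus a path probe.
# Assumed locations (placeholders, adjust for your system):
ENGINE_SO="${ENGINE_SO:-/usr/lib/engines/engine_pkcs11.so}"
PKCS11_LIB="${PKCS11_LIB:-/usr/lib/libeTPkcs11.so}"

# Write a self-contained openssl.cnf to the path given as $1.
write_openssl_cnf() {
    cat > "$1" <<EOF
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11
# engine_pkcs11 itself, loaded through OpenSSL's dynamic engine
dynamic_path = $ENGINE_SO
# the PKCS#11 provider engine_pkcs11 forwards to (Aladdin RTE module)
MODULE_PATH = $PKCS11_LIB
init = 0
EOF
}

# The two shared objects must exist and be readable before openssl can
# load them; a missing module is the usual cause of "engine not found".
probe_paths() {
    for f in "$1" "$2"; do
        if [ ! -r "$f" ]; then
            echo "missing or unreadable: $f" >&2
            return 1
        fi
    done
    return 0
}

# Verify the generated file points at the configured paths.
check_cnf() {
    grep -q '^engine_id = pkcs11$' "$1" &&
    grep -q "^dynamic_path = $ENGINE_SO$" "$1" &&
    grep -q "^MODULE_PATH = $PKCS11_LIB$" "$1"
}

# Stand-alone use:
#   ./openssl-pkcs11.sh --write ~/.openssl-pkcs11.cnf
#   OPENSSL_CONF=~/.openssl-pkcs11.cnf openssl engine -t pkcs11
#   OPENSSL_CONF=~/.openssl-pkcs11.cnf openssl s_client -connect host:443 \
#       -engine pkcs11 -keyform engine -key 'slot_0-id_<hexid>' -cert user.pem
# (key id syntax and the exported certificate file are assumptions)
if [ "${1:-}" = "--write" ] && [ -n "${2:-}" ]; then
    write_openssl_cnf "$2" && probe_paths "$ENGINE_SO" "$PKCS11_LIB"
fi
```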

mutt

  • Can use gpgsm.
  • Calls an external program, either openssl or gnupg.
  • See the smime.rc and pgp rc files in the samples directory.
  • PB: S/MIME via OpenSSL works fine.
  • PB: Limited success with token use via gpgsm.

Oracle

Oracle will use certificates with Oracle Advanced Security to authenticate the SSL connection between client and server. Authentication of the server has been tested in CNS. It appears certificates can also be used to authenticate clients. The Oracle Wallet Manager (owm) also has support for PKCS#11, but that has not been tested yet.

Stunnel

Apache Mod-SSL

  • SSLClient auth works out of the box.
  • Tested with Apache 2.
  • Apache 2.2 should provide better support since you can have multiple auth methods combined, i.e. you should be able to avoid having to use a special URL for SSLClient auth.
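The "special URL" approach from the list above, written out as a mod_ssl fragment, as an added example that is not from the wiki page or the Apache project. The CA chain path and the /certauth location are assumptions; the check function only inspects the generated text, it does not run Apache.

```shell
#!/bin/sh
# Added example: require a client certificate for one URL only, leaving the
# rest of the site reachable without one, and expose the certificate DN to
# the application for DN-to-user mapping.
write_ssl_clientauth_conf() {
    cat > "$1" <<'EOF'
# Site-wide: accept a client certificate if offered, but do not demand one.
SSLVerifyClient optional
SSLVerifyDepth 2
# CA chain that issued the user certificates (assumed path).
SSLCACertificateFile /etc/apache2/ssl/client-ca-chain.pem

# Only this path requires a verified client certificate; mod_ssl
# renegotiates when a client first enters it.
<Location /certauth>
    SSLRequireSSL
    SSLVerifyClient require
    # make SSL_CLIENT_S_DN and friends visible to CGI/PHP/etc.
    SSLOptions +StdEnvVars
</Location>
EOF
}

# Lint: "SSLVerifyClient require" must appear inside a <Location> block and
# nowhere at top level, otherwise the whole site would demand a certificate.
check_clientauth_conf() {
    awk '
        /^<Location/   { inloc = 1 }
        /^<\/Location/ { inloc = 0 }
        $1 == "SSLVerifyClient" && $2 == "require" {
            if (inloc) found = 1; else global = 1
        }
        END { exit (found && !global) ? 0 : 1 }
    ' "$1"
}

# Stand-alone use: ./clientauth.sh --write /etc/apache2/conf.d/clientauth.conf
# then run 'apachectl configtest' and reload.
if [ "${1:-}" = "--write" ] && [ -n "${2:-}" ]; then
    write_ssl_clientauth_conf "$2" && check_clientauth_conf "$2"
fi
```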

CAS

  • CAS can do SSLClient authentication and map VT Certificate DN to VT PID.
  • https://auth.vt.edu:9443/ supports SSLClient auth.

Gnu POC

  • Gnu POC - Application to store passwords on smart cards.