Preface: We studied and used the technique on this other post: How to set up authentication in ThinLinc with PKCS #15 smart cards
The presumption there is that the smart card has a file system on it. When we go to view the certificates, we do not see any. So, the process breaks.
Note: the post’s length is to respect your time by including pertinent details, due to the time we’ve spent on this issue.
Problem Summary
We are missing a key step in getting a filesystem on the smart cards. The smart card vendor tool apparently does not provide a filesystem that works with PKCS #15. We’ve locked two smart cards in the process of creating useful certificates for ThinLinc.
Ask
If you have worked with smart card authentication and could provide the missing step(s) or some insight, I think we can get this solution promoted to a POC. We are very close, but have not been able to get the smart card functionality to work (particulars in the Background section below).
Environment
- New VMware RHEL9 image with the ThinLinc server
- HP thin clients with the ThinLinc client installed for front-end access
- User ID and PW authentication works fine (from the HP thin client units)
- The customer requires smart card reader and smart card authentication access to handle authentication (very busy medical practice)
- Aventra smart cards
The vendor claims their cards work with Cendio’s solution. Aventra provided input, but their software is not providing a filesystem that we can use, or we are unknowingly making a mistake. Aventra does not offer pre-configured smart cards.
Background
The excellent documentation on the Cendio site and forum, and even third-party sites, all seem to indicate that when using smart cards with SSH keys, the keys are already stored on the card.
- We have not seen any reference to how to create and store a key on a Smart Card
- Performing a `pkcs15-tool --list-certificates` command, we see the card reader and the card when inserted, but there are no certificates and no ID value preset
- Even if we create a PIN on the card, we are still not seeing a certificate (which seems correct, but offering it to be complete)
- Result: we are missing a key step in the process that others seem to know well
I’m a server and network guy, so some of these desktop issues make little sense to me.
Appreciate any insight you can offer. We want to get our first Cendio installation successfully deployed.
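The following is an added example, not code from the original post and not from Cendio, Aventra or the OpenSC project. It does two things that bear on the "no certificates, no ID" observation above: first, it classifies the output of `pkcs15-tool --list-certificates` so that "card present but no PKCS #15 structure on it" can be told apart from "PKCS #15 structure present but no certificate stored yet" (the sample outputs are constructed, and the exact OpenSC message wording is an assumption to check against your own terminal); second, it collects the generic OpenSC `pkcs15-init` sequence that creates the PKCS #15 structure, a key pair and a certificate object on a blank card. The `pkcs15+onepin` profile, the `cert.pem` file name, the `USER_PIN`/`USER_PUK` variables and the reader name are assumptions; whether OpenSC's generic profile or the vendor's own tool is the right initialiser for these particular cards is something to confirm with Aventra.

```shell
#!/bin/sh
# Added example (not the post's, Cendio's, Aventra's or OpenSC's own code).
# Part 1: classify `pkcs15-tool --list-certificates` output.
# Part 2: generic OpenSC pkcs15-init sequence for a blank card (assumption:
#         the vendor confirms the OpenSC profile is appropriate for the card).

# Reads pkcs15-tool output on stdin and prints one state keyword:
#   no-card | not-initialized | no-certs | certs-present
# Usage on a real card:  pkcs15-tool --list-certificates 2>&1 | classify_pkcs15_output
classify_pkcs15_output() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -q 'Using reader with a card'; then
        echo no-card                 # no reader, or no card answered
    elif printf '%s\n' "$out" | grep -q 'PKCS#15 binding failed'; then
        echo not-initialized         # card answers, but has no PKCS#15 application
    elif printf '%s\n' "$out" | grep -q 'X\.509 Certificate'; then
        echo certs-present           # at least one certificate object is listed
    else
        echo no-certs                # PKCS#15 structure present, no certificate objects yet
    fi
}

# Constructed sample outputs standing in for real tool output (wording is an assumption).
SAMPLE_NO_CARD='No smart card readers found.'
SAMPLE_UNINITIALIZED='Using reader with a card: Example Reader 00 00
PKCS#15 binding failed: PKCS#15 compatible application not found'
SAMPLE_EMPTY='Using reader with a card: Example Reader 00 00'
SAMPLE_WITH_CERT='Using reader with a card: Example Reader 00 00
X.509 Certificate [Authentication certificate]
    Object Flags   : [0x00]
    Authority      : no
    Path           : 3f0050154301
    ID             : 01'

# Part 2: what to run once the state is "not-initialized". Nothing here runs
# unless the function is called; PIN values come from the environment.
# Caveat: each wrong PIN/PUK decrements the card's retry counter, so rehearse
# on a spare card first and keep the PUK somewhere you can find it.
initialize_card() {
    label=${1:-"ThinLinc user"}                       # token label written to the card
    : "${USER_PIN:?set USER_PIN}" "${USER_PUK:?set USER_PUK}"
    pkcs15-init --erase-card                          # wipe any partial structure
    pkcs15-init --create-pkcs15 --profile pkcs15+onepin \
        --pin "$USER_PIN" --puk "$USER_PUK" --label "$label"
    pkcs15-init --generate-key rsa/2048 --auth-id 01 --id 01 \
        --label "Authentication key" --pin "$USER_PIN"   # key pair generated on-card, ID 01
    # cert.pem (assumed name): the certificate issued for key 01's public half.
    # For a pure SSH setup you can instead export the public key with
    #   pkcs15-tool --read-ssh-key 01
    pkcs15-init --store-certificate cert.pem --auth-id 01 --id 01 \
        --format pem --pin "$USER_PIN"
    pkcs15-tool --list-certificates                   # should now show the object with ID 01
}
```

The classifier is the check to run first: if it reports `not-initialized`, the card has no PKCS #15 application and no amount of PIN creation will make `--list-certificates` show anything, which matches the behaviour described in the Background section; only after `initialize_card` (or the vendor's equivalent) does the `no-certs` / `certs-present` distinction become meaningful.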