
ssmart --> manage ssh/cfs via an I2C chipcard

ssmart v0.5.1 => [ download || changelog || roadmap || console screenshot || html'ized source code ];

The freshmeat.net project page is: http://freshmeat.net/projects/ssmart/

"It's not a bug, it's a feature."

"If someone has learned nothing, then he organizes. But if someone has learned nothing at all and has nothing to do, then he makes propaganda."

News: The Gnome GUI is gone for now

The Gnome GUI is gone for now. Only the command line is available. Furthermore, you can now also use the built-in flexmem memory of your Siemens mobile phone as the storage medium; it is accessed via the OBEX FTP protocol using the flexmem tool.

what is it all about?

ssmart is a program to manage secure shell identities and the cryptographic file system (cfs) with a chipcard as the storage medium. It is written in Perl and can be driven fully via the command line. It uses Blowfish encryption and zlib compression for the data storage.

You may ask: "Why do I need this?"

I try to summarize some reasons below.

If you often work on different boxen and want to keep your sensitive data in a safe place, ssmart could be a way to solve your problems.

In general you leave your sensitive data on your hard drive. This has disadvantages like:

I'd like to elaborate on this a little bit more. Most of the things I note down here are facts, because I wrote and use this piece of code. You may have other reasons, or maybe really no reason at all, for using ssmart.

First I thought of a way of easily carrying the data with me, because I'm lazy by nature. I could have simply stored the data on a floppy. But that's not a good idea; just think of leaving the floppy in your car next to your brand new bass-boosting 300 Watt car radio. In general I have lost too much data on floppies to take this risk. On the other hand, if someone got hold of the floppy, the data would be plain text -- yes, you know. Furthermore, I think a chipcard is a good, good-looking, and cheap way to carry the stuff with you. And data stored on a chipcard will survive the strangest situations in which other media would simply fail and your data would be corrupted.

Summarizing, we can say the advantages of ssmart are:

This was written quickly; I will take another look at it later.

what we need

Hardware:

or / and

Software:

If you use Debian GNU/Linux you can get all that stuff by simply apt-get'ting it.

installation

It's an easy task to install the required Perl modules. If you are behind a firewall, don't forget to set the ftp_proxy variable. Instead of using CPAN and installing the modules by hand, you may also consider installing the Debian (libcrypt-blowfish-perl & libcrypt-cbc-perl) or NetBSD (pkgsrc/security/p5-Crypt-CBC & p5-Crypt-Blowfish) packages ... and so on. Just run ssmart; if it complains about missing modules, install those.

root@box:~$ export ftp_proxy=http://my.lan.proxy:3128/
root@box:~$ perl -MCPAN -e shell
cpan> install Crypt::Blowfish Crypt::CBC

Then run make install, which will place ssmart and its modules under /usr/local/.

root@box:~$ make install

Finito! :-)

how to use it

At first we need to create a new secure shell identity. It will then be stored on the chipcard, and hence you won't have a local copy of it on your hard drive or, even worse, on an NFS share. I furthermore use it to automate the mounting of cfs directories; mounting a lot of them can become an annoying task.

user@box:~$ ssmart

Give the command line help a look (this creates the default configuration file). Then edit the configuration file ~/.ssmart/ssmart.conf and change the blowfish keyphrase there. If you don't want to use the configuration file for storing your blowfish keyphrase, you can always use the -k switch to be asked for it.

user@box:~$ ssmart --format

Now we have to "format" the chipcard. This is to ensure you know what you are doing (mostly it is me who needs such a feature (-;).

user@box:~$ ssmart --ssh-create

"Create"s a new ssh private identity, which will be written to your chipcard.

user@box:~$ ssmart --ssh-add

"Add"s the ssh private identity to the ssh-agent; I assume you have one running. Please read the ssh-agent manpage for detailed information about how to set it up.

user@box:~$ ssmart --ssh-copy-key
Destination Host [user@host]:

Finally we copy the public key of the identity to a remote box and append it to the authorized_keys file there (the private identity stays on the chipcard). That's it! You should now be able to log in on the remote box without being asked for your identity's password. If your NFS server's /home directory is globally exported, this should now work for your whole network. Easy!

data storage format

Your data will be stored on the chipcard in the following format:

$ssmart_version:$data_bytes:$freezed_data

Where $freezed_data is an array which is frozen with the FreezeThaw module to make the data storable in ASCII-conformant characters. Thawed (the opposite of frozen), it looks like this:

$array[0] = (time);                 # Last modification time.
$array[1] = $card_id;               # Identification number.
$array[2] = [ @identities ];        # An array of the secure shell identities.
$array[3] = [ @cfs ];               # An array of the cfs directories/passwords.
$array[4] = [ @a_future_content ];  # ... Free for future additions.

You can always take a look at the frozen data by executing ssmart in debugging mode:

./ssmart --debug --list
Checking blowfish cipher... Reading chipcard... Reading finished.
...

FrT;@4|$10|1023476237$2|77@2|@3|$2|OK$808|MIICWgIBAAKBgQC3tboUo8
czI+eYFamBErxsnVS5zzz68LbGArRPbgs5EmtIEIXIlc0cNPkAn+/QbWik63k/qo
NVYv8zGjCKfcfa0gDLBNbCnn7wTxYVKJ/+3eKoSNHQOc0m/w5xYoddURZp0HamMo
+Su1huJJmc2mH73yWd9KNUfLfDPwrK6jheGwIBIwKBgA+/HpQOCcKODIlg8UWT5E
PS+KI2Va8b8mi+ZzoCHjgXhYnVh89dTBhcT9t7bFOxm0FWAxQV7gABK9EuIWr01p
2VC0b85SvjpH2ulFRBP6FLz1udu4H...

This is what the frozen data looks like.

The steps to build the final data are the following:

use FreezeThaw qw(freeze);
use Compress::Zlib;
use Crypt::CBC;

my $cipher = Crypt::CBC->new(-key => $keyphrase, -cipher => 'Blowfish');
	# The Blowfish cipher object, keyed with the keyphrase from ssmart.conf (or from -k).
$freezed_data = freeze(@array);
	# The array gets frozen.
$freezed_data = compress($freezed_data);
	# Secondly, the frozen array gets zlib compressed.
$data_bytes = length($freezed_data);
	# Byte count of the compressed payload (assumed meaning of the field; ssmart's own derivation is not shown here).
$data = "$ssmart_version:$data_bytes:$freezed_data";
	# Everything gets put together.
$data = $cipher->encrypt($data);
	# Finally, the whole data gets Blowfish encrypted.

usb-towitoko

Veit Wahlich <cru@ircnet.de> sent me some valuable hints regarding the towitoko USB reader.
You can use the Linux v2.4 USB Prolific 2303 Single Port Serial Driver for the usb-towitoko.
Furthermore, since the smartcard program itself only talks to the first four serial devices, you can simply create a symlink from one of the serial devices you don't use to the USB device where the usb-towitoko is connected. Note the argument order of ln: the USB device is the target and the unused serial device is the link name; an existing /dev/ttyS3 node has to be removed first, because ln refuses to overwrite it.

$ ln -s /dev/usb/ttyUSB0 /dev/ttyS3

If you want to interact with the reader as a less privileged user, you may also have to change the device's permissions or owner.

$ chmod a+rw /dev/ttyUSB0

If this does not work, you may consider setting the setuid bit (+s) on your smartcard binary. Keep in mind that a setuid root binary runs with root privileges for every user who can execute it, so giving the less privileged user access to the device node (for example via its group ownership) is the safer option.

Thanks Veit, more tips are welcome ( :

command line switch summary

ssmart (v0.5.0-red-october) by Adrian Kiess.

card/database options:
  -l, --list            list content.
  -i, --id              change #id.
      --size            change size.
      --keyphrase       change blowfish keyphrase.
      --duplicate       duplicate.
  -f, --format          format for ssmart usage.
  
cfs options:
  --cfs-attach [id/all]         attach directory(ies).
  --cfs-detach [id/all]         detach directory(ies).
  --cfs-create                  create directory reference.
  --cfs-remove                  remove directory reference. 

gnupg options:
  --gpg-wipe [s/p/b]            wipe local secring/pubring/both.
  --gpg-export [s/p/b]          export secring/pubring/both.  
  --gpg-import [s/p/b]          import secring/pubring/both.
  --gpg-remove [s/p/b]          remove secring/pubring/both. 

ssh options:
      --ssh-list                list ssh-agent identities.
  -a, --ssh-add [id/all]        add identity(ies) to ssh-agent.      
  -x, --ssh-delete [id/all]     delete identity(ies) from ssh-agent.
      --ssh-copy-key [id]       copy public key to remote host.
      --ssh-copy-identity [id]  copy private identity to another medium.
  -e, --ssh-export-key [id]     export public key.
      --ssh-export-identity     export private identity.
      --ssh-import              import existing private identity.
  -c, --ssh-create              create & write private identity.
  -r, --ssh-remove              remove private identity.

other options:
      --restore-conf    restore default ssmart.conf and backup old one.
  -v, --version         show version, abouttext and module informations.
  -h, --help            print this helptext.  

additional options:
  -d, --device [dev]    "memcard", "smartcard" or "flexmem".
  -p, --port [port]     serial port number for smartcard [0=com1, ...]
  -k, --ask-keyphrase   ignore keyphrase stored in ssmart.conf.
  -y, --assume-yes      assume yes to obligatory questions.
      --debug           print debugging informations.

Have phun. Please send me improvement suggestions.