-
-
Save tiran/af7c21882e1732227455a13c3b8ff380 to your computer and use it in GitHub Desktop.
/* polkit rule to allow 'pkiuser' to access NitroHSM PCSC interface | |
* | |
* file name: /etc/polkit-1/rules.d/99-pkiuser-pcsc.rules | |
* | |
* Resources: | |
* - https://access.redhat.com/blogs/766093/posts/1976313 | |
* - https://raymii.org/s/articles/Get_Started_With_The_Nitrokey_HSM.html | |
* | |
* Installation: | |
* # dnf install opensc pcsc-lite pcsc-tools | |
* # cp 99-pkiuser-pcsc.rules /etc/polkit-1/rules.d/99-pkiuser-pcsc.rules | |
* | |
* Verify access to NitroHSM. | |
* # pcsc_scan | |
* # sudo -u pkiuser -- opensc-tool --list-readers | |
* # sudo -u pkiuser -- pkcs11-tool --list-slots | |
* | |
* Reset NitroHSM (WARNING: deletes all objects) | |
* # sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 1234567 | |
* | |
* Install FreeIPA: | |
* # ipa-server-install --hsm-enable --hsm-libfile=/usr/lib64/opensc-pkcs11.so --hsm-modulename=nitrohsm --token-name='UserPIN (SmartCard-HSM)' --token-password=1234567 | |
* | |
*/ | |
polkit.addRule(function(action, subject) { | |
if (action.id == "org.debian.pcsc-lite.access_pcsc" && | |
subject.user == "pkiuser") { | |
return polkit.Result.YES; | |
} | |
}); | |
polkit.addRule(function(action, subject) { | |
if (action.id == "org.debian.pcsc-lite.access_card" && | |
action.lookup("reader").startsWith("Nitrokey Nitrokey HSM") && | |
subject.user == "pkiuser") { | |
return polkit.Result.YES; | |
} | |
}); |
Thanks, this is super useful! I'm looking at FreeIPA and am finding HSM support docs really hard to track down.. there seems to be a feature request from a few years back that's still open..
This is a great starting place. Cheers!
Ah, though I have to ask - is --hsm-enable a flag in a special version of FreeIPA? It isn't supported in 4.6.4 it seems.
not seen in 4.7.90 either, found a workaround, but stuck somewhere else, not sure it's related yet.
Note it is not supported yet. We are working on hsm integration but there are bugs still at dogtag side and in FreeIPA. Options above were from the very early experiments. They would not be exactly the same once finalized.
Right Alexander. I tried with SafeNet Luna HSM with --pki-config-override and some other tweaks but failed.
Hoping to see HSM support in 4.8 release.
@type4ranjan -- can you share your override file and output?
Please share the information on either a new gist or better as an upstream ticket on https://pagure.io/freeipa
slots
objects
Dogtag NSSDB (internal)
Dogtag NSSDB (NitroHSM)