=> [ download ||
console screenshot ||
html`ized source code ];
"Its not a bug, its a feature."
"Wenn einer nichts gelernt hat -: dann organisiert er. Wenn einer aber gar nichts gelernt und nichts zu tun hat -: dann macht er Propaganda."
ssmart is program to manage secure shell and cryptographic file system with a chipcard as storage medium. It is written in Perl and can be driven fully via comandline. It uses blowfish encryption and zlib compression for the data storage.
You may ask: "Why do I need this?"
I try to summarize some reasons below.
If you often work on different boxen and want to keep your sensitive data on a save place, ssmart could be a way to solve your problems.
In general you leave your sensitive data on your harddrive. This has disadvantages like:
I'd like to achieve this a little bit more. The most things I note down here are facts because I wrote and use this piece of code. You may have other reasons or maybe really no reason for using ssmart.
First I thought of a way of easily carrying the data with me because I'm lazy from nature. I could have simply stored the data to a floppy. But thats not a good idea, just think of you leave the floppy in your car near your super new bass boosting 300Watt car radio. In general I lost too many data on floppies to take this risk on me. On the other hand, if someone gets the floppy in his hands the data would be plain text -- yes, you know. Furthermore, I think a chipcard is a good, good looking, and cheap way to carry the stuff with you. And data stored to the chipcard will overcome the strangest situations where other mediums would simply fail and your data would be corrupted.
Summarzing we can say, the advantages of ssmart are:
This was written fast, I take a look on it laters again.
or / and
If you use GNU Debian you can get all that stuff by simply apt-get`ting it.
Its an easy task to install the required Perl modules. If you are behind a firewall, donīt forget to the set the ftp_proxy variable. Instead of using CPAN and install the modules by hand, you may also consider to install the Debian (libcrypt-blowfish-perl & libcrypt-cbc-perl) or NetBSD ( pkgsrc/security/p5-Crypt-CBC & p5-Crypt-Blowfish ) packages ... and so on. Just run ssmart, if it complains about missing modules, install those.
root@box:~$ export ftp_proxy=http://my.lan.proxy:3128/
root@box:~$ perl -MCPAN -e shell
cpan> install Crypt::Blowfish Crypt::CBC
Then run make install, which will place ssmart and its modules to /usr/local/.
root@box:~$ make install
At first we need to create a new secure shell identity. It then will be stored to the chipcard and hence you won`t have a local copy of it on your harddrive or even worse on a NFS share. I furthermore use it to automate the mounting of cfs directories, mounting a lot of them can become a annoying task.
Give the command line help a look (this creates the default configuration file). Then edit the configuration file ~/.ssmart/ssmart.conf and change the blowfish keyphrase there. If you donīt want to use the configuration file for storing your blowfish keyphrase, you can always use the -k switch to get asked for it.
user@box:~$ ssmart --format
Now we have to "Format" the chipcard. This is to ensure you know what you do (mostly it is me who needs such a feature (-;).
user@box:~$ ssmart --ssh-create
"Create"s a new ssh private identity which will be written to your chipcard.
user@box:~$ ssmart --ssh-add
"Add"s the ssh private identity to the ssh-agent, I assume you have one running. Please read the ssh-agent manpage for detailed informations about how to set it up.
user@box:~$ ssmart --ssh-copy-key
Destination Host [user@host]:
Finally we copy the private identity to a remotebox and append it to the
authorized_keys file. Thats it! You should now be able to
log in on the remotebox without being asked for your identityīs password.
If your NFS servers /home directory is globally exported,
this should work now for your whole network. Easy!
Your data will be stored in the following format to the chipcard:
Where $freezed_data is an array which is freezed with the FrezeThaw module to make the data storable in ASCII conform characters. Thawed (the opposite of freezed), it looks like this:
$array = (time); # Last modification time. $array = $card_id; # Identification number. $array = [ @identities ]; # An array of the secure shell identities. $array = [ @cfs ]; # An array of the cfs directories/passwords. $array = [ @a_future_content ]; # ... Free for future additions.
You can always take a look on the freezed data while executing ssmart in the debugging mode:
./ssmart --debug -list Checking blowfish cipher... Reading chipcard... Reading finished. ... FrT;@4|$10|1023476237$2|77@2|@3|$2|OK$808|MIICWgIBAAKBgQC3tboUo8 czI+eYFamBErxsnVS5zzz68LbGArRPbgs5EmtIEIXIlc0cNPkAn+/QbWik63k/qo NVYv8zGjCKfcfa0gDLBNbCnn7wTxYVKJ/+3eKoSNHQOc0m/w5xYoddURZp0HamMo +Su1huJJmc2mH73yWd9KNUfLfDPwrK6jheGwIBIwKBgA+/HpQOCcKODIlg8UWT5E PS+KI2Va8b8mi+ZzoCHjgXhYnVh89dTBhcT9t7bFOxm0FWAxQV7gABK9EuIWr01p 2VC0b85SvjpH2ulFRBP6FLz1udu4H...
This is how the freezed data looks like.
The steps to build the final data together are the following:
$freezed_data = freeze(@array); # The array gets freezed. $freezed_data = compress($freezed_data); # Secondly, the array gets zlib compressed. $data = "$ssmart_version\:$data_bytes\:$freezed_data"; # Everything gets put together. $data = $cipher->encrypt($data); # Finally, the whole data gets blowfish encrypted.
Veit Wahlich <email@example.com> wrote me some worthy hints in conjunction with the
You can use the Linux v2.4 SB Prolific 2303 Single Port Serial Driver for the usb-towitoko.
Furthermore, since the smartcard program itself only talks to the first four serial devices, you can simply create a symlink from one of the serial devices you donīt use to your usb device where the usb-towitoko is connected.
$ ln -s /dev/ttyS3 /dev/usb/ttyUSB0
If you want to interact as less privileged user with the reader you may too have to change the devices permissions or owner.
$ chmod a=+r+w /dev/ttyUSB0
If this does not work, you may consider to set your smartcard binary +s (sticky bit).
Thanks Veit, more tips are welcome ( :
ssmart (v0.5.0-red-october) by Adrian Kiess. card/database options: -l, --list list content. -i, --id change #id. --size change size. --keyphrase change blowfish keyphrase. --duplicate duplicate. -f, --format format for ssmart usage. cfs options: --cfs-attach [id/all] attach directory(ies). --cfs-detach [id/all] detach directory(ies). --cfs-create create directory reference. --cfs-remove remove directory reference. gnupg options: --gpg-wipe [s/p/b] wipe local secring/pubring/both. --gpg-export [s/p/b] export secring/pubring/both. --gpg-import [s/p/b] import secring/pubring/both. --gpg-remove [s/p/b] remove secring/pubring/both. ssh options: --ssh-list list ssh-agent identities. -a, --ssh-add [id/all] add identity(ies) to ssh-agent. -x, --ssh-delete [id/all] delete identity(ies) from ssh-agent. --ssh-copy-key [id] copy public key to remote host. --ssh-copy-identity [id] copy private identity to another medium. -e, --ssh-export-key [id] export public key. --ssh-export-identity export private identity. --ssh-import import existing private identity. -c, --ssh-create create & write private identity. -r, --ssh-remove remove private identity. other options: --restore-conf restore default ssmart.conf and backup old one. -v, --version show version, abouttext and module informations. -h, --help print this helptext. additional options: -d, --device [dev] "memcard", "smartcard" or "flexmem". -p, --port [port] serial port number for smartcard [0=com1, ...] -k, --ask-keyphrase ignore keyphrase stored in ssmart.conf. -y, --assume-yes assume yes to obligatory questions. --debug print debugging informations.
Have phun. Please send Adrian Immanuel Kiess