Aladdin eToken on FreeBSD

This page contains info about getting an Aladdin eToken PRO USB working as an authentication token on FreeBSD 7 using OpenSC. Most of it can probably be used more or less directly with any recent FreeBSD version.

This is WIP.

A lot of hacks are currently required. Hopefully some of this can be included in FreeBSD by default at some point.

The Aladdin eToken PRO 32K can be purchased in Denmark from TDC's webshop.

Software installation

You need to install the ports security/openct, security/opensc, and security/openssh-portable.

For OpenSSH the OPENSC and OPENSCPINPATCH options must be enabled either in the config menu or by setting WITH_OPENSC=yes and WITH_OPENSCPINPATCH=yes in /etc/make.conf. The first option enables OpenSC support in OpenSSH, and the second option enables a patch for OpenSSH which makes it possible for OpenSSH to ask for a PIN when using the eToken.

OpenSSL needs DSO (dynamic shared object) support so that its dynamic engine can dlopen() engine_pkcs11.so; this is not enabled by default in older FreeBSD versions. It is enabled in FreeBSD 7-CURRENT after 2006-07-29 and 6-STABLE after 2006-07-24 (and will be in 6.2-RELEASE). It can also be enabled in older FreeBSD versions with a patch.

Setting it all up

OpenSSL command to load the pkcs11 engine, typed at the interactive openssl prompt (run openssl with no arguments to get it):

engine dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so

The -pre commands are run before the engine is initialised: SO_PATH and ID point the dynamic engine at engine_pkcs11.so and give it its name, LIST_ADD:1 registers it in OpenSSL's engine list, LOAD loads it, and MODULE_PATH tells engine_pkcs11 which PKCS#11 module to use (OpenSC's in this case).
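The same engine can be loaded from an OpenSSL configuration file instead of typing the engine command at the prompt every time, which is what non-interactive uses such as openssl req need. The fragment below is an added example and not part of the original page or of OpenSC; it assumes the engine_pkcs11 configuration keys (engine_id, dynamic_path, MODULE_PATH, init) and the same library paths as the interactive command above.

```ini
# Added example: openssl.cnf fragment that loads engine_pkcs11, and through it
# the OpenSC PKCS#11 module, whenever the openssl command starts.
# The paths are the same as in the interactive "engine dynamic ..." command.
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
# engine_id and dynamic_path correspond to ID: and SO_PATH: in the interactive form
engine_id = pkcs11
dynamic_path = /usr/local/lib/engines/engine_pkcs11.so
# MODULE_PATH is the PKCS#11 provider the engine talks to (OpenSC here)
MODULE_PATH = /usr/local/lib/opensc-pkcs11.so
# init = 0 defers initialisation until the engine is actually used, so
# openssl commands that never touch the token do not try to open it
init = 0
```

Point OPENSSL_CONF at a file containing this (or merge it into /etc/ssl/openssl.cnf, keeping openssl_conf in the default section at the top). A quick check that the engine loads is openssl engine -t pkcs11; after that, for example, openssl req -engine pkcs11 -keyform engine -key id_45 -new -out req.pem produces a certificate request signed with a key on the token. The id_45 reference assumes engine_pkcs11's id_<hex> / slot_<n>-id_<hex> key naming; the actual key ID comes from pkcs15-tool --list-keys.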

To make openct notice the eToken when it is plugged in or removed, add the following to /etc/devd.conf. The USB vendor and product IDs are those of the Aladdin eToken PRO, and openct is restarted on both attach and detach so that its reader list stays in sync with the devices actually present:

# eToken
# Aladdin eToken PRO: USB vendor 0x0529 (Aladdin Knowledge Systems),
# product 0x0514. On FreeBSD 7 the token shows up as a generic USB
# device (ugenN), which is why device-name matches ugen[0-9]+.
attach 100 {
        device-name "ugen[0-9]+";
        match "vendor" "0x0529";
        match "product" "0x0514";
        # restart openct so it opens the newly attached token
        action "/usr/local/etc/rc.d/openct restart";
};
detach 100 {
        device-name "ugen[0-9]+";
        match "vendor" "0x0529";
        match "product" "0x0514";
        # restart openct so it drops the reader that just went away
        action "/usr/local/etc/rc.d/openct restart";
};