How to install OpenSC on IPFire Firewall
This article continues our previous work on the IPFire firewall. In this tutorial, support for hardware tokens (such as smart cards) and their CCID-compliant readers is integrated into the IPFire project. The following tools were successfully compiled for IPFire version 2.19.
- PCSC (PC/SC Smart Card Daemon)
- CCID (Chip/Smart Card Interface Devices) (free software drivers)
- OpenSC
The PC/SC smart card daemon is used to access smart cards on the Linux platform through CCID or proprietary drivers. A driver for the CCID smart card reader is required to access the cards; the CCID package contains drivers for different smart card readers for the Linux/Unix environment. Smart card access (PKCS#11 API) and management (PKCS#15 file structure) are supported by the OpenSC project, which consists of several open source tools and libraries. Hardware tokens such as smart cards can be used for the following purposes:
- Secure Web Login
- Workstation Login
- File Encryption
- VPN (OpenVPN, L2TP)
- Email Encryption
Several of the smart card vendors supported by OpenSC are listed below.
- ASEPCOS
- FTCOSPK01C
- OpenPGP Card
- Cyberflex
- CardOS
- STARCOS
Environment Setup
For the setup of a development environment, a detailed explanation has been given in the previous article.
Addons in test shell of IPFire
It is recommended to install the IPFire addons in the test shell (similar to a Linux terminal), which is invoked with the following command in the root directory.
./make.sh shell
The source packages on the IPFire build environment are placed inside the /usr/src/cache directory. All required packages for this tutorial are already placed in the cache directory.
The source of the pcsc-lite package is shown in the following snapshot.
Before we start the compilation of the pcsc-lite tool, it is recommended to install the required libudev-dev library with the following command.
apt-get install libudev-dev
Now, extract the source package using the following command and run the ./configure script as shown below.
tar -xf pcsc-lite-1.8.18.tar.bz2
As shown below, no error is generated by the configure command.
Now, simply run the make and make install commands to install the pcscd daemon in the test environment.
Successful installation of the pcsc-lite package shows a few important paths which will be used to compile the CCID package.
The following screenshot shows that pcscd is running in IPFire in the test environment.
The next package required for smart cards is the CCID drivers package. As shown below, the CCID package is placed in the cache directory.
The following screenshot shows the error generated by the ./configure script of the CCID package.
The error shows that pcsc-lite is not found by the configure script. Therefore, set PCSC_CFLAGS with the configure script as shown below.
./configure PCSC_CFLAGS=-I/usr/local/include/PCSC
However, another error is generated by the script because libpcsclite.pc is not found under the pkg-config path on the IPFire LFS.
Therefore, first export PKG_CONFIG_PATH and then run the configure script again.
export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/
./configure PCSC_CFLAGS=-I/usr/local/include/PCSC
Successful output of the configure script run is shown below. It shows that the required PCSC files are found by the script.
Run the make and make install commands to complete the installation of the CCID drivers.
Copy the udev rules for the smart card readers into the /etc/udev/rules directory as shown below.
Copying the 92_pcscd_ccid.rules file into the /etc/udev/rules directory.
The following screenshot shows the OpenSC tool in the /usr/src/cache directory.
Run the configure script to check the dependencies of the package.
The output of the configure script is shown in the following snapshots.
Run the make and make install commands for the OpenSC installation in the test environment.
The following screenshot shows that the OpenSC tool has been successfully installed in the test shell of IPFire.
After installation of the required tools in the LFS shell of IPFire, the next step is to build the addon in the IPFire package manager format (pakfire).
Compilation of IPFire addons
The detailed procedure regarding addon building for an IPFire environment is already given in the "Building PSAD addon" section of the previous article.
- A compilation script, also known as an lfs script, is created in the lfs directory of the IPFire setup.
- Changes for new addons have to be made in the make.sh script.
The LFS scripts are created for the pcsc-lite-1.8.18, ccid-1.4.24, and opensc-0.16.0 packages. Download all lfs scripts for the packages and place them inside the lfs directory of ipfire-2.x.
LFS scripts for the above addons are shown below.
pcsc-lite
ccid
opensc
The changes in the build script (make.sh) file are shown below.
Run the following commands to build the packages.
ipfiremake pcsc-lite
ipfiremake ccid
ipfiremake opensc
The following command must be run two times to compile the new addons.
./make.sh build
The following screenshot shows that the lfs scripts of new addons are compiled without an error.
The following screenshot shows the output of the first build command. The rootfiles for all three packages are not found during this build process.
Three rootfiles for the new addons are inside the log directory with the same package/file name as shown below.
The following screenshot shows that the rootfiles of the new addons are copied into the config/rootfiles/packages path. Change the name of each copied rootfile to match the lfs name of the new addon (the script placed in the lfs directory).
cp log/pcsc-lite-1.8.18 config/rootfiles/packages/pcsc-lite
cp log/ccid-1.4.24 config/rootfiles/packages/ccid
cp log/opensc-0.16.0 config/rootfiles/packages/opensc
The rootfiles of new addons contain a "+" sign which must be removed before running the build command.
pcsc-lite root file
ccid rootfile
opensc rootfile
Use the following sed command to remove the "+" sign from the rootfiles of the new packages.
sed -i 's/+//g' config/rootfiles/packages/pcsc-lite
sed -i 's/+//g' config/rootfiles/packages/ccid
sed -i 's/+//g' config/rootfiles/packages/opensc
The following screenshot shows that the plus sign has been removed from the rootfiles.
PakFire is the package management system for IPFire which is used by the install, uninstall and update routines in the new addons.
Create directories (with the same names as the lfs scripts of the packages) for all new addons inside the src/paks path and copy the install.sh, uninstall.sh and update.sh scripts from src/paks/default/ into src/paks/pcsc-lite, src/paks/ccid and src/paks/opensc.
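The rootfile and pakfire staging steps above can be scripted per addon. The following is an added example, not part of the original article or of the IPFire project; the function name stage_addon and its optional third argument (the tree root) are assumptions. It goes slightly beyond the sed command above by stripping only a leading "+" (assuming the marker sits at the start of each line), so that a "+" inside a file name is preserved.

```shell
#!/bin/sh
# Added example (not from the IPFire project): stage the rootfile and the
# pakfire scripts for one addon. stage_addon is a hypothetical helper name.
# Usage from the ipfire-2.x directory:
#   stage_addon pcsc-lite 1.8.18
#   stage_addon ccid 1.4.24
#   stage_addon opensc 0.16.0

stage_addon() (
    name=$1
    version=$2
    root=${3:-.}                 # assumption: optional tree root, default cwd
    log="$root/log/$name-$version"
    rootfile="$root/config/rootfiles/packages/$name"
    paks="$root/src/paks/$name"

    if [ -z "$name" ] || [ -z "$version" ]; then
        echo "usage: stage_addon NAME VERSION [TREE_ROOT]" >&2
        return 2
    fi
    # The first build leaves the file list in log/NAME-VERSION.
    if [ ! -s "$log" ]; then
        echo "no file list at $log; run ./make.sh build first" >&2
        return 1
    fi

    mkdir -p "$root/config/rootfiles/packages" "$paks" || return 1

    # Strip only the leading "+" marker (assumed to start each line), so a
    # path such as usr/lib/libfoo++.so keeps its own plus signs.
    sed 's/^+//' "$log" > "$rootfile" || return 1

    # No line may still carry the marker, and the list must not be empty.
    if grep -q '^+' "$rootfile" || [ ! -s "$rootfile" ]; then
        echo "unexpected content in $rootfile" >&2
        return 1
    fi

    # Copy the default install/uninstall/update routines for pakfire.
    for script in install.sh uninstall.sh update.sh; do
        cp "$root/src/paks/default/$script" "$paks/" || return 1
    done

    echo "staged $name: $(grep -c '' "$rootfile") entries"
)
```

Review the staged rootfile before the second build, since it is the list of files the addon will carry.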
Run the build command again to complete the build process.
./make.sh build
This time, ignore the missing rootfiles message for all new addons because we have already updated the rootfiles in the config directory.
Finally, the following screenshot shows that the new addons (pcsc-lite-1.8.18-2.ipfire, ccid-1.4.24-2.ipfire, opensc-0.16.0-2.ipfire) have been created inside the packages directory.
Installation of pakfire packages
As shown below, the compiled packages are copied to the already installed IPFire system inside the /opt/pakfire/tmp directory.
The following screenshot shows that the packages are copied to the IPFire system.
The new addons are extracted with the following commands for installation on IPFire.
tar -xvf pcsc-lite-1.8.18-2.ipfire
tar -xvf ccid-1.4.24-2.ipfire
tar -xvf opensc-0.16.0-2.ipfire
Installation of the new addons using the ./install.sh script is shown in the following screenshot.
Successful installation of pcsc-lite is shown in the following snapshot.
The following figure shows the installation of CCID smart card drivers.
As shown below, the OpenSC tool is finally installed for the management of smart cards on the IPFire system.
In this tutorial, new addons are built in the development system of IPFire. These new addons are used to integrate smart cards and their readers with the open source IPFire project.