
Linux/UNIX: Multi-Factor Authentication

Your PK Protect System Administrator may require you to confirm each of your devices, including the desktop application, with Multi-Factor Authentication (MFA). MFA adds a layer of protection for all of your data: if your password is compromised, an attacker would also need possession of one or more mobile devices to access the PK Protect account and the data protected by it.

Follow these steps to set up MFA support through Smart Cards on Linux.

Set Up Trust for the Smart Card Certificate's CA in PK Protect with PKCertTool

Add the certificates associated with your Smart Card to the certificate store. You should have the certificates exported to a *.p7b file.

PK Protect manages digital certificates on Linux with pkcerttool. Add the certificate file with pkcerttool -add -all <*.p7b>:

pkcerttool -add -all signing_ca.p7b
PKCertTool(tm) Version 1.70
Portions copyright (C) 2001-2019 PKWARE, Inc. All Rights Reserved.
Build Version ($BuildRev: 1102 $)
 
Adding Certificate: Siemens Issuing CA EE Auth 2016 to CA in the database: /home/jack/certificates.db
   using certFile: signing_ca.p7b
 
Adding Certificate: QuoVadis Enterprise Trust CA 3 G3 to CA in the database: /home/jack/certificates.db
   using certFile: signing_ca.p7b
 
Adding Certificate: QuoVadis Root CA 3 G3 to ROOT in the database: /home/jack/certificates.db
   using certFile: signing_ca.p7b

After you have added the certificates, confirm that PKCertTool sees them with pkcerttool -list -store ROOT:

pkcerttool -list -store ROOT
PKCertTool(tm) Version 1.70
Portions copyright (C) 2001-2019 PKWARE, Inc. All Rights Reserved.
Build Version ($BuildRev: 1102 $)
 
----------------------------------------------------------------
Certificates in ROOT in the database: /home/jack/certificates.db
----------------------------------------------------------------
 
--- Certificate     1 ---
QuoVadis Root CA 3 G3
SerialNumber:
   2EF5 9B02 28A7 DB7A FFD5 A3A9 EEBD 03A0
   CF12 6A1D
NotBefore:
   Thu Jan 12 20:26:32 2012
NotAfter:
   Thu Dec  7 13:58:16 1905
 
------------------
   1 certificates
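
A listing like this is worth checking mechanically before relying on the store: in the sample above, NotAfter (1905) is earlier than NotBefore (2012). The following script is an added example, not part of PK Protect or PKWARE's documentation; it assumes the listing layout shown on this page. `audit_store_listing` is a hypothetical name, and the second certificate in the sample input is constructed.

```shell
# Added example: audit `pkcerttool -list -store ROOT` output read on stdin.
# Assumes the listing layout shown on this page; other versions may differ.
# Prints STATUS|name|serial|NotBefore year|NotAfter year for each certificate.
audit_store_listing() {
    awk -v now="${1:-$(date +%Y)}" '
    function emit() {
        if (name == "") return
        status = (na + 0 < now + 0) ? "EXPIRED" : "OK"
        if (na + 0 < nb + 0) status = "REVIEW"    # validity ends before it starts
        gsub(/[ \t]/, "", serial)
        printf "%s|%s|%s|%s|%s\n", status, name, serial, nb, na
        name = ""; serial = ""
    }
    /^--- Certificate/ { emit(); state = "name"; next }
    /^-+$/             { emit(); state = ""; next }
    /^(SerialNumber|NotBefore|NotAfter):/ { state = $1; next }
    state == "name" && NF       { name = $0; state = ""; next }
    state == "SerialNumber:"    { serial = serial $0; next }
    state == "NotBefore:" && NF { nb = $NF; state = ""; next }
    state == "NotAfter:" && NF  { na = $NF; state = ""; next }
    END { emit() }
    '
}
# Sample input: certificate 1 is the entry shown on this page; certificate 2 is constructed.
sample_listing() {
    cat <<'EOF'
--- Certificate     1 ---
QuoVadis Root CA 3 G3
SerialNumber:
   2EF5 9B02 28A7 DB7A FFD5 A3A9 EEBD 03A0
   CF12 6A1D
NotBefore:
   Thu Jan 12 20:26:32 2012
NotAfter:
   Thu Dec  7 13:58:16 1905
--- Certificate     2 ---
Example Internal Root (constructed)
SerialNumber:
   0A1B 2C3D
NotBefore:
   Wed Jan  1 00:00:00 2020
NotAfter:
   Tue Jan  1 00:00:00 2030
------------------
EOF
}

sample_listing | audit_store_listing
```

An entry marked REVIEW or EXPIRED should be compared against the certificate the CA publishes (name, serial number and validity dates) before the store is trusted for MFA.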

Set up the PK Protect Agent

To complete setup, run the interactive pkagent script.

You should have this information at hand:

  • PK Protect Server URL
  • Email address configured with PK Protect Enterprise Manager
  • Password for PK Protect Enterprise Manager
  • Path to the Smart Card

/usr/pkware/pkzip/bin/pkagent --interactive
PKWARE pkagent for Linux 16.20.0021
Portions copyright (C) 1989-2019 PKWARE, Inc.
 
You already have a Smartcrypt Server URL "https://smds183-jd.qanet.dom/mds" configured
Would you like to change it [y/N]: n
You already have an email address "jack.dale@qanet.dom" configured
Would you like to change it [y/N]:
You already have a password configured
Would you like to change it [y/N]:
Does the account "jack.dale@qanet.dom" authenticate with Active Directory credentials [y/n]: n
PKMeta Initializing - Built Sep 12 2019 at 13:41:50
PKMeta initialized
Initialized Cluster Evaluator
Would you like to use a Smartcard for Multi-factor authentication (MFA)? [y/N]: y
 
Ubuntu: /usr/local/lib/libcardos11.so: is valid
 
Please insert 'Ubuntu' compatible smartcard.
Press any key when ready...
 
Slot# 1 : 'Siemens Corporate ID Card (V8)' selected
 
Do you use a Secure Pin Entry (SPE) device? [y/N]: n
 
Siemens Corporate ID Card (V8)
Please enter pin: ********
Please confirm pin: ********
 
Summary:
PKCS#11 Description                   : Ubuntu
PKCS#11 Shared Library                : /usr/local/lib/libcardos11.so
PKCS#11 Slot#                         : 1
PKCS#11 Label                         : Siemens Corporate ID Card (V8) | www.atos.net/cardos | CardOS V5.3, 201 |
Z00444MC4TMQIA75
PKCS#11 Secure Pin Entry (SPE) device : No
 
PKCS#11 for Certificate MFA configured
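
pkagent records the PKCS#11 shared library path shown in the summary, so it is worth confirming that only the expected owner can modify that file and the directory holding it. The function below is an added example, not part of PK Protect or PKWARE's documentation; `check_pkcs11_module` and its arguments are hypothetical names, and root ownership is an assumed policy.

```shell
# Added example: check who can modify a PKCS#11 module before configuring it.
# Usage: check_pkcs11_module /usr/local/lib/libcardos11.so [expected-owner-uid]
# Returns 0 if clean, 1 on a permission or ownership finding, 2 if unusable.
check_pkcs11_module() {
    module=$1
    owner=${2:-0}                       # assumed policy: owned by root (uid 0)
    rc=0
    real=$(readlink -f -- "$module") || { echo "FAIL: cannot resolve $module"; return 2; }
    [ -f "$real" ] || { echo "FAIL: $real is not a regular file"; return 2; }
    [ "$real" = "$module" ] || echo "NOTE: $module resolves to $real"
    # Check the resolved file and its directory: write access to either one
    # lets another account replace the library.
    for p in "$real" "$(dirname -- "$real")"; do
        if [ -n "$(find "$p" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "FAIL: $p is group- or world-writable"; rc=1
        fi
        if [ -z "$(find "$p" -prune -user "$owner" -print)" ]; then
            echo "FAIL: $p is not owned by uid $owner"; rc=1
        fi
    done
    [ "$rc" -eq 0 ] && echo "OK: $real"
    return "$rc"
}
```

The check covers only the library and its immediate directory; parent directories higher up the path are not examined.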

Pairing Card with PEM Administrator with Smartkeys

Use pkzipc -listsm to list the Smartkeys configured on the system. This command forces the Smartkey owner to log in, and the card then pairs with PEM Administrator.

Note → The first call might fail because the agent times out waiting for the action. Just issue the command again.

pkzipc -listsm
Smartcrypt(TM) Version 16 for Linux X86-64
Portions copyright (C) 1989-2019 PKWARE, Inc.  All Rights Reserved.
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579
7,890,465  7,895,434;  Other patents pending
 
Connecting to Smartcrypt Manager............
Not logged in
 
jack@mkelin-jkd04:~$ pkzipc -listsm
Smartcrypt(TM) Version 16 for Linux X86-64
Portions copyright (C) 1989-2019 PKWARE, Inc.  All Rights Reserved.
Reg. U.S. Pat. and Tm. Off.  Patent No. 5,051,745  7,793,099  7,844,579
7,890,465  7,895,434;  Other patents pending
 
Connecting to Smartcrypt Manager...
 ----------------------------------------------------------------
                             Smartkeys
 -------------------------------  -------------------------------
             Name/URN                        Owner
 -------------------------------  -------------------------------
 Community: Ottos and Jack        smds183-rc@qanet.dom
 community-RTpw6Umqkjf6Iw+7-SAT_CP6JL3EagI2xqwlalrCMaIwR
 ----------------------------------------------------------------
 Personal Smartkey                jack.dale@qanet.dom
 priv--MA_728673_OpkMfSYngzLUfdPHI5fDmM7s
 ----------------------------------------------------------------

