Using TrustBearer OpenID on Linux

Using TrustBearer OpenID on Linux is easy.

Doing so requires PC/SC Lite: most distributions include this package, for example as “pcscd” (Debian / Ubuntu) or “pcsc-lite” (Red Hat / Fedora).

First install the package, then start the service with “/etc/init.d/pcscd start” (Debian / Ubuntu) or “service pcscd start” (Red Hat / Fedora). To use the TrustBearer Security Key, download the drivers for the ASEDrive IIIe Reader USB from Athena Smartcard Solutions and extract the files. Building them requires the PC/SC Lite development files, which the distro usually provides in a separate package. Run “./configure” followed by “make” and “make install”. Restart PC/SC after installation, then just plug the key into a USB port.

(Note: these instructions are for x86 architectures; using another architecture like AMD64 is possible, but requires the use of 32-bit versions of PC/SC Lite and Firefox, plus some more work.)
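
A preflight check for the steps above, as an added example that is not part of the original post: it checks the architecture caveat, that pcscd is installed and running, and that at least one reader driver bundle is present. The drop directory /usr/lib/pcsc/drivers is an assumed common pcsc-lite default, and the function names are illustrative.

```shell
#!/bin/sh
# Added example: preflight checks for the PC/SC Lite + reader driver setup.
# DROPDIR is an assumption (a common pcsc-lite default); override it if your
# distribution builds pcsc-lite with a different driver drop directory.
DROPDIR="${DROPDIR:-/usr/lib/pcsc/drivers}"

# The post's instructions target 32-bit x86 only.
arch_supported() {
    case "$1" in
        i386|i486|i586|i686) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the name of each reader driver bundle found in directory $1.
list_bundles() {
    for b in "$1"/*.bundle; do
        if [ -d "$b" ]; then basename "$b"; fi
    done
    return 0
}

# Succeeds when a pcscd process exists (restart it after installing a driver).
pcscd_running() {
    pgrep -x pcscd >/dev/null 2>&1
}

# Run every check, report each problem, return non-zero if any check failed.
preflight() {
    rc=0
    m="$(uname -m)"
    arch_supported "$m" ||
        { echo "WARN: $m is not x86; 32-bit PC/SC Lite and Firefox needed"; rc=1; }
    command -v pcscd >/dev/null 2>&1 ||
        { echo "FAIL: pcscd is not installed"; rc=1; }
    pcscd_running ||
        { echo "FAIL: pcscd is not running"; rc=1; }
    if [ -z "$(list_bundles "$DROPDIR")" ]; then
        echo "FAIL: no driver bundle in $DROPDIR"; rc=1
    else
        echo "Driver bundles in $DROPDIR:"
        list_bundles "$DROPDIR" | sed 's/^/  /'
    fi
    return "$rc"
}

# Invoke as: sh preflight.sh check
if [ "${1:-}" = "check" ]; then preflight; fi
```

An empty drop directory is worth ruling out first when pcscd starts but the token is never recognised.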


9 responses to “Using TrustBearer OpenID on Linux”

  1. Maybe a silly question, but is there a possibility to add the Thinkpad fingerprint reader onto the list as well?

  2. Hello Michael,

    It is definitely possible. In fact, we have some preliminary support for the
    UPEK/SGS Thomson Microelectronics fingerprint reader (USB ID 0483:2016)
    which is also present on a number of already existing devices.

    Outside of smartcards, tokens, etc. that work with PC/SC, our framework allows us to digitally sign vendor-specific DLLs and deliver them to the specific platform and use our plugin to access them. We are certainly interested in supporting new devices such as this and will soon post a wish list for devices so we can prioritize which ones we support.

    We also have an SDK for developing support for new devices such as this that contains skeleton code and test sequences for new devices that we can provide to third parties for supporting new devices.

    Thanks,
    Dave

  3. I’ve been trying to get a TrustBearer Athena ASEkey USB token to work under Ubuntu Gutsy Gibbon with no success so far.
    After a bit of preparation to get the development environment functional I can get the Athena Linux drivers (asekey-3.4.tar.bz2 from the Athena site) to compile. I had pcscd installed and running before compiling and installing the drivers and it appeared to be working fine. Once the Athena drivers have been installed it (still) tells me that it is unable to find any driver bundle and then says it is disabling its USB support. The token remains unrecognised by the OS (and the red LED that comes on when the driver loads under Windows remains unlit).
    I suspect that there may be issues with the usb.h that the driver is compiled against, as there were a number of warnings when I ran make for the driver. The Firefox xpi installs fine and appears to be working but the token cannot be found.
    Is there any additional documentation available? Suggestions?
    The token works perfectly under Vista so I know the token works – installation is plug and play and the TrustBearer OpenID enrollment process is flawless.

  4. In Ubuntu (and I’m assuming Debian) I found a precompiled package for the ASEDrive. The package name is “libasedrive-usb”. Hurray for Synaptic… I just signed in to the OpenID page and it appears to work fine.

  5. Note that the ASEKey driver is not the right driver for the TrustBearer tokens. The devices are flashed as an ASEDrive IIIe Reader which behaves the best of all the drivers (in our experience).

    I would try the libasedrive-usb driver provided by your package system before a custom one.

  6. Fantastic – that worked perfectly. Great product guys.

    I have a couple of other questions in case anyone has some info – I have looked for this but haven’t found what I’m looking for yet so I apologize if I’ve just failed to find it.

    Are the stored keys that are generated during enrollment flagged as non-exportable? If so, how would I go about recovering from a loss of the actual hardware token? And if they are exportable, how is that done? Can this device be used to provide the PKCS#11 functions for a Firefox hardware security module?

    As far as the TrustBearer OpenID service is concerned do you have any plans to provide more fine grained control of site authorizations – something similar to the My Trusted Sites functionality that Verisign’s PIP OpenID service provides?

  7. Hello Joe,

    The keys are not exportable so unfortunately you cannot recover your keys. We do have the capability of enrolling multiple tokens to the same account so you could have a backup though this feature is not visible in the Beta.

    We originally did have fine grained control so you could specify the amount of time/etc for each site. We pulled this as we wanted to keep the user experience as simple as possible for now and require authentication each time the site is visited. We will definitely revisit this and are keeping a list of feature requests for the next version.

    For PKCS#11 – we do have a lightweight PKCS#11 for Windows at the moment that works with Firefox – we could send this to you if you are interested. Send a request using our Contact Us on our website.

    Thanks,
    Dave

  8. To be honest I think that for an entry level consumer device having non-exportable keys is a very good thing and enabling multiple tokens on one account would be a more than acceptable loss/theft recovery strategy. This approach makes it much easier to demonstrate to people not familiar with the technologies involved why this is a very secure authentication mechanism.

    I would like to see the fine grained control at some point but the current simple model is quite elegant given that it is safe by default.

    Thanks again for your responses – I’m a very happy customer.

  9. Pingback: How should we handle lost tokens? « OpenID with Strong Authentication
