Asking or verifying pin for smart card without ipsec secrets?
kimmo.koivisto at surfeu.fi
Wed Jan 11 23:23:52 CET 2006
I have openswan openswan-2.4.4 in my Fedora Core 5t1 box, smart card support
compiled into it. Opensc is 0.10.
Connections and smart card works fine and I use bash script for opening
tunnels. All tunnels have %smartcard as cert and auto=add.
My script does the following:
1. it tests that card is inserted (opensc -n) , if not I use kdialog to ask
2. it uses "ipsec secrets" which asks for the pin, I insert my pin to the
3. script opens all tunnels with ipsec auto --up connection-name, looping
through all tunnels
I would like to improve my script so that I could ask pin with "kdialog
--password" add feed the pin to the card, with "ipsec secrets" or with some
Q: Any ideas how to do this, I did not find any --stdin or similar options for
"ipsec secrets" and I don't know how to "verify" pin with opensc.
Q: How to list configured connection names, so that those can be used with
ipsec auto --up. Currently I have done it so that all connections have prefix
tunneli and postfix number (example tunneli1, tunneli2, tunneli3) and I use
TUNNELS=`ipsec auto --status | grep tunneli | cut -f 2 -d "\"" | sort | uniq |
while there are tunnels left $TUNNELS do
ipsec auto --up tunneli$TUNNEL
and this is quite ugly.
Q: Is there any way to just start all tunnels without starting every one
separately. Using auto=start is not what I want, because pin code and card
might not be available until user decides to use connections.
More information about the Users