Smart Cards - Thinstation/thinstation GitHub Wiki

Gemalto Smartcards

A brief guide to get smart cards working with thinstation running rdesktop connected to a microsoft terminal server. It is theoretically possible to get ThinStation working with a variety of cards and readers. This guide focuses only on the following:

gemalto v2 .net smartcards:
gemalto .net smart cards run a streamlined version of the .net framework and provide seamless integration with microsoft operating systems.
http://tinyurl.com/26o6htc

gemalto pc twin usb smart card reader:
simple usb smart card reader.
http://tinyurl.com/33qjsyg

you will need:

  • a microsoft terminal server
  • an active directory domain controller
  • a linux box with a build environment
  • any test computer
  • a gemalto pc twin usb smart card reader
  • a gemalto .net smartcard

step 1:

first, get a working smart card environment set up. make sure you can log on locally to a machine with your smart card and reader, and also make sure you can connect and logon to a terminal server with the smart card over rdp.

the following links should help:
you will need to install the following update on xp or 2003 machines to enable logon via gemalto .net smartcard: http://tinyurl.com/yhdwrzc

the windows machine that the smart card reader is plugged in to should be able to find the drivers automatically, but just in case they can be found here: http://support.gemalto.com/?id=46

the gemalto documentation detailing the set up required to enable smart card logon to active directory, as well as installing certificates (users) on the cards themselves: http://tinyurl.com/2fpyuwn

step 2:

once you have a working smart card setup, download and setup thinstation. it is a good idea to familiarize yourself with the thinstation documentation to assist in later steps. use the latest version.

There are also multiple ways you can boot into thinstation; this guide should work for all of them. for reference, I use the pxe boot method, as no media is required to boot a machine into thinstation. Verify that you can boot a client machine into thinstation and connect to a terminal server using rdesktop.

step 3:

the gemalto pc twin usb smart card reader uses the linux ccid drivers. connections to the readers and driver management are provided by the pcsc lite resource manager daemon, or pcscd. both of these are available as packages in a thinstation os, but ccid needs to be configured for a particular reader before thinstation is compiled, and the pcscd package has a bug that also requires some configuration before the thinstation image is compiled. luckily, there is a fix for the pcscd package written by [email protected] on the sourceforge thinstation development email list. so, we need to download the thinstation source, patch the pcscd package, configure the ccid package to work with the gemalto pc twin usb smart card reader, and then compile the boot images.

3a:
Set up a linux machine with a current build environment. DevStation is excellent for this, but you can use any distro you want.

3c:
download patched version of pcscd and update thinstation source:

wget http://dl.dropbox.com/u/2334614/pcscd.tar.bz2
mkdir pcscd
mv pcscd.tar.bz2 pcscd
cd pcscd
tar xfj pcscd.tar.bz2
cd ..
mv Thinstation-2.2.2d/packages/pcscd/ ./oldpcscd
mv pcscd/ Thinstation-2.2.2d/packages/
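
The archive in 3c is fetched over plain HTTP and this page gives no checksum for it, while its contents end up in every boot image built from the tree. The following is an added example (not part of the original guide or the Thinstation project) that lists the archive for member names that would escape the extraction directory and prints its SHA-256 for the build notes; the function names are hypothetical.

```shell
# Added example, not from the original guide. Function names are hypothetical.

# Read archive member names on stdin and print the ones that are absolute or
# contain a ".." component; either form can write outside the extraction dir.
unsafe_members() {
    awk '/^\// || /(^|\/)\.\.(\/|$)/ { print }'
}

# Print the SHA-256 of a file so it can be kept with the build notes and
# compared the next time the same URL is fetched.
archive_digest() {
    sha256sum "$1" | awk '{ print $1 }'
}

# Return 0 only if tar can list the archive and no member name is unsafe.
# "tar -tf" lets tar detect the bzip2 compression itself.
check_archive() {
    listing=$(tar -tf "$1") || { echo "cannot list $1" >&2; return 2; }
    bad=$(printf '%s\n' "$listing" | unsafe_members)
    if [ -n "$bad" ]; then
        printf 'unsafe member names in %s:\n%s\n' "$1" "$bad" >&2
        return 1
    fi
}

# Usage with the file and directories named in step 3c:
#   check_archive pcscd.tar.bz2 && archive_digest pcscd.tar.bz2
# After the two mv commands, review what the patched package changes:
#   diff -ru oldpcscd Thinstation-2.2.2d/packages/pcscd
```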

3d:
in order to edit the ccid configuration to work with the gemalto pc twin usb smart card reader, we need the vendor id and the product id of the reader. these can be found here:
http://pcsclite.alioth.debian.org/readers/GemPCTwin.txt
the vendor id is 0x08E6 and the product id is 0x3437. now, edit the file
Thinstation-2.2.2d/packages/ccidreader/usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist and change the following lines:

TARGET.VERSION
TO
libccid.so.1.0.1

ifdVendorID
   MAGIC_VENDOR
TO
ifdVendorID
   0x08E6

ifdProductID
   MAGIC_PRODUCT
TO
ifdProductID
   0x3437

ifdFriendlyName
   MAGIC_FRIENDLYNAME
TO
ifdFriendlyName
   gemalto pc twin usb smart card reader

3e:
following the thinstation documentation, edit the Thinstation-2.2.2d/build.conf file to match your environment.
build the thinstation images:
cd Thinstation-2.2.2d

./build

3f:
if it was a success, copy the necessary boot images from Thinstation-2.2.2d/boot-images to your thinstation setup. for example, i boot thinstation via a custom pxe setup, so i copy Thinstation-2.2.2d/boot-images/pxe/initrd and Thinstation-2.2.2d/boot-images/pxe/vmlinuz to my tftpdroot directory.

3g:
configure your thinstation.conf.network file with the following (see thinstation documentation for more info):
USB_ENABLED=ON

PCSCD_USBFIX=ON
PCSCD_CARDREADER_TYPE="USB"
SESSION_0_RDESKTOP_OPTIONS="[WHATEVER RDESKTOP FLAGS YOU NEED] -r scard:'gemalto pc twin usb smart card reader 00 00'='USB Smart Card Reader 0;Gemalto'" 
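
The reader name in the `-r scard:` option above is the ifdFriendlyName set in 3d followed by ` 00 00`, so the two files have to be kept in step. As an added example (not Thinstation's own tooling), this script checks that Info.plist has no template placeholders left, that both IDs have the form 0xNNNN, and that the scard name matches the friendly name. The function names are hypothetical; the ` 00 00` suffix and the key/string layout of the plist are assumptions based on the values on this page and the usual ccid Info.plist format.

```shell
# Added example, not from the original guide. Function names are hypothetical;
# the " 00 00" suffix is an assumption taken from the values on this page.

# Print the first <string> value that follows <key>$2</key> in plist $1.
plist_value() {
    awk -v key="$2" '
        index($0, "<key>" key "</key>") { found = 1 }
        found && match($0, /<string>[^<]*<\/string>/) {
            print substr($0, RSTART + 8, RLENGTH - 17); exit
        }
    ' "$1"
}

# Print the local reader name from  -r scard:'NAME'='ALIAS'  in conf file $1.
scard_name() {
    sed -n "s/.*-r scard:'\([^']*\)'=.*/\1/p" "$1" | head -n 1
}

# Return 0 only if the plist ($1) and thinstation.conf.network ($2) agree.
check_reader_config() {
    plist=$1 conf=$2 rc=0
    if grep -q -E 'TARGET\.VERSION|MAGIC_(VENDOR|PRODUCT|FRIENDLYNAME)' "$plist"; then
        echo "Info.plist still contains template placeholders" >&2; rc=1
    fi
    for key in ifdVendorID ifdProductID; do
        v=$(plist_value "$plist" "$key")
        case $v in
            0x[0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f][0-9A-Fa-f]) ;;
            *) echo "$key is '$v', expected 0xNNNN" >&2; rc=1 ;;
        esac
    done
    want="$(plist_value "$plist" ifdFriendlyName) 00 00"
    have=$(scard_name "$conf")
    if [ "$have" != "$want" ]; then
        echo "scard name '$have' does not match reader name '$want'" >&2; rc=1
    fi
    return $rc
}

# Usage (paths from this page):
#   P=Thinstation-2.2.2d/packages/ccidreader/usr/lib/pcsc/drivers
#   check_reader_config "$P/ifd-ccid.bundle/Contents/Info.plist" thinstation.conf.network
```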

3h:
make sure your reader is plugged in, then boot into thinstation. verify that the led on the reader is blinking. after rdesktop loads and you are at the terminal server logon screen, insert your card. you should see the led turn solid and the terminal server should prompt for the card pin.

other notes:

if you want an environment that supports multiple smart cards, you can download the ccid package also modified by [email protected] on the sourceforge thinstation development email list. it can be found here:
http://dl.dropbox.com/u/2334614/ccidreader.tar.bz2

if you are having problems, you can debug by booting into thinstation and pressing ctrl-alt-f2, which should bring you to a terminal prompt. from here you can verify the Info.plist file, debug pcscd, etc. a useful switch to pcscd is -f, which forces it to run in the foreground and send all output to stdout.

kill `pidof pcscd`
pcscd -f
