In Red Hat Enterprise Linux, we strive to support several popular smart-card types. However, because it is not possible to support every smart card available, this document specifies our targeted cards. In addition, it provides information on how to investigate a potential incompatibility between a card and RHEL.
At the lowest level, the operating system communicates with the smart card reader using the PC/SC protocol; this communication is performed by the pcsc-lite daemon (pcscd). The daemon forwards the commands it receives to the card reader, typically over USB, which is handled by the low-level CCID driver.
PC/SC low-level communication is rarely seen at the application level. The main way for applications in RHEL to access smart cards is through a higher-level API, the OASIS PKCS #11 API, which abstracts the card communication into commands that operate on cryptographic objects (private keys, certificates, etc.). Smart card vendors often provide a shared module (.so file) that implements the PKCS #11 API and serves as a driver for the card. Applications load that shared module and use it to communicate with the card directly. In the open source world, projects such as OpenSC wrap several smart card drivers into a single shared module. For example, the OpenSC module shipped in RHEL 8.0 supports Yubikey, Nitrokey, the US government PIV and CAC cards and many more in a single module. We highly recommend that smart card vendors provide support for their cards through the OpenSC libraries.
The PKCS #11 URI scheme (RFC 7512) is used to consistently identify smart cards, tokens and the objects on them across the system. These URIs are used by most of the tools in RHEL 8 and later and simplify the configuration of applications for smart cards. More information about the supported applications and uses of the URIs can be found in a separate blog post.
When working with applications that use smart cards, it is often useful to know the URIs of the tokens or of the objects stored in a token.
The identification URIs of the registered PKCS #11 modules can be seen with the following command (this uses p11tool from the gnutls-utils component).
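As an added example, not taken from the original article: the p11tool commands for listing tokens and their objects, together with small shell helpers that pull the URL lines out of p11tool's output and pick a single attribute out of a URI. The sample output embedded below is constructed (the serial number and the PIV token label are invented) so the helpers can be exercised without a card.

```shell
#!/bin/sh
# Added example, not part of the original Red Hat article.
# On a real system the live commands need gnutls-utils (p11tool) and at least
# one module registered in p11-kit; the sample output below is constructed.

# Pull the "URL:" lines out of p11tool output read on stdin, one URI per line.
extract_urls() {
    sed -n 's/^[[:space:]]*URL:[[:space:]]*//p'
}

# Return the value of one attribute (token, serial, id, object, module-path, ...)
# of a PKCS #11 URI. Path attributes are separated by ';' and the query part
# by '?', so both are split. Values come back percent-encoded, as in the URI.
uri_attr() {
    printf '%s\n' "${1#pkcs11:}" | tr ';?' '\n\n' | sed -n "s/^$2=//p"
}

# Tokens exposed by every registered module (OpenSC, the p11-kit trust module, ...).
list_token_uris() {
    p11tool --list-tokens | extract_urls
}

# Public objects (certificates, public keys) on one token. Add --login to
# also see the private keys; that prompts for the PIN.
list_token_objects() {
    p11tool --list-all "$1"
}

# Constructed sample of `p11tool --list-tokens` output: the trust module that
# is always present, plus one PIV card handled by OpenSC (invented serial).
# Real output indents the fields with a tab; extract_urls accepts either.
SAMPLE_TOKENS='Token 0:
    URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
    Label: System Trust
    Type: Trust module
    Module: p11-kit-trust.so

Token 1:
    URL: pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=0123456789abcdef;token=PIV_II
    Label: PIV_II
    Type: Hardware token
    Flags: RNG, Requires login
    Module: opensc-pkcs11.so
'

# Hardware token URIs from the sample, skipping the p11-kit trust module,
# which carries CA certificates only and never a private key.
sample_hardware_token_uris() {
    printf '%s\n' "$SAMPLE_TOKENS" | extract_urls | grep -v 'model=p11-kit-trust'
}

# Run with "live" to query the real system, otherwise show the sample result.
if [ "${1:-}" = "live" ]; then
    list_token_uris
else
    sample_hardware_token_uris
fi
```

The token URI returned by the sample is what an application such as ssh or Firefox is pointed at; a shorter form such as pkcs11:token=PIV_II is enough as long as it matches exactly one token, and `p11tool --list-all "$uri"` then shows the object URIs (pkcs11:...;object=...;type=cert) on it.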
RHEL 7 was originally shipped with the CoolKey smart card driver, which was deprecated and is no longer available in RHEL 8 and newer. The current driver, OpenSC, supports all cards that used to be supported by CoolKey. For more information, see the RHEL 7 Smart Cards article.
GNOME in RHEL 7 relied on pam_pkcs11 to provide access to smart cards through NSS. In RHEL 8 and newer, desktop login is managed by the System Security Services Daemon (SSSD). How to configure the system to allow smart card login for users in IdM is described in the RHEL 8 product documentation, in the section Configuring Identity Management.
OpenSSH in RHEL 8 and newer supports PKCS #11 URIs as part of the consistent PKCS #11 support in RHEL 8. In the past, configurations had to give the full path to the PKCS #11 shared object. This is no longer needed; a minimal example that uses private keys from a smart card with ssh only needs the pkcs11: URI scheme:
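An added example, not from the original article, of that minimal configuration: a ~/.ssh/config entry that takes the private key from the card through the pkcs11: URI (the host alias, host name and user are placeholders). The same thing on the command line is `ssh -i pkcs11: alice@bastion.example.com`, and `ssh-keygen -D pkcs11:` prints the public keys on the card in authorized_keys format so the matching entry can be installed on the server.

```sshconfig
# ~/.ssh/config  (added example; alias, host and user are placeholders)
Host bastion
    HostName bastion.example.com
    User alice
    # Use private keys from every token registered in p11-kit. A narrower
    # URI such as pkcs11:token=PIV_II or pkcs11:id=%01 selects one token or
    # one key; the path to opensc-pkcs11.so no longer has to be given.
    IdentityFile pkcs11:
```

Because the private key never leaves the card, ssh prompts for the card PIN at connect time instead of a passphrase; if several tokens are present, prefer the narrower URI so that the wrong token is not asked for its PIN.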
RHEL 8 and newer use a system-wide registry of PKCS #11 modules (p11-kit) to unify access to cryptographic hardware. By default, only the OpenSC PKCS #11 module is registered. If your smart card is not supported by OpenSC but you have a different PKCS #11 module, create a new file under /usr/share/p11-kit/modules/ with the following syntax:
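As an added example (not from the original article), a module file for a hypothetical vendor module; the file name, the library path and the vendor name are placeholders, and only the module: line is required.

```ini
# /usr/share/p11-kit/modules/vendor-pkcs11.module
# (added example: hypothetical file name and library path)
module: /usr/lib64/pkcs11/vendor-pkcs11.so
# Optional: modules with a higher priority are listed, and tried, first.
priority: 10
# Optional: only load this module in the named programs.
# enable-in: firefox, thunderbird
```

For comparison, the OpenSC module shipped by RHEL registers itself with a one-line file, `module: opensc-pkcs11.so` (a bare name is resolved relative to the system module directory, /usr/lib64/pkcs11). After adding the file, `p11-kit list-modules` should show the new module and `p11tool --list-tokens` the tokens it exposes; a module that fails to load is reported by the former, so check there first when a card does not appear.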
OpenSC implements support for most of the cards, but if you know that you will be using only one or two, the set of drivers can be configured at runtime in /etc/opensc-x86_64.conf on x86_64 (the file is named after the architecture, so look for /etc/opensc-*.conf). In the app default section, use the card_drivers option and set it to the drivers you are interested in. You can list all the supported drivers with opensc-tool --list-drivers. For example, to allow only the CAC and PIV drivers, use the following configuration:
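The configuration described above, as an added example that is not part of the original article; the driver names are the ones printed in the first column of `opensc-tool --list-drivers`, where the PIV driver is called PIV-II and the CAC driver cac.

```conf
# /etc/opensc-x86_64.conf  (added example)
app default {
    # Try only these drivers, in this order, instead of probing the card
    # against every driver OpenSC knows. Fewer probes means faster detection
    # and fewer surprises from a driver that accidentally matches the ATR.
    card_drivers = cac, PIV-II;
}
```

Run `opensc-tool --list-drivers` after editing to confirm the names are spelled the way this OpenSC build expects; a misspelled driver name is skipped and the card then appears unsupported.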
If card detection is still too slow after selecting only the PIV driver, you can enable file caching of the certificate data by adding the following snippet to the framework pkcs15 section in /etc/opensc-*.conf:
Note that the file_cache_dir needs to be accessible by the applications using the smart card: generally sssd's privileged process, or any other application using the PKCS #11 module (Firefox, OpenSSH, ...), depending on the use case. The directory must not be world-writable, so that malicious users cannot tamper with the cache.
This was successfully tested with PIV cards, but it should also improve performance for other card types.
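The caching snippet, as an added example that is not from the original article; /var/cache/opensc is a chosen location, not a default, and the directory has to exist with suitable ownership and permissions before OpenSC can use it.

```conf
# /etc/opensc-x86_64.conf  (added example)
app default {
    framework pkcs15 {
        # Keep a copy of the card's files (certificates, directory structure)
        # on disk so they are not re-read from the card on every detection.
        use_file_caching = true;
        file_cache_dir = "/var/cache/opensc";
    }
}
```

The cache is trusted as if it had been read from the card, which is why the directory's permissions matter: it should be writable only by the account whose process populates it.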
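An added example, not from the original article, of the check a practitioner wants before turning the cache on: create the directory named in file_cache_dir with safe permissions, and verify that an existing one is not world-writable. /var/cache/opensc is the example location; which account should own it depends on which process reads the cache (sssd for login, the desktop user for Firefox) and is a deployment decision.

```shell
#!/bin/sh
# Added example, not part of the original Red Hat article.
# Create the OpenSC file cache directory with safe permissions and check
# an existing one. /var/cache/opensc is an assumed location.

# Create the cache directory writable only by its owner, readable by others.
setup_cache_dir() {
    mkdir -p "$1" && chmod 0755 "$1"
}

# Return 0 if the directory exists and is not world-writable, 1 otherwise.
# A world-writable cache lets any local user plant a forged certificate or
# directory structure that OpenSC would then hand to sssd or ssh as if it
# had come from the card.
cache_dir_is_safe() {
    [ -d "$1" ] || return 1
    # find prints the directory itself only when "other" has the write bit set.
    [ -z "$(find "$1" -maxdepth 0 -perm -o=w)" ]
}

# Usage on a real system (needs root for /var/cache):
#   setup_cache_dir /var/cache/opensc
#   cache_dir_is_safe /var/cache/opensc || echo "fix permissions on /var/cache/opensc" >&2
```

The ownership check is deliberately left to the administrator: chown the directory to the account that runs the reading process, and keep 0755 so other users can read but not write.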
OpenSC supports pinpad readers, but some readers do not comply with the CCID specification, so this functionality is turned off by default. You can enable the pinpad on your reader by setting enable_pinpad = true in /etc/opensc-*.conf, in the reader_driver pcsc section under app default. If the pinpad needs a PIN of fixed length, it can be set with the fixed_pinlength option. The benefit of a pinpad is that the PIN is typed on the reader and never passes through the host, so malware on the host cannot capture it.
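The pinpad settings, as an added example that is not from the original article; the PIN length of 6 in the commented-out line is an assumed value for a reader that requires fixed-length PINs.

```conf
# /etc/opensc-x86_64.conf  (added example)
app default {
    reader_driver pcsc {
        # Let the reader's own keypad collect the PIN instead of the application.
        # Off by default because some readers advertise a pinpad they do not
        # implement correctly.
        enable_pinpad = true;
        # Only for readers whose firmware needs a fixed-length PIN
        # (6 is an assumed value, adjust to the card's PIN policy).
        # fixed_pinlength = 6;
    }
}
```

After enabling it, test with `pkcs15-tool --list-pins` (lists the PIN objects) followed by a login through the application in use; if the reader's pinpad does not comply with CCID, the verification fails or times out, and the option should be turned back off for that reader.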
While in theory the automatic loading for Thunderbird and Firefox is nice, in our case we don't use our YK smart cards with either of them, and yet TB and Firefox keep asking for the PIN/passphrase at certain times. How can I prevent this?
I bought a brandless, many-to-one card reader. It works well on XP, but I have an old Windows 98SE computer where the reader will not work. No driver came with the card reader.
Is there any place to find a generic Windows 98 driver for the card reader?
I don't use Win 98 myself, but if you use this Google search, you'll see that some people do claim to have generic Win98 Mass Storage Device drivers. If they work as claimed, they are what would be needed to support that card reader under Win98:
Fraudsters could use long-range RFID readers to extract data from contactless cards at a distance and use that card data to access the cardholders' accounts and steal money.
A fraudster with an NFC reader could read the contactless cards in someone's pocket or bag in crowded public spaces such as the subway, extracting enough sensitive data to make a counterfeit card or to make online purchases.
B): Remove the card from the PC. Uninstall the existing drivers using the "MOSCHIP_PCIUninst.exe" utility (located on the installation CD in the directory; if you do not have the CD, you can download the drivers from our support pages - FAQ). Restart the PC. Reinstall the drivers and turn off the PC. Re-insert the card. Once rebooted, the drivers should be properly installed.
B): If the problems persist, the automatic printer driver installation may have failed. Try removing the printer and restarting the PC. After the restart, install the printer drivers again, but cancel the automatic installation and add the printer manually in Control Panel / Printers, choosing the driver by hand from the list of printer drivers. When installing the printer manually, select the correct LPT port. If the problem is still not resolved, try moving the card to another PCI (PCIe) slot; the card may be in conflict with another device in your computer.
B): System resources, including the LPT port address of additional cards (not only AXAGON, but also those of other manufacturers), are allocated by the computer's BIOS at boot time. The address can be changed in MS-DOS using the driver for that system. On later OSs (Win98, 2000, XP, etc.) this address cannot be changed. Addresses 378h and 278h are firmly reserved for the so-called legacy LPT ports that are integrated into motherboard chipsets. If the HW key bypasses Windows' management of the port, it will not work. You can consult the manufacturer of the HW key about which address it is set up for and whether that address can be changed.