
Using the IsoApplet with OpenSSH

Philip Wendland edited this page Dec 16, 2018 · 2 revisions

This post describes how to use OpenSSH with your smartcard using the IsoApplet. As OpenSSH includes PKCS#11 support by default, using your smartcard/IsoApplet with it should be fairly easy.

Preparations

  • Please see the documentation in this wiki and follow the instructions describing how to set up your drivers and smartcard for use with the IsoApplet. Make sure to initialize the applet with a PIN and PUK.
  • Generate a 2048 bit RSA key that is to be used for signing:
    pkcs15-init --generate-key "rsa/2048" --key-usage "sign" --id "1" --auth-id "FF" --label "OpenSSH authentication key"
  • You should now be able to verify that the new key pair is present on the card by running pkcs15-tool --dump.
  • Extract your public SSH key from your smartcard:
    pkcs15-tool --read-ssh-key "1" --output "id_smartcard_1.pub"
  • Add the public SSH key to the authorized_keys file of the host you wish to be able to connect to.
  • Make sure you use OpenSSH version v5.4p1 or later on hosts you want to use the smartcard with. Native PKCS#11 support was introduced in this version.

Using OpenSSH

The simplest method is to pass the PKCS#11 provider explicitly each time:

ssh -I /usr/lib/opensc-pkcs11.so hostname

Note that the OpenSC module may also be located at /usr/local/lib/opensc-pkcs11.so, depending on the prefix you chose when installing OpenSC.
You can also set the default PKCS#11 provider in the SSH client configuration (~/.ssh/config or /etc/ssh/ssh_config), which lets you skip the -I option. Do this by adding the following line:

PKCS11Provider /usr/lib/opensc-pkcs11.so
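The three checks above (OpenSSH is at least 5.4, the OpenSC module path, and the PKCS11Provider line) can be scripted. The following POSIX sh helpers are an added example, not part of the IsoApplet wiki or OpenSC; the candidate module paths are the two named on this page, and the config file path is passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the IsoApplet wiki): locate the OpenSC PKCS#11 module,
# check an OpenSSH version banner, and add a PKCS11Provider line idempotently.

# Module locations named on this page; assumption: extend for other prefixes.
OPENSC_CANDIDATES="/usr/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so"

# Print the first candidate path that exists; return 1 if none is found.
find_opensc_module() {
    for p in $OPENSC_CANDIDATES; do
        if [ -f "$p" ]; then
            printf '%s\n' "$p"
            return 0
        fi
    done
    return 1
}

# Return 0 if an "ssh -V" banner (e.g. "OpenSSH_7.9p1, OpenSSL ...") is 5.4 or
# later, i.e. has native PKCS#11 support. Note that ssh -V prints to stderr, so
# call it as: openssh_supports_pkcs11 "$(ssh -V 2>&1)"
openssh_supports_pkcs11() {
    ver=$(printf '%s' "$1" | sed -n 's/^OpenSSH_\([0-9]*\)\.\([0-9]*\).*/\1 \2/p')
    [ -n "$ver" ] || return 1
    set -- $ver
    major=$1
    minor=$2
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }
}

# Append "PKCS11Provider <module>" to the ssh config file $1 unless that exact
# line is already present. A missing file is created with mode 0600, matching
# what ssh expects for files under ~/.ssh.
set_pkcs11_provider() {
    cfg=$1
    module=$2
    if [ ! -f "$cfg" ]; then
        ( umask 077; : > "$cfg" )
    fi
    if grep -q "^PKCS11Provider ${module}\$" "$cfg"; then
        return 0
    fi
    printf 'PKCS11Provider %s\n' "$module" >> "$cfg"
}
```

Typical use is `set_pkcs11_provider "$HOME/.ssh/config" "$(find_opensc_module)"` after confirming `openssh_supports_pkcs11 "$(ssh -V 2>&1)"` succeeds.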

Using ssh-agent

ssh-agent can use OpenSC as a smartcard provider; add the card to the agent by calling:

ssh-add -s /usr/lib/opensc-pkcs11.so

To remove your smartcard from the agent again, call:

ssh-add -e /usr/lib/opensc-pkcs11.so