Using OpenSSH with smartcards Why use OpenSSH with smart ...

More documents

Recommendations

Info

Using OpenSSH with smartcards debug1: pkcs11_provider_unref: 0x153fb90 refcount 2 debug1: Authentication succeeded (publickey). debug1: channel 0: new [client-session] debug1: Requesting no-more-sessions@openssh.com [6] debug1: Entering interactive session. Linux firewall 2.6.32-trunk-486 #1 Sun Jan 10 05:53:18 UTC 2010 i686 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. Last login: Thu Apr 1 16:57:20 2010 from xxxxxxxxxxxx Make sure that OpenSSH is asking for PIN and not using local keys in ~/.ssh on the client side. Using scp with smartcards scp allows to specify any OpenSSH syntax using -o switch. GNU/Linux: To use smart cards, add this switch to your scp command line: -o PKCS11Provider=/usr/lib/opensc-pkcs11.so Therefore a common file transfer using scp would be: $ scp -v -o PKCS11Provider=/usr/lib/opensc-pkcs11.so filename user@host:path To ease connection, you may add this line to /etc/ssh/ssh_config: PKCS11Provider /usr/lib/opensc-pkcs11.so Mac OS X: To use smart cards, add this switch to your scp command line: -o PKCS11Provider=/Library/OpenSC/lib/opensc-pkcs11.so Therefore a common file transfer using scp would be: $ scp -v -o PKCS11Provider=//Library/OpenSC/lib/opensc-pkcs11.so filename user@host:path To ease connection, you may add this line to /opt/local/etc/ssh/ssh_config: PKCS11Provider /Library/OpenSC/lib/opensc-pkcs11.so It is possible to enter several filenames or wildcards to avoid sending multiple commands: $ scp -v filename1 filename2 filename-other* user@host:path Copyright GOOZE 2010-2011 http://www.gooze.eu 10 / 15
Using OpenSSH with smartcards Using ssh authentication agent ssh-add with smartcards Using ssh-agent allows to use smartcards easily, as you just enter your PIN code once in a session. Adding keys from PKCS#11 provider If you are running OpenSSH in a shell environment, to load keys, type: GNU/Linux: $ ssh-add -s /usr/lib/opensc-pkcs11.so Enter passphrase for PKCS#11: Mac OS X: $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so Enter passphrase for PKCS#11: Enter PIN code to authenticate. Now verify that keys have been loaded: $ ssh-add -l 2048 75:9e:dd:32:aa:*************:fb:57:1f:ad:2e /usr/lib/opensc-pkcs11.so (RSA) 2048 41:16:d5:c0:37:*************:75:d6:f1:81:dc /usr/lib/opensc-pkcs11.so (RSA) You will be able to use SSH, SCP, SFTP without entering PIN code again. Now you may also comment this line, which becomes useless: # PKCS11Provider /usr/lib/opensc-pkcs11.so as ssh-agent will load RSA keys from smartcards. Removing keys provided by PKCS#11 provider Using the usual command does not work: $ ssh-add -D This will remove all identities, but the smartcard system will be left in a unusable state. Instead, you should run: GNU/Linux: $ ssh-add -e /usr/lib/opensc-pkcs11.so Mac OS X: $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so Copyright GOOZE 2010-2011 http://www.gooze.eu 11 / 15
Page 1 and 2: Using OpenSSH with smartcards Publi
Page 3 and 4: Using OpenSSH with smartcards You s
Page 5 and 6: Using OpenSSH with smartcards Do no
Page 7 and 8: Using OpenSSH with smartcards This
Page 9: Using OpenSSH with smartcards franc
Page 13 and 14: Using OpenSSH with smartcards Altho
Page 15: Using OpenSSH with smartcards Enter

Using OpenSSH with smartcards Why use OpenSSH with smart ...

Create successful ePaper yourself

Delete template?

Save as template?