Using OpenSSH with smartcards Why use OpenSSH with smart ...

More documents

Recommendations

Info

Using OpenSSH with smartcards ModLength : 2048 Key ref : 0 (0x0) Native : yes Path : 3f0050152900 Auth ID : 01 ID : 7645d913d5b4e03f3fe5*****f02324c23a7ebf Now extract the RSA key in SSH format: $ pkcs15-tool --read-ssh-key 7645d913d5b4e03f3fe5*****f02324c23a7ebf4 Using reader with a card: OmniKey CardMan 4321 00 00 Please enter PIN [User PIN]: 2048 65537 258115708996235*****134757454178319 ssh-rsa AAAAB3NzaC*****ed0aZdx9FFu/w6l7P5KsndWgP Notice the RSA public key in SSH format: ssh-rsa AAAB3NzaC*****ed0aZdx9FFu/w6l7P5KsndWgP Installing public key on OpenSSH server In this section we will copy your public RSA key to the ~/.ssh/authorized_keys file on server. The .ssh notation denotes a hidden folder. This folder should be inside the home of the user connecting. Please notice that on the server, the .ssh folder may not exist. In which case you will need to create it. In our example, we check that the .ssh exist: $ ls -lh /home/fperou/.ssh authorized_keys If the .ssh folder does not exist, create it using the user account: $ mkdir ~/.ssh $ touch ~/.ssh/authorized_keys Copy the content of the public key (on smart card) to the ~/.ssh/authorized_keys file (on server). In our example: ssh-rsa AAAAB3NzaC1yc2EAAAADAQ********9FFu/w6l7P5KsndWgP Using ssh with smart cards In our example, we log using ssh client, user 'fperou' on remote server 'remotehost': GNU/Linux: $ ssh -I /usr/lib/opensc-pkcs11.so fperou@remotehost Enter PIN for 'FRANCOIS PEROU (User PIN)':**** Copyright GOOZE 2010-2011 http://www.gooze.eu 8 / 15
Using OpenSSH with smartcards francois@remotehost:~$ To ease connection, you may add this line to /etc/ssh/ssh_config: PKCS11Provider /usr/lib/opensc-pkcs11.so Mac OS X: $ ssh -I /Library/OpenSC/lib/opensc-pkcs11.so fperou@remotehost Enter PIN for 'FRANCOIS PEROU (User PIN)':**** francois@remotehost:~$ To ease connection, you may add this line to /etc/ssh_config file (Mac OS X 10.6 / 10.7) or /opt/local/etc/ssh/ssh_config (Mac Ports): PKCS11Provider /Library/OpenSC/lib/opensc-pkcs11.so Exit and run the same command using verbose output: ssh -v francois@remotehost OpenSSH_5.5p1, OpenSSL 0.9.8m 25 Feb 2010 debug1: Reading configuration data /usr/etc/ssh_config debug1: Connecting to ****.*****.com [88.160.168.33] port 22. debug1: Connection established. debug1: manufacturerID OpenSC (www.opensc-project.org [5] cryptokiVersion 2.20 libraryDescription libraryVersion 0.0 debug1: label manufacturerID \ model serial \ flags 0x40d debug1: have 1 keys debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3 debug1: match: OpenSSH_5.3p1 Debian-3 pat OpenSSH* debug1: Enabling compatibility mode for protocol 2.0 debug1: Local version string SSH-2.0-OpenSSH_5.4 debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug1: kex: server->client aes128-ctr hmac-md5 none debug1: kex: client->server aes128-ctr hmac-md5 none debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024
Page 1 and 2: Using OpenSSH with smartcards Publi
Page 3 and 4: Using OpenSSH with smartcards You s
Page 5 and 6: Using OpenSSH with smartcards Do no
Page 7: Using OpenSSH with smartcards This
Page 11 and 12: Using OpenSSH with smartcards Using
Page 13 and 14: Using OpenSSH with smartcards Altho
Page 15: Using OpenSSH with smartcards Enter

Using OpenSSH with smartcards Why use OpenSSH with smart ...

Create successful ePaper yourself

Delete template?

Save as template?