OpenSSH and smart cards PKCS#11
OpenSSH can be used with client keys on a smart card. There are three different methods.
Portable OpenSSH v5.4p1 added direct support for PKCS#11 modules.
Basic usage looks like this:
$ ssh -I /usr/lib/opensc-pkcs11.so martin@remotehost
Enter PIN for 'MARTIN PALJAK (PIN1)':
martin@remotehost:~$
Listing public keys in the authorized_keys file format looks like this:
$ ssh-keygen -D /usr/lib/opensc-pkcs11.so -e
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQ...
Alon Bar-Lev has a patch against OpenSSH which implements both X509 and PKCS#11 support. The patch was not accepted to OpenSSH but is available from http://sites.google.com/site/alonbarlev/openssh-pkcs11.. The patch depends on pkcs11-helper (also by Alon Bar-Lev) and needs to be activated on compile time with “—with-pkcs11”
Basic usage looks like this:
$ ssh -# /usr/lib/opensc-pkcs11.so martin@remotehost
Please enter PIN for token 'MARTIN PALJAK (PIN1)':
martin@remotehost:~$
Portable OpenSSH versions up to version 5.4p1 used to link against libopensc directly. OpenSSH needs to be compiled with “—with-opensc” (not done by most Linux distros) and the implementation has issues. Recent snapshot versions of OpenSSH don’t include the relevant source code any more. Recent snapshot versions of OpenSC don’tencourage/support linking directly against libopensc as well.
Warning: Due to attempts to plant malicious links to our wiki, it is no longer open to anyone to edit. If you want to contribute to this, wiki, please open a pull request here: https://github.com/OpenSC/Wiki