How to set up SSH and OpenSC

A quick run through of how to use your PKI card (a PKCS#15 smartcard handled by OpenSC) to authenticate to remote machines over SSH, giving you passwordless access with the private key never leaving the card.

Currently neither Debian's nor Ubuntu's SSH client comes with OpenSC support compiled in. I'm hoping this will be rectified in a release shortly; in the meantime you will need to add deb-src lines to your /etc/apt/sources.list and rebuild the client package yourself with the OpenSC development headers present.

For example:

deb-src http://au.archive.ubuntu.com/ubuntu breezy main restricted universe
deb-src http://au.archive.ubuntu.com/ubuntu breezy-updates main restricted universe
deb-src http://security.ubuntu.com/ubuntu breezy-security main restricted universe

Next, change to the directory where the source will be unpacked:

cd /usr/src

Then update the package lists, install the OpenSC headers (which the Debian build uses to enable smartcard support) and fetch the client source:

apt-get update
apt-get install libopensc1-dev sharutils
apt-get source openssh-client

Now you can start building the new packages, from inside the openssh-* source directory that apt-get source unpacked. You will more than likely be missing some build-dependency packages; install them (apt-get build-dep openssh-client pulls them in at once) and restart the build afterwards.

./debian/rules binary-arch

Once you have successfully built the packages, you can install them.

dpkg -i ../ssh-askpass-gnome*.deb ../openssh-client*.deb

There is no persistent configuration for the card, so each login session you need to start ssh-agent and then tell it about your card. In the example below, 0 is the card reader index and 45 is the ID of the private key object on the card; run pkcs15-tool -k | grep ID to find the key ID if you are unsure. By default 0:45 should be fine. (These reader:id arguments belong to the OpenSC-patched OpenSSH built above; later OpenSSH releases replaced this with PKCS#11 support, where -s, -D and -I take the path of a provider library such as opensc-pkcs11.so instead.)

eval `ssh-agent`
ssh-add -s0:45

You will need to export the public key from the card so you can load it onto the remote servers.

ssh-keygen -D 0:45

You should end up with something like the following: one line in the protocol 2 format and one in the protocol 1 format (bits, exponent, modulus) for the same RSA key.

ssh-rsa AAABBBNUHqliylKxKsmwWyJxu6HjIAah3MmtTu0HyAf+vCNCW0u13itLg4E58viqROq8Vh/XzGAF2lB5Q==
1024 65537 11560447490493365780302623827316452093555581678043295974453571605676666647036389

On the host you want to connect to without a password, append those lines to the authorized_keys file of the account you want to log in as, such as ~root/.ssh/authorized_keys. Make sure you copy exactly those two lines and that no line wrapping occurs when you paste them, or this won't work.

Finally you can connect to the remote host; it should simply log you in without prompting for the account password.

ssh -I0:45 myhost.myisp.com
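The wiki's warning that the pasted lines must not wrap is easy to get wrong when copying through a terminal, and sshd silently ignores a mangled line. The following is an added example, not code from the original page: a small POSIX sh checker that parses every line of an authorized_keys file the way sshd does (key type, base64 blob whose decoded form must start with the length-prefixed type string, or the three-number protocol 1 form shown above) and flags wrapped or truncated lines. It also checks the file modes that sshd's default StrictModes setting insists on. The sample files it builds are constructed here; the base64 blob is a toy 16-bit "key" with the correct ssh-rsa structure, not a real key, and the "card0:45" comment is an assumed label. It assumes coreutils base64 and od and GNU stat -c, and handles plain key lines only (no options= prefix).

```shell
#!/bin/sh
# Added example (not from the original page): sanity-check authorized_keys
# before relying on it for card-based login.
set -f   # no pathname expansion: key lines are split with `set --`

# Hex dump of stdin as one lowercase string with no separators.
hexdump_stdin() { od -An -tx1 | tr -d ' \n'; }

# Return 0 if $1 is one well-formed authorized_keys entry:
#   "<type> <base64> [comment]"  with the blob really starting with <type>, or
#   "<bits> <exponent> <modulus>" in the protocol 1 form printed by ssh-keygen -D.
check_key_line() {
    line=$1
    set -- $line
    type=$1; b64=$2
    case "$type" in
        ssh-rsa|ssh-dss|ssh-ed25519|ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521) ;;
        [0-9]*)
            # protocol 1: all three fields must be present and numeric
            case "$1$2$3" in *[!0-9]*) return 1 ;; esac
            [ -n "$3" ] && return 0 || return 1 ;;
        *) return 1 ;;   # typically the tail of a wrapped line
    esac
    [ -n "$b64" ] || return 1
    # The blob is uint32 length + type string + ...; compare its hex prefix.
    want=$(printf '%08x' "${#type}")$(printf '%s' "$type" | hexdump_stdin)
    got=$(printf '%s' "$b64" | base64 -d 2>/dev/null | hexdump_stdin)
    case "$got" in "$want"*) return 0 ;; *) return 1 ;; esac
}

# Return 0 if every non-blank, non-comment line of file $1 parses;
# report each offender with its line number on stderr.
check_authorized_keys() {
    rc=0; n=0
    while IFS= read -r entry || [ -n "$entry" ]; do
        n=$((n + 1))
        case "$entry" in ''|'#'*) continue ;; esac
        check_key_line "$entry" || { echo "$1:$n: malformed key line (wrapped?)" >&2; rc=1; }
    done < "$1"
    return $rc
}

# sshd (StrictModes yes, the default) refuses the keys if the .ssh directory
# $1 or its authorized_keys is writable by group or others. Return 0 if clean.
check_perms() {
    for p in "$1" "$1/authorized_keys"; do
        mode=$(stat -c '%a' "$p" 2>/dev/null) || return 1
        case "$mode" in
            *[2367]?|*[2367]) echo "$p: mode $mode is group/world writable" >&2; return 1 ;;
        esac
    done
    return 0
}

# --- constructed demo input: toy ssh-rsa blob (exponent 65537, 16-bit modulus) ---
TOY_RSA='AAAAB3NzaC1yc2EAAAADAQABAAAAAgD/'
SSHDIR=$(mktemp -d)
GOOD_FILE="$SSHDIR/authorized_keys"
BAD_FILE="$SSHDIR/authorized_keys.wrapped"
printf '%s\n' "ssh-rsa $TOY_RSA card0:45" \
    "1024 65537 11560447490493365780302623827316452093555581678043295974453571605676666647036389" > "$GOOD_FILE"
# Same key pasted with a line wrap in the middle of the base64 blob.
printf '%s\n' "ssh-rsa AAAAB3NzaC1yc2EAAAAD" "AQABAAAAAgD/ card0:45" > "$BAD_FILE"
chmod 700 "$SSHDIR"; chmod 600 "$GOOD_FILE" "$BAD_FILE"

check_authorized_keys "$GOOD_FILE" && echo "$GOOD_FILE: ok"
check_authorized_keys "$BAD_FILE" || echo "$BAD_FILE: rejected"
check_perms "$SSHDIR" && echo "$SSHDIR: modes ok"
```

Run it against the real file with check_authorized_keys ~/.ssh/authorized_keys after pasting the two lines; a wrapped paste shows up as a second line whose first field is base64 rather than a key type, which is exactly what the checker reports.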

CategoryCryptoHardware

SSHOpenSC (last edited 2015-12-15 06:55:41 by AlesKastner)