How to setup SSH and OpenSC
Quick run through of how to use your PKI card to authenticate against remote machines for passwordless access.
Currently neither Debian's nor Ubuntu's SSH client comes with OpenSC compiled in; I'm hoping this will be rectified in a version shortly, so in the meantime you will need to add deb-src lines to your /etc/apt/sources.list.
deb-src http://au.archive.ubuntu.com/ubuntu breezy main restricted universe
deb-src http://au.archive.ubuntu.com/ubuntu breezy-updates main restricted universe
deb-src http://security.ubuntu.com/ubuntu breezy-security main restricted universe
apt-get update
apt-get install libopensc1-dev sharutils
apt-get source openssh-client
- You will have to change into the openssh-x directory (x will be the version of that package)
- Edit debian/rules, search for ../configure and add "--with-opensc" to the end of both lines
- Edit debian/changelog and change the version on the top line so that your next upgrade won't wipe out your package, e.g. 1ubuntu1 to 1ubuntu2.
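The two edits above have to be redone every time apt-get source fetches a fresh tree, so they are worth scripting. The following is an added example, not part of the original page or of the OpenSSH packaging: it assumes POSIX sed and awk and the Debian layout (debian/rules, debian/changelog) inside the unpacked openssh-<version> directory; the script name, the .new temporary file names and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the original page): scripts the two edits to
# debian/rules and debian/changelog so they can be re-applied after every
# "apt-get source". Assumes POSIX sed and awk and the usual Debian layout.

# Append --with-opensc to every ../configure line in debian/rules that does
# not already carry it. A line ending in "\" is a continued shell command in
# make, so the flag is inserted before the backslash. Safe to run twice.
add_opensc_to_rules() {
    rules="$1"
    sed -e '/\.\.\/configure/!b' \
        -e '/--with-opensc/b' \
        -e 's/[[:space:]]*\\$/ --with-opensc \\/' \
        -e 't' \
        -e 's/$/ --with-opensc/' "$rules" > "$rules.new" \
        && mv "$rules.new" "$rules" || return 1
    # Verify: no ../configure line without the flag may remain.
    if grep '\.\./configure' "$rules" | grep -qv -- '--with-opensc'; then
        echo "debian/rules: some ../configure line still lacks --with-opensc" >&2
        return 1
    fi
    return 0
}

# Bump the Ubuntu revision on the first changelog line by one
# (e.g. 1ubuntu1 -> 1ubuntu2 as in the step above) so the locally built
# package is not wiped out by the next upgrade. Fails if line 1 has no
# "ubuntuN" revision, rather than guessing.
bump_changelog_version() {
    changelog="$1"
    awk 'NR == 1 && match($0, /ubuntu[0-9]+\)/) {
             pre  = substr($0, 1, RSTART + 5)            # through "ubuntu"
             num  = substr($0, RSTART + 6, RLENGTH - 7)  # revision digits
             rest = substr($0, RSTART + RLENGTH - 1)     # ")" and the remainder
             $0 = sprintf("%s%d%s", pre, num + 1, rest)
             ok = 1
         }
         { print }
         END { exit ok ? 0 : 1 }' "$changelog" > "$changelog.new" \
        || { rm -f "$changelog.new"
             echo "debian/changelog: no ubuntuN revision on line 1" >&2
             return 1; }
    mv "$changelog.new" "$changelog"
}

# Print the version string from the first changelog line, e.g. 1:4.1p1-7ubuntu5.
changelog_version() {
    sed -n '1s/^[^(]*(\([^)]*\)).*/\1/p' "$1"
}

# Usage: sh opensc-patch.sh openssh-<version>   (the directory apt-get source left)
if [ $# -ge 1 ]; then
    cd "$1" || exit 1
    add_opensc_to_rules debian/rules && bump_changelog_version debian/changelog \
        && echo "debian/changelog now carries version $(changelog_version debian/changelog)"
fi
```

Run it from the parent of the unpacked directory. Both functions return non-zero when they could not do what the step asks, so a build that follows them in a `&&` chain stops before wasting time compiling. One note of my own: a bumped revision such as 1ubuntu2 wins over what is installed, but an archive upload that later uses exactly that number would replace your build again; Debian's version ordering places a suffix like 1ubuntu1+opensc1 between 1ubuntu1 and 1ubuntu2, so such a suffix avoids that collision if you care.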
Now you can start building your new packages, although you will more than likely have missing dev packages and will need to install them and restart the package build afterwards.
Once you have successfully built the packages, you can install them.
dpkg -i ../ssh-askpass-gnome*.deb ../openssh-client*.deb
Due to brain dead programming you need to run ssh-agent and then tell it about your card each time. In the example below, 0 is the card reader and 45 is the file ID on the card; run pkcs15-tool -k | grep ID to find out the file ID if you are unsure. By default 0:45 should be fine.
eval `ssh-agent`
ssh-add -s0:45
You will need to export your public ssh key, so you can load it onto remote servers.
ssh-keygen -D 0:45
You should end up with something like the following.
ssh-rsa AAABBBNUHqliylKxKsmwWyJxu6HjIAah3MmtTu0HyAf+vCNCW0u13itLg4E58viqROq8Vh/XzGAF2lB5Q==
1024 65537 11560447490493365780302623827316452093555581678043295974453571605676666647036389
On the host you want to connect to without a password, copy the above lines into the user account you want to connect as, such as ~root/.ssh/authorized_keys. Make sure you only have the 2 lines and that no wrapping has occurred, or this won't work.
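A wrapped line is the one failure this step names, and a long modulus split across two lines is easy to miss by eye. The following is an added check, not part of the original page: it parses authorized_keys line by line and confirms that the exported lines are present whole. It assumes the two line formats ssh-keygen -D prints above (ssh-rsa followed by a base64 blob, and bits/exponent/modulus); the script name, the file names and the function names are mine, and a line with a leading options field (from="..." and the like) would be reported as suspect even when valid.

```shell
#!/bin/sh
# Added example (not from the original page): checks that the key lines pasted
# into authorized_keys survived the copy intact. Assumes the two formats that
# ssh-keygen -D printed above: "ssh-rsa <base64> [comment]" and the SSH1-style
# "<bits> <exponent> <modulus>". Lines starting with an options field are not
# understood by this check and are reported as suspect.

# Return 0 if every non-blank, non-comment line of $1 parses as one key;
# otherwise print the offending line numbers and return 1.
check_authorized_keys() {
    awk '
        /^[ \t]*$/ || /^#/ { next }
        # OpenSSH format: the base64 blob holds only base64 characters and its
        # length is a multiple of 4; a wrapped blob fails one of the two, and
        # its continuation line fails the key-type test below.
        $1 == "ssh-rsa" || $1 == "ssh-dss" {
            if ($2 ~ /^[A-Za-z0-9+\/]+=*$/ && length($2) % 4 == 0) next
        }
        # SSH1 format: three decimal fields. A wrapped modulus leaves a
        # digits-only continuation line with no second and third field.
        $1 ~ /^[0-9]+$/ && $2 ~ /^[0-9]+$/ && $3 ~ /^[0-9]+$/ { next }
        { printf "line %d looks wrapped or malformed: %.30s...\n", NR, $0; bad++ }
        END { exit bad ? 1 : 0 }
    ' "$1"
}

# Return 0 if every non-blank line of the exported key file $2 appears
# verbatim (whole line, no wrapping, no trailing junk) in authorized_keys $1.
key_installed() {
    status=0
    while IFS= read -r line || [ -n "$line" ]; do
        [ -n "$line" ] || continue
        if ! grep -Fxq -- "$line" "$1"; then
            echo "not found as a whole line in $1: ${line%% *} ..." >&2
            status=1
        fi
    done < "$2"
    return $status
}

# Usage: sh check-keys.sh ~/.ssh/authorized_keys [exported-card-key.pub]
if [ $# -ge 1 ]; then
    check_authorized_keys "$1" && echo "$1: every line parses as one key"
    if [ $# -ge 2 ]; then
        key_installed "$1" "$2" && echo "$2: all lines present in $1"
    fi
fi
```

Save the output of ssh-keygen -D 0:45 to a file on the client, copy it to the server, and run the script there against the account's authorized_keys; the second argument is optional and is the stronger of the two checks, since it proves the lines arrived byte for byte rather than merely looking like keys.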
Finally you can now connect to the remote host and it should simply connect without prompting you for a password.
ssh -I0:45 myhost.myisp.com