<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>OpenSsh - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>OpenSSH and OpenSC</h1>
<p>
OpenSSH contains support for OpenSC if it was compiled with "--with-opensc".
Unfortunately, the OpenSSH version included in most distributions is not compiled
this way. You can recompile OpenSSH yourself. Ready-to-use binary packages are
available here:
</p>
<table class="wiki">
<tr><td rowspan="1" colspan="1"> Distribution </td><td rowspan="1" colspan="1"> Download URL
</td></tr><tr><td rowspan="1" colspan="1"> Name </td><td rowspan="1" colspan="1"> ADD URL
</td></tr><tr><td rowspan="1" colspan="1"> Gentoo </td><td rowspan="1" colspan="1"> The USE-flag "smartcard" makes the openssh ebuild depend on opensc and apply the appropriate patches. Add the USE-flag system-wide in /etc/make.conf, or just for OpenSSH in /etc/portage/package.use, and re-emerge openssh. <tt> USE=smartcard emerge openssh </tt> will still work but is discouraged by Gentoo.
</td></tr></table>
<p>
If you compile OpenSSH yourself, please apply the patch in opensc-0.9.6/src/openssh/ask-for-pin.diff.
This patch fixes a small issue: the OpenSSH "ssh" command will not ask for a PIN and thus does not work well
with smart cards. ssh-add will ask for a PIN, so ssh together with ssh-agent works well. This patch
adds code so that ssh asks for the smart card PIN, too. The patch has not been accepted upstream so
far; the OpenSSH development team has a concept for a rewrite towards a cleaner solution, but this
is still pending. So for now the patch is our best option.
See also: <a class="ext-link" title="http://bugzilla.mindrot.org/show_bug.cgi?id=608" href="http://bugzilla.mindrot.org/show_bug.cgi?id=608" shape="rect">OpenSSH bug 608</a>
</p>
<h2>Using OpenSSH with a smartcard</h2>
<pre class="wiki" xml:space="preserve">ssh -I 0 root@somehost
</pre><p>
will use the smart card in reader 0 and private key 0x45 to authenticate as root on host somehost.
This will of course only work if root@somehost has a ".ssh/authorized_keys" file and the public key
corresponding to this private key is in that file.
</p>
<pre class="wiki" xml:space="preserve">ssh-keygen -D 0
</pre><p>
will download the public key from your smart card and print it in ssh1 and ssh2 format. You only need
one of those two lines. Put it into ".ssh/authorized_keys" on the target host and account like you do
with a normal .ssh/id_rsa.pub file. You can add a space character and a comment at the end of the line;
I usually add something like " aj@smartcard" so I know this is the key from my smartcard.
</p>
<p>
Starting with the next OpenSC release you can also use pkcs15-tool to display a public key in OpenSSH
format. To do this, type
</p>
<pre class="wiki" xml:space="preserve">pkcs15-tool --read-ssh-key [--reader 0] [--id 45]
</pre><p>
The default reader is 0 and the default id is 45, so typically you don't need those options.
(This might be useful on Windows, since PuTTY/Pageant currently has no equivalent of "ssh-keygen -D 0".)
</p>
<p>
The OpenSSH public key format is defined at
[<a class="ext-link" title="http://www.ietf.org/internet-drafts/draft-ietf-secsh-publickeyfile-08.txt" href="http://www.ietf.org/internet-drafts/draft-ietf-secsh-publickeyfile-08.txt" shape="rect">http://www.ietf.org/internet-drafts/draft-ietf-secsh-publickeyfile-08.txt</a>]
</p>
<p>
TODO: it would probably be nicer to have one --read-public-key parameter and a second optional parameter
--format with possible values der, pem, ssh1, ssh2. A patch to implement this would be very welcome.
</p>
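<p>
The ssh1 and ssh2 lines that "ssh-keygen -D 0" prints, and the ssh1/ssh2 values of the --format option proposed above, are two encodings of the same RSA public key; the ssh2 line wraps the wire format referenced above (string "ssh-rsa", mpint e, mpint n) in base64. The Python script below is an added example, not code from this wiki page, from OpenSC or from OpenSSH: it builds an ssh2 authorized_keys line from (e, n), parses such a line back (rejecting non-RSA keys and truncated or trailing bytes), emits the equivalent ssh1 line, and computes the SHA256 fingerprint that "ssh-keygen -l" shows, so you can check that the line you paste into authorized_keys is really the card's key. DEMO_E and DEMO_N are constructed demo values, and all function names are this example's own.
</p>

```python
import base64
import hashlib
import struct
# Constructed demo key (not from a real card): e = 65537 and an arbitrary 256-bit odd modulus.
DEMO_E = 65537
DEMO_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0F

def encode_mpint(value: int) -> bytes:
    """SSH 'mpint' (RFC 4251): length-prefixed big-endian; an extra leading 0x00 keeps the top bit clear."""
    raw = value.to_bytes((value.bit_length() + 8) // 8, "big") if value else b""
    return struct.pack(">I", len(raw)) + raw

def rsa_blob(e: int, n: int) -> bytes:
    """Wire form of an ssh-rsa public key: string "ssh-rsa", mpint e, mpint n."""
    return struct.pack(">I", 7) + b"ssh-rsa" + encode_mpint(e) + encode_mpint(n)

def to_ssh2(e: int, n: int, comment: str = "") -> str:
    """ssh2 authorized_keys line, like the second line 'ssh-keygen -D' prints."""
    return ("ssh-rsa " + base64.b64encode(rsa_blob(e, n)).decode() + " " + comment).rstrip()

def to_ssh1(e: int, n: int, comment: str = "") -> str:
    """The same key in ssh1 format: '<bits> <e> <n> [comment]'."""
    return f"{n.bit_length()} {e} {n} {comment}".rstrip()

def _fields(blob: bytes):
    """Split a blob into its length-prefixed fields; reject truncated data."""
    pos, fields = 0, []
    while pos < len(blob):
        length = struct.unpack_from(">I", blob, pos)[0] if pos + 4 <= len(blob) else len(blob)
        if pos + 4 + length > len(blob):
            raise ValueError("truncated key blob")
        fields.append(blob[pos + 4:pos + 4 + length])
        pos += 4 + length
    return fields

def parse_ssh2(line: str):
    """Parse an ssh2 line back into (e, n, comment); rejects non-RSA keys and extra fields."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    fields = _fields(base64.b64decode(parts[1], validate=True))
    if len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    comment = parts[2] if len(parts) == 3 else ""
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big"), comment

def fingerprint(line: str) -> str:
    """SHA256 fingerprint as 'ssh-keygen -l' shows it: unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(base64.b64decode(line.split(None, 2)[1])).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
```

Compare the fingerprint of the line you are about to paste with the one computed from the card's own output before adding it to authorized_keys.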
</div>
</div></body></html>