OpenSSH and OpenSC

OpenSSH contains support for OpenSC if it was compiled with "--with-opensc". Unfortunately the OpenSSH version included in most distributions is not compiled this way. You can recompile OpenSSH yourself. Ready-to-use binary packages are available here:

Distribution | Download URL
Name | ADD URL
Gentoo | The USE-flag "smartcard" makes the openssh ebuild depend on opensc and apply appropriate patches. Add the USE-flag system-wide to /etc/make.conf or just for OpenSSH in /etc/portage/package.use and re-emerge openssh. USE=smartcard emerge openssh will still work but is discouraged by Gentoo.

If you compile OpenSSH yourself, please apply the patch in opensc-0.9.6/src/openssh/ask-for-pin.diff. This patch fixes a small issue: the OpenSSH "ssh" command will not ask for a PIN and thus does not work well with smart cards. ssh-add does ask for a PIN, so ssh together with ssh-agent works fine. The patch adds code so that ssh will ask for the smart card PIN, too. It has not been accepted upstream so far; the OpenSSH development team has a concept for a rewrite towards a cleaner solution, but this is still pending. So for now the patch is our best option. See also: OpenSSH bug 608

Using OpenSSH with a smartcard

ssh -I 0 root@somehost

will use the smart card in reader 0 and private key 0x45 to authenticate as root on host somehost. This will of course only work if root@somehost has a ".ssh/authorized_keys" file and the public key corresponding to this private key is in that file.

ssh-keygen -D 0 

will download the public key from your smart card and print it in ssh1 and ssh2 format. You only need one of those two lines. Put it into ".ssh/authorized_keys" on the target host and account, like you do with a normal .ssh/id_rsa.pub file. You can add a space character and a comment at the end of the line; I usually add something like " aj@smartcard" so I know this is the key from my smartcard.

Starting with the next OpenSC release you can also use pkcs15-tool to display a public key in OpenSSH format. To do this, type

pkcs15-tool --read-ssh-key [--reader 0] [--id 45]

The default reader is 0 and the default id is 45, so typically you don't need those options. (This might be useful on Windows, since PuTTY/Pageant currently has no equivalent of "ssh-keygen -D 0".)

The OpenSSH public key format is defined at [http://www.ietf.org/internet-drafts/draft-ietf-secsh-publickeyfile-08.txt]

TODO: it would probably be nicer to have one --read-public-key parameter, and a second optional parameter --format with possible values der, pem, ssh1, ssh2. A patch to implement this would be very welcome.
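As an added example (not code from the OpenSC or OpenSSH projects), the following Python builds and parses the one-line "ssh-rsa ..." form that ssh-keygen -D prints for ssh2, using the SSH string/mpint encoding of the key blob, and re-emits it in the ssh1 "bits e n" line form; TOY_E and TOY_N are constructed placeholder values, not a real key.

```python
import base64
# Constructed toy RSA values for illustration only (far too small to be a real key).
TOY_E = 65537
TOY_N = 0xE1A7_5C03_9B44_2D71_8F0C_6A9E_5D21_B3F7

def _string(data: bytes) -> bytes:
    return len(data).to_bytes(4, "big") + data  # SSH 'string': uint32 length + bytes

def _mpint(value: int) -> bytes:
    """SSH 'mpint': big-endian two's complement, so a leading 0x00 is added when the
    top bit is set; zero is encoded as the empty string."""
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big") if value else b""
    if raw and raw[0] & 0x80:
        raw = b"\x00" + raw
    return _string(raw)

def rsa_to_ssh2(e: int, n: int, comment: str = "") -> str:
    """Build the one-line 'ssh-rsa <base64 blob> [comment]' authorized_keys form."""
    blob = _string(b"ssh-rsa") + _mpint(e) + _mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def _read_field(blob: bytes, off: int):
    """Read one length-prefixed field; reject a length that runs past the blob."""
    length = int.from_bytes(blob[off:off + 4], "big")
    end = off + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[off + 4:end], end

def parse_ssh2(line: str):
    """Parse an ssh-rsa line back into (e, n, comment), checking the blob's structure."""
    parts = line.split(None, 2)
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa public key line")
    blob = base64.b64decode(parts[1], validate=True)
    key_type, off = _read_field(blob, 0)
    e_bytes, off = _read_field(blob, off)
    n_bytes, off = _read_field(blob, off)
    if key_type != b"ssh-rsa" or off != len(blob):
        raise ValueError("blob does not hold exactly one ssh-rsa key")
    comment = parts[2] if len(parts) == 3 else ""
    return int.from_bytes(e_bytes, "big"), int.from_bytes(n_bytes, "big"), comment

def ssh2_to_ssh1(line: str) -> str:
    """Re-emit the key in the SSH protocol 1 form: '<bits> <e> <n> [comment]'."""
    e, n, comment = parse_ssh2(line)
    return f"{n.bit_length()} {e} {n}" + (" " + comment if comment else "")
```

Parsing an authorized_keys line back into (e, n) is also a quick way to confirm that the entry on the target host really is the key from your card.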