Easy Smart Card SSH Setup


If you manage systems with important data on them, you want to make sure you use the strongest form of authentication possible. Passwords are the worst form of authentication you can have: prone to theft and re-use, and hard to remember. SSH keys are much better, but the most secure option is a smart card, where the private key never leaves the card and so cannot be stolen even if your computer is compromised (an attacker would need control of your box while the card is plugged in, and could only use the key through the card, not copy it).

But it's not always clear how to get smart cards working. Most annoyingly, it can be very difficult to even find out where to buy smart cards, and if you're not careful with your vendors, you might end up with cards you can't use without spending thousands on management software or other hidden expenses.

The best vendor hands-down I have found so far is Aventra, which makes the MyEID card. In contrast with other vendors, it is very easy to order cards from their web store (https://services.aventra.fi/webshop/) inexpensively, and all the software you need to get the cards working you can get for free from their website or by using OpenSC. They sell the ACR38 reader, but you can also buy those or other readers elsewhere.

To set up the card (this can be performed on an offline box for maximum security):

  1. Generate keys and get a cert somehow. You should be able to get one with the New-SelfSignedCertificate powershell command (untested). Or, if this isn't an offline box, you can go to https://www.scriptjunkie.us/getacert in Google Chrome to get a test cert. (source)
  2. Then export that cert as a PFX (run MMC, add/remove snap in, select certificates, go to personal store, select the certificate, in properties hit the export button, include private keys)
  3. Delete the cert from the certificates snap-in

Next put the private key and cert onto a card from the same system. I wasn't having luck putting keys onto the card from OpenSC, but their MyClient software worked fine.

  1. Download and install the MyClient software on a Windows system or Windows VM with the card reader USB device attached.
  2. Then open regedit and change HKEY_LOCAL_MACHINE\Software\Fujitsu\DigiSign Client and set userLevel to 1 instead of the default 0 to allow you to edit cards
  3. Plug your card & reader in, right click in your tray icon and click Display Token. Then go to the Card Management tab, fill in PIN's and PIN Unlock Codes, and make sure you write down and/or remember them. Hit Initialize Card to set it up.
  4. Then rename your .pfx to a .p12 file, open it in the same view, put in your password, and click Load file to the card.
  5. Delete the .p12 file

You now have certificates on your smart card that you can use to log into websites with Google Chrome or Internet Explorer, such as the example scriptjunkie.us site.

Last, set up SSH with your key from an online Linux system (or a VM with the card reader USB attached):

  1. Install the OpenSC software:
     sudo apt-get install opensc

  2. List the certificates on the card and note the ID of the one you loaded:
     pkcs15-tool -c

  3. Read the SSH public key for that ID (0 here; use the ID shown in the previous step):
     pkcs15-tool --read-ssh-key 0

  4. Copy the SSH public key to the remote system's /home/username/.ssh/authorized_keys file.

  5. Log in with:
     ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so user@remotesystem
     It will prompt you for your PIN, at which point you will be logged in via smart card SSH.
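The steps above are typed by hand; the following shell script is an added example (not the post's own code) that wraps the same OpenSC commands. It assumes that `pkcs15-tool -c` prints one "ID : <hex>" line per X.509 certificate object and that `pkcs15-tool --read-ssh-key <id>` emits a one-line OpenSSH public key; the card listing embedded below is constructed, so the parser can be exercised without a card or reader attached. It also shows the two checks worth doing on the remote side: rejecting a malformed key line, and appending to authorized_keys only once with the permissions sshd's StrictModes expects.

```shell
#!/bin/sh
# Added helper script for the OpenSC steps above (not the post's own code).
# Assumptions: `pkcs15-tool -c` prints one "ID : <hex>" line per X.509
# certificate object, and `pkcs15-tool --read-ssh-key <id>` prints a one-line
# OpenSSH public key ("ssh-rsa AAAA..."). SAMPLE_LISTING below is constructed.

# Print the ID of every X.509 certificate in a `pkcs15-tool -c` listing read on stdin.
extract_cert_ids() {
    awk '
        /^X\.509 Certificate/  { in_cert = 1; next }   # start of a certificate object
        /^[^ \t]/              { in_cert = 0 }         # any other top-level line ends it
        in_cert && $1 == "ID"  { print $3 }            # "ID : 45" -> 45
    '
}

# Accept only a well-formed OpenSSH public key line: type, base64 blob, optional comment.
valid_pubkey_line() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( .*)?$'
}

# Add a public key to an authorized_keys file exactly once, with the permissions
# sshd's StrictModes requires (700 on the directory, 600 on the file).
# Exit status: 0 added, 2 already present, 1 rejected as malformed.
add_authorized_key() {
    key=$1
    file=$2
    valid_pubkey_line "$key" || return 1
    dir=$(dirname "$file")
    mkdir -p "$dir" && chmod 700 "$dir"
    touch "$file" && chmod 600 "$file"
    # Compare type and key material only, so a changed comment is not a "new" key.
    keyid=$(printf '%s\n' "$key" | cut -d' ' -f1,2)
    if grep -Fq -- "$keyid" "$file"; then
        return 2
    fi
    printf '%s\n' "$key" >> "$file"
}

# Real flow, run by hand on the box with the reader attached: read every
# certificate's SSH key off the card and stage it in the given authorized_keys file.
stage_card_keys() {
    pkcs15-tool -c | extract_cert_ids | while read -r id; do
        add_authorized_key "$(pkcs15-tool --read-ssh-key "$id")" "$1" || echo "skipped ID $id" >&2
    done
}

# Constructed listing in the shape of `pkcs15-tool -c` output (not captured from a real card).
SAMPLE_LISTING='Using reader with a card: ACS ACR38U 00 00
X.509 Certificate [Certificate]
        Object Flags   : [0x00]
        Authority      : no
        Path           : 3f0050154300
        ID             : 45
        Encoded serial : 02 01 01'

# With OpenSC installed, list the real card; otherwise show the parser on the sample.
if command -v pkcs15-tool >/dev/null 2>&1; then
    pkcs15-tool -c | extract_cert_ids
else
    printf '%s\n' "$SAMPLE_LISTING" | extract_cert_ids   # prints 45
fi
```

On the remote host, `add_authorized_key "$(cat card.pub)" ~/.ssh/authorized_keys` replaces the manual copy in step 4; running it twice is harmless, and a line that is not a public key is refused rather than written into the file.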


  1. #1 by matze on November 25, 2014 - 7:56 pm

    i need to run SSH on Opensuse – what do i need to do?

    i have to enable SSH on OpenSuSE 13.1

    according to this hints i need to do following: http://wiki.aoxoa.com/Enabling_SSH_on_OpenSuSE_13.1

    martin@linux-70ce:~> netstat -an | grep :22
    udp 0 0 fe80::221:63ff:fed1:123 :::*
    martin@linux-70ce:~>

    furthermore i did the following steps:

    su -
    systemctl enable sshd.service

    martin@linux-70ce:~> kgpg -k
    martin@linux-70ce:~> netstat -an | grep :22
    udp 0 0 fe80::221:63ff:fed1:123 :::*
    martin@linux-70ce:~> su -
    Passwort:
    linux-70ce:~ #
    linux-70ce:~ # systemctl enable sshd.service
    ln -s '/usr/lib/systemd/system/sshd.service' '/etc/systemd/system/multi-user.target.wants/sshd.service'
    linux-70ce:~ # ^C
    linux-70ce:~ #

    well – as it seems i am ready – am i !?

    i need to port forward now – can i go for it..!?

    • #2 by scriptjunkie on November 26, 2014 - 10:23 pm

      This really isn’t about setting up SSH to begin with; I think you need to install and configure sshd since it appears your SSH daemon is not listening. I haven’t set up SSHD on OpenSuSE in a few years, but https://en.opensuse.org/SDB:Configure_openSSH says they have a good yast2-sshd module.
