OpenSSH is often configured to use an RSA keypair to authenticate users. The general process is to generate the public and private keypair, install the private key in the user’s client environment, and install the public key on the user’s server environment. The eToken can be used to contain the private key instead of storing it with the OpenSSH client.
Support for smartcards in the OpenSSH client is via the PKCS#11 standard interface. This interface is implemented via a library included with the eToken client.
These instructions describe how to configure a UTORauth-issued eToken and certificate with the OpenSSH client on a Linux environment to authenticate to an ssh server. Note that a UTORauth-issued eToken and certificate are not sufficient for OpenSSH logins. This is because the OpenSSH client requires access to a public key object on the eToken which is not explicitly installed at the time of installation of the UTORauth certificate. A tool has been built to modify the eToken contents to add the public key to the existing private key and certificate objects.
- Openssh client should be a newer version and PKCS#11 support must be compiled in. This is usually the case for current Linux distributions. For MacOSX, download and compile a current version of the OpenSSH client (5.9p1 will work).
- Possession of eToken with UTORauth-issued certificate and a current version of the SafeNet client installed on all OpenSSH client hosts.
One-Time eToken Configuration
- On a Linux or MacOSX host configured as above, install OpenSC package.
- Download the perl script from here. Please read the script file for other perl module requirements if the script fails.
- Insert eToken and run the perl script available below. Follow the interactive instruction. At completion, the script will output the public key to be included in the .ssh/authorized_keys file on the ssh server.
MD5 checksum: cb7df829409ec8436db7fc2b7cfa375f
ssh -I /usr/lib/libeToken.so remote_host
To deploy this for many users, it is very desirable to configure the server side of OpenSSH to look up the public keys for the users in a store rather than a local file as described here: http://jpmens.net/2006/03/02/ssh-public-keys-from-ldap. This has been tested but a production service synchronized with the eToken management service is not currently available.