
I would like to be able to SSH to my machine using a Gemalto .NET Smart Card as the authentication method. How could this be done on a Fedora 13 (or generic Red Hat style) machine?

These are the rough steps I think are needed:

  1. Provision certificate for the smart card (and possibly a CA to issue it?)
  2. Get the certificate onto the smart card
  3. Configure SSH server to allow smart card authentication and configure it to use a particular certificate/CA
  4. An SSH client that has smart card support (extra points for a free Windows based one)

4 Answers


Gemalto drivers are now open source I believe. They have the source code on their website.

You will need to configure the pam module (I'm not sure how to do this, but the code is certainly there). I imagine the pam configuration would require a mapping of a certificate principal to a local user id.

GDM I believe supports smart cards now, but I'm not sure how it detects it. I'll try to look this up later (easiest way is probably to just peek at the gdm source code).

Of course this all requires pcscd and libpcsclite to be installed. You will also need to copy the libgtop11dotnet.so to /usr/lib.

Source code to compile libgtop11dotnet.so: https://github.com/AbigailBuccaneer/libgtop11dotnet


I'd recommend Kerberos. MIT produces a krb5 client & server.

vwduder, could you recommend a smart card reader and a source of FIPS-201 compliant cards?

http://csrc.nist.gov/publications/fips/fips201-1/FIPS-201-1-chng1.pdf

I have a copy on my own server, but I am not popular enough on this stacktrace at this moment to share it with you. The above is only slightly less reliable than our own servers, so you will probably be able to get it from them ;)

[edit] I'm now popular enough!

http://www.colliertech.org/state/FIPS-201-1-chng1.pdf


When using RSA keys, 1) and 2) are trivial, because as we'll see in 3) the actual certificate is irrelevant in this context. Just head to cacert.org or generate a self-signed certificate and you are all set.

For 3) you'll need to extract your public key and install it in $HOME/.ssh/authorized_keys. Pay attention to file ownership and permissions! (700 for .ssh, 600 for authorized_keys). Host-wide public key authentication is discouraged but left as an exercise for inquisitive minds.

As for 4) you should look into PuTTY SC ( http://www.joebar.ch/puttysc/ ) or -preferably- PuTTY-CAC ( http://www.risacher.org/putty-cac/ ) which improves upon PuTTY SC with a better public key extraction algorithm and also includes the Kerberos-GSSAPI support from the development branch of PuTTY.
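Steps 2) and 3) above as a runnable script, added here as an example and not taken from this answer or from the OpenSSH project: it wraps key extraction from a PKCS#11 module (OpenSSH's `ssh-keygen -D`, which needs real card hardware and is therefore not exercised in the self-test), installs the resulting key line into `$HOME/.ssh/authorized_keys` with the 700/600 modes the answer insists on, refuses input that does not have the shape of an OpenSSH public-key line, and provides an audit function that reports whether the modes are still right. The module path and the key blob are placeholders, and the PuTTY-based clients mentioned above would supply the key text from their own dialog instead of `ssh-keygen -D`.

```shell
#!/bin/sh
# Added example (not from the original answers).
# Installs a public key extracted from a smart card into
# $HOME/.ssh/authorized_keys with owner-only permissions, idempotently.

# extract_card_pubkeys MODULE: print one "ssh-rsa AAAA..." line per key on the
# card, using OpenSSH's ssh-keygen -D. MODULE is a PKCS#11 provider path such
# as /usr/lib/libgtop11dotnet.so (placeholder; needs real hardware to run).
extract_card_pubkeys() {
    ssh-keygen -D "$1"
}

# looks_like_pubkey LINE: 0 if LINE has the shape of an OpenSSH public key
# (key type, base64 blob, optional comment), 1 otherwise.
looks_like_pubkey() {
    printf '%s\n' "$1" |
        grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( [^ ]*)?$'
}

# install_authorized_key KEYLINE [HOMEDIR]
# Creates .ssh (700) and authorized_keys (600) under HOMEDIR (default $HOME)
# and appends KEYLINE exactly once; re-running is harmless.
install_authorized_key() {
    key="$1"
    home="${2:-$HOME}"
    sshdir="$home/.ssh"
    akfile="$sshdir/authorized_keys"

    looks_like_pubkey "$key" || {
        echo "refusing: not an OpenSSH public key line" >&2
        return 1
    }

    # Subshell so the restrictive umask does not leak into the caller.
    ( umask 077; mkdir -p "$sshdir"; [ -f "$akfile" ] || : > "$akfile" )
    chmod 700 "$sshdir"      # also corrects a pre-existing, too-open directory
    chmod 600 "$akfile"      # same for a pre-existing authorized_keys

    if grep -Fqx "$key" "$akfile"; then
        echo "already present in $akfile" >&2
    else
        printf '%s\n' "$key" >> "$akfile"
    fi
}

# audit_ssh_dir [HOMEDIR]: 0 only if .ssh is exactly 700 and authorized_keys
# exactly 600 (sshd refuses keys in a directory other users could tamper with).
audit_ssh_dir() {
    home="${1:-$HOME}"
    [ -n "$(find "$home/.ssh" -prune -perm 700)" ] || return 1
    [ -n "$(find "$home/.ssh/authorized_keys" -prune -perm 600)" ] || return 1
}

# Constructed sample key line: the blob is a placeholder, not a real RSA key.
SAMPLE_KEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0PLACEHOLDERPLACEHOLDER smartcard@example'
```

Typical use is `extract_card_pubkeys /usr/lib/libgtop11dotnet.so | while read -r line; do install_authorized_key "$line"; done` on the server (after copying the key text over from the machine with the reader), followed by `audit_ssh_dir` whenever a login mysteriously falls back to a password prompt.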


I made a video to show how to use a smart card with a Linux server using PuttySC and SecureCRT. You can watch it here: How to SSH with your Smart Card

I do not explain how to provision a certificate in the card, but if you do, remember the admin key of the card should be changed using a Card Management System. It will be a lot easier for you if your company provides you with a smart card so that you don't have to worry about this part.

Once you have the card provisioned, you need to extract the public key out, then add it to ~/.sshd/authorized_key.

To connect to the server, you can use tools such as PuttySC or SecureCRT. You will need to obtain the PKCS#11 library for the card (either from the smart card manufacturer or an open source version). Configure the SSH tool with the library; it should be able to read it and find the certificate.

When you authenticate, the tool will prompt you for the smart card PIN.
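The client side of this answer for an OpenSSH user rather than a PuttySC or SecureCRT user, added here as an example that is not part of the answer: OpenSSH's `ssh -I` takes the same PKCS#11 library path and prompts for the card PIN. Because the client loads that library into its own process, the script first checks that the file exists, is owned by root or the invoking user, and is not group- or world-writable (a library another local user can overwrite is a way for them to run code as you). The module path and host name are placeholders.

```shell
#!/bin/sh
# Added example (not from the original answers).
# Sanity-check a PKCS#11 provider library before handing it to the SSH client.

# check_pkcs11_module PATH: 0 if PATH is a regular file, owned by root or the
# current user, and has neither the group-write nor the world-write bit set.
check_pkcs11_module() {
    mod="$1"
    [ -f "$mod" ] || { echo "not a regular file: $mod" >&2; return 1; }

    # find -perm with a leading '-' tests that all of the given bits are set,
    # so this matches if g+w (020) or o+w (002) is present.
    if [ -n "$(find "$mod" -prune \( -perm -020 -o -perm -002 \))" ]; then
        echo "group- or world-writable, refusing to load: $mod" >&2
        return 1
    fi

    owner=$(ls -ld "$mod" | awk '{print $3}')
    me=$(id -un)
    if [ "$owner" != "root" ] && [ "$owner" != "$me" ]; then
        echo "unexpected owner '$owner': $mod" >&2
        return 1
    fi
    return 0
}

# ssh_with_card MODULE HOST: OpenSSH equivalent of pointing PuttySC or
# SecureCRT at the card's library; ssh prompts for the PIN when it needs
# the private key. Not exercised in the self-test (needs a card and a host).
ssh_with_card() {
    check_pkcs11_module "$1" || return 1
    ssh -I "$1" "$2"
}
```

Run as `ssh_with_card /usr/lib/libgtop11dotnet.so user@server` (placeholder paths). A refusal from `check_pkcs11_module` is worth investigating before loosening the check: a provider library that is writable by other users is usually a packaging or copy mistake rather than something to work around.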
