Using ssh with smart cards

In this example, we log in with the ssh client as user 'fperou' on the remote server 'remotehost':

GNU/Linux:

$ ssh -I /usr/lib/opensc-pkcs11.so fperou@remotehost
Enter PIN for 'FRANCOIS PEROU (User PIN)':****
francois@remotehost:~$

To avoid passing -I on every connection, you may add this line to /etc/ssh/ssh_config:

PKCS11Provider /usr/lib/opensc-pkcs11.so

Mac OS X:

$ ssh -I /Library/OpenSC/lib/opensc-pkcs11.so fperou@remotehost
Enter PIN for 'FRANCOIS PEROU (User PIN)':****
francois@remotehost:~$

To avoid passing -I on every connection, you may add this line to the /etc/ssh_config file (Mac OS X 10.6 / 10.7) or to /opt/local/etc/ssh/ssh_config (MacPorts):

PKCS11Provider /Library/OpenSC/lib/opensc-pkcs11.so

Exit the session and run the same command with verbose output:

ssh -v francois@remotehost
OpenSSH_5.5p1, OpenSSL 0.9.8m 25 Feb 2010
debug1: Reading configuration data /usr/etc/ssh_config
debug1: Connecting to ****.*****.com [88.160.168.33] port 22.
debug1: Connection established.
debug1: manufacturerID OpenSC (www.opensc-project.org cryptokiVersion 2.20 libraryDescription libraryVersion 0.0
debug1: label manufacturerID \ model serial \<299851151317110> flags 0x40d
debug1: have 1 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3
debug1: match: OpenSSH_5.3p1 Debian-3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '*************' is known and matches the RSA host key.
debug1: Found key in /home/******/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /usr/lib/opensc-pkcs11.so
debug1: Server accepts key: pkalg ssh-rsa blen 279
Enter PIN for 'François Pérou' (User PIN)':
debug1: pkcs11_provider_unref: 0x153fb90 refcount 2
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Linux firewall 2.6.32-trunk-486 #1 Sun Jan 10 05:53:18 UTC 2010 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Thu Apr 1 16:57:20 2010 from xxxxxxxxxxxx

Make sure that OpenSSH is asking for the PIN and offering the key from the PKCS#11 provider (the 'Offering public key: /usr/lib/opensc-pkcs11.so' line above), not authenticating with a local key in ~/.ssh on the client side.
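One way to automate that check, as an added example that is not part of the OpenSC page: parse captured `ssh -v` output and report whether the key that authenticated came from the PKCS#11 provider or from a file under ~/.ssh. The two sample logs are constructed from the transcript above; the provider path and the 'Offering public key: <path>' line format of OpenSSH 5.x are assumed.

```shell
#!/bin/sh
# Added example (not from the original page): decide, from the debug output
# of `ssh -v user@host`, whether public-key authentication used the smart
# card (key offered via the PKCS#11 provider) or a local key file in ~/.ssh.
# Assumption: the GNU/Linux provider path used on the page; adjust for Mac OS X.
PROVIDER=/usr/lib/opensc-pkcs11.so

# Capture a real run with:  ssh -v fperou@remotehost true 2>&1 | tee ssh-debug.log
# Here two logs are constructed from the transcript above instead.
CARD_LOG="debug1: Next authentication method: publickey
debug1: Offering public key: /usr/lib/opensc-pkcs11.so
debug1: Server accepts key: pkalg ssh-rsa blen 279
Enter PIN for 'FRANCOIS PEROU (User PIN)':
debug1: Authentication succeeded (publickey)."

LOCAL_LOG="debug1: Next authentication method: publickey
debug1: Offering public key: /home/fperou/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug1: Authentication succeeded (publickey)."

# Print where the accepted key came from: "card", "local" or "none".
auth_key_source() {
    log=$1
    if ! printf '%s\n' "$log" | grep -q 'Authentication succeeded (publickey)'; then
        echo none
        return 0
    fi
    # The last key offered before success is the one the server accepted.
    key=$(printf '%s\n' "$log" | sed -n 's/^debug1: Offering public key: //p' | tail -n 1)
    case $key in
        *"$PROVIDER"*) echo card ;;
        */.ssh/*)      echo local ;;
        *)             echo none ;;
    esac
}

# Succeed only when the card key was used AND OpenSSH prompted for the PIN.
verify_card_auth() {
    [ "$(auth_key_source "$1")" = card ] || return 1
    printf '%s\n' "$1" | grep -q 'Enter PIN for'
}

auth_key_source "$CARD_LOG"    # card
auth_key_source "$LOCAL_LOG"   # local
```

The PIN prompt is written to the terminal, so when capturing a real session redirect stderr as shown in the comment and run the command from an interactive tty.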