OpenSSH smartcard authentication

It took me some time to figure this out.


One could generate the key pair inside the card. That is more secure, since the private key then never leaves the card, but it also makes it impossible to back up the key. So, instead of generating on the card, we generate the keys ourselves and copy them to the card. Keep in mind that the private key then also exists on disk: treat that copy as an offline backup and protect it at least as well as any other SSH private key.


The first steps are identical to certificate based authentication: a CA key and the user key. Both are written to the current directory with -f, because the openssl and pkcs15-init commands below expect the files there (without -f, ssh-keygen would put the user key in ~/.ssh/id_rsa). Note that OpenSSH 7.8 and later write private keys in OpenSSH's own format by default, which openssl and pkcs15-init cannot read; on such a version add -m PEM to both commands.

ssh-keygen -t rsa -f ca_rsa

ssh-keygen -t rsa -f id_rsa

Once we have both keys, we create a self-signed certificate for the CA (valid for ten years here).

openssl req -new -key ca_rsa -x509 -days 3650 -out ca_rsa.crt

Create a signing request.

openssl req -new -key id_rsa -out id_rsa.csr

And sign the request with the CA. openssl x509 -req issues a certificate valid for only 30 days unless told otherwise, so -days is given here as well.

openssl x509 -req -days 3650 -in id_rsa.csr -CA ca_rsa.crt -CAkey ca_rsa -CAcreateserial -CAserial ca_rsa.seq -out id_rsa.cer

Now it's time to prepare the smartcard. On a Linux Mint 15 system, I first installed opensc and its dependencies. Since I am using an ACR-101 smartcard reader, I also installed the ACS driver for pcsc.


Step 1: erase the card

pkcs15-init -E

Step 2: initialize the card. The SO PIN and PUK set here are the final ones; the user PIN and PUK given here are only placeholders, since the real user PINs are created in the next two steps. PINs passed on the command line end up in the shell history and are visible in the process list while the command runs; if you leave the options out, pkcs15-init prompts for them instead.

pkcs15-init -C --so-pin 1234 --so-puk 56789012 --pin 1111 --puk 1111

Step 3: create the first PIN and PUK. The SO PIN is required for this operation.

pkcs15-init -P -a 1 -l "Basic PIN"

Step 4: create the second PIN and PUK.

pkcs15-init -P -a 2 -l "Second PIN"

Step 5: the card is now ready and we can copy the private key and the certificate to it. Both objects get the same id (45) and are protected by the first PIN (auth id 01). pkcs15-init stores the matching public key object alongside the private key, which is what the --list-public-keys check below shows and what OpenSSH reads from the card.

pkcs15-init --id 45 -a 01 --store-private-key id_rsa --key-usage sign,decrypt

pkcs15-init --id 45 -a 01 --store-certificate id_rsa.cer

Verify that everything was copied.

pkcs15-tool --list-keys

pkcs15-tool --list-public-keys

pkcs15-tool --list-certificates

And authenticate using the smartcard. The public key on the card must of course already be in the user's authorized_keys on the server. -I tells ssh which PKCS#11 module to load (on multiarch Debian derivatives the module may live under /usr/lib/x86_64-linux-gnu/ instead), -v shows the key being offered and the PIN prompt, and -p 1234 is simply the sshd port of this particular host.

ssh -v -p 1234 -I /usr/lib/opensc-pkcs11.so user@host
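The whole procedure above, wrapped in one script as an added example (this is not code from the original page). The file names, key id 45, auth id 01 and the module path are taken from the page; the -subj values, the 2048-bit key size, the -m PEM flag (needed on OpenSSH 7.8 and later, harmless on older versions) and the assumption that pkcs15-init prompts for PINs that are not given on the command line are mine. The script adds the checks a practitioner would want: that the key file is in a format openssl and pkcs15-init can read, that the user certificate verifies against the CA, and that the key OpenSSH sees through the PKCS#11 module is the one that was generated on the host. It needs opensc, openssl, an OpenSSH client and a card in the reader.

```shell
#!/bin/sh
# Added example: provision an OpenSC PKCS#15 card for OpenSSH, following the
# steps of the page. Assumptions (not from the page): -subj values, key size,
# -m PEM, and that pkcs15-init prompts for PINs it is not given.
set -eu

MODULE=${MODULE:-/usr/lib/opensc-pkcs11.so}   # page's path; multiarch systems differ
KEY_ID=45
AUTH_ID=01
CERT_DAYS=3650

# openssl and pkcs15-init read PKCS#1 PEM ("BEGIN RSA PRIVATE KEY").
# ssh-keygen 7.8+ writes the OpenSSH format by default, so check first.
is_pem_rsa_key() {
    [ -f "$1" ] && head -n 1 "$1" | grep -q '^-----BEGIN RSA PRIVATE KEY-----$'
}

# CA key and user key, both in the current directory, forced to PEM.
gen_keys() {
    ssh-keygen -t rsa -b 2048 -m PEM -f ca_rsa
    ssh-keygen -t rsa -b 2048 -m PEM -f id_rsa
}

# Self-signed CA cert, CSR for the user key, signed user cert. -days is given
# explicitly because "openssl x509 -req" defaults to 30 days.
make_cert() {
    openssl req -new -key ca_rsa -x509 -days "$CERT_DAYS" -subj "/CN=ssh-ca" -out ca_rsa.crt
    openssl req -new -key id_rsa -subj "/CN=ssh-user" -out id_rsa.csr
    openssl x509 -req -days "$CERT_DAYS" -in id_rsa.csr -CA ca_rsa.crt -CAkey ca_rsa \
        -CAcreateserial -CAserial ca_rsa.seq -out id_rsa.cer
    # The user cert must chain to the CA before it goes on the card.
    openssl verify -CAfile ca_rsa.crt id_rsa.cer
}

# Steps 1-4 of the page. No --so-pin/--pin options: pkcs15-init prompts, so
# no PIN lands in the shell history or the process list.
init_card() {
    pkcs15-init -E
    pkcs15-init -C
    pkcs15-init -P -a 1 -l "Basic PIN"
    pkcs15-init -P -a 2 -l "Second PIN"
}

# Step 5 of the page, followed by the listing used to verify it.
store_key() {
    pkcs15-init --id "$KEY_ID" -a "$AUTH_ID" --store-private-key id_rsa --key-usage sign,decrypt
    pkcs15-init --id "$KEY_ID" -a "$AUTH_ID" --store-certificate id_rsa.cer
    pkcs15-tool --list-keys
    pkcs15-tool --list-public-keys
    pkcs15-tool --list-certificates
}

# The key OpenSSH will use is whatever the PKCS#11 module exposes. Dump it,
# compare the key blob (second field; comments differ) with id_rsa.pub, and
# keep the dump: that line is what goes into authorized_keys on the server.
check_ssh_key() {
    ssh-keygen -D "$MODULE" > card_keys.pub
    host_blob=$(awk '{print $2}' id_rsa.pub)
    if ! awk '{print $2}' card_keys.pub | grep -qxF "$host_blob"; then
        echo "public key on the card does not match id_rsa.pub" >&2
        return 1
    fi
    echo "card key matches id_rsa.pub; append card_keys.pub to ~/.ssh/authorized_keys on the server"
}

main() {
    gen_keys
    if ! is_pem_rsa_key id_rsa; then
        echo "id_rsa is not a PEM RSA key; regenerate it with ssh-keygen -m PEM" >&2
        exit 1
    fi
    make_cert
    init_card
    store_key
    check_ssh_key
    # The private key is now on the card; the copy on disk is only a backup.
    chmod 400 id_rsa ca_rsa
}

# Only run the procedure when invoked as: sh provision-card.sh run
if [ "${1:-}" = run ]; then
    main
fi
```

Once card_keys.pub is in the server's authorized_keys, the page's final ssh command works; to avoid typing -I every time, set PKCS11Provider to the module path in ~/.ssh/config for that host, or load the card into the agent with ssh-add -s followed by the module path.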