OpenSSH smartcard authentication
It took me some time to figure this out.
One could generate the required keys inside the card. Although this offers more security, it makes it impossible to backup the keys. So, instead of using the smartcard, we're going to generate the keys ourselves and copy them to the card.
The first steps are identical to certificate based authentication.
ssh-keygen -t rsa -f ca_rsa
ssh-keygen -t rsa
Once we have all required keys, we can create a self signed certificate.
openssl req -new -key ca_rsa -x509 -days 3650 -out ca_rsa.crt
Create a signing request.
openssl req -new -key id_rsa -out id_rsa.csr
And sign the certificate.
openssl x509 -req -in id_rsa.csr -CA ca_rsa.crt -CAkey ca_rsa -CAcreateserial -CAserial ca_rsa.seq -out id_rsa.cer
Now it's time to prepare the smartcard. On a Linux Mint 15 system, I first installed opensc and its dependencies. Since I am using an ACR-101 smartcard reader, I also installed the ACS driver for pcsc.
Step 1: erase the card
Step 2: initialize the card. The SO pin and puk are the final ones, but the user pin and puk are irrelevant at this point.
pkcs15-init -C --so-pin 1234 --so-puk 56789012 --pin 1111 --puk 1111
Step 3: create first pin and puk. SO pin is required for this operation.
pkcs15-init -P -a 1 -l "Basic PIN"
Step 4: create second pin and puk.
pkcs15-init -P -a 2 -l "Second PIN"
Step 5: the card is now ready and we can copy the keys and certificate to the card.
pkcs15-init --id 45 -a 01 --store-private-key id_rsa --key-usage sign,decrypt
pkcs15-init --id 45 -a 01 --store-certificate id_rsa.cer
Verify that everything was copied.
pkcs15-tool --list-keys
pkcs15-tool --list-public-keys
pkcs15-tool --list-certificates
And authenticate using the smartcard.
ssh -v -p 1234 -I /usr/lib/opensc-pkcs11.so user@host