Linux smart card authentication – OpenSSH

(This is part of my howto on smart card authentication in Linux.)

You can use the private key stored on your smart card to authenticate on a remote OpenSSH server using key-based authentication. If you are not familiar with OpenSSH key-based authentication, the Ubuntu Server Guide has a page about it.

PKCS#11 support was added in OpenSSH 5.4, so make sure you are running OpenSSH 5.4 or higher on the client side. PKCS#11 support is only needed on the client, so the server can be running any version of OpenSSH.

Using your card key

The first thing is to get your public key in SSH format, you get it with the –read-ssh-key flag of pkcs15-tool:

firas@tsukino ~ % pkcs15-tool --read-ssh-key 4eadab3c5ad2558770f25c344f4d553bb88812ef
Using reader with a card: Feitian SCR301 00 00
1024 65537 115702323876099146721300348557321596237555417891487582418748197531180427116175233668017458616743090701505974123216209903372379186813582600614291812575857719103616546400601950161593902344447589576733119889435845715763818728167400201106615285687997736316003989312600622508585515531923469261473779227304730461479
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQCkw/zx6nggRP9JuEgNnFx0BHSKsy1ikbNKXdE4oQ2Ur4ehINQHr+dL2da9qd2zCc8ge5oZymLmkHGR9F0/7SwTj/4x7k1xmXmWPpCVfF11CDvUoAKCChw24MVyxgOnmUwHz1FNDm9mxG+JLTbiO+eEnH+NT4Ss04B+dKJIV6KFJw==

Only the last line of output interests us, copy it to your ~/.ssh/authorized_keys on the server, just like you would any other key.

Try connecting to the server. You need to pass the -I flag to ssh to let it know where the PKCS#11 library is located:

firas@tsukino ~ % ssh -I /usr/lib/
Enter PIN for 'Firas Kraiem (User PIN)':
Linux itsuki 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux
Ubuntu 10.04.1 LTS

Welcome to Ubuntu!
 * Documentation:

0 packages can be updated.
0 updates are security updates.

No mail.
Last login: Sat Aug 21 18:44:30 2010 from

In order to not have to pass the -I flag every time, you can add this line to your ~/.ssh/config (or to /etc/ssh/ssh_config to apply it to all users):

PKCS11Provider /usr/lib/

Using an existing SSH key

If you already have a SSH key, you might want to store it on your card. Simply use the -S flag of pkcs15-init on your private SSH key file as described at the end of the first post:

firas@tsukino ~ % pkcs15-init -S .ssh/id_rsa --auth-id 01 --label "My Private SSH Key" --public-key-label "My Public SSH Key"
Using reader with a card: Feitian SCR301 00 00
Please enter passphrase to unlock secret key: 
User PIN [User PIN] required.
Please enter User PIN [User PIN]: 

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.