![]() ![]() To use this key pair with SSH, we need to export the Public part in the right format. Some tokens also support some Elliptic Curves, but OpenSC's PKCS#15 tools could only create RSA keys up until recently, though I believe it's also possible to use OpenSC's PKCS#11 tools to create keys on the token. Note: Not all key sizes are supported by all tokens. >pkcs15-tool.exe -list-keys -list-public-keysĪccess Flags :, sensitive, alwaysSensitive, neverExtract, local I then created a new RSA key pair: >pkcs15-init.exe -verify-pin -auth-id 80 -generate-key rsa/2048 -key-usage sign,decrypt -label "RSA2k48" Length : min_len:4, max_len:15, stored_len:0 So I installed the latest release of OpenSC for Windows and verified it worked: >opensc-tool.exe -list-readers Unfortunately, WSL does not support libusb ( yet?), meaning it's not possible. Since OpenSC and OpenSSL are Unix tools, my first instinct was to use WSL (Windows Subsystem for Linux) to access the token. Thanks to my job, I already had (some) experience with OpenSSL, OpenSC, PKCS#11 and PKCS#15, and it's not like these technology are new, so I was expecting it would be simply a matter of finding the right commands.Īfter I managed to enable the Smart Card capability of the token, I continued with the Feitian guide on how to use their product with SSH authentication. The idea is simple: Public Key Authentication for SSH is well documented, I just want my private key to live on my hardware token instead of being a file on my hard drive. In case of mistake: replacing the certificate.Satisfying Putty-CAC by creating a certificate from our key pair.It was too good to last, or "why does connecting from a Windows host have to be so hard?".Or the result of several hours of fumbling around trying to use my new Feitian ePass Smart Card to login on my ssh server with asymmetric cryptography. Using SSH Public Key Authentication with a Smart Card
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |