
KB-5316: How to configure smart card authentication for SSH from Mac to Linux

Centrify Identity Service, Mac Edition

12 April,16 at 11:07 AM

Applies to: Centrify DirectControl for Mac

Question:

Can smart card-based authentication be configured for SSH from a Mac system into a Linux system?


Answer:

Steps:
  1. On a Mac system, install OpenSC from: https://github.com/OpenSC/OpenSC/wiki
  2. Insert a smart card into the Mac and run in Terminal:
    • pkcs15-tool --list-public-keys
    • This should result in output similar to the following:

        Public RSA Key [PIV AUTH pubkey]
          Object Flags   : [0x0]
          Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
          Access Flags   : [0x2], extract
          ModLength      : 1024
          Key ref        : 154 (0x9A)
          Native         : yes
          Auth ID        : 01
          ID             : 01
          DirectValue    : <absent>

  3. Run the following in Terminal:
    • pkcs15-tool --read-ssh-key 01
    • (Where 01 is the ID value from Step 2 above. If a different ID is returned, substitute it into this command.)
  4. Enter the smart card PIN; this should produce a line similar to:
    • ssh-rsa AAAAB3NzaC...
  5. On the target server/machine to be SSHed into, log in as the SSH user and create the following file:
    • ~/.ssh/authorized_keys
  6. Copy the ssh-rsa AAAAB3NzaC... line from the previous step into the authorized_keys file.
  7. The following command should now work on the Mac client machine:
    • ssh -I /Library/OpenSC/lib/opensc-pkcs11.so user@ip.address
      • This should open an SSH session after the PIN is entered.
      • To avoid specifying the -I flag on every SSH invocation, the provider can also be set in the /etc/ssh_config file:
      • PKCS11Provider /Library/OpenSC/lib/opensc-pkcs11.so
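As an added example that is not part of this article, the POSIX shell helpers below pull the key ID out of the Step 2 listing (a constructed sample of the same shape) and add the Step 4 key line to authorized_keys without duplicating it, with the directory and file modes sshd's StrictModes check expects.

```shell
#!/bin/sh
# Added example, not Centrify's or OpenSC's code: helpers for Steps 2-6 of the article.
# Constructed sample of `pkcs15-tool --list-public-keys` output, same shape as the article's.
SAMPLE_LISTING='Public RSA Key [PIV AUTH pubkey]
    Object Flags   : [0x0]
    Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
    Access Flags   : [0x2], extract
    ModLength      : 1024
    Key ref        : 154 (0x9A)
    Native         : yes
    Auth ID        : 01
    ID             : 01
    DirectValue    : <absent>'

# Print the "ID" of the first public key in a listing read from stdin; this is the
# argument for `pkcs15-tool --read-ssh-key`. "Auth ID" is a different field and is skipped.
piv_key_id() {
  sed -n 's/^[[:space:]]*ID[[:space:]]*:[[:space:]]*\([0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p' | head -n 1
}

# Install one public-key line (as printed by `pkcs15-tool --read-ssh-key`) into an
# authorized_keys file without duplicating it. $1 = key line, $2 = path to authorized_keys.
# Directory and file get the modes sshd's StrictModes check requires (700 / 600).
install_authorized_key() {
  key_line=$1; keyfile=$2
  case $key_line in
    "ssh-"*" "*|"ecdsa-"*" "*) ;;          # must look like "<type> <base64> [comment]"
    *) echo "refusing: not an OpenSSH public-key line" >&2; return 1 ;;
  esac
  keydir=$(dirname "$keyfile")
  mkdir -p "$keydir" && chmod 700 "$keydir"
  touch "$keyfile" && chmod 600 "$keyfile"
  # Compare only type + key blob, so a different trailing comment does not create a duplicate.
  key_blob=$(printf '%s\n' "$key_line" | awk '{print $1 " " $2}')
  if awk -v k="$key_blob" '($1 " " $2) == k {found = 1} END {exit !found}' "$keyfile"; then
    return 0                               # already authorized, nothing to do
  fi
  printf '%s\n' "$key_line" >> "$keyfile"
}

# On a real Mac with the card inserted (not run here):
#   pkcs15-tool --read-ssh-key "$(pkcs15-tool --list-public-keys | piv_key_id)"
```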



Notes:
  • The above configuration has been tested in a Mac to Mac session using the following OpenSSH versions:
    • On the Client side: OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
    • On the Server side: OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
  • OpenSC is used to export the ssh-rsa public key line that must be included in the authorized_keys file under the user's home directory:
    1. Move the OpenSC tokend out of the tokend directory; leaving it in that folder prevents authentication from taking place.
    2. Log in as the PIV card user.
    3. SSH into the OpenSSH server by running:
      • ssh -I /Library/OpenSC/lib/opensc-pkcs11.so user@ip.address
        • This uses the shim included in OpenSC and results in a PIN prompt:
        • Enter PIN for 'PIV_II (PIV Card Holder pin)':
        • Sign-in completes after the PIN is entered.
  • The most important step is to export the public key line into the authorized_keys file under the user's home directory.
  • It is also important to note that this is a manual process and not part of any Centrify mapper script.