How to configure smartcard authentication with openssh on Red Hat Enterprise Linux 6?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux 6
  • coolkey-1.1.0-20.el6.x86_64
  • pam_pkcs11-0.6.2-12.1.el6.x86_64
  • openssh-5.3p1-81.el6.x86_64

Issue

  • How to configure smartcard authentication with openssh on Red Hat Enterprise Linux 6 systems.

Resolution

Currently there is a workaround to achieve this: RHEL 6 has experimental support for NSS in OpenSSH, which should allow smartcard authentication.

1. See the documentation on Enabling Smart Card Login on a RHEL 6 system.

2. Make sure that the libcoolkeypk11.so module is loaded in the NSS database. Install the coolkey-1.1.0-20.el6.x86_64 package on the system.

	# modutil -list -dbdir /etc/pki/nssdb

	Listing of PKCS #11 Modules

	  1. NSS Internal PKCS #11 Module
		 slots: 2 slots attached
		status: loaded

		 slot: NSS Internal Cryptographic Services
		token: NSS Generic Crypto Services

		 slot: NSS User Private Key and Certificate Services
		token: NSS Certificate DB

	  2. CoolKey PKCS #11 Module
		library name: libcoolkeypk11.so
		 slots: There are no slots attached to this module
		status: Not loaded

Since libcoolkey in RHEL6.2 supports PIV cards, try using this method.

3. Copy the NSS database to the user's .ssh directory inside the user's home directory.

	# cp /etc/pki/nssdb/*.db ~/.ssh

4. Start an ssh-agent

	$ eval `ssh-agent`

5. Add the smartcard certificates to the ssh-agent

	$ ssh-add -n

	$ ssh-keygen -n -D 'PKCS11 Token' -f 'Key ID'

You can get the ‘PKCS11 Token’ name by using modutil; look for the “token:” line under the CoolKey module.

	# modutil -list -dbdir .ssh

The ‘Key ID’ is one of the certificates listed as added to your ssh-agent (see `ssh-add -L`).

The ssh-keygen command will output a public key. Take this public key and place it in the authorized_keys file on whatever host you wish to log in to with your smart card (for example "/home//.ssh/authorized_keys").

6. Make sure the permissions of the /home//.ssh/ directory and the /home//.ssh/authorized_keys file look like this:

	# ls -l /home/idmuser/.ssh/
	total 4
	-rw-------. 1 idmuser idmuser 212 Dec 11 13:36 authorized_keys

	# ls -l /home/idmuser/.ssh/authorized_keys 
	-rw-------. 1 idmuser idmuser 212 Dec 11 13:36 /home/idmuser/.ssh/authorized_keys

7. Now try to log in to the target system using the following command:

	$ ssh -o 'UseNSS yes' -o 'NSSToken <PKCS11 Token>' -l idmuser <hostname>

This prompts for your token PIN and then for the password of 'idmuser'. To stop ssh prompting for the password of 'idmuser', set 'UsePAM no' in the /etc/ssh/sshd_config file and restart the sshd service (note that 'UsePAM no' also disables PAM account and session module processing for sshd, not only password prompting).
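As an added example, not code from this article, the bash helper below pulls the CoolKey token name out of `modutil -list` output for the `-D` / `NSSToken` options in steps 5 and 7, checks the step 6 permissions the way sshd's StrictModes does, and wraps the step 7 login; the reader label, token label, user and host in it are constructed placeholders.

```bash
#!/bin/bash
# Added helper, not from the Red Hat article: find the CoolKey token name that
# steps 5 and 7 need, check the ~/.ssh permissions from step 6 the way sshd's
# StrictModes does, and wrap the step 7 login. Reader and token labels, the
# user and the host are constructed placeholders.

# Print the "token:" label of the first slot under the module whose
# "library name:" contains $1 (e.g. libcoolkeypk11.so), reading `modutil -list`
# output from stdin. Exits 1 when that module lists no token (no card inserted).
token_for_library() {
    awk -v lib="$1" '
        /^[ \t]*[0-9]+\. /                { inmod = 0 }   # next module block starts
        /library name:/ && index($0, lib) { inmod = 1 }   # this is the module we want
        inmod && /^[ \t]*token:/ { sub(/^[ \t]*token:[ \t]*/, ""); print; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Fail if $1 (a .ssh directory) or its authorized_keys is not owned by user $2
# or is group/world-writable; sshd with StrictModes yes (the default) rejects both.
check_ssh_perms() {
    local path mode owner
    for path in "$1" "$1/authorized_keys"; do
        mode=$(stat -c '%a' "$path") && owner=$(stat -c '%U' "$path") || return 1
        case "$mode" in
            *[2367][0-7]|*[0-7][2367]) echo "$path is group/world-writable ($mode)" >&2; return 1 ;;
        esac
        [ "$owner" = "$2" ] || { echo "$path is owned by $owner, not $2" >&2; return 1; }
    done
}

# Step 7's login with the token name filled in: nss_ssh <token> <user> <host>
nss_ssh() { ssh -o 'UseNSS yes' -o "NSSToken $1" -l "$2" "$3"; }

# Constructed `modutil -list -dbdir ~/.ssh` output with a PIV card inserted.
SAMPLE_MODUTIL=$(cat <<'EOF'
Listing of PKCS #11 Modules
  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
          slot: NSS User Private Key and Certificate Services
         token: NSS Certificate DB
  2. CoolKey PKCS #11 Module
        library name: libcoolkeypk11.so
         slots: 1 slot attached
          slot: Example Reader 00 00 (constructed)
         token: PIV-CARD-01
EOF
)
# Typical use: tok=$(modutil -list -dbdir ~/.ssh | token_for_library libcoolkeypk11.so) &&
#              check_ssh_perms ~/.ssh "$(id -un)" && nss_ssh "$tok" idmuser host.example.com
```

Running the token lookup against the constructed sample yields PIV-CARD-01; with the CoolKey block's token line absent (no card in the reader) it prints nothing and exits non-zero, so the login is not attempted with an empty NSSToken.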

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.