@KaarelP2rtel
Last active September 4, 2022 18:59

SSH authentication with the ID card - remarks from the year 2019

(English version below)

Guides on how to log in over SSH with the ID card have been written since 2011. Here I write a little about my observations in 2019 and also about how to use the ID card on Windows with PuTTY.

Using a smartcard gives SSH access from different machines without having to generate keys on every machine or copy keys between machines. Most Estonians should already have an ID card, so it is a good opportunity to put it to use.

Linux (Ubuntu 19.10+)

1. Required software

openssh-client version 8+
open-eid, i.e. the Estonian ID card software

OpenSSH 8 is available in Ubuntu from version 19.10 onwards. OpenSSH must be version 8 (or newer), because version 7 (and older) does not support ECDSA keys over the PKCS11 interface.

To use the ID card with open-eid, the opensc-pkcs11 software must be installed. As of 26.10.2019 opensc (version 0.19) does not support the PKCS11 interface of the new IDEMIA ID cards. The Estonian ID card software repositories provide an opensc version with IDEMIA support added. The simplest option is to install the entire ID card software, but you can also add the repository manually and install only the opensc-pkcs11 package.

Legend has it that opensc 0.20 also supports IDEMIA PKCS11 cards, but I have not tried it yet. If that is indeed the case, the ID card software is not strictly necessary.

2. Usage

Reading the public key

To read the key, and to use the card later on, we only need to tell ssh to use OpenSC.
ssh-keygen -D onepin-opensc-pkcs11.so
To save it to a file
ssh-keygen -D onepin-opensc-pkcs11.so > id.pub
The public key must be copied to the target machines in the same way as a regular ssh key.

SSH login (Method 1)

Just as when reading the key, SSH must be told to use OpenSC.
ssh -I onepin-opensc-pkcs11.so user@host
So that you do not have to type this every time, it can be added to the SSH config file.
echo "PKCS11Provider onepin-opensc-pkcs11.so" >> .ssh/config
With Method 1 the PIN code is asked for at every authentication. To avoid that, Method 2 can be used.

NB! This method does not work with the built-in ID card readers of some keyboards, specifically those keyboards whose readers have pinpad support. Method 2 works with these keyboards.

SSH login (Method 2)

For Method 2 the Method 1 line PKCS11Provider onepin-opensc-pkcs11.so must also be removed from the ssh config file, since otherwise the PIN is still asked for every time.

With Method 2 the PIN code is stored in memory with ssh-add, which means it does not have to be entered every time.
With this method the full path to the pkcs11 library must be given.
ssh-add -s /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
Removing the card from the agent
ssh-add -e /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so

NB: if the ID card is removed from the reader in the meantime, the card must be removed from the agent and added again. A small script can be created for this with the command:

sudo cat << EOF > /tmp/add-id-card-ssh
#!/bin/bash
ssh-add -e /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so 2>/dev/null 1>/dev/null
ssh-add -s /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
EOF

sudo chmod +x /tmp/add-id-card-ssh
sudo mv /tmp/add-id-card-ssh /usr/local/bin/

and from then on run the command add-id-card-ssh.

Automated SSH login (Method 3) - slightly sketchy, but works well.

So that you do not have to think about whether the ID card was taken out in the meantime or not, the whole process can be made somewhat automagic. Essentially, before SSH is started it needs to be checked whether the card is inserted and whether it has been added to the ssh agent. I wrote a few bash functions for this.

First, the package pcsc-tools needs to be installed from apt.
Second, the following lines need to be added to the .bashrc file.


id-card-inserted(){
    # The card can have many different names depending on the card version,
    # library versions and even the card status.
    grep -e "id.ee" -e "EstEID" -e "Estonian Identity Card" <(timeout 0.1 pcsc_scan) --quiet
    return "$?"
}
id-card-added(){
    timeout 0.1 ssh-add -T <(ssh-add -L | grep pkcs11) 2>/dev/null 1>/dev/null
    card_added="$?"
    # Exit code 124 means the command timed out and was probably going to succeed.
    # If the command had failed, it would not time out but exit immediately.
    if [ "$card_added" -eq 124 ]; then return 0
    else return 1; fi
}
remove-id-card(){
    ssh-add -e /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so 2>/dev/null 1>/dev/null
}
add-id-card(){
    remove-id-card
    echo -n "ID Card PIN1 - "
    ssh-add -s /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
}
check-id-card(){
    # Card pulled out: drop it from the agent. Card present but not in the agent: add it.
    if ! id-card-inserted; then remove-id-card; return 1; fi
    if ! id-card-added; then add-id-card; fi
}
alias ssh="check-id-card; ssh"

Suggestions on how to solve the problem more sensibly are welcome.

Windows Putty

Required software

Putty CAC
Estonian ID card software

Putty CAC is a special version of PuTTY with smartcard support added. putty.exe and pageant.exe are needed, but it would be sensible to install the whole package (.msi installer).

The ID card software is needed because it contains the drivers required to communicate with the card.

Adding the card and reading the public key

Once the software is installed, the first thing to do is start Pageant.
Pageant in the Start menu

Then open Pageant.
Pageant options in the quick menu

To add the card to Pageant, select Add PKCS Cert
Pageant window

and then select the driver that will read the card.

NB! For ID cards issued before 2019, onepin-opensc-pkcs11.dll must be selected, and for the new ID cards OcsPKCS11Wrapper.dll must be selected.

PKCS11 driver selection
Once that is done, the card's public key can be copied by selecting the desired key from the list and pressing Copy to Clipboard
Pageant window showing the Copy to Clipboard button

So that the card does not have to be added again every time, it would be sensible to select Autoload certs in Pageant. That way Pageant automatically adds previously added cards at startup.
Pageant option Autoload Certs

Using Putty

Using PuTTY differs from normal use only in that the ID card's PIN code (PIN 1) is asked for at login.
PuTTY usage example

SSH authentication with the Estonian ID card - remarks from the year 2019

Guides on how to use the Estonian ID-Card for SSH login have been written since 2011. Here I have written some remarks in the year 2019 and also how to use the ID-Card with Putty on Windows.

Using smartcards for SSH authentication gives the user SSH access from different machines without having to generate and deploy new keys or copy existing keys between machines. Most Estonians already have an ID-Card so it is a good opportunity to put it to use.

Linux (Ubuntu 19.10+)

1. Required software

openssh-client version 8+
open-eid aka Estonian ID-Card software

OpenSSH 8 is available in Ubuntu since Ubuntu 19.10. OpenSSH has to be version 8 (or newer) because OpenSSH 7 (and older) does not support ECDSA keys over the PKCS11 interface.

To use the ID card, opensc-pkcs11 must be installed. As of 26.10.2019 opensc (ver 0.19) does not support the newer IDEMIA ID-Cards. The Estonian ID-Card repository contains a patched version of opensc with support for IDEMIA cards. Only the package opensc-pkcs11 is needed, but it is simpler to install the entire Estonian ID-Card software.

Legends say, that opensc 0.20 supports the new IDEMIA cards. If that is the case, then the ID-Card software is not needed.

2. Usage

Reading the public key

To read the public key, we just need to tell ssh-keygen to use the opensc-pkcs11 library.
ssh-keygen -D onepin-opensc-pkcs11.so
And to save it to a file.
ssh-keygen -D onepin-opensc-pkcs11.so > id.pub
The public key is copied to machines the same way as a regular SSH public key.
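The step above (in both the Estonian and the English "reading the public key" sections) says the card's public key is copied to the server like any other SSH key. As an added example, not part of the gist, the POSIX shell script below installs such a key line into an authorized_keys file on the server side: it checks that the line is a well-formed ECDSA or RSA public key, refuses to append a key that is already present, and prepends an authorized_keys option string (for example `restrict,pty`, standard OpenSSH options) so a card key can be limited to what it needs. The sample key is constructed filler, not a real key, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: install a public-key line obtained with
# "ssh-keygen -D onepin-opensc-pkcs11.so" into an authorized_keys file.
# Validates the line, prepends an option string, and never adds a key twice.
# All function names are this example's own. SAMPLE_KEY is constructed filler.

# Return 0 if "$1" is a single OpenSSH public-key line of a type the card can
# present through PKCS#11 (ECDSA or RSA) whose blob is base64.
key_line_is_well_formed() {
    set -f             # no globbing while splitting the line into words
    set -- $1          # $1 = key type, $2 = base64 blob, $3... = comment
    set +f
    [ $# -ge 2 ] || return 1
    case "$1" in
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-rsa) ;;
        *) return 1 ;;
    esac
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# Append key line "$2" to authorized_keys file "$1", prefixed with the option
# string "$3" when given (e.g. "restrict,pty").
# Returns 0 = added, 2 = already present (matched on type + blob, the comment
# is ignored), 1 = malformed line.
install_authorized_key() {
    file=$1 line=$2 opts=$3
    key_line_is_well_formed "$line" || return 1
    set -f; set -- $line; set +f
    keyid="$1 $2"
    if [ -f "$file" ] && grep -Fq -- "$keyid" "$file"; then
        return 2
    fi
    # Subshell so the restrictive umask only applies to creating this file.
    ( umask 077
      if [ -n "$opts" ]; then printf '%s %s\n' "$opts" "$line"
      else printf '%s\n' "$line"; fi >> "$file" )
}

# Number of key lines in authorized_keys file "$1" (blank and comment lines skipped).
authorized_key_count() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -Ecv '^[[:space:]]*(#|$)' "$1" || true
}

# Constructed sample: type and blob prefix look like an ECDSA P-384 card key,
# the remainder of the blob is filler. It is NOT a real key.
SAMPLE_KEY='ecdsa-sha2-nistp384 AAAAE2VjZHNhLXNoYTItbmlzdHAzODQAAAAIbmlzdHAzODQAAABhQ09OU1RSVUNURURfRklMTEVSX05PVF9BX1JFQUxfS0VZX0JMT0I= id-card-example'

# Run with any argument to see the three outcomes on a temporary file.
if [ "$#" -gt 0 ]; then
    f=$(mktemp)
    install_authorized_key "$f" "$SAMPLE_KEY" "restrict,pty"; echo "first add: $?"
    install_authorized_key "$f" "$SAMPLE_KEY" "restrict,pty"; echo "second add: $?"
    install_authorized_key "$f" "not a key";                 echo "malformed: $?"
    echo "keys in file: $(authorized_key_count "$f")"; cat "$f"; rm -f "$f"
fi
```

Matching on type plus blob rather than the whole line is deliberate: `ssh-keygen -D` emits no meaningful comment, so two exports of the same card key may differ only in whatever comment was appended by hand, and they must still count as the same key.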

SSH login (Method 1)

As with reading the public key, we just need to tell SSH to use the opensc-pkcs11 library.
ssh -I onepin-opensc-pkcs11.so user@host
This can be added to the ssh config to avoid having to do it every time.
echo "PKCS11Provider onepin-opensc-pkcs11.so" >> .ssh/config
With Method 1 the PIN code of the card is asked every time. To avoid this, Method 2 can be used.
NB! This method does not work with card readers on keyboards that have support for pinpad. For these keyboards, Method 2 can be used.

SSH login (Method 2)

For Method 2 the config line PKCS11Provider onepin-opensc-pkcs11.so must be removed, because otherwise it overrides Method 2 and the PIN is still asked for every time.

For Method 2, the PIN is stored into memory using ssh-add, meaning it is not asked every time. For this however the full path to the PKCS11 library must be given.
ssh-add -s /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
Removing the card.
ssh-add -e /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so

NB If the card is removed from the reader, the card must be manually removed from the agent and added again. This can be achieved by making a simple script with the command:

sudo cat << EOF > /tmp/add-id-card-ssh
#!/bin/bash
ssh-add -e /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so 2>/dev/null 1>/dev/null
ssh-add -s /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
EOF

sudo chmod +x /tmp/add-id-card-ssh
sudo mv /tmp/add-id-card-ssh /usr/local/bin/

and later running the command add-id-card-ssh as needed.
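Method 2 has two preconditions stated in this gist (in both the Estonian and the English sections): OpenSSH 8 or newer, because older versions cannot use ECDSA keys over PKCS11, and no PKCS11Provider line left in the ssh config, which would otherwise make ssh prompt for the PIN on every connection even though the agent holds the card. As an added example, not from the gist, the POSIX shell script below checks those preconditions before you run ssh-add -s, and also looks at the ssh-add -L listing for a pkcs11 entry, the same signal the gist's id-card-added function greps for. The library path is the one used in the gist; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the gist: pre-flight checks for the ssh-add -s
# method. Covers the two pitfalls the text names (OpenSSH < 8 has no ECDSA over
# PKCS#11; a leftover PKCS11Provider line makes ssh ask for the PIN every time)
# and reports whether the card is currently present in the agent.
# Function names are this example's own; the library path is the gist's.

PKCS11_LIB=${PKCS11_LIB:-/usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so}

# Print the OpenSSH major version found in an "ssh -V" banner, e.g.
# "OpenSSH_8.0p1 Ubuntu-6build1, OpenSSL 1.1.1c  28 May 2019" -> 8.
ssh_major_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\)[.p].*/\1/p'
}

# Return 0 when the banner belongs to OpenSSH 8 or newer.
ssh_supports_pkcs11_ecdsa() {
    major=$(ssh_major_version "$1")
    [ -n "$major" ] && [ "$major" -ge 8 ]
}

# Return 0 when ssh config file "$1" has an active (uncommented) PKCS11Provider line.
config_has_pkcs11_provider() {
    [ -f "$1" ] && grep -Eiq '^[[:space:]]*PKCS11Provider[[:space:]]' "$1"
}

# Return 0 when an "ssh-add -L" listing "$1" contains a key served via PKCS#11;
# the agent prints the provider path as that key's comment.
agent_listing_has_card() {
    printf '%s\n' "$1" | grep -q 'pkcs11'
}

# Run the real checks on this machine. Returns the number of failed checks.
preflight() {
    failures=0
    banner=$(ssh -V 2>&1)
    if ssh_supports_pkcs11_ecdsa "$banner"; then
        echo "ok   ssh: $banner"
    else
        echo "FAIL ssh older than 8, no ECDSA over PKCS#11: $banner"; failures=$((failures + 1))
    fi
    if [ -r "$PKCS11_LIB" ]; then
        echo "ok   library: $PKCS11_LIB"
    else
        echo "FAIL library not found: $PKCS11_LIB"; failures=$((failures + 1))
    fi
    if config_has_pkcs11_provider "$HOME/.ssh/config"; then
        echo "FAIL remove the PKCS11Provider line from ~/.ssh/config or the PIN is asked every time"
        failures=$((failures + 1))
    else
        echo "ok   no PKCS11Provider line in ~/.ssh/config"
    fi
    if agent_listing_has_card "$(ssh-add -L 2>/dev/null)"; then
        echo "ok   card present in agent"
    else
        echo "warn card not in agent; run: ssh-add -s $PKCS11_LIB"
    fi
    return "$failures"
}

# Usage: sh preflight.sh check
if [ "${1:-}" = check ]; then preflight; fi
```

The banner and config parsing are kept in separate functions so they can be exercised with constructed input; only preflight touches the real ssh, agent and library on the machine it runs on.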

SSH login Automatically (Method 3) - Slightly sketchy, but works well.

In order to not have to think about whether the card has been added or not, the entire process can be made somewhat automagical. Basically we just need to check if the card has been inserted and added before running SSH. I have written here some bash functions that do just that.

First we need to install the package pcsc-tools.
Second we need to add the following lines to .bashrc:


id-card-inserted(){
    # The card can have many different names depending on the card version,
    # library versions and even the card status.
    grep -e "id.ee" -e "EstEID" -e "Estonian Identity Card" <(timeout 0.1 pcsc_scan) --quiet
    return "$?"
}
id-card-added(){
    timeout 0.1 ssh-add -T <(ssh-add -L | grep pkcs11) 2>/dev/null 1>/dev/null
    card_added="$?"
    # Exit code 124 means the command timed out and was probably going to succeed.
    # If the command had failed, it would not time out but exit immediately.
    if [ "$card_added" -eq 124 ]; then return 0
    else return 1; fi
}
remove-id-card(){
    ssh-add -e /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so 2>/dev/null 1>/dev/null
}
add-id-card(){
    remove-id-card
    echo -n "ID Card PIN1 - "
    ssh-add -s /usr/lib/x86_64-linux-gnu/onepin-opensc-pkcs11.so
}
check-id-card(){
    # Card pulled out: drop it from the agent. Card present but not in the agent: add it.
    if ! id-card-inserted; then remove-id-card; return 1; fi
    if ! id-card-added; then add-id-card; fi
}
alias ssh="check-id-card; ssh"

Suggestions on how to do this more reasonably are welcome.

Windows Putty

Required software

Putty CAC
Estonian ID-Card software

Putty CAC is a special version of Putty that has support for smartcards. Only putty.exe and pageant.exe are needed, but it is better to install the entire package (.msi installer).

The ID-Card software is needed because it contains drivers needed to communicate with the card.

Adding the card and reading the public key

Once the software is installed, the first thing to run is Pageant.
Pageant in the Start menu

Then open pageant.
Pageant in the quickbar

To add the card to the agent select Add PKCS Cert
Pageant window

then select the driver which reads the card.

NB! For cards issued before 2019 the driver onepin-opensc-pkcs11.dll must be used and for newer ID-Cards the driver OcsPKCS11Wrapper.dll must be used.

PKCS11 driver selection
Once that is done, the key can be copied by selecting it from the list and clicking Copy to Clipboard
Pageant window with the Copy to clipboard button

In order to not have to add the card every time, the option Autoload certs should be selected. This way pageant will automatically add previously added cards.
Pageant Autoload Certs option

Using Putty

The only difference when using Putty is that it will ask for the card's PIN 1 at login.
Putty usage example

@Cougar

Cougar commented Nov 15, 2019

Can't this "Method 3" automagic be done with udev?


@whysthatso

english version possible?

@KaarelP2rtel
Author

english version possible?

Done
