OSX - https://github.com/OpenSC/OpenSC/releases/download/0.16.0/OpenSC-0.16.0.dmg
Fedora - sudo dnf install pcsc-tools opensc ccid
Ubuntu - sudo apt install pcsc-tools opensc libccid
Find out where OpenSC has installed the pkcs11 module.
For OS X with binary installation this is typically in
/Library/OpenSC/lib/. Homebrew users can use export OPENSC_LIBS=$(brew --prefix opensc)/lib
pkcs15-init --erase-card
should show some output.
Windows - https://github.com/OpenSC/OpenSC/releases/download/0.19.0-rc1/OpenSC-win64_vs12-Release.msi
On Windows, use "C:\Program Files\OpenSC Project\OpenSC\tools\pkcs15-init.exe"; the commands are otherwise the same.
pkcs15-init --erase-card
**In this step you will choose a password and enter it 4 times. Please choose a strong password.**
pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "RedCarpet"
pkcs15-init --auth-id 1 --generate-key rsa/2048 --key-usage sign,decrypt --label "RedCarpet"
# credit to https://zerowidthjoiner.net/2019/01/12/using-ssh-public-key-authentication-with-a-smart-card for Windows help
# Apparently Windows needs a certificate along with a key. OpenSC does not create certificates, but can definitely store them.
openssl req -engine pkcs11 -new -key "pkcs11:object=RedCarpet" -keyform engine -out myCert.pem -days 3650 -outform pem -x509 -utf8
(press enter everywhere)
pkcs15-init --store-certificate myCert.pem --id 01 --verify-pin
To verify it worked,
pkcs15-tool --dump
It should show an X.509 certificate.
To list the keys that you created in your previous step
pkcs15-tool --list-keys
pkcs15-tool --read-ssh-key <key id>
This key is what we add to our servers. Whenever we ask you to "send your public key", this is what you send.
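As an added example (not part of the original guide), the script below runs the provisioning steps above in order and checks the card after each stage instead of relying on eyeballing the output; it assumes pkcs15-init, pkcs15-tool and openssl (with the pkcs11 engine) are on PATH, that an `-subj` value may stand in for the interactive prompts, and the list-keys/dump samples it parses are constructed, not captured from a real card.

```shell
#!/bin/sh
# Added example, not from the original guide: runs the provisioning steps
# above in order and verifies the card after each stage, so a failure
# (e.g. "PKCS#15 binding failed") stops the script instead of going unnoticed.
# Assumes pkcs15-init, pkcs15-tool and openssl (with the pkcs11 engine) are
# on PATH; the label, cert file and id are the values used on this page.
set -eu
LABEL="${LABEL:-RedCarpet}"

# Read `pkcs15-tool --list-keys` output on stdin and print the ID of the
# private key whose label matches; exit 1 if no such key is on the card.
key_id_for_label() {
    awk -v label="$1" '
        /^Private .* Key \[/ { in_key = (index($0, "[" label "]") > 0) }
        in_key && $1 == "ID" { print $NF; found = 1; exit }
        END { exit found ? 0 : 1 }'
}

# Read `pkcs15-tool --dump` output on stdin; succeed only if an X.509
# certificate object is present (the check the guide does by eye).
has_x509_cert() { grep -q 'X\.509 Certificate'; }

provision_card() {
    pkcs15-init --erase-card
    pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "$LABEL"
    pkcs15-init --auth-id 1 --generate-key rsa/2048 --key-usage sign,decrypt --label "$LABEL"
    # -subj stands in for the "press enter everywhere" prompts (assumption: any subject is fine)
    openssl req -engine pkcs11 -new -key "pkcs11:object=$LABEL" -keyform engine \
        -out myCert.pem -days 3650 -outform pem -x509 -utf8 -subj "/CN=$LABEL"
    pkcs15-init --store-certificate myCert.pem --id 01 --verify-pin
    pkcs15-tool --dump | has_x509_cert || { echo "no X.509 certificate on card" >&2; return 1; }
    key_id=$(pkcs15-tool --list-keys | key_id_for_label "$LABEL")
    pkcs15-tool --read-ssh-key "$key_id"   # this is the public key to send us
}

# Constructed sample outputs (not from a real card) for checking the parsers;
# two keys are listed to show why the label filter is needed.
SAMPLE_KEYS='Private RSA Key [OldKey]
    ID             : 0102030405
Private RSA Key [RedCarpet]
    Object Flags   : [0x03], private, modifiable
    Auth ID        : 01
    ID             : a1b2c3d4e5f6'
SAMPLE_DUMP='X.509 Certificate [RedCarpet]
    ID             : 01'

# Run as `sh provision.sh card` to provision a real card; otherwise only parse the samples.
if [ "${1:-}" = "card" ]; then provision_card; else
    printf '%s\n' "$SAMPLE_KEYS" | key_id_for_label "$LABEL"; fi
```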
Fedora - ssh -o PKCS11Provider=/usr/lib64/opensc-pkcs11.so [email protected]
Ubuntu - ssh -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so [email protected]
OSX - ssh -o PKCS11Provider=/Library/OpenSC/lib/opensc-pkcs11.so [email protected]
Windows - download Putty CAC. Follow the "PKCS 11" configuration section in http://risacher.org/putty-cac/
#OSX
ssh -N -o PKCS11Provider=/Library/OpenSC/lib/opensc-pkcs11.so -L 5432:rds.db.aws.com:5432 username@bastion-ip
#Ubuntu
ssh -N -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L 5432:rds.db.aws.com:5432 username@bastion-ip
#Fedora
ssh -N -o PKCS11Provider=/usr/lib64/opensc-pkcs11.so -L 5432:rds.db.aws.com:5432 username@bastion-ip
Currently on Ubuntu 18.04, apt installs an older version of opensc (0.17.0-3), which throws the following error while generating the RSA key:

PKCS#15 binding failed: Unsupported card

See this issue for more info. To get it working, compile and install the latest version of opensc (0.19.0 working for me) following this guide. Make sure to install the build dependencies first.

Build Requirements for opensc (0.19) on Ubuntu 18.04

Then download the latest version of opensc from here.

Finally, run the following commands to build and install opensc.