
@tonybenoy
Forked from sandys/hardware_token.md
Last active June 8, 2019 19:58
Registering a hardware token

OSX - https://github.com/OpenSC/OpenSC/releases/download/0.16.0/OpenSC-0.16.0.dmg

Fedora - sudo dnf install pcsc-tools opensc ccid

Ubuntu - sudo apt install pcsc-tools opensc libccid

archlinux - sudo pacman -S opensc ccid

On Arch Linux you will also have to start and enable pcscd.socket (see https://wiki.archlinux.org/index.php/Common_Access_Card):

  `sudo systemctl start pcscd.socket`
  
  `sudo systemctl enable pcscd.socket`

Find out where OpenSC has installed the pkcs11 module.

For OS X with the binary installation this is typically /Library/OpenSC/lib/. Homebrew users can use `export OPENSC_LIBS=$(brew --prefix opensc)/lib`

Running pkcs15-init --erase-card should show some output.

Windows - https://github.com/OpenSC/OpenSC/releases/download/0.19.0-rc1/OpenSC-win64_vs12-Release.msi

First time init

On Windows, use "C:\Program Files\OpenSC Project\OpenSC\tools\pkcs15-init.exe"; the commands remain the same.

pkcs15-init --erase-card

**In this step you will choose a password and enter it 4 times. Please choose a strong password.**

pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "RedCarpet"

pkcs15-init --auth-id 1 --generate-key rsa/2048 --key-usage sign,decrypt --label "RedCarpet"

# Credit to https://zerowidthjoiner.net/2019/01/12/using-ssh-public-key-authentication-with-a-smart-card for the Windows help
# Apparently Windows needs a certificate along with the key. OpenSC does not create certificates, but it can definitely store them.

openssl req -engine pkcs11 -new -key "pkcs11:object=RedCarpet" -keyform engine -out myCert.pem -days 3650 -outform pem -x509 -utf8 (press Enter at every prompt)

pkcs15-init --store-certificate myCert.pem --id 01 --verify-pin

To verify it worked, run pkcs15-tool --dump; it should show an X.509 certificate.

Listing keys

To list the keys that you created in the previous step:

pkcs15-tool --list-keys

Get the SSH public key of the key you created in the previous step:

pkcs15-tool --read-ssh-key <key id>

The public key printed by that command is what we add to our servers. Whenever we ask you to "send your public key", this is what you send.

ssh (after your public key has been added to the servers)

Fedora - ssh -o PKCS11Provider=/usr/lib64/opensc-pkcs11.so [email protected]

Ubuntu - ssh -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so [email protected]

OSX - ssh -o PKCS11Provider=/Library/OpenSC/lib/opensc-pkcs11.so [email protected]

Windows - download PuTTY CAC and follow the "PKCS 11" configuration section in http://risacher.org/putty-cac/

DB access through bastion

OSX - ssh -N -o PKCS11Provider=/Library/OpenSC/lib/opensc-pkcs11.so -L 5432:rds.db.aws.com:5432 username@bastion-ip

Ubuntu - ssh -N -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L 5432:rds.db.aws.com:5432 username@bastion-ip

Fedora - ssh -N -o PKCS11Provider=/usr/lib64/opensc-pkcs11.so -L 5432:rds.db.aws.com:5432 username@bastion-ip
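As an added example (not part of the gist), a small POSIX shell helper that looks for opensc-pkcs11.so at the module locations listed above (honouring OPENSC_LIBS for Homebrew installs) and builds the ssh command for either a plain login or the bastion port forward, so the same wrapper works on Fedora, Ubuntu and OS X. Function and variable names are my own; it assumes the module file is always named opensc-pkcs11.so.

```shell
#!/bin/sh
# Locate the OpenSC PKCS#11 module. Search order: OPENSC_LIBS (if set), then the
# per-distro paths from this page. Extra directories may be passed as arguments,
# in which case they replace the default list (assumption: module name is fixed).
find_opensc_module() {
    if [ $# -gt 0 ]; then
        _dirs="${OPENSC_LIBS:-} $*"
    else
        _dirs="${OPENSC_LIBS:-} /Library/OpenSC/lib /usr/lib64 /usr/lib/x86_64-linux-gnu /usr/lib"
    fi
    for _d in $_dirs; do
        [ -n "$_d" ] || continue
        if [ -f "$_d/opensc-pkcs11.so" ]; then
            printf '%s\n' "$_d/opensc-pkcs11.so"
            return 0
        fi
    done
    echo "opensc-pkcs11.so not found; is OpenSC installed?" >&2
    return 1
}

# Print the ssh command line for TARGET (user@host). If a FORWARD spec such as
# 5432:rds.db.aws.com:5432 is given, emit the bastion tunnel form (-N -L) instead.
token_ssh_cmd() {
    _target="$1"; _forward="$2"
    _mod=$(find_opensc_module) || return 1
    if [ -n "$_forward" ]; then
        printf 'ssh -N -o PKCS11Provider=%s -L %s %s\n' "$_mod" "$_forward" "$_target"
    else
        printf 'ssh -o PKCS11Provider=%s %s\n' "$_mod" "$_target"
    fi
}

# Run the command built above, e.g.: token_ssh username@bastion-ip 5432:rds.db.aws.com:5432
token_ssh() {
    _cmd=$(token_ssh_cmd "$@") || return 1
    $_cmd
}
```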
