Authentication in OpenSSH Putty by JaCarta PKI

This article describes the algorithm for configuring the Putty SSH client for Windows to work with the JaCarta PKI.

JaCarta PKI - tokens manufactured by Aladdin RD for strict two-factor authentication of users when accessing protected information resources of the enterprise, secure key storage and key containers of software SKZI.

General information

Ssh

SSH is an application level network protocol that allows remote control of the operating system and tunneling of TCP connections. Encrypts all traffic, including transmitted passwords. SSH allows the choice of various encryption algorithms. SSH clients and SSH servers are available for most network operating systems.

SSH supports RSA-key authentication, which provides the maximum level of security for the data channel, as well as two-factor authentication for remote users.
')

Certificate Authentication

To configure SSH operation using RSA certificates, you need to configure an SSH server, as well as an SSH client on the client machine. This document describes the algorithm for configuring SSH operation using a smart card or a JaCarta PKI token for authentication and encryption of an established channel.

Setting up smart cards for SSH client

The order of the server side on the example of Ubuntu

Generating a key pair with ssh-keygen utility

Go to the /home/user/.ssh directory
ssh-keygen -t rsa
Set a key name, for example, key
Set the key password (to encrypt the private key), for example, 12345678
At the output we get two files, for example, key and key.pub

Generating a certificate request with keys from p. 1

openssl req -new -out user.req -key key

Certificate issue in CA openssl

Config openssl CA
1. cd / etc / ssl
2. sudo -i
3. echo “01”> serial
4. cp / dev / null index.txt
5. Editing /etc/ssl/openssl.cnf nano openssl.cnf
  - dir = ./
  - certs = $ dir / certs
  - crl_dir = $ dir / crl
  - database = $ dir / index.txt
  - new_certs_dir = $ dir / certs
  - certificate = $ dir / ca.crt
  - serial = $ dir / serial
  - crl = $ dir / crl.pem
  - private_key = $ dir / ca.key
6. openssl req -new -x509 -keyout ca.key -out ca.crt -days 3650
7. mkdir crl
8. Download
9. Run makehashlink
10. chmod + x make_hash_link.sh
11. ./make_hash_link.sh / etc / ssl
12. ./make_hash_link.sh / etc / ssl / crl
Signing a user certificate (release)
1. sudo -i
2. cd /home/user/.ssh
3. openssl ca-out user.crt -infiles user.req

Import public key in Autorized_keys

The /home/user/.ssh directory should contain a public key file containing ssh-rsa {KEY}. In the example, we created a file named key.pub
Import this key into the authorized_keys file
echo key.pub> authorized_keys

Donastroyka server part

chmod 700 authorized_keys
Openssh settings In /etc/ssh/sshd.conf, edit the authentication configuration
1. RSAAuthentication yes
2. PubkeyAuthentication yes
3. PasswordAuthentication no - failure to authenticate by password (optional)

Writing a certificate to a smart card

It is necessary to transfer the certificate to the smart card. To transfer, you need to collect all the necessary objects in an encrypted container and write it to a smart card.

openssl pkcs12 -export -in user.crt -inkey key -certfile ca.crt -name "user" -out user.pfx
Transferring the user.pfx file to a Windows system with the installed JaCarta Single Client software , or JC Client
Enter user PIN
Import certificate to token
Select the file user.pfx and click "Import"