
SSH authentication using eToken Pro USB dongle

In this post I will tell you how to configure SSH authentication using the eToken USB key.

For this we need:

- The eToken Pro USB key itself (in my case, an eToken Pro 64k)
- Windows operating system with eToken PKI Client drivers installed
- Mozilla Firefox with the Key Manager plugin installed
- SSH client with smart card support. I personally like PuTTY SC - a modified version of PuTTY.
It is assumed that you already have an initialized USB key with a PIN set, and that it is connected to the computer and ready for use.

Creating the public/private key pair.

1) Launch Firefox and open Key Manager (Tools -> Key Manager Tool Box -> Key Manager)

2) Enter the user password for the eToken

3) In the main Key Manager menu, select “Generate Self-Signed Cert”

4) Fill in the fields as shown in the picture and click “Generate Self-Signed Cert”. Naturally, you need to enter your own data, such as city, country, and the server's FQDN. Optionally, you can specify additional certificate properties, such as the expiration date.

5) Select the desired token from the list and click "OK". Please note that if you generate the certificate directly on the token, it will be impossible to export the private key.

6) In the Key Manager main menu, highlight the newly created certificate and click the “Export” button

7) In the window that appears, select the "OpenSSH Pubkey" format and click "OK"

As a result, we get a line like the one below. This is our public key - save it, we will need it in the next step.

ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDL9ViU3+/80xZka0G91eoDyNuPT4eb1/8ro0iZEBnRI7+B+LwJbWrvqfJxNQluMiGPhftBCao4VjCcby21g0q+1sp42MR1bPD8BgA42ZDuum/sq5gFEM16n+g8+bXxtoZ/kF2bPJ4fGsowmdQCc8I7xECcYazz2AG8oZqU9l0anw==


Setting up key authentication on the server.

In my case, the server runs Debian Lenny.

You need to make sure that the sshd configuration allows authentication using public keys. To do this, set the “PubkeyAuthentication” parameter to “yes” in the “sshd_config” file.

Then add the public key obtained earlier to the "~/.ssh/authorized_keys" file (on a single line). Please note that the ".ssh/authorized_keys" file is located in the home directory of the user who will then log in using the public key.
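An added example, not part of the original post: the exported line can be checked before it goes into authorized_keys. The Python below parses the "OpenSSH Pubkey" format, reports the RSA modulus size and the SHA256 fingerprint in the form current OpenSSH versions print; the function names and the 2048-bit minimum are assumptions for illustration.

```python
import base64
import hashlib
import struct

# Public key line from the export step above, copied from the post.
EXPORTED = ("ssh-rsa "
            "AAAAB3NzaC1yc2EAAAADAQABAAAAgQDL9ViU3+/80xZka0G91eoD"
            "yNuPT4eb1/8ro0iZEBnRI7+B+LwJbWrvqfJxNQluMiGPhftBCao4"
            "VjCcby21g0q+1sp42MR1bPD8BgA42ZDuum/sq5gFEM16n+g8+bXx"
            "toZ/kF2bPJ4fGsowmdQCc8I7xECcYazz2AG8oZqU9l0anw==")
MIN_RSA_BITS = 2048  # assumed local policy, not a value from the post

def read_fields(blob):
    """Split an SSH wire-format blob into its length-prefixed fields."""
    fields, pos = [], 0
    while pos < len(blob):
        if pos + 4 > len(blob):
            raise ValueError("truncated length prefix")
        (n,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        if pos + n > len(blob):
            raise ValueError("field runs past end of blob")
        fields.append(blob[pos:pos + n])
        pos += n
    return fields

def inspect_pubkey(line):
    """Return (key type, modulus bits, SHA256 fingerprint) for one key line."""
    parts = line.split()
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    fields = read_fields(blob)  # ssh-rsa blob: type name, exponent e, modulus n
    if parts[0] != "ssh-rsa" or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("not a well-formed ssh-rsa key")
    bits = int.from_bytes(fields[2], "big").bit_length()
    digest = hashlib.sha256(blob).digest()
    return parts[0], bits, "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def acceptable(line, min_bits=MIN_RSA_BITS):
    """True if the line parses as ssh-rsa and meets the minimum modulus size."""
    try:
        return inspect_pubkey(line)[1] >= min_bits
    except ValueError:  # also covers malformed base64 (binascii.Error)
        return False

if __name__ == "__main__":
    print(inspect_pubkey(EXPORTED), acceptable(EXPORTED))
```

For the key shown above this reports a 1024-bit modulus, so it does not pass the assumed 2048-bit minimum.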

Configure PuTTY SC SSH Client to use smart cards.

PuTTY SC is a modified version of PuTTY. The only significant difference from the original version is support for smart cards.

Setup is almost the same as for a normal connection: you need to specify the server address, connection type, keyboard type and encoding.

To use authentication with a smart card, go to the "Connection -> SSH -> Pkcs11" section, tick the "Attempt PKCS#11 smartcard auth (SSH-2)" checkbox, specify the path to the eToken library, "C:\Windows\System32\eToken.dll", and select from the list the name of the token and the private key that we created earlier.

When connecting, you will be prompted for the user PIN of the USB key.

Congratulations, you can now use SSH authentication with eToken Pro!

Note: of course, you can generate keys in various ways, using different software and different operating systems. The Windows + Firefox combination was chosen as the simplest and clearest.

Another note: if you wish, you can disable the other authentication methods on the server, leaving only key authentication.

Source: https://habr.com/ru/post/88540/
