SSH authentication using smartcard


Pooja Bagga

May 7, 2024, 11:27:06 AM
to piv-test-cards
Hi Team,

I need help with SSH authentication using a smartcard.

I have followed these steps:
TestPIVCardsv2TrustAnchorRootCA.cer is the root certificate; I'm trying to create a public key from this certificate using the following 2 commands:

openssl x509 -inform der -in TestPIVCardsv2TrustAnchorRootCA.cer -noout -pubkey > TestPIVCardsv2TrustAnchorRootCA.pub

ssh-keygen -f TestPIVCardsv2TrustAnchorRootCA.pub -i -m PKCs8


I have provided the generated pub key location in sshd_config as TrustedUserCAKeys:

TrustedUserCAKeys /nsconfig/ssl/test_new/TestPIVCardsv2TrustAnchorRootCA.pub


Please guide me if I'm missing any configuration for SSH authentication.


Please note that the same root CA cert is working for GUI authentication.


Thanks. 



Pooja Bagga

May 8, 2024, 8:54:43 AM
to piv-test-cards, Pooja Bagga
Hi All,

Can someone please help with this query?

Regards,
Pooja Bagga

Douglas E Engert

May 9, 2024, 3:43:48 PM
to piv-tes...@list.nist.gov
Have a look at these:
https://www.idmanagement.gov/implement/scl-ssh/
https://ubuntu.com/server/docs/smart-card-authentication-with-ssh

These get the user's public key from the card so it can be used to add the user's pubkey to the server.

(Note that the PIV test cards are for testing, so should not be used to authenticate to a server
accessible from the internet. Anyone with a set of these cards could then login to your server.)


What you appear to be doing is getting the pubkey of the root CA, which would also be needed on the
server to verify the user's certificate when the user tries to login.

And it is not clear if TestPIVCardsv2TrustAnchorRootCA.pub is in the PKCs8 format.

--

Douglas E. Engert <DEEn...@gmail.com>


Pooja Bagga

May 13, 2024, 2:56:25 PM
to Douglas E Engert, piv-tes...@list.nist.gov, Rashmi Bhaiya, Suman Rajaraman
Hi Douglas, 

Thanks for sharing the link. 

We followed the steps on Ubuntu desktop (https://ubuntu.com/server/docs/smart-card-authentication-with-ssh) and observed the following error:

ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so <username>@<IP>
PKCS#11 login failed: error 80
login failed
pkcs11_get_key failed
sign_and_send_pubkey: signing failed for RSA "PIV AUTH pubkey": error in libcrypto


I tried to search for the details of this error, but wasn't able to find them. Can you please help in this case?

Also, in the shared link https://www.idmanagement.gov/implement/scl-ssh/ I couldn't understand point 6, where it says to send the file to the server administrator. Can you please clarify which server administrator this file needs to be sent to?


Regards,
Pooja Bagga 


Jeffrey Walton

May 13, 2024, 3:36:30 PM
to Pooja Bagga, piv-test-cards
Forgive me if this is off-topic... You can use OpenSSL to generate certificates for use with SSH, but you need to turn some knobs in your *.conf file. It is not clear to me you are doing that since you did not show your *.conf file.

Generate a CSR or certificate using a custom *.conf file, like described at <https://www.cryptopp.com/wiki/X509Certificate#OpenSSL_x509>. Use extended key usage of secureShellClient or secureShellServer per RFC 6187, <https://datatracker.ietf.org/doc/html/rfc6187>.

The extended key usages are available in OpenSSL 1.1.x or above (iirc).

Jeff

Douglas E Engert

May 13, 2024, 4:15:18 PM
to Pooja Bagga, piv-tes...@list.nist.gov, Rashmi Bhaiya, Suman Rajaraman
Step 6 is assuming you do not have an account on the server, as indicated by steps 7, 8 and 9.

When you do get an account, the admins would have added your pubkey to your new account's ~/.ssh/authorized_keys

man ssh says this:
   "The file ~/.ssh/authorized_keys lists the public keys that are permitted for logging in. When the user logs
    in, the ssh program tells the server which key pair it would like to use for authentication. The client
    proves that it has access to the private key and the server checks that the corresponding public key is
    authorized to accept the account."

If you already have an account on the server machine you can add the entry yourself.


And I assume on the line: ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so <username>@<IP>
you put your username and the server domain name or IP address.



Pooja Bagga

May 15, 2024, 8:53:35 AM
to Douglas E Engert, piv-tes...@list.nist.gov, Rashmi Bhaiya, Suman Rajaraman, Kunal Patel
Hi Douglas, 

For https://www.idmanagement.gov/implement/scl-ssh/ we have the following queries; can you please help in clarifying them:

  • When we add the pubkey to the authorized_keys file, do we need to add any prefix to the copied pubkey to make SSHD understand that it's certificate-based authentication which the client is trying for?
  • OpenSSL has the capability to check the valid certificate issuer, and whether a cert is expired or not. With an expired cert, the user is expected to not log in. But when we use the expired Smart Card in PuttyCAC and copy the key file and copy the content to the authorized_keys file (#5, #6 in the link), then if we try to log in using SSH, the user will be able to log in. What is the expectation for SSH login with an expired certificate?
  • The user is able to log in using the steps mentioned in the link, but sshd debug logs mention that it's public key authentication and not certificate-based authentication.
Regards,
Pooja Bagga 

Douglas E Engert

May 16, 2024, 8:57:09 AM
to Pooja Bagga, piv-tes...@list.nist.gov, Rashmi Bhaiya, Suman Rajaraman, Kunal Patel
Original ssh just used keys, which as you point out have the problem that expired keys can continue to be used.

OpenSSH also supports certificates, Google for: openssh certificate authentication

I have not looked closely at this, but it looks like it addresses your problem, as this applies to more than just smartcards.
Note that the CA certificates need to be added to the server. I am not sure, but since "CAPI:" is shown on the screen
it implies that it should be using certificates.

I don't know what your environment is, but if Windows Active Directory or Kerberos are available,
a smartcard can be used with both to login to AD (that uses Kerberos PKINIT) and from there you can access any other
machine in the domain or Kerberos realm. SSH can use GSSAPI which is Kerberos based.

I am retired, but we were using gov issued PIV cards for AD and access to Linux systems that were joined to the AD domain,
and also used Shibboleth for cloud access that uses AD as a backend user database. Some cloud applications required
a PIV card to access. The fact that the certificate was for a private key that resided on the PIV card could then
address some HIPAA issues with some cloud applications.

I would suggest that if you have questions on SSH and smartcards, use the IDManagement or OpenSSH mailing list or stackexchange.com.


--

Douglas E. Engert <DEEn...@gmail.com>
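Editor's added example (not from any message in this thread and not from the idmanagement.gov or Ubuntu guides) illustrating the OpenSSH certificate mechanism Douglas points to, and the two questions it answers from the earlier messages: TrustedUserCAKeys expects an OpenSSH-format CA public key rather than an X.509 PEM, and only an OpenSSH certificate carries a validity window that sshd enforces; a bare authorized_keys entry copied from the card never expires. (For a single account, authorized_keys can alternatively hold the CA key with the cert-authority option instead of a raw key.) Assumptions: ssh-keygen is on PATH, and a locally generated ed25519 key stands in for the "PIV AUTH pubkey" that the Ubuntu guide reads off the card with ssh-keygen -D and the opensc-pkcs11.so module; the CA name, principal and validity intervals are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread or from the linked guides: an OpenSSH
# certificate authority with a validity window. It shows that TrustedUserCAKeys
# takes an OpenSSH-format CA public key (ca.pub below), not an X.509 PEM, and
# that only OpenSSH certificates carry an expiry sshd enforces; a bare
# authorized_keys entry never expires.
# Assumptions: ssh-keygen is on PATH; a locally generated ed25519 key stands
# in for the "PIV AUTH pubkey" that the Ubuntu guide reads off the card with
#   ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory for keys and certificates

# Create the CA key pair. Only ca.pub is installed on the server; the private
# half stays off the server (ideally on a hardware token itself).
make_ca() {
    ssh-keygen -q -t ed25519 -N "" -C "ssh-user-ca" -f "$WORK/ca"
    # The sshd_config line that points at the CA *public* key:
    printf 'TrustedUserCAKeys %s\n' "$WORK/ca.pub"
}

# Stand-in for the card-held user key (constructed locally, see above).
make_user_key() {
    ssh-keygen -q -t ed25519 -N "" -C "piv-auth-stand-in" -f "$WORK/user"
}

# Sign the user's public key into a certificate: $1 = output name,
# $2 = principal (login name the cert is good for), $3 = ssh-keygen validity
# interval, e.g. "-1d:+1d" (valid now) or "-2d:-1d" (already expired).
# ssh-keygen writes $WORK/$1-cert.pub next to $WORK/$1.pub.
sign_user_key() {
    cp "$WORK/user.pub" "$WORK/$1.pub"
    ssh-keygen -q -s "$WORK/ca" -I "piv-$2" -n "$2" -V "$3" "$WORK/$1.pub"
}

# Read the validity window sshd will enforce; return 0 when the certificate is
# valid right now, 1 otherwise. ssh-keygen -L prints "Valid: forever" or
# "Valid: from <ISO time> to <ISO time>" in local time.
cert_valid_now() {
    window=$(ssh-keygen -L -f "$WORK/$1-cert.pub" | sed -n 's/^ *Valid: //p')
    case "$window" in
        forever) return 0 ;;
        "from "*) ;;
        *) return 1 ;;   # "before"/"after" forms do not arise with -V a:b
    esac
    from=$(printf '%s\n' "$window" | sed 's/^from \([^ ]*\) to \([^ ]*\).*/\1/')
    to=$(printf '%s\n' "$window" | sed 's/^from \([^ ]*\) to \([^ ]*\).*/\2/')
    now=$(date +%Y-%m-%dT%H:%M:%S)
    # Fixed-width ISO 8601 timestamps compare correctly as strings.
    if [ "$from" \< "$now" ] && [ "$now" \< "$to" ]; then
        return 0
    fi
    return 1
}

# Stand-alone demo:  sh this_script.sh --run
demo() {
    make_ca
    make_user_key
    sign_user_key current piv-user "-1d:+1d"
    sign_user_key expired piv-user "-2d:-1d"
    for name in current expired; do
        if cert_valid_now "$name"; then
            echo "$name-cert.pub: sshd would accept (inside validity window)"
        else
            echo "$name-cert.pub: sshd would reject (outside validity window)"
        fi
    done
    ssh-keygen -L -f "$WORK/expired-cert.pub"   # show the enforced window
}

if [ "${1:-}" = "--run" ]; then
    demo
fi
```

With the real card, the user's public key would come from ssh-keygen -D rather than from make_user_key, and the server keeps only ca.pub (TrustedUserCAKeys) while the client presents user-cert.pub alongside the card; sshd's debug log then reports certificate authentication, with the principal and validity checked on every login, which is what the expired-card question above was after.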

