Jan-Piet Mens :: SSH with a SmartCard-HSM and EC keys

Submitted by Style Pass, 2021-06-16 17:30:09

When documenting my experiences using a SmartCard-HSM for DNSSEC I linked to a post by Remy van Elst in which he discusses using a CardContact SmartCard-HSM with SSH, and I thought I’d try that, focussing on using EC keys.

The six-year-old HSM I have supports only 2048-bit RSA keys, which is reason enough to attempt using EC keys; but, as Remy pointed out when he wrote his article in 2016, OpenSSH had no PKCS#11 support for them at the time.

It turns out my client of choice has OpenSSH_8.1p1, which isn’t recent enough either, so I install portable OpenSSH version 8.6p1.

The public SSH key I place into an authorized_keys file on the target system. (I do this manually now but will typically use ssh-copy-id to do so.)

Note how I use ssh-agent's -P option to whitelist the paths from which PKCS#11 shared libraries may be loaded with ssh-add -s. This option expects the real directory, not a symlink to it.

And the rest, as they say, should be obvious: I can SSH into systems without having to specify the SmartCard-HSM PIN as the key is now managed by the agent.
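The agent setup described above, as an added example that is not code from the original post: a few POSIX sh helpers that canonicalise the PKCS#11 provider path, derive the `-P` allowlist from its real directory, and start the agent. The library path is a placeholder (the real one depends on your OpenSC install), and `provider_allowed` only approximates ssh-agent's check, which compares the allowlist pattern against the resolved path of the library; that is why, as the post notes, a pattern naming a symlinked directory never matches.

```shell
#!/bin/sh
# Added example, not from the original post. Helpers for running ssh-agent
# with a PKCS#11 provider allowlist (-P) and adding a SmartCard-HSM token.
# Library paths are placeholders; use the location from your OpenSC install.
set -eu

# Follow symlinks on the file and its directory until the canonical path is
# reached. ssh-agent compares -P patterns against the resolved provider path,
# so an allowlist that names a symlinked directory is never satisfied.
pkcs11_realpath() {
    path=$1
    while [ -L "$path" ]; do
        target=$(readlink "$path")
        case $target in
            /*) path=$target ;;
            *)  path=$(dirname "$path")/$target ;;
        esac
    done
    dir=$(cd "$(dirname "$path")" && pwd -P)
    printf '%s/%s\n' "$dir" "$(basename "$path")"
}

# Build the -P pattern admitting every library in the provider's real directory.
pkcs11_allowlist() {
    printf '%s/*\n' "$(dirname "$(pkcs11_realpath "$1")")"
}

# Approximation of ssh-agent's check: glob-match the canonical provider path
# against the allowlist pattern. Returns 0 when the add would be accepted.
provider_allowed() {
    pattern=$1
    real=$(pkcs11_realpath "$2")
    case $real in
        $pattern) return 0 ;;
        *)        return 1 ;;
    esac
}

# Print the token's public keys in a form suitable for authorized_keys.
hsm_pubkeys() {
    ssh-keygen -D "$1"
}

# Start an agent whose allowlist covers the provider's real directory, then
# add the token; ssh-add prompts for the SmartCard-HSM PIN once.
hsm_agent_start() {
    lib=$1
    eval "$(ssh-agent -s -P "$(pkcs11_allowlist "$lib")")"
    ssh-add -s "$lib"
}

# Usage (placeholder path): . ./hsm-agent.sh /usr/local/lib/opensc-pkcs11.so
if [ $# -gt 0 ]; then
    hsm_agent_start "$1"
fi
```

Source the script rather than executing it so that the `SSH_AUTH_SOCK` exported by `ssh-agent -s` lands in your interactive shell; `hsm_pubkeys` gives you the line to paste into the remote `authorized_keys`.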
