Using Athena ASECard for PuTTY SSH/PKCS11 Authentication
Convert the certificate on the ASECard to a format OpenSSH can use for client authentication
1. Bring up the ASE Card Manager and select the Certificates & Keys tab
2. Select the public key (the named key with a certificate label icon) and choose Export Certificate
3. Give it a name you can remember. I like using the format <username>@<domain>.cer
4. Upload the file to your Linux system
5. Use OpenSSL to extract the public key portion of the X.509:
openssl x509 -inform DER -in gthornton@overdrive.com.cer -noout -pubkey >gthornton@overdrive.com.pub
6. Use pubkey2ssh to convert the X.509 public key to OpenSSH format:
./pubkey2ssh gthornton@overdrive.com.pub gthornton@overdrive.com >>~/.ssh/authorized_keys
7. Configure PuTTY-SC to use PKCS11 Authentication:
8. Log on to your server and, if all goes well, you should see a prompt similar to the following:
Using username "geoffrey".
Authenticating with public key "a329eec6-3664-4dfe-bff1-8344d467e8a8"
Passphrase for smartcard "ASECard #0C07501916200828":
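What steps 5 and 6 produce, as an added example (this is not the pubkey2ssh source and not code from the original post): it converts the PEM `PUBLIC KEY` block written by `openssl x509 -pubkey` into an `authorized_keys` line and computes its SHA256 fingerprint, so the line appended on the server can be checked against the card's certificate. It handles RSA keys only; the function names and the toy sample key are constructed for illustration.

```python
import base64, hashlib, struct

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 (rsaEncryption)

def _tlv(buf, pos, tag):
    """Read one DER element with the given tag at pos; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected DER tag {tag:#04x} at offset {pos}")
    length, pos = buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return buf[pos:pos + length], pos + length

def spki_pem_to_openssh(pem, comment):
    """Convert a PEM 'PUBLIC KEY' block (RSA only) to an authorized_keys line."""
    body = "".join(l for l in pem.strip().splitlines() if not l.startswith("-----"))
    spki, _ = _tlv(base64.b64decode(body), 0, 0x30)   # SubjectPublicKeyInfo
    alg, pos = _tlv(spki, 0, 0x30)                    # AlgorithmIdentifier
    if _tlv(alg, 0, 0x06)[0] != RSA_OID:
        raise ValueError("only RSA keys are handled in this example")
    bits, _ = _tlv(spki, pos, 0x03)                   # BIT STRING
    rsa, _ = _tlv(bits[1:], 0, 0x30)                  # skip the unused-bits octet
    n, pos = _tlv(rsa, 0, 0x02)                       # modulus
    e, _ = _tlv(rsa, pos, 0x02)                       # public exponent
    # DER INTEGER and SSH mpint are both minimal big-endian two's complement,
    # so the bytes (including any leading 0x00) carry over unchanged.
    blob = b"".join(struct.pack(">I", len(x)) + x for x in (b"ssh-rsa", e, n))
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def fingerprint(authorized_keys_line):
    """SHA256 fingerprint in the format printed by `ssh-keygen -lf`."""
    blob = base64.b64decode(authorized_keys_line.split()[1])
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")

# Constructed toy key (64-bit modulus, not a real or usable key), built from hex:
# SubjectPublicKeyInfo{AlgorithmIdentifier{rsaEncryption, NULL}, BIT STRING{n, e}}.
SAMPLE_DER = bytes.fromhex(
    "3024300d06092a864886f70d01010105000313003010"
    "020900c35a11279d4f810b0203010001")
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n" + base64.b64encode(SAMPLE_DER).decode()
              + "\n-----END PUBLIC KEY-----\n")

if __name__ == "__main__":
    line = spki_pem_to_openssh(SAMPLE_PEM, "user@example.com")
    print(line, fingerprint(line), sep="\n")
```

Comparing the printed fingerprint with `ssh-keygen -lf ~/.ssh/authorized_keys` on the server confirms the appended entry is the key from the exported certificate.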
- Geoff Thornton's blog
How to create certs
Hello,
Reading your tutorial, I’m experiencing some problems with the certificate. When I try to log in to SSH using the method you described, in putty.log I can see:
Event Log: Using key (17b8649e-7648-4edc-946a-586ab0ea7030) from token (IDProtect#0003183920670000)
Event Log: sc: Found cert: 17b8649e-7648-4edc-946a-586ab0ea7030
Event Log: sc: Found cert: 17b8649e-7648-4edc-946a-586ab0ea7030
Event Log: sc: No pub key found
and the login screen is asking me for the password.
What could be wrong? Windows Auth via DC is working perfectly!
Thanks in advance!
Paolinux
I’m not sure why you are having problems, but here are a couple of things to check:
* Is your 17b8649e-7648-4edc-946a-586ab0ea7030 key the default CAPI certificate if you have more than one on your card? Also, I’ve not tried this method with just X.509 certificates stored on the card.
* It seems as if you are using the ID Protect card from Athena and not the ASE Card. That one has FIPS certifications which may limit how you can interface with it. I’m not sure of the API differences, but it’s possible that PuTTY-SC can’t read the public certificate info from the smart card reader.
I don’t have much experience except the few smart card readers I’ve personally used. I almost got the IronKey API to work, but I had to use a different PKCS11 dll file and it didn’t work consistently.
As I come across information, I’ll be sure to pass it your way. And if you find out more info, I would be interested to see what your experience is as well.
Thanks,
—Geoff
I’ve tested the reader with OpenSC under Windows and OSX; in both of them, OpenSC recognizes the reader (ASEDrive III USB) but NOT the card.
I suspect the problem is the card used.
Tomorrow we’ll try to use an Athena ASE Card, and then I’ll notify you about those tests.
Thanks,
PaoLinux