The smart cards must contact the Secure Shell server for certificate validation. Secure Shell is based on OpenSSH and provides the necessary PKCS #11 support for clients, so requires no additional configuration for smart cards. The Secure Shell server can be running any OpenSSH version. See How to Use the OpenSSH Implementation of Secure Shell in Managing Secure Shell Access in Oracle Solaris 11.3.
From a Secure Shell client, the private key on the user's smart card authenticates to a remote Secure Shell server by using key-based authentication. The user must configure the keys.
In this procedure, you, the smart card user, obtain the public key from your smart card, use that key to identify the card to Secure Shell, then configure Secure Shell to recognize it.
Before You Begin
A smart card reader with your smart card in it is attached to your Oracle Solaris system. The system has the pcsclite and ccid packages installed and the pcscd daemon enabled.
For the procedure, see How to Display a Smart Card's X.509 Certificate.
$ cd ; mkdir .ssh ; chmod 755 .ssh $ cd .ssh ; touch authorized_keys
Append the first public key in the output into the authorized_keys file, as in:
Printing data for mapper openssh: ssh-rsa AAAAB3NzaC1yc2EAAAA ... ... fname.lname@example.org
The key starts with ssh-key-signing-algorithm and ends with your email address. Do not introduce spaces when copying and pasting it.
$ chmod 600 authorized_keys
From a PC or workstation that has a CCID-compliant smart card reader attached, type ssh to connect to the smart card server.
$ ssh username@SSH-server
You are authenticated by your X.509 certificate-based CAC or smart card and PIN.
Your Secure Shell connection is a secure trusted link into the server. To prevent a possible attack from their local PC or workstation, users must log out of the server or remove their smart card or CAC when not actively working.