Go to main content

Managing Authentication in Oracle® Solaris 11.4

Exit Print View

Updated: November 2020

Configuring Secure Shell Clients for Smart Cards

The smart cards must contact the Secure Shell server for certificate validation. Secure Shell in Oracle Solaris 11.4 is based on OpenSSH and provides the necessary PKCS #11 support for clients, so requires no additional configuration for smart cards. The Secure Shell server can be running any OpenSSH version.

From a Secure Shell client, the private key on the user's smart card authenticates to a remote Secure Shell server by using key-based authentication. The user must configure the keys.

How to Configure the Secure Shell Client for Smart Cards

In this procedure, you, the smart card user, obtain the public key from your smart card, use that key to identify the card to Secure Shell, then configure Secure Shell to recognize it.

Before You Begin

A smart card reader with your smart card in it is attached to your Oracle Solaris system. The system has the pcsclite and ccid packages installed and the pcscd daemon enabled.

  1. Obtain the public key from your smart card.

    For the procedure, see How to Display a Smart Card's X.509 Certificate.

  2. Add the public key portion to the .ssh directory in your home directory.
    1. Create an authorized_keys file in your $HOME/.ssh directory.
      $ cd ; mkdir .ssh ; chmod 755 .ssh
      $ cd .ssh ; touch authorized_keys
    2. Copy the public key information from the preceding output into the authorized_keys file.

      Append the first public key in the output into the authorized_keys file, as in:

      Printing data for mapper openssh:
      ssh-rsa AAAAB3NzaC1yc2EAAAA ...
      ... fname.lname@example.org

      The key starts with ssh-key-signing-algorithm and ends with your email address. Do not introduce spaces when copying and pasting it.

    3. Verify that the permissions on the authorized_keys file are 600.
      $ chmod 600 authorized_keys
  3. Test your access.

    From a PC or workstation that has a CCID-compliant smart card reader attached, type ssh to connect to the smart card server.

    $ ssh username@SSH-server

    You are authenticated by your X.509 certificate-based CAC or smart card and PIN.

    Note - At the ssh login prompt, the system should now require your PIN instead of your password, because the system is now authenticating from the X.509 certificate information on the smart card.
  4. Log out immediately after the test.

    Your Secure Shell connection is a secure trusted link into the server. To prevent a possible attack from their local PC or workstation, users must log out of the server or remove their smart card or CAC when not actively working.