@sandys
Last active May 19, 2020 14:14
Registering a hardware token

OSX - https://github.com/OpenSC/OpenSC/releases/download/0.16.0/OpenSC-0.16.0.dmg

Fedora - sudo dnf install pcsc-tools opensc ccid

Ubuntu - sudo apt install pcsc-tools opensc libccid

Find out where OpenSC has installed the pkcs11 module.

For OS X with binary installation this is typically in /Library/OpenSC/lib/. Homebrew users can use export OPENSC_LIBS=$(brew --prefix opensc)/lib

pkcs15-init --erase-card should show some output.

Windows - https://github.com/OpenSC/OpenSC/releases/download/0.19.0-rc1/OpenSC-win64_vs12-Release.msi

First time init

On Windows, use "C:\Program Files\OpenSC Project\OpenSC\tools\pkcs15-init.exe"; the commands themselves remain the same.

pkcs15-init --erase-card

**In this step you will choose a password and enter it 4 times. Please choose a strong password.**

pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "RedCarpet"

pkcs15-init --auth-id 1 --generate-key rsa/2048 --key-usage sign,decrypt --label "RedCarpet"

# credit to https://zerowidthjoiner.net/2019/01/12/using-ssh-public-key-authentication-with-a-smart-card for Windows help
# Apparently windows needs a certificate along with a key. OpenSC does not create certificates, but can definitely store them

openssl req -engine pkcs11 -new -key "pkcs11:object=RedCarpet" -keyform engine -out myCert.pem -days 3650 -outform pem -x509 -utf8

(press Enter at every prompt)

pkcs15-init --store-certificate myCert.pem --id 01 --verify-pin

To verify it worked, run pkcs15-tool --dump. It should show an X.509 certificate.

Listing keys

To list the keys that you created in your previous step

pkcs15-tool --list-keys

Get ssh public key of the key you created in the previous step

pkcs15-tool --read-ssh-key <key id>

The public key printed by this command is what we add to our servers. Whenever we ask you to "send your public key", this is what you send.
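As an added check before a token's key is handed over (this is not part of the original gist), the script below picks the signing key's ID out of pkcs15-tool --list-keys output and validates the line that pkcs15-tool --read-ssh-key prints: it must be a well-formed ssh-rsa key with a sane exponent and a modulus of at least 2048 bits, matching the rsa/2048 key generated above. The --list-keys layout in LIST_KEYS_SAMPLE is a constructed sample, not captured from a real token, and the encode_ssh_rsa helper exists only to build test input.

```python
import base64
import re
import struct

# Constructed sample of `pkcs15-tool --list-keys` output (layout assumed, not captured).
LIST_KEYS_SAMPLE = """\
Private RSA Key [RedCarpet]
\tUsage          : [0x2E], decrypt, sign, signRecover, unwrap
\tModLength      : 2048
\tID             : 01
"""

def signing_key_ids(listing):
    """IDs of private keys whose Usage line lists 'sign' (the ones usable for SSH)."""
    ids = []
    for block in re.split(r"(?=^Private )", listing, flags=re.M):
        usage = re.search(r"^\s*Usage\s*:\s*\[[^\]]*\],\s*(.*)$", block, re.M)
        key_id = re.search(r"^\s*ID\s*:\s*(\S+)", block, re.M)
        if usage and key_id and "sign" in [u.strip() for u in usage.group(1).split(",")]:
            ids.append(key_id.group(1))
    return ids

def _mpint(n):
    # SSH mpint: length-prefixed big-endian bytes, leading 0x00 if the top bit is set
    b = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return struct.pack(">I", len(b)) + b

def encode_ssh_rsa(e, n):
    # OpenSSH 'ssh-rsa' line for (e, n); used here only to build input for parse_ssh_rsa
    blob = struct.pack(">I", 7) + b"ssh-rsa" + _mpint(e) + _mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode()

def parse_ssh_rsa(line):
    """Return (e, modulus_bits) for an 'ssh-rsa' line; raise ValueError if malformed."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa key line")
    blob, fields, off = base64.b64decode(parts[1], validate=True), [], 0
    while off + 4 <= len(blob):  # each field is a 4-byte big-endian length, then the bytes
        (length,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + length])
        off += 4 + length
    if off != len(blob) or len(fields) != 3 or fields[0] != b"ssh-rsa":
        raise ValueError("malformed ssh-rsa blob")
    return int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big").bit_length()

def key_acceptable(line, min_bits=2048):
    """True when the line is ssh-rsa with e >= 65537 and a modulus of at least min_bits."""
    e, bits = parse_ssh_rsa(line)
    return e >= 65537 and bits >= min_bits
```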

ssh (after your public key has been added to servers)

Fedora - ssh   -o PKCS11Provider=/usr/lib64/opensc-pkcs11.so user@gcp.red.com

Ubuntu - ssh  -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so  user@gcp.red.com

OSX - ssh -o PKCS11Provider=/Library/OpenSC/lib/opensc-pkcs11.so user@gcp.red.com

Windows - download PuTTY CAC and follow the "PKCS 11" configuration section in http://risacher.org/putty-cac/

DB access through bastion

# OSX
ssh -N -o PKCS11Provider=/Library/OpenSC/lib/opensc-pkcs11.so -L 5432:rds.db.aws.com:5432 username@bastion-ip

# Ubuntu
ssh -N -o PKCS11Provider=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L 5432:rds.db.aws.com:5432 username@bastion-ip

# Fedora
ssh -N -o PKCS11Provider=/usr/lib64/opensc-pkcs11.so -L 5432:rds.db.aws.com:5432 username@bastion-ip

@swagatsarma

If one gets this error:
Failed to create PKCS #15 meta structure: Not allowed
Try (replace 0000 with the PIN that you need):
pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --label "RedCarpet"

@aszenz

aszenz commented Jan 7, 2019

Currently on Ubuntu 18.04, apt installs an older version of opensc (0.17.0-3), which throws the following error:
PKCS#15 binding failed: Unsupported card while generating the rsa key.
See this issue for more info.

To get it working, compile and install the latest version of opensc (0.19.0 is working for me) following this guide. Make sure to install the build dependencies first.

Build Requirements for opensc (0.19) on Ubuntu 18.04

sudo apt install pcscd libccid libpcsclite-dev libssl-dev libreadline-dev autoconf automake build-essential docbook-xsl xsltproc libtool pkg-config zlib1g-dev

Then download the latest version of opensc from here.

Finally, run the following commands to build and install opensc:

tar xfvz opensc-*.tar.gz
cd opensc-*
./bootstrap
./configure --prefix=/usr --sysconfdir=/etc/opensc
make
sudo make install
