The standard openssh packages shipped with Ubuntu 10.04 provide no support for smartcards. In order to get either the ssh-agent or ssh itself to accept a smartcard (such as the Aladdin eToken), I needed to recompile the whole package. I have no idea why the developers included no apparent support for smartcards in the distribution; installing the necessary packages doesn't make it possible to use them in any application I know.
Here's how to get support for smartcards in openssh:
- Set up a directory to download and compile the sources in.
- If you haven't already, make sure the "Source code" checkbox is checked in software-properties-gtk or you have the right deb-src lines in your /etc/apt/sources.list. After doing so, don't forget to execute apt-get update to update the package lists.
- Install all the required packages:
| Code: |
| $ apt-get install build-essential libopenct1 libopensc2 libopensc2-dev openct opensc |
| $ apt-get build-dep openssh |
In order to be able to use opensc as a normal user, you have to add your regular account to the scard user group:
| Code: |
| $ adduser <username> scard |
You might have to start a new shell/terminal or even log out and back in to apply the change.
- Now download the package into the directory you created. You can do this as an unprivileged user (I would recommend doing so). Change into the directory and execute:
| Code: |
| $ apt-get source openssh |
You should now have 2 .tar.gz files, 1 .dsc file and a source directory named openssh-<version number>. Change into the directory.
- Make sure openssh will be compiled with smartcard support. In the debian subdirectory, there's a file named rules. This file specifies what options are passed to configure when the package is compiled. Edit the file and insert the following line:
| Code: |
| confflags += --with-opensc |
The best place would be after the first block of confflags += ... statements, titled "Common build options.", as it's essential to insert it before the line saying
| Code: |
| confflags_udeb := $(confflags) |
- Now you can compile the package. Make sure you are in the source code root directory (openssh-<version number>) and execute
This will build the package without signing the package itself or the .changes file.
- If you now go back into the directory you created (should be 1 above your current directory), you should see several new .deb packages. Install these (for this you need root access again)
- You're almost done. If you use GNOME, you need to stop the gnome-keyring from breaking your ssh-agent. Doing this from the command line is a pain in the arse, so just use the "Startup Applications" menu entry under "System"->"Preferences". Use the tool to disable the "SSH Key Agent". If you don't use GNOME, you just wasted your time reading this step.
- Now log out and back in to make sure your ssh-agent is killed. If you don't use GNOME, you also need to make sure it is running at all (most desktop managers start it automatically, but if you only use a console, you need to configure it yourself).
- You should now be able to list the smartcard devices with
Ignore any error messages that might appear; it should still work just fine. 2 "OpenCT reader (detached)" entries will appear by default, and if you plugged in a smartcard, it should show up as such. Use
(or substitute 0 with the reader number if it is different) to add your private key to the ssh-agent.
One last note: Upon upgrading the openssh packages, you need to do all this again, of course.
That's it! You're done!
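Since the rebuild has to be repeated after every openssh upgrade, the debian/rules edit described above can be scripted. This is an added example, not part of the original post: the function name add_opensc_flag is hypothetical, and it assumes the rules file contains the confflags_udeb line quoted above.

```shell
#!/bin/sh
# Added example: idempotently insert "confflags += --with-opensc" into a
# debian/rules file, directly before the "confflags_udeb := $(confflags)" line.
# Usage (from the openssh-<version number> directory): add_opensc_flag debian/rules

add_opensc_flag() {
    rules=$1
    flag='confflags += --with-opensc'
    snap='^confflags_udeb[[:space:]]*:='

    [ -f "$rules" ] || { echo "no such file: $rules" >&2; return 2; }
    grep -q "$snap" "$rules" || { echo "confflags_udeb line not found" >&2; return 3; }

    # Insert only if the line is not there yet, so re-running is harmless.
    if ! grep -Fxq "$flag" "$rules"; then
        tmp=$(mktemp) || return 4
        awk -v flag="$flag" '
            !seen && /^confflags_udeb[ \t]*:=/ { print flag; seen = 1 }
            { print }
        ' "$rules" > "$tmp" && cat "$tmp" > "$rules"   # cat keeps the file mode
        rm -f "$tmp"
    fi

    # Verify the ordering. In make, ":=" expands $(confflags) at that line,
    # so a flag appended further down is not part of confflags_udeb.
    flag_line=$(grep -Fxn "$flag" "$rules" | head -n 1 | cut -d: -f1)
    snap_line=$(grep -n "$snap" "$rules" | head -n 1 | cut -d: -f1)
    [ "$flag_line" -lt "$snap_line" ]
}
```

The function returns non-zero if the flag ends up after the confflags_udeb line, for example because it was added by hand in the wrong place.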