2 Jul 2014 pipeman   » (Journeyer)

SSH authentication using the Finnish electronic ID card (FINEID) on OS X

The government of Finland provides smart card-enabled ID cards to all residents under the FINeID program run by the Population Register Centre (Väestörekisterikeskus). The chip provided is, according to the spec, based on ISO/IEC 7816-15 (also known as PKCS#15), 7816-4 and 7816-8. The open source project OpenSC makes it possible to interact with PKCS#15 cards on a variety of operating systems, including OS X, Linux and Windows.

When I renewed my ID card I became interested in the possibilities provided by this, so I ordered a card reader known to work with Mac and installed version 0.13. The latest version is 0.14.0 but there are no pre-compiled binaries for OS X, and my own attempts at building it failed quite early.

After installing OpenSC, you'll see something similar to the following message in the system log when inserting the card reader and the card:

2014-07-02 20:11:38,774 com.apple.SecurityServer[17]: reader SCR35xx Smart Card Reader 00 00 inserted token "HENKILOKORTTI" (088f5dfb29f6672f9435db333fc0539bc64f2769) subservice 2 using driver com.apple.tokend.opensc

You can then use the pkcs15-tool command to list available private keys stored on the card:

$ pkcs15-tool -k
Using reader with a card: SCR35xx Smart Card Reader 00 00
Private RSA Key [todentamis- ja salausavain]
Object Flags : [0x1], private
Usage : [0x26], decrypt, sign, unwrap
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Access Rules : execute:01;
ModLength : 2048
Key ref : 0 (0x0)
Native : yes
Path : 3f004b01
Auth ID : 01
ID : 45

Private RSA Key [allekirjoitusavain]
Object Flags : [0x1], private
Usage : [0x200], nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
Access Rules : execute:02;
ModLength : 2048
Key ref : 0 (0x0)
Native : yes
Path : 3f0050164b02
Auth ID : 02
ID : 46

Your FINeID card provides you with two certificates and corresponding keys; one for signing and one for authentication and encryption. However, for the purpose of SSH authentication the certificates (and their stated purpose) don't matter; we just care about the corresponding RSA public and private keys, so we can pick either one. You need to know which one you're using because they're protected with different PIN codes, provided to you by mail. Above, we can see that the first key, labelled todentamis- ja salausavain has ID 45 on the card - let's pick that. It happens to be the authentication/encryption key and is protected with PIN1. We then simply need to retrieve its corresponding public key in a format suitable for an OpenSSH authorized_keys file. Luckily pkcs15-tool provides exactly that - just tell it you want the key with ID 45 and pipe it to pbcopy to place it into your pasteboard.

$ pkcs15-tool --read-ssh-key 45|pbcopy
Using reader with a card: SCR35xx Smart Card Reader 00 00

Open ~/.ssh/authorized_keys on the target computer and paste the contents of your pasteboard into its own line.

Next you need to tell your SSH client to defer authentication to your smart card. This is done by using the -I option to ssh to specify the OpenSC PKCS#11 library, like this:

$ ssh -I /usr/lib/opensc-pkcs11.so karin.local
Enter PIN for 'HENKILOKORTTI (perustunnusluku)':
Last login: Wed Jul 2 21:06:33 2014 from otter.local
karin:~ rasmus$

You will be prompted for your PIN - enter PIN1 here provided that you picked the "todentamis- ja salausavain" key earlier and you will be logged in. To have ssh always query your ID card, add the following to ~/.ssh/config (add a "Host" section above to apply it to one or more specific remote hosts):

PKCS11Provider /usr/lib/opensc-pkcs11.so

That's it! You can now use your Finnish ID card as a hardware authentication token for your SSH logins.

Update: you can apparently also do this using ssh-agent. I haven't tried this yet myself but will update the blog post once I have. Following those instructions seem to put launchd in a very bad state on OS X 10.9.4. I'll investigate a bit more but until then I recommend against trying ssh-agent with the OpenSC PKCS#11 support.

Latest blog entries     Older blog entries

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!