This is a short step-by-step tutorial on how to get an Aladdin eToken PRO to work for public-key authentication with OpenSSH through PKCS#11. An Aladdin eToken PRO is needed (obviously!), with its drivers and the necessary libraries installed; check the previous guide for details.
This post is part of the Security Bricks tutorials - simple methods and habits to build a deliberately secure operational environment, for personal and business use. The other parts are listed below:
- Part 1 - Physical OPSEC basics
- Part 2 - Preventing evil maid attacks
- Part 3 - KeePass password manager with 2FA
- Part 4 - Using tokens in Ubuntu with PGP
- Part 6 - Use a Bluetooth device for better security
Steps
- Check the objects on the token - Notice the two public/private key objects, generated previously:

```
$ pkcs11-tool --module /usr/lib/libeTPkcs11.so --slot 0 --login --list-objects
Logging in to "mytoken3".
Please enter User PIN:
Public Key Object; RSA 2048 bits
  label:      john@snow.com
  ID:         01
  Usage:      encrypt, verify, wrap
Private Key Object; RSA
  label:      john@snow.com
  ID:         01
  Usage:      decrypt, sign, unwrap
Certificate Object, type = X.509 cert
  label:      john@snow.com
  ID:         01
```
- Export the public key - Download the RSA public key from the token, in a format recognised by OpenSSH:

```
$ ssh-keygen -D /usr/lib/libeToken.so
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCGJ/[...]
```
- Add the key to the authorized_keys file - Append the exported public key to the `~/.ssh/authorized_keys` file of the account you will log in to:

```
$ ssh-keygen -D /usr/lib/libeToken.so >> ~/.ssh/authorized_keys
```
- Login using the private key - Connect to the server using the token to provide the private key. The PIN will be requested to access it:

```
$ ssh -I /usr/lib/libeToken.so m@192.168.X.X
Enter PIN for 'mytoken3':
Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.19.0-66-generic x86_64)
[...]
```
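The export-and-append step above has two properties worth knowing before you script it: `ssh-keygen -D` prints every public key the PKCS#11 module exposes (one line per key), and appending with `>>` each time the step is re-run leaves duplicate entries in authorized_keys. The following shell script is an added example, not code from the original post; it wraps the same `ssh-keygen -D` call, adds only keys that are not already present, and keeps the file private as sshd's StrictModes expects. The module path is the one used in the post; the function names and the sample key line in the usage comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not code from the original post). Exports the public keys that
# the token exposes through the PKCS#11 module and adds them to an
# authorized_keys file without creating duplicates when the step is re-run.
# Assumptions: the module path below is the one used in the post, ssh-keygen
# is on PATH, and the function names are this example's own.

MODULE="${MODULE:-/usr/lib/libeToken.so}"

# export_token_pubkeys: print every public key on the token in OpenSSH format.
# "ssh-keygen -D" returns all keys the module exposes, one per line, so a token
# holding several keys will export several lines; review them before adding.
export_token_pubkeys() {
    ssh-keygen -D "$MODULE"
}

# add_pubkeys_idempotent KEYFILE AUTHKEYS
# Appends each public key line from KEYFILE to AUTHKEYS unless the key material
# (the base64 field) is already present. Prints the number of keys added.
add_pubkeys_idempotent() {
    keyfile=$1
    authkeys=$2
    added=0
    [ -f "$authkeys" ] || : > "$authkeys"
    while IFS= read -r line; do
        case $line in
            ssh-*|ecdsa-*) ;;     # keep only OpenSSH public key lines
            *) continue ;;
        esac
        keydata=${line#* }        # drop the key type field
        keydata=${keydata%% *}    # drop the trailing comment, if any
        if grep -qF -- "$keydata" "$authkeys"; then
            continue              # this key is already authorized
        fi
        printf '%s\n' "$line" >> "$authkeys"
        added=$((added + 1))
    done < "$keyfile"
    chmod 600 "$authkeys"         # sshd (StrictModes) rejects group/world-writable files
    echo "$added"
}

# Typical use on the account that will accept the token login:
#   export_token_pubkeys > /tmp/token.pub
#   add_pubkeys_idempotent /tmp/token.pub ~/.ssh/authorized_keys
```

Running `add_pubkeys_idempotent` a second time with the same export reports `0` keys added and leaves the file unchanged, which is the behaviour the plain `>>` redirection in the post lacks.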