A walk outside the sandbox

Home Blog Cheat Sheets MacOS Tips Area 51 About

Token-based Authentication for SSH



This is a short step-by-step tutorial for how to get an Aladdin eToken PRO to work for public-key authentication with OpenSSH through PKCS11. An Aladdin Pro token is needed (obviously!) with drivers and necessary libraries installed. Check the previous guide for details.

This post is part of the Security Bricks tutorials - simple methods and habits to build a deliberately secure operational environment, for personal and business use. The other parts below:


  • Check the objects on the token - Notice the two public/private key objects, generated previously:
    $ pkcs11-tool --module /usr/lib/ --slot 0 --login --list-objects
    Logging in to "mytoken3".
    Please enter User PIN: 
    Public Key Object; RSA 2048 bits
    ID:         01
    Usage:      encrypt, verify, wrap
    Private Key Object; RSA 
    ID:         01 
    Usage:      decrypt, sign, unwrap
    Certificate Object, type = X.509 cert
    ID:         01
  • Export the public key - Download the RSA public key from the token, in a format recognised by OpenSSH:
    $ ssh-keygen -D /usr/lib/
  • Add the key to autorized_keys file
    $ ssh-keygen -D /usr/lib/ >> ~/.ssh/authorized_keys
  • Login using the private key - Connect to the server using the token to provide the private key. The PIN will be requested to access it:
    $ ssh -I /usr/lib/ m@192.168.X.X   
    Enter PIN for 'mytoken3': 
    Welcome to Ubuntu 14.04.5 LTS (GNU/Linux 3.19.0-66-generic x86_64)