Authentication in OpenSSH and PuTTY with JaCarta PKI
This article describes how to configure the PuTTY SSH client for Windows to work with JaCarta PKI.
JaCarta PKI is a family of tokens produced by Aladdin R.D. for strong two-factor authentication of users accessing protected enterprise information resources, and for secure storage of keys and key containers of software cryptographic information protection tools.
General information
SSH
SSH is an application-level network protocol that allows remote control of the operating system and tunneling of TCP connections. It encrypts all traffic, including transmitted passwords. SSH allows the selection of various encryption algorithms. SSH clients and SSH servers are available for most network operating systems.
SSH supports RSA-key authentication, which provides the highest level of security for the data channel, as well as two-factor authentication of remote users.
Certificate Authentication
To configure SSH operation using RSA certificates, you need to configure the SSH server, as well as the SSH client on the client machine. This document describes an algorithm for configuring SSH using a smart card or JaCarta PKI token for authentication and encryption of the established channel.
Configuring smart cards for an SSH client
The procedure for configuring the server side, using Ubuntu as an example
Key pair generation with the ssh-keygen utility
- Go to the directory /home/user/.ssh
- ssh-keygen -t rsa
- Set key name, e.g. key
- Set the key password (for encrypting the private key), for example, 12345678
- The output is two files, for example, key and key.pub
Generating a certificate request with the keys from step 1
- openssl req -new -out user.req -key key
Issuing a certificate with an openssl CA
- Setting up the openssl CA
- cd /etc/ssl
- sudo -i
- echo "01" > serial
- cp /dev/null index.txt
- Editing /etc/ssl/openssl.cnf: nano openssl.cnf
- dir = ./
- certs = $dir/certs
- crl_dir = $dir/crl
- database = $dir/index.txt
- new_certs_dir = $dir/certs
- certificate = $dir/ca.crt
- serial = $dir/serial
- crl = $dir/crl.pem
- private_key = $dir/ca.key
- openssl req -new -x509 -keyout ca.key -out ca.crt -days 3650
- mkdir crl
- Download make_hash_link.sh
- Launch make_hash_link.sh
- chmod +x make_hash_link.sh
- ./make_hash_link.sh /etc/ssl
- ./make_hash_link.sh /etc/ssl/crl
- cd /etc/ssl
- Signing (issuing) the user certificate
- sudo -i
- cd /home/user/.ssh
- openssl ca -out user.crt -infiles user.req
- sudo -i
Importing the public key into authorized_keys
- The directory /home/user/.ssh should contain a public key file whose content is ssh-rsa {KEY}. In the example, we created a file called key.pub
- Append the content of this key file to the authorized_keys file (redirecting echo would write the literal file name, not the key)
- cat key.pub >> authorized_keys
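A quick way to verify that the import step above produced a usable authorized_keys file is to parse each line the way sshd does: the first field must be the key type, the second a base64 blob in SSH wire format whose embedded type tag matches. The following is an added example, not part of the original article; the RSA parameters it encodes are constructed placeholders, and the second sample line is the literal text that a mistaken `echo key.pub > authorized_keys` would leave behind.

```python
import base64
import struct

def _ssh_string(data: bytes) -> bytes:
    # One SSH wire-format string: 4-byte big-endian length, then the bytes.
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    # SSH mpint: big-endian magnitude, with a leading 0x00 if the high bit is set.
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    return _ssh_string(b"\x00" + raw if raw and raw[0] & 0x80 else raw)

def encode_rsa_pubkey(e: int, n: int, comment: str = "user@host") -> str:
    # Build an OpenSSH public-key line, the format key.pub and authorized_keys use.
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    return "ssh-rsa " + base64.b64encode(blob).decode() + " " + comment

def _read_string(blob: bytes, pos: int):
    # Decode one SSH wire-format string at pos; return (bytes, next_pos).
    (length,) = struct.unpack(">I", blob[pos:pos + 4])
    return blob[pos + 4:pos + 4 + length], pos + 4 + length

def check_authorized_keys(text: str) -> list:
    """Return (line_no, status, detail) for each non-blank, non-comment line."""
    results = []
    for line_no, line in enumerate(text.splitlines(), 1):
        parts = line.strip().split(None, 2)
        if not parts or parts[0].startswith("#"):
            continue
        if len(parts) < 2 or parts[0] != "ssh-rsa":
            results.append((line_no, "bad", "not an 'ssh-rsa <base64>' entry"))
            continue
        try:
            blob = base64.b64decode(parts[1], validate=True)
            key_type, pos = _read_string(blob, 0)
            e_bytes, pos = _read_string(blob, pos)
            n_bytes, pos = _read_string(blob, pos)
        except (ValueError, struct.error):
            results.append((line_no, "bad", "blob is not valid base64 / SSH wire data"))
            continue
        if key_type != b"ssh-rsa" or pos != len(blob):
            results.append((line_no, "bad", "blob type tag or length mismatch"))
            continue
        bits = int.from_bytes(n_bytes, "big").bit_length()
        results.append((line_no, "ok", "RSA %d-bit, e=%d" % (bits, int.from_bytes(e_bytes, "big"))))
    return results

# Constructed authorized_keys content: one valid entry (placeholder RSA values, not
# a real key), then the literal text that `echo key.pub > authorized_keys` leaves.
SAMPLE_AUTHORIZED_KEYS = encode_rsa_pubkey(65537, (1 << 2047) + 0x1234567) + "\nkey.pub\n"
```

Run `check_authorized_keys(open("authorized_keys").read())` on the real file after the import step; any "bad" line will be silently ignored by sshd and the login will fall through to whatever other methods remain enabled.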
Reconfiguring the server side
- chmod 700 authorized_keys
- OpenSSH settings. In /etc/ssh/sshd_config, edit the authentication settings:
- RSAAuthentication yes
- PubkeyAuthentication yes
- PasswordAuthentication no (optional: disables password authentication)
Writing a certificate to a smart card
You must transfer the certificate to the smart card. To transfer, you need to collect all the necessary objects in an encrypted container and write it to a smart card.
- openssl pkcs12 -export -in user.crt -inkey key -certfile ca.crt -name "user" -out user.pfx
- Transfer the user.pfx file to a Windows system with the JaCarta Single Client software (or JC Client) installed
- Enter the user PIN
- Import Token Certificate
- Select the user.pfx file and click "Import"
Checking that the certificate works
ssh -I /usr/lib/x86-athena/libASEP11.so 127.0.0.1
Configuring Putty SSH Client on Windows
Running the utilities from the putty-cac\executables distribution
- pageant.exe
- putty.exe
Requires putty-cac version 0.62
Certificate selection in pageant

In general, the certificate appears automatically in the certificate store, but in some cases it may be necessary to add it manually.
Launch and configure Putty
Connection / SSH / CAPI Tab

Logging in to an SSH session with a certificate
After entering the user PIN, an SSH session will be established.