PKCS#11

PKCS#11 Authentication in Xshell

Driver (Middleware) and Tool Installation

To use PKCS#11 authentication in Xshell, you need a Smart Card Minidriver for Windows. With the PKCS11 Minidriver provided by the OpenSC middleware, you can authenticate with a compatible RSA key.

  1. Go to the following page to download the OpenSC library for Windows: https://github.com/OpenSC/OpenSC/releases

  2. Under Assets, download the 32-bit OpenSC installation file (OpenSC-0.xx.x_win32.msi).

  3. Open the installation file to begin installation. When prompted to select a Setup Type, select Typical.

  4. After installation is complete, check that the file exists in the following path:
    C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll

Registering the Hardware Token’s RSA Public Key on the SSH Server

  1. Confirm the hardware token’s public key:

    1. pkcs15-tool --list-public-keys

    2. pkcs15-tool.exe --read-ssh-key [RSA PIV AUTH pubkey ID]

  2. Copy the public key from above and register it in the server’s AuthorizedKeysFile. OpenSSH’s default AuthorizedKeysFile is ‘.ssh/authorized_keys’ in the user’s home directory.

    Note: Only the user should have access rights to the authorized_keys file and the .ssh directory.
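
The registration step and the permission note above, as a server-side shell example. It is added here and is not part of the original guide or of OpenSC/Xshell; the function names register_key and check_perms and the sample key are constructed for illustration.

```shell
#!/bin/sh
# register_key PUBKEY_LINE [HOME_DIR]   (hypothetical helper; HOME_DIR defaults to $HOME)
# Appends one ssh-rsa line to authorized_keys and enforces owner-only access.
register_key() {
    key=$1
    home=${2:-$HOME}
    ssh_dir=$home/.ssh
    auth=$ssh_dir/authorized_keys

    # Accept only a single-line "ssh-rsa <base64> [comment]" entry, the form
    # expected from pkcs15-tool --read-ssh-key for an RSA key.
    case $key in
        *"
"*) echo "refusing multi-line input" >&2; return 1 ;;
    esac
    printf '%s\n' "$key" | grep -Eq '^ssh-rsa [A-Za-z0-9+/]+=*( .*)?$' || {
        echo "not an ssh-rsa public key line" >&2; return 1; }

    mkdir -p "$ssh_dir" && touch "$auth" || return 1
    # Append only if the exact line is not already present (idempotent).
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"

    # Owner-only access on the directory and the key file.
    chmod 700 "$ssh_dir" && chmod 600 "$auth"
}

# check_perms [HOME_DIR]   (hypothetical helper)
# Succeeds only if neither path grants any group/other permission bit.
check_perms() {
    home=${1:-$HOME}
    for p in "$home/.ssh" "$home/.ssh/authorized_keys"; do
        # Characters 5-10 of the ls mode string are the group/other bits.
        [ "$(ls -ld "$p" | cut -c5-10)" = "------" ] || {
            echo "$p is accessible to group/other" >&2; return 1; }
    done
}
```

Run register_key as the account that will log in, passing the line printed by the --read-ssh-key command, then run check_perms to confirm the result.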

Creating and Connecting to a PKCS#11 Session

Now you’ll need to create a session in Xshell in order to utilize PKCS#11 authentication.

  1. Run Xshell and click ‘New…’ under the File Menu.

  2. You should see the Connection Properties page where you need to enter the Session File Name and the Host Address.

  3. From the left menu, click ‘Authentication’ and select PKCS11 as the authentication method. Then click the ‘Setup’ button.
    Note: Even if you don’t enter a User Name at this time, you’ll have a chance to enter it during the actual authentication process.

  4. In the PKCS11 Setup window, enter the Middleware Path and Token Pin.
    - Middleware Path: This is the location of the OpenSC library (C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll)
    - Token Pin: This is the PIN which was set up on the USB token. This PIN can also be entered during the actual authentication process. (You may need to refer to the hardware token provider's software and user manual for setting and checking token PINs.)

  5. Setup is now finished. You can now run the session file.