SSH Connections with YubiKey PKCS#11 User Authentication(PIV)
PKCS#11 Driver(Middleware) and Tool Installation
In order to proceed with PKCS#11 authentication in Xshell, you’ll need a Windows Type Smart Card Minidriver. Using the PKCS11 Minidriver provided by OpenSC middleware, you can obtain a compatible RSA key authentication.
Go to the following page to download the Windows Type OpenSC Library. (https://github.com/OpenSC/OpenSC/releases)
Under Assets, download the 32bit OpenSC installation file (OpenSC-0.xx.x_win32.msi).
Open the installation file to begin installation. When prompted to select a Setup Type, select Typical.
After the installation completes, check that the file exists in the following path:
C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll
Registering the Hardware Token’s RSA Public Key on the SSH Server
Confirm the hardware token’s public key:
pkcs15-tool --list-public-keys
pkcs15-tool.exe --read-ssh-key [RSA PIV AUTH pubkey ID]
Copy the public key from above and register it in the server’s AuthorizedKeysFile. OpenSSH’s default AuthorizedKeyFile is in the ‘.ssh/authorized_keys’ file of the user’s home directory.
Note: Only the user should have access rights to the authorized_keys file and the ssh directory.
Creating and Connecting to a PKCS#11 Session
Now you’ll need to create a session in Xshell in order to utilize PKCS#11 authentication.
Run Xshell and click ‘New…’ under the File Menu.
You should see the Connection Properties page where you need to enter the Session File Name and the Host Address.
From the left menu, click ‘Authentication' and select PKSC11 as the authentication method. Then click the ‘Setup' button.
Note: Even if you don’t enter a User Name at this time, you’ll have a chance to enter it during the actual authentication process.In the PKCS11 Setup window, enter the Middleware Path and Token Pin.
- Middleware Path: This is the location of the OpenSC library (C:\Program Files (x86)\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll)
- Token Pin: This is the PIN which was setup in the USB token. This PIN can also be entered during the actual authentication process. (You may need to refer to the hardware token provider's software and user manual for setting and checking token pins.)Setup is now finished. You can now run the session file.