Nils Schneider

Secure SSH authentication using an ePass2003

I recently bought an ePass2003 at the ATE in L├╝beck. An ePass2003 is a cryptographic USB token supporting RSA and ECDSA algorithms. It can store up to 64 KiB of data and incorporates a hardware random number generator.

This post will help you get started with your ePass2003 on a recent Debian Linux and show you how you can log into a remote system using SSH public key authentication and your ePass2003.

Preperations

In order to use most cryptographic tokens we’ll have to install OpenSC. That’s a set of utilties and libraries for working with smart cards. Unfortunately, the most recent version in Debian Wheezy does not support the ePass2003 yet so we need to add a repository.

Add this to your /etc/apt/sources.list:

deb http://apt.gooze.eu/debian/ wheezy main
deb-src http://apt.gooze.eu/debian/ wheezy main

The packages from Gooze are signed so we’ll import their key (make sure it’s the correct one by checking their website!):

# wget -q "http://apt.gooze.eu/257FF7B2.asc" -O- | sudo apt-key add -
OK

Now we can run apt-get update to and install the required packages:

# sudo apt-get update
# sudo apt-get install opensc pcscd

pcscd is a daemon managing access to smart cards. It needs to be running in order to access the ePass2003. On my system this worked without further configuration.

So we have all the software installed. Let’s check whether OpenSC supports the ePass2003:

# opensc-tool --list-drivers
Configured card drivers:
  ...
  entersafe        entersafe
  epass2003        epass2003      <--- There it is!
  rutoken          Rutoken driver
  ...

If you can not spot epass2003 in that list you should check your OpenSC package. We can now check whether OpenSC is able to access the token:

# opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Feitian ePass2003 00 00

If this doesn’t work there might be something wrong with pcscd. Check whether it’s running. Maybe you need to add yourself to a special group in order to use smart cards.

Initialising the ePass2003

Now can actually start using the ePass2003. This will involve two new tools: pkcs15-init and pkcs15-tool.

The very first thing you probably want to do is erasing it. Erasing might not strictly be necessary but it’ll ensure that all data you store on the token is controlled by you.

# pkcs15-init --erase-card
Using reader with a card: Feitian ePass2003 00 00

Smart cards are organized in a similar way as USB or hard drives are. They contain a filesystem that can store various kinds of information. For example, you can store a PIN, private and public keys and even certificates on your ePass2003.

We’ll create a filesystem compliant to PKCS15. You may replace the label with your own name or whatever you prefer. While creating the filesystem you’ll be asked for both a PIN and a PUK. You may enter up to 16 alphanumeric characters for each. Choose them carefully! Knowledge of the PIN is required each time you attempt to use the token while the PUK is only required to reset the PIN. Store the PUK in a very secure place!

# pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "My ePass2003"
Using reader with a card: Feitian ePass2003 00 00
New User PIN.
Please enter User PIN: test123
Please type again to verify: test123
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): foo456
Please type again to verify: foo456

Leaving the PUK empty does not work even though it’s optional.

Let’s have a look at what is on the ePass2003 at this point:

# pkcs15-tool --dump
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [My ePass2003]:
        Version        : 0
        Serial number  : 7715381915111201
        Manufacturer ID: EnterSafe
        Last update    : 20130620203410Z
        Flags          : EID compliant

PIN [User PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:4, max_len:16, stored_len:16
        Pad char       : 0x00
        Reference      : 1 (0x01)
        Type           : ascii-numeric
        Path           : 3f005015

Generating a key

Now that we have a PKCS15 structure create we can generate an RSA key pair. The ePass2003 can work with RSA keys of 1024 and 2048 bits. You do want 2048 bits.

# pkcs15-init --auth-id 1 --generate-key rsa/2048 --key-usage sign,decrypt --label "My first RSA key pair"
Using reader with a card: Feitian ePass2003 00 00
User PIN [User PIN] required.
Please enter User PIN [User PIN]: test123

You can’t delete keys once you have created them (except if you erase the entire token) so choose a good label.

Again, have a look at the token’s content:

# pkcs15-tool --dump
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [My ePass2003]:
        Version        : 0
        Serial number  : 7715381915111201
        Manufacturer ID: EnterSafe
        Last update    : 20130620205210Z
        Flags          : EID compliant

PIN [User PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:4, max_len:16, stored_len:16
        Pad char       : 0x00
        Reference      : 1 (0x01)
        Type           : ascii-numeric
        Path           : 3f005015

Private RSA Key [My first RSA key pair]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x4], sign
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : yes
        Path           : 3f0050152900
        Auth ID        : 01
        ID             : b72dd4568bbf958619bff4f0baab0f41068b82c8
        GUID           : {0950ab9c-7b15-6c2e-1e8c-05d3ee04e31f}

Public RSA Key [My first RSA key pair]
        Object Flags   : [0x2], modifiable
        Usage          : [0x40], verify
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : no
        Path           : 3f0050153000
        ID             : b72dd4568bbf958619bff4f0baab0f41068b82c8
        DirectValue    : <absent>

There’s our private and public key. Take a look at their IDs. We’ll need them for working with them. For example, you can extract the public key using pkcs15-tool. Your key ID will be different!

# pkcs15-tool --read-public-key b72dd4568bbf958619bff4f0baab0f41068b82c8
Using reader with a card: Feitian ePass2003 00 00
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA1tv+n0Q5dG3qCu679jxy
FJhE23t3q6f5vT57G44hcxji+5ubGA2SZebMpoS/ML01NSzvPijKfOrcKdAd4HGz
dq5RTTy554ZVOD5m4tqO1+8FQXJB8PJnnjmrNVe73nKvoXgZWlTN0MUunebBOdA6
NrHho5a42CJL/TeGdSgv0EiglTmNpFeeOgLrsx0Ff//pzy9soRjiIb/McT2EQg+H
IR3TJHj7HngqUo9UqmZvLCsa60L6XCkAsJBHDTbMJZfCOqCPwBqM9AYapGfvVJMt
KNwR5LB8kDtj0Uq+wISOKoOnMdZxYNnG+CUlvoytUoWXeleuoWnfvjCtbN2enTy9
fQIDAQAB
-----END PUBLIC KEY-----

Notice how you are not asked for a PIN. The public key can be accesed by anyone having physical access to your token.

Authenticate SSH using your ePass2003

There’s another way to read the public key. pkcs15-tool can output in a format suitable for SSH:

# pkcs15-tool -read-ssh-key b72dd4568bbf958619bff4f0baab0f41068b82c8
Using reader with a card: Feitian ePass2003 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDW2/6fRDl0beoK7rv2PHIUmETbe3erp/m9PnsbjiFzGOL7m5sYDZJl5symhL8wvTU1LO8+KMp86twp0B3gcbN2rlFNPLnnhlU4Pmbi2o7X7wVBckHw8meeOas1V7vecq+heBlaVM3QxS6d5sE50Do2seGjlrjYIkv9N4Z1KC/QSKCVOY2kV546AuuzHQV//+nPL2yhGOIhv8xxPYRCD4chHdMkePseeCpSj1SqZm8sKxrrQvpcKQCwkEcNNswll8I6oI/AGoz0BhqkZ+9Uky0o3BHksHyQO2PRSr7AhI4qg6cx1nFg2cb4JSW+jK1ShZd6V66had++MK1s3Z6dPL19

Add this key to a remote system’s .ssh/authorized_keys and login using SSH while your ePass2003 is plugged in:

# ssh -I opensc-pkcs11.so krtek.metameute.de
Enter PIN for 'My ePass2003 (User PIN)': test123
nils@krtek ~ %  

Isn’t that cool? We’ve just SSH’d to a remote system using public key authentication without anyone being able to read the private key!

If you’d like SSH to try smart card authentication by default without specifying -I opensc-pkcs11.so each time you may add this line to your .ssh/config:

PKCS11Provider opensc-pkcs11.so

So what’s next? Well, the same key can be used to login to your local system. I’ll cover this in another blog post soon.