Using NSS with OpenSSH for Smart Card Login

At some point in time, Red Hat snuck in experimental support for NSS in OpenSSH. What does that give us? Smart Card support! This article will describe how to use it.

In another blog post, I mentioned how to configure NSS and OpenSSL; you should take a look at that if you are unfamiliar with the process, because I assume that is prerequisite knowledge. I will also assume you have a basic understanding of how public key authentication in SSH works.

Here are the steps to the process:

  1. Copy the NSS databases to .ssh
  2. Start an ssh-agent, if you don’t already have one running and connected
  3. Add your Smart Card certificates to the ssh-agent
  4. Extract a public key from one of your certificates, and put it into the authorized_keys of the host you wish to connect
  5. SSH to the host

Copy the NSS database to your .ssh directory

We’ll take the centralized database, and place it somewhere that OpenSSH has permissions to read and write to. The centralized database should have the coolkey module loaded, which gives access to your smart card.

cp /etc/pki/nssdb/*.db ~/.ssh

Start an ssh-agent

First let’s see if you have an agent running:

env | grep 'SSH_AGENT'

If you see “SSH_AGENT_PID” listed, you already have an agent running, and can skip this step. If you do not see this, you should start an agent:

eval `ssh-agent`

Add your Smart Card certificates to the ssh-agent

This will add your certificates into the agent; notice that your keys never leave your card, so when you are SSHing back and forth, you’ll need to keep your card inserted.

ssh-add -n

Take note of the certificates that got added to your agent, you’ll need them.

Extract a public key from your Smart Card, and add it to the authorized_keys file

You’ll need to be able to log in with at least one of the certificates from your Smart Card, so you’ll need to extract the certificate and place it into the authorized_keys file on the host you wish to connect to.

ssh-keygen -n -D 'My PKCS11 Token' -f 'My Key ID'

You can get the ‘My PKCS11 Token’ by using modutil:

modutil -list -dbdir .ssh

Look for the “token:” line under the Coolkey module.

‘My Key ID’ is one of the certificates that was listed as being added to your ssh-agent.

The ssh-keygen command will output a public key. Take this public key, and place it into the authorized_keys file on whatever host you wish to login to with your smart card.

SSH to the host

Now you should be able to SSH to the host; it shouldn’t require a password, it should just log you in. You do have to use a special syntax though:

ssh -o 'UseNSS yes' <host>

If ssh asks you for the password for the “NSS Certificate DB”, simply press enter. I haven’t figured out how to make it ignore that database yet (and you can’t remove the built-in NSS database).

Bonus: connecting to a host without using an ssh-agent

If you’d like to skip the step about using an ssh-agent, you can connect simply by using ssh:

ssh -o 'UseNSS yes' -o 'NSSToken <My PKCS11 Token>' <host>

Like above, you can get the <My PKCS11 Token> by using modutil (see above section for command).

See the README.nss

Although the README.nss file is currently slightly incorrect on syntax, it explains the same process.

less /usr/share/doc/openssh-*/README.nss