Using ActivClient or Coolkey with SSH for Smart Card Login using Cygwin

The OpenSSH shipped with Cygwin now includes PKCS#11 support, which lets you load a smart card library (a PKCS#11 provider) so that the card's certificates can be used as SSH keys. This article describes how to use ActivClient or Coolkey to access your card, how to export the card's public certificates as RSA public keys, and how to use the ssh and ssh-agent options so that the smart card is used properly.


Prerequisites

I've tested with the software and versions below. Other versions may work, but have not been tested.

  • ActivClient 6.2+ or Coolkey
  • Cygwin 1.7+
    • OpenSSH_5.5p1+
    • OpenSSL 0.9.8n+

Obviously you’ll also need a smart card, and a supported smart card reader.

The instructions below cover both ActivClient and Coolkey; you need one or the other, not both. Coolkey is FOSS and works if you do not wish to buy ActivClient; for the full FOSS smart card suite, see the ESC guide.

Some of the following instructions assume you are typing commands into a Cygwin window that has an SSH agent started the following way:

ssh-agent /bin/bash

Add the card library to the agent

Each library is a PKCS#11 provider; ssh-add loads it into the running agent and prompts for the card's PIN. To drop the card's keys from the agent again, pass the same library to ssh-add -e.

ActivClient

Add acpkcs211.dll to your agent:

ssh-add -s acpkcs211.dll

Coolkey

Add libcoolkeypk11.dll to your agent:

ssh-add -s libcoolkeypk11.dll

Export the card’s public certificates

With the library added to a running agent, list the public keys the agent holds with:

ssh-add -L

Without an agent, export the public keys straight from the library. For ActivClient:

ssh-keygen -D acpkcs211.dll

And for Coolkey:

ssh-keygen -D libcoolkeypk11.dll

Add the public certificates to your authorized_keys file

If you have an agent running, ssh-copy-id appends every key the agent lists (the ssh-add -L output) to ~/.ssh/authorized_keys on the remote host:

ssh-copy-id [user@]<hostname>

If you do not have an agent running, copy the ssh-keygen -D output from the section above and append it, one key per line, to ~/.ssh/authorized_keys on the remote host. The file and the ~/.ssh directory must not be group- or world-writable, or sshd (with the default StrictModes) will ignore them.
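The manual append step above is easy to get subtly wrong (a key pasted twice, a stray line, permissions sshd rejects). The following script, an added example that is not part of the original article, takes the key lines that ssh-keygen -D or ssh-add -L print on standard input and appends only well-formed, not-yet-present RSA keys to an authorized_keys file, tagging each with a comment and fixing the permissions. The two sample key lines are constructed stand-ins for real card output; the function names and the "card@cygwin" tag are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the original article): append smart-card public keys,
# in the format printed by `ssh-keygen -D <lib>` or `ssh-add -L`, to an
# authorized_keys file. Malformed lines are skipped, keys already present are
# not added twice, and permissions are set the way sshd's StrictModes expects.

# Constructed stand-in for the export output (fake blobs, not real card keys).
SAMPLE_CARD_KEYS='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfakeblob0001
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDfakeblob0002'

# is_rsa_pubkey LINE -> exit 0 if LINE has the form "ssh-rsa <base64>[ comment]"
is_rsa_pubkey() {
    case "$1" in
        "ssh-rsa "*) ;;
        *) return 1 ;;
    esac
    blob=${1#* }          # drop the key type
    blob=${blob%% *}      # drop any comment
    printf '%s\n' "$blob" | grep -Eq '^[A-Za-z0-9+/]+=*$'
}

# append_card_keys KEYFILE TAG  (key lines on stdin)
# Appends each new key as "ssh-rsa <blob> TAG"; prints the number appended.
append_card_keys() {
    keyfile=$1
    tag=$2
    added=0
    keydir=$(dirname "$keyfile")
    mkdir -p "$keydir"
    chmod 700 "$keydir"
    [ -f "$keyfile" ] || : > "$keyfile"
    chmod 600 "$keyfile"
    while IFS= read -r line; do
        if ! is_rsa_pubkey "$line"; then
            echo "skipping a line that is not an RSA public key" >&2
            continue
        fi
        ktype=${line%% *}
        rest=${line#* }
        kblob=${rest%% *}
        # Match on the key blob alone, not the whole line, so a copy that was
        # added earlier with a different comment still counts as present.
        if grep -Fq -e "$kblob" "$keyfile"; then
            continue
        fi
        printf '%s %s %s\n' "$ktype" "$kblob" "$tag" >> "$keyfile"
        added=$((added + 1))
    done
    echo "$added"
}

# Usage (on the remote host, with the exported keys saved to card-keys.txt):
#   append_card_keys "$HOME/.ssh/authorized_keys" card@cygwin < card-keys.txt
```

Running it a second time with the same input appends nothing, so it is safe to re-run after re-exporting the card; only the blob is compared, so an existing entry keeps whatever comment it already had.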

Signing into a system using the card’s certificates

If the agent holds the card's keys, ssh as you normally would. Without an agent, point ssh at the library directly, in either of two ways (ssh will prompt for the card's PIN):

Using ActivClient

ssh -I acpkcs211.dll [user@]<hostname>

or:

ssh -o PKCS11Provider=acpkcs211.dll [user@]<hostname>

Using Coolkey

ssh -I libcoolkeypk11.dll [user@]<hostname>

or:

ssh -o PKCS11Provider=libcoolkeypk11.dll [user@]<hostname>

The second form is an ssh_config option, so you can set PKCS11Provider in your user configuration (~/.ssh/config) or the system-wide ssh_config (/etc/ssh_config on Cygwin), and the card's library will be used by default. Since ssh_config takes the first value it finds for each option, you can also scope it to a Host pattern so that only the hosts that accept the card load the library and prompt for the PIN.
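As an added example (not part of the original article), the script below writes such a Host block into an ssh_config-format file, refusing to add a second provider line if one is already there, and reads the configured provider back. The host pattern "*.example.org", the config path and the function names are assumptions for the example; the library names are the ones the article uses.

```shell
#!/bin/sh
# Added example (not from the original article): make a smart card library the
# PKCS11Provider for a host pattern by appending a Host block to an ssh_config
# file. Idempotent: a file that already names a provider is left unchanged.

# set_pkcs11_provider CONFIG HOSTPATTERN LIB -> prints "added" or "present"
set_pkcs11_provider() {
    config=$1
    hosts=$2
    lib=$3
    mkdir -p "$(dirname "$config")"
    if [ -f "$config" ] && grep -Eiq '^[[:space:]]*PKCS11Provider[[:space:]]' "$config"; then
        echo present
        return 0
    fi
    # ssh_config uses the first value found for each option, so scoping the
    # provider to a Host pattern keeps other hosts from loading the card
    # (and prompting for its PIN) at all.
    {
        printf 'Host %s\n' "$hosts"
        printf '    PKCS11Provider %s\n' "$lib"
    } >> "$config"
    chmod 600 "$config"
    echo added
}

# pkcs11_provider_for CONFIG -> prints the first PKCS11Provider value, if any
pkcs11_provider_for() {
    awk 'tolower($1) == "pkcs11provider" { print $2; exit }' "$1"
}

# Usage (assumed values): card login only for hosts under example.org
#   set_pkcs11_provider "$HOME/.ssh/config" '*.example.org' acpkcs211.dll
#   pkcs11_provider_for "$HOME/.ssh/config"
```

Pass the Coolkey library name instead of acpkcs211.dll for a Coolkey setup; a Host block that should apply to every host uses the pattern `*`, but then every connection will load the card.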