4

I would like to connect to an SSH host using the following command:

    ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so HOSTNAME

The error says that the library returned no slots.

    debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID cryptokiVersion 2.20 libraryDescription libraryVersion 0.17
    debug1: pkcs11_add_provider: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so returned no slots

The command to list readers works ok and I can see the slot - it's there.

    $ opensc-tool --list-readers
    # Detected readers (pcsc)
    Nr.  Card  Features  Name
    0    Yes             Gemalto USB Shell Token V2 00 00

What could be the reason for this?

This might be related: How can I set up smart card SSH authentication?

===========================EDIT================================

I officially gave up on this.

user568021

2 Answers

2

The message from opensc-tool --list-readers indicates the reader is present and sees the card.

But the "slots" in the error message refer to a higher-level abstraction: the programmable "key slots" on the card itself. You could view them with pkcs11-tool --list-slots or pkcs11-tool --list-token-slots.

You might also want to run opensc-tool --name to verify that the card type has been identified correctly.

telcoM
  • Yeah --list-token-slots returns "Available slots: No slots.". Should I just give up? – user568021 Jul 25 '19 at 13:13
  • "Gemalto USB Shell Token V2" is apparently an old name for "Gemalto IDBridge K30". Is it supposed to be ready for use (already provisioned), or is it a "blank" card that would need initialization? [OpenSC has a QuickStart document you might want to read.](https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC) – telcoM Jul 25 '19 at 14:53
  • I'm only getting "Failed to connect to card: Internal error" with all this opensc-tool, e.g. "opensc-tool --reader 0 --name". The manual you've linked is apparently not for me. I get stuck at "opensc-tool --reader 0 --atr" with exactly the same 'Internal' error. I'm almost sure the USB is already provisioned and it all worked on Windoz. :( – user568021 Jul 26 '19 at 08:24
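
The reader/card/slot layering discussed in this answer and its comments, as an added example that is not part of any post: a shell function that takes the captured output of the three commands mentioned above and reports the first layer that fails. The names `classify_layer` and `diagnose_live` and the sample strings are assumptions constructed from the outputs quoted in this thread, and the `Slot N (0x..):` line is assumed to be how `pkcs11-tool` lists a slot.

```shell
#!/bin/sh
# Added example: classify which layer of the smart-card stack is failing.
# Inputs are the captured text of three commands named on this page.

# classify_layer READERS NAME SLOTS
#   READERS: output of `opensc-tool --list-readers`
#   NAME:    output of `opensc-tool --reader 0 --name`
#   SLOTS:   output of `pkcs11-tool --list-token-slots`
classify_layer() {
    # Reader rows begin with the reader number; column 2 is Yes/No (card present).
    rows=$(printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/')
    [ -n "$rows" ] || { echo no-reader; return 0; }
    printf '%s\n' "$rows" | awk '$2 == "Yes" { ok = 1 } END { exit !ok }' \
        || { echo no-card; return 0; }
    # PC/SC sees a card, but OpenSC may still be unable to open a session to it.
    case $2 in
        *"Failed to connect to card"*) echo card-unreadable; return 0 ;;
    esac
    # Assumed format: one "Slot N (0x..): ..." line per slot that holds a token.
    printf '%s\n' "$3" | grep -Eq '^Slot [0-9]+ ' \
        || { echo no-token-slot; return 0; }
    echo ok
}

# Run the three commands against real hardware (not called by the sample below).
# The module path defaults to the provider used in the question.
diagnose_live() {
    module=${1:-/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so}
    classify_layer "$(opensc-tool --list-readers 2>&1)" \
                   "$(opensc-tool --reader 0 --name 2>&1)" \
                   "$(pkcs11-tool --module "$module" --list-token-slots 2>&1)"
}

# Constructed sample, assembled from the outputs quoted in this thread.
SAMPLE_READERS='# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Gemalto USB Shell Token V2 00 00'
SAMPLE_NAME='Failed to connect to card: Internal error'
SAMPLE_SLOTS='Available slots:
No slots.'

echo "state in the question: $(classify_layer "$SAMPLE_READERS" "$SAMPLE_NAME" "$SAMPLE_SLOTS")"
```

A result of `card-unreadable` or `no-token-slot` means `ssh -I` has no slot to load keys from, even though `--list-readers` shows the reader with a card in it.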
1

From https://piv.idmanagement.gov/engineering/ssh/#ssh-from-macos and works pretty much the same on Linux:

  1. Install OpenSC.
  2. Insert your PIV/CAC into your card reader.
  3. To view the certificates on your Mac, enter:

    pkcs15-tool --list-public-keys

  4. Make note of the PIV AUTH pubkey ID number.

    Using reader with a card: SCR35xx Smart Card Reader
    Public RSA Key [PIV AUTH pubkey]
        Object Flags   : [0x0]
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags   : [0x2], extract
        ModLength      : 2048
        Key ref        : 154 (0x9A)
        Native         : yes
        ID             : 01 (EXAMPLE ONLY)
        DirectValue    : <absent>

  5. Use your PIV AUTH pubkey ID number to view your SSH key. Enter:

    pkcs15-tool --read-ssh-key 01

  6. When prompted, enter your PIV/CAC PIN. The SSH key will look like this:

    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCyPn2dShOFLBnMraiP2MnLU ....

  7. Copy the SSH key and paste it into a text file.

  8. Send the text file to the server administrator and request a new account.
  9. Once you have an account, you can log into the remote server. Enter:

    ssh -I /usr/lib64/opensc-pkcs11.so USER@HOSTNAME

  10. Optionally, you can update the setting in the /etc/ssh_config file to:

    PKCS11Provider /usr/lib64/opensc-pkcs11.so

  11. Enter your PIV/CAC PIN when prompted. Once it’s validated, you’ll be logged into the remote server.

user84215
  • I fail at first step (pkcs15-tool --list-public-keys). Error says: Failed to connect to card: Internal error – user568021 Aug 12 '19 at 09:58