OpenSSH Authentication
Demonstration
The following screencast demonstrates how Cryptoki Bridge is used together with Bridge Controller.
Minimal Requirements
- Cryptoki Bridge (but the whole MPC Bridge setup is recommended)
- MeeSign Server
- MeeSign Clients
Note: While the tutorial demonstrates configuration using Bridge Controller, Cryptoki Bridge can be used independently. For alternative ways to configure the component, please refer to this documentation.
Tutorial
The following tutorial assumes you have created an authentication group on the MeeSign server. If not, please follow the MeeSign Server documentation.
- Get the available group public keys in the OpenSSH format:
  ssh-keygen -D <meesign_cryptoki_path.so> -e
- Select the key corresponding to your target group and store it in a file:
  echo 'ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBdg292CUPY0xjjLziR6wkHlPP0yKRF8DYjxMllkphQozXth+Eo12t5vuia8GELe3OFECEeb+Ou34yYL07I2afQ= test-auth-group' > id_ecdsa.pub
- Authorize logins using the acquired public key on the remote server:
  ssh-copy-id -f -i id_ecdsa.pub <user@server>
- Authenticate using MeeSign:
  ssh -I <meesign_cryptoki_path.so> <user@server>
- (Optional) Configure an SSH entry for MeeSign by customizing the following block and appending it to ~/.ssh/config:
  Host <entry_host_name>
      HostName <hostname>
      User <user>
      PKCS11Provider <meesign_cryptoki_path.so>
- (Optional) Authenticate using the MeeSign SSH entry:
  ssh <entry_host_name> # e.g., ssh my_server_via_meesign
- Alternatively, you can make your SSH agent aware of the keys provided by the Cryptoki library using the following command. Subsequently, you should be able to ssh as with regular keys (DISCLAIMER: I haven't tested this one yet, TODO).
  ssh-add -s <meesign_cryptoki_path.so> # to remove the provider, use ssh-add -e <meesign_cryptoki_path.so>
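The steps above (picking the key of the target group out of the ssh-keygen listing, checking it before it is installed with ssh-copy-id, and rendering the ~/.ssh/config block), as an added shell example that is not part of the Cryptoki Bridge or MeeSign documentation. The key list is constructed (the first line is the key shown above, the second is junk point data behind a valid header so that there is a second group to choose from), the module path is a placeholder, and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the Cryptoki Bridge / MeeSign documentation.
# Assumptions: MEESIGN_MODULE is a placeholder path, and SAMPLE_KEYS is a
# constructed stand-in for the output of `ssh-keygen -D <module> -e`
# (one line per group public key: "<type> <base64 blob> <group name>").
# The second sample key is junk padding behind a valid header, kept only
# so that there is more than one group to select from.
SAMPLE_KEYS='ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBdg292CUPY0xjjLziR6wkHlPP0yKRF8DYjxMllkphQozXth+Eo12t5vuia8GELe3OFECEeb+Ou34yYL07I2afQ= test-auth-group
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBdgABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDABCDAAA= other-group'

# Print the key line whose comment (field 3 onwards) equals the group name.
# Fails if no key or more than one key matches, so a typo in the group name
# or a duplicated comment never silently selects the wrong key.
select_group_key() {
    key_list=$1
    group=$2
    match=$(printf '%s\n' "$key_list" | awk -v g="$group" '
        { c = $3; for (i = 4; i <= NF; i++) c = c " " $i }
        c == g')
    [ -n "$match" ] || return 1
    [ "$(printf '%s\n' "$match" | wc -l | tr -d ' ')" -eq 1 ] || return 1
    printf '%s\n' "$match"
}

# Sanity-check one "<type> <base64> <comment>" line before trusting it: in
# the SSH wire format the blob starts with a length-prefixed copy of the key
# type, so the declared type and the embedded one must agree. This catches a
# mangled or truncated copy-paste before ssh-copy-id installs it.
check_key_line() {
    line=$1
    type=${line%% *}
    rest=${line#* }
    b64=${rest%% *}
    case "$type" in
        ecdsa-sha2-nistp256|ecdsa-sha2-nistp384|ecdsa-sha2-nistp521|ssh-ed25519|ssh-rsa) ;;
        *) return 1 ;;
    esac
    # skip the 4-byte length prefix, then read as many bytes as the type name has
    embedded=$(printf '%s' "$b64" | base64 -d 2>/dev/null | tail -c +5 | head -c "${#type}")
    [ "$embedded" = "$type" ]
}

# Render the ~/.ssh/config block from the optional step above.
ssh_config_entry() {
    printf 'Host %s\n    HostName %s\n    User %s\n    PKCS11Provider %s\n' "$1" "$2" "$3" "$4"
}

# Demo run over the constructed key list; invoke as `sh thisfile.sh demo`.
# With the real module installed, replace SAMPLE_KEYS by:
#   keys=$(ssh-keygen -D "$MEESIGN_MODULE" -e)
if [ "${1:-}" = "demo" ]; then
    MEESIGN_MODULE=${MEESIGN_MODULE:-/path/to/meesign_cryptoki.so}   # placeholder path
    key=$(select_group_key "$SAMPLE_KEYS" "test-auth-group") || { echo "no unique key for group" >&2; exit 1; }
    check_key_line "$key" || { echo "key line failed sanity check" >&2; exit 1; }
    printf '%s\n' "$key" > id_ecdsa.pub
    echo "wrote id_ecdsa.pub; append this to ~/.ssh/config:"
    ssh_config_entry my_server_via_meesign server.example.com alice "$MEESIGN_MODULE"
fi
```

Selecting by exact comment match (rather than grep) matters because group names are free text: a substring match on "auth-group" would also hit "test-auth-group-old". The header check is cheap and only validates that the blob is a well-formed key of the declared type; it does not verify that the key belongs to the group, which is what the MeeSign server is for.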