...

  1. After the OpenSC software is installed, open Terminal and confirm that opensc-pkcs11.so exists in /usr/local/lib. This is the PKCS#11 provider library that ssh-agent will load in the next step.

    Code Block
    % ls -l /usr/local/lib | grep opensc
    -rwxr-xr-x  1 root  admin  5072000 Mar 16 17:55 onepin-opensc-pkcs11.so
    -rwxr-xr-x  1 root  admin  5071984 Mar 16 17:55 opensc-pkcs11.so


    Note 3: If the files don't show up

    If the libraries above do not exist, make sure the /usr/local/lib directory exists and then run the OpenSC installer again. The installer does not create the directory for you.

    Code Block
    sudo mkdir -p /usr/local/lib

    Run the OpenSC installer again once the directory is created, then repeat the ls check above.



  2. In a Terminal window, add the smart card's key to ssh-agent by loading the OpenSC PKCS#11 provider with the command below. It will prompt you for your PIN. The -c switch makes the agent ask for confirmation every time the key is used for authentication, so a forwarded agent cannot sign on your behalf without you seeing a prompt.

    Note

    This command must be run after every reboot: the agent's loaded identities do not persist across a reboot.


    Code Block
    % ssh-add -c -s /usr/local/lib/opensc-pkcs11.so 
    Enter passphrase for PKCS#11: 


  3. When successful, you will see the "Card added" message below, and you can verify the loaded identity with ssh-add -L (public key) or ssh-add -l (fingerprint).

    Code Block
    Card added: /usr/local/lib/opensc-pkcs11.so
    % ssh-add -L
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC1tm0mikWaHIfhb055vy3cYIl9azAqWVKjoAAouBsU61FgJ+edt7RinkY6GTPZf07pATlLzYY3+FOQIh5MRkAhmMp2fi0/YZgFmMBKkGy84OFLvmczp+lb8b/LPIu2qLVaCumoksdDNT8z29e99PZMh0XhXzSh+cIWujGn4gEFFjlJn03OWxs7IRBaBz32uLCfV6wQeZtPWQiodvhNo39GK/XXrPIbiRbC2NEfCUxSo+493TKIISORLYAibLdlKPVIHHU9+1ZknbOeFXpMADi0z4LYhrRN9BRfdFfheInMQlVk2hqUD9SMWWgMkIiiK/y1IsBVqjkfiDe8AVbmDDvd /usr/local/lib/opensc-pkcs11.so
    
    ---
    
    % ssh-add -l
    2048 SHA256:MSOJ3pXOzF1eLmAwvII7VSNzCJNGq2viE4kwFyUQQHM /usr/local/lib/opensc-pkcs11.so (RSA)


    Note 4

    From OpenSSH 8.1p1 manpages for 'ssh-add':
    -L      Lists public key parameters of all identities currently represented by the agent.
    -l      Lists fingerprints of all identities currently represented by the agent.



  4. To use the key from a remote host (for example, to ssh onward or to sudo on a remote machine), you must forward the agent connection to that host. This is done with the -A switch to ssh. Because the key was added with -c, the agent asks you to confirm each use.

    Note 5

    On the initial connection a popup will appear asking you to allow use of the key. Click OK to allow.



    Once logged in, run ssh-add -l on the remote host to verify that it can see your key through the forwarded agent connection.

    Code Block
    % ssh -A mgmt.rit.edu
    ---
    (mgmt)$ ssh-add -l
    2048 SHA256:MSOJ3pXOzF1eLmAwvII7VSNzCJNGq2viE4kwFyUQQHM /usr/lib64/opensc-pkcs11.so (RSA)


    Note 6

    From OpenSSH 8.1p1 manpages for 'ssh':

    -A      Enables forwarding of the authentication agent connection.  This can also be specified on a per-host basis in a configuration file.

    Agent forwarding should be enabled with caution.  Users with the ability to bypass file permissions on the remote host (for the agent's UNIX-domain socket) can access the local agent through the forwarded connection.  An attacker cannot obtain key material from the agent, however they can perform operations on the keys that enable them to authenticate using the identities loaded into the agent.


    Alternatively, enable forwarding in your local ~/.ssh/config. Given the warning in Note 6, scope it to the hosts that actually need it rather than using Host *, which would forward your agent to every host you connect to:

    Code Block
    Host mgmt.rit.edu
      ForwardAgent yes


  5. To remove the key from ssh-agent, run ssh-add with the -e switch and the provider path.

    Code Block
    % ssh-add -e /usr/local/lib/opensc-pkcs11.so 
    Card removed: /usr/local/lib/opensc-pkcs11.so
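The steps above can be collected into a small POSIX shell script that is safe to run from a login shell after every reboot: it checks that the provider library is present (step 1), attaches the card only if ssh-agent does not already list it (step 2), prints the fingerprint (step 3), and can detach the card again (step 5). This is an added example, not part of the original page or of OpenSC; the provider path is the one used on this page, and the OPENSC_PKCS11 variable, the script name attach-card.sh and the --attach/--detach flags are assumptions of this example. It relies on the documented ssh-add exit codes: 0 on success, 1 if the command fails (including "The agent has no identities."), 2 if no agent is reachable.

```shell
#!/bin/sh
# attach-card.sh (hypothetical name): idempotent wrapper around steps 1-3 and 5.
# Added example for this page; not code from OpenSC or the original page.

# Provider path from the page; OPENSC_PKCS11 is an assumed override variable.
PROVIDER="${OPENSC_PKCS11:-/usr/local/lib/opensc-pkcs11.so}"

# provider_loaded LISTING PROVIDER
# LISTING is the text printed by `ssh-add -l`. Returns 0 when one of the listed
# identities carries PROVIDER as its comment field, i.e. the card is already
# attached to the agent. Comparing the whole field avoids a false hit on a
# similarly named file such as onepin-opensc-pkcs11.so.
provider_loaded() {
  listing="$1"
  provider="$2"
  printf '%s\n' "$listing" | awk -v p="$provider" '
    NF >= 3 && $3 == p { found = 1 }
    END { if (found) exit 0; exit 1 }'
}

# check_library PATH
# Mirrors step 1: the OpenSC installer must have put the library in place.
check_library() {
  if [ ! -f "$1" ]; then
    echo "missing $1: create /usr/local/lib and re-run the OpenSC installer" >&2
    return 1
  fi
}

# attach_card
# Mirrors step 2, but only prompts for the PIN when the card is not yet loaded.
# `ssh-add -l` exits 1 on an empty agent (fine) and 2 when no agent is
# reachable (stop, otherwise the PIN prompt would be pointless).
attach_card() {
  check_library "$PROVIDER" || return 1
  listing=$(ssh-add -l 2>/dev/null) && status=0 || status=$?
  if [ "$status" -eq 2 ]; then
    echo "no ssh-agent reachable (SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset})" >&2
    return 1
  fi
  if provider_loaded "$listing" "$PROVIDER"; then
    echo "card already attached: $PROVIDER"
    return 0
  fi
  # -c: confirm every use of the key; -s: load a PKCS#11 provider.
  ssh-add -c -s "$PROVIDER" && ssh-add -l
}

# detach_card
# Mirrors step 5, skipping `ssh-add -e` when the card is not attached.
detach_card() {
  listing=$(ssh-add -l 2>/dev/null) || true
  if provider_loaded "$listing" "$PROVIDER"; then
    ssh-add -e "$PROVIDER"
  else
    echo "card not attached: $PROVIDER"
  fi
}

case "${1:-}" in
  --attach) attach_card ;;
  --detach) detach_card ;;
esac
```

Run it as `sh attach-card.sh --attach` from your shell profile or by hand after a reboot; a second run reports "card already attached" instead of prompting for the PIN again. Because the functions only parse the `ssh-add -l` listing, they can be exercised without a card or an agent present.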


Misc