SSH with Belgian electronic ID card

OpenSSH can be compiled against OpenSC. Since the latter has support for the Belgian electronic ID card, that means you can use your eID card to log on to a remote server using OpenSSH. Doing so is fairly simple, once you know how it works.

First, obviously, you need to have ssh compiled against opensc. Unfortunately, the Debian package comes with that option disabled, but it's easy to enable it:

sudo apt-get build-dep openssh
sudo apt-get source openssh
cd openssh-*
$EDITOR debian/rules

Find the "Common build options", and add another line:

confflags += --with-opensc=/usr

Now add another changelog entry, so that your next apt-get upgrade won't overwrite your locally-modified SSH package:

dch -i

Next, build and install the package:

dpkg-buildpackage -rfakeroot -b -uc -us
cd ..
sudo dpkg -i openssh-client*

You now have an OpenSSH that can access smartcards. So, how do you use it to log on to a remote system? Simple:

pkcs15-tool -c
ssh-keygen -D 0

The first command will tell you the order of the certificates on the card. In my case, the Authentication certificate is first, while the Signature certificate is second. You do not want the Signature certificate; you only want the Authentication certificate.

The second command will output the RSA public keys that are on the smartcard in both SSH1 and SSH2 format, in the same order as in the pkcs15-tool output. You only want the SSH2 version, and you only want to get the Authentication key. That key needs to be added to your ~/.ssh/authorized_keys on the remote host. Note that the '0' assumes that your smartcard is in slot 0; if that doesn't work, 'pkcs11-tool -L' should tell you which slot you need.
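As an added example (not part of the original post), here is a small POSIX shell helper that picks the Authentication key out of the ssh-keygen -D output and installs it into an authorized_keys file without duplicating it. It assumes that the SSH2 lines of that output begin with "ssh-rsa " (the authorized_keys format) while the SSH1 lines are the numeric "bits exponent modulus" form, and that the Authentication key comes first, as the pkcs15-tool -c output above showed; the sample it runs on is constructed, not output from a real card.

```shell
#!/bin/sh
# Added example, not from the original post. Selects the Authentication key
# from `ssh-keygen -D <slot>` output and installs it idempotently.
# Assumptions (labelled): SSH2 lines start with "ssh-rsa ", SSH1 lines are
# numeric, and the Authentication key is the first SSH2 line (index 1).

# Read ssh-keygen -D output on stdin, drop the SSH1 lines, print the N-th
# SSH2 key (default 1 = Authentication; 2 would be the Signature key,
# which you do not want in authorized_keys).
select_auth_key() {
    n="${1:-1}"
    grep '^ssh-rsa ' | sed -n "${n}p"
}

# Append a key to an authorized_keys file unless it is already present.
# Returns 0 if added, 1 if already there, 2 if the key is not an SSH2 key.
# Also enforces the permissions sshd expects on ~/.ssh and authorized_keys.
install_key() {
    key="$1"
    dest="$2"
    case "$key" in
        "ssh-rsa "*) ;;
        *) return 2 ;;
    esac
    mkdir -p "$(dirname "$dest")"
    chmod 700 "$(dirname "$dest")"
    touch "$dest"
    chmod 600 "$dest"
    if grep -qxF "$key" "$dest"; then
        return 1
    fi
    printf '%s\n' "$key" >> "$dest"
    return 0
}

# Constructed sample standing in for real `ssh-keygen -D 0` output: two SSH1
# lines followed by two SSH2 lines, Authentication first, Signature second.
SAMPLE_OUTPUT='1024 65537 1234567890123456789
1024 65537 9876543210987654321
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0CONSTRUCTEDAUTHKEY
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC0CONSTRUCTEDSIGNKEY'

# Demo on the constructed sample: pick the Authentication key and install it
# into a throwaway authorized_keys file. On a real host the destination is
# ~/.ssh/authorized_keys on the server, e.g.
#   ssh-keygen -D 0 | select_auth_key 1 | ssh user@host 'cat >> ~/.ssh/authorized_keys'
DEMO_DIR="$(mktemp -d)"
AUTH_KEY="$(printf '%s\n' "$SAMPLE_OUTPUT" | select_auth_key 1)"
install_key "$AUTH_KEY" "$DEMO_DIR/.ssh/authorized_keys" && echo "installed: $AUTH_KEY"
rm -rf "$DEMO_DIR"
```

The index argument is the place where the pkcs15-tool -c ordering matters: if your card lists the certificates in a different order, pass the position of the Authentication certificate rather than 1. The exact-line match in install_key means re-running the script after a reinstall of the client package does not leave duplicate entries behind.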

After we've done this, we're ready to start using the smartcard to log in. While ssh-add has an option to load keys from a smartcard, this only works with smartcards that allow one to download the private key from the smartcard into the computer's RAM. This is not possible with the eID (and for good reason), so you can't use ssh-agent with your eID card. However, you don't really need it.

beid-pkcs11-tool -l -t

This will log in to the Authentication key on the smartcard (note that while it is possible to log in to the Authentication key, it is not possible to do the same with the Signature key). You will get the familiar belpic login window, after which the smartcard will allow use of the private key. In order to actually use this key, you need to specify one extra option to ssh:

ssh -I 0

The -I option instructs SSH to use a smartcard key as a private key. Since we're already logged in to the smartcard, we do not need to enter a PIN code (and regardless, SSH does not know how to do that). You will now be logged on to the server.

Note that there is no way to 'log out' of a smartcard; the proper way to do that is to remove your card from the cardreader...