Several years ago, I blogged about how to use a Belgian electronic ID card with SSH. I never really used it myself, but was interested in figuring out if it would still work.
The good news is that since then, you don't need to recompile OpenSSH anymore to get PKCS#11 support; this is now compiled in by default.
The slightly bad news is that there will be some more typing. Rather than entering ssh-add -D 0 (to access the PKCS#11 certificate in slot 0), you should now enter something along the lines of ssh-add -s /usr/lib/libbeidpkcs11.so.0. This will ask for your passphrase, but it isn't necessary to enter the correct PIN code at this point in time. The first time you try to log on, you'll get a standard beid dialog box where you should enter your PIN code; this will then work. The next time, you'll be logged on and you can access servers without having to enter a PIN code.
The worse news is that there seems to be a bug in ssh-agent, making it impossible to unload a PKCS#11 library. Doing ssh-add -D will remove your keys from the agent; the next time you try to add them again, however, ssh-agent will simply report SSH_AGENT_FAILURE. I suspect the dlopen()ed modules aren't being unloaded when the keys are removed.
Unfortunately, the same (or at least, a similar) bug appears to occur when one removes the card from the cardreader.
As such, I don't currently recommend trying to use this.
Update: fix command-line options to the ssh-add invocation above.
ssh-add -e /usr/lib/libbeidpkcs11.so.0? I've encountered the same limitation of ssh-add -D (apparently just intended as a security measure?), but found -e to work with the module I use (/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so) when it gets into a weird state.