First, install security/ccid and security/opensc from pkgsrc.

Once installed, start the pcscd daemon

# /etc/rc.d/pcscd onestart

Verify that OpenSC finds your ePass2003 smartcard

$ opensc-tool -n
Using reader with a card: Feitian ePass2003 00 00
epass2003

Start by erasing the card

$ pkcs15-init --erase-card

Bootstrap the ePass2003

$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "pettai@NetBSD.org"
Using reader with a card: Feitian ePass2003 00 00
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:

Generate a new RSA key on the card

$ pkcs15-init --generate-key rsa/2048 --key-usage sign,decrypt --auth-id 01 --label "pettai@NetBSD.org"
Using reader with a card: Feitian ePass2003 00 00
User PIN [User PIN] required.
Please enter User PIN [User PIN]:

Check the ID of the generated key

$ pkcs15-tool --dump
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [pettai@NetBSD.org]:
        Version        : 0
        Serial number  : 0926531503081201
        Manufacturer ID: EnterSafe
        Last update    : 20151002154352Z
        Flags          : EID compliant

PIN [User PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:4, max_len:16, stored_len:16
        Pad char       : 0x00
        Reference      : 1 (0x01)
        Type           : ascii-numeric
        Path           : 3f005015

Private RSA Key [pettai@NetBSD.org]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : yes
        Path           : 3f0050152900
        Auth ID        : 01
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec
        MD:guid        : {ceefd809-2b85-adf5-c5a6-1205790bc09e}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public RSA Key [pettai@NetBSD.org]
        Object Flags   : [0x2], modifiable
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : no
        Path           : 3f0050153000
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec

Export the public key (and copy it to your .ssh/authorized_keys file on your remote host)

$ pkcs15-tool --read-ssh-key 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec 
Using reader with a card: Feitian ePass2003 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCl/O9hhKOos+1KkL7Q/jqrmSN9EXKFP86kZp+nRyCDErYBNiNl4PTGBfS7sx//suPIxzw8epmHR26JSIq0e0ZErjwBMTDzksUwLJ3+hOMgVnlInYPn+p569EcHiIWsKurfZBClllNHOMmTf3ZblbpN3+lwQUHNaUFECmLeh+wcDq6wGnHyCYF/UPUkqr/eiO2DkAYRhCgyPSfcM6a41H4hPWvo/HZgZvq3+Rpd0NHHHdleWfqHlGrdt00nzFV1TCsW16VhGh0KBfSfTKhH2WywqKGL5ik7SS5pFbD/rFSqn5Toc68hrkfbTbb5WBep2JM6htsSLuJ4079EKV3tIfpF pettai@NetBSD.org

Now you can use your smartcard's private key when ssh:ing to your remote host

$ ssh -I /usr/pkg/lib/opensc-pkcs11.so pettai@localhost
Enter PIN for 'pettai@NetBSD.org (User PIN)':
Last login: Fri Oct  2 15:41:21 2015 from 109.105.104.135
NetBSD 7.99.19 (GENERIC) #0: Mon Jun 22 06:11:15 UTC 2015
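
The "Check the ID of the generated key" step above can be scripted. The following is an added example, not part of the original page: a shell function that reads pkcs15-tool --dump output and reports each private key's ID, modulus length, and whether its access flags include sensitive and neverExtract. The sample dump is constructed (its second key is made up) and the function names are assumptions.

```shell
#!/bin/sh
# Added example: audit private keys in `pkcs15-tool --dump` output.

# Constructed sample in the dump layout shown above; the second key is
# made up to show a key whose flags do not include neverExtract.
sample_dump() {
cat <<'EOF'
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 Card [pettai@NetBSD.org]:
        Version        : 0

Private RSA Key [pettai@NetBSD.org]
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Auth ID        : 01
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec

Private RSA Key [constructed-example]
        Access Flags   : [0x1], sensitive
        ModLength      : 1024
        Auth ID        : 01
        ID             : 00ff

Public RSA Key [pettai@NetBSD.org]
        Access Flags   : [0x0]
        ModLength      : 2048
        ID             : 45d70cc6cdd46ce9914edcf6a81cb4fa60bf21ec
EOF
}

# Reads a dump on stdin; prints "<key id> <modulus bits> <ok|REVIEW>"
# for every private key object. "ok" requires sensitive + neverExtract.
audit_private_keys() {
awk '
function emit() {
    if (!inkey) return
    ok = (flags ~ /neverExtract/ && flags ~ /sensitive/)
    print id, mod, (ok ? "ok" : "REVIEW")
    inkey = 0
}
/^Private [A-Za-z]+ Key \[/ { emit(); inkey = 1; id = mod = flags = ""; next }
/^[^ \t]/                   { emit(); next }   # any other object header
inkey && /^[ \t]+Access Flags[ \t]*:/ { flags = $0 }
inkey && /^[ \t]+ModLength[ \t]*:/    { mod = $NF }
inkey && /^[ \t]+ID[ \t]*:/           { id = $NF }
END { emit() }
'
}

# Real use: pkcs15-tool --dump | audit_private_keys
sample_dump | audit_private_keys
```

The ID printed for a key marked ok is the value to pass to pkcs15-tool --read-ssh-key.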