Using an Aladdin eToken to store your SSH keys.
The past week I have tried using an Aladdin eToken on my Ubuntu desktop. They are used at Nikhef to store x509 certificates with Grid credentials, and make proxy certificates from those. (A proxy certificate is a more temporary certificate, signed by the original.) The ultimate goal (for me) was to use it to store the private keys I use most, my SSH keys.
After peeking around the Nikhef Gridwiki and downloading the eToken PKI Client 4.55 from aladdin.ru, I could confirm with pkcs11-tool that the token was loaded and recognized by the system. I was also able to store my grid certificate on it with the instructions provided, and loaded the /usr/lib/libeToken.so file into Firefox as a security device. After restarting Firefox, things took a turn for the worse...
It appears the Aladdin client ships some binaries of its own that interfere with Firefox (for instance by overwriting the LD_LIBRARY_PATH environment variable), along with an old version of libnss3, a library Firefox depends on. This makes Firefox crash with a "could not initialize XPCOM" message. A colleague helped me locate (using strace) and fix the offending libraries in /usr/lib/eToken/nss_tools: the shipped files should be removed and replaced by symlinks to the system certutil and modutil binaries. This fixes the problem! (Thanks again, Willem)
After alleviating this puzzling error, I was free to play around with the token some more. Concerning OpenSSH, it appears the version shipped with Ubuntu does not enable the use of a smartcard (which is what the token pretends to be). This can be fixed in two ways: either by recompiling OpenSSH with the --with-opensc flag, or by applying a PKCS#11 patch to OpenSSH. The OpenSC option seemed to be the easier route. Getting the source packages built on Ubuntu was as simple as:
aczid@maggie:~$ apt-get source openssh; apt-get build-dep openssh
If you get errors about missing public keys, look them up with:
gpg --keyserver keyserver.ubuntu.com --search-keys <name of maintainer>
Importing a key this way implies you trust this person and his or her public key!
aczid@maggie:~$ cd openssh-5.1p1/
aczid@maggie:~/openssh-5.1p1$ vi debian/rules
Add the line: confflags += --with-opensc=/usr/ and build the package with dpkg-buildpackage. Now your SSH will understand OpenSC, which relies on PKCS#15, but the card is still formatted as PKCS#11. Luckily, the token can hold files to facilitate both APIs simultaneously. Detailed instructions to accomplish this with a different kind of token Worked For Me (TM). I suppose once you have the pkcs# tools working, they're all more or less the same.
Now that you know how to put your certificate on the token using both APIs, we can finally use OpenSSH! Extract the public key from your certificate and place it in a remote server's authorized_keys file, then launch your newly built ssh with:
aczid@maggie:~/openssh-5.1p1$ ./debian/openssh-client/usr/bin/ssh -I0 <some host>
If you would like to use your existing keys (like the ones generated by ssh-keygen) you need to generate a self-signed certificate from them and put it on the token. Now you can use ssh without even needing a .ssh directory to store your private key! Unfortunately I was still unable to use the token to generate grid proxy certificates on Ubuntu.
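As an added illustration of the last two steps (wrapping an existing ssh-keygen key in a self-signed certificate, then extracting its public key into an authorized_keys line), here is a small Go program; it is not part of the original post and does not touch the token itself. It uses only the standard library and assumes a freshly generated RSA key standing in for the one ssh-keygen made; the function names are my own.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"math/big"
	"time"
)

// sshString: SSH wire-format string, a big-endian uint32 length followed by the bytes.
func sshString(b []byte) []byte {
	return append(binary.BigEndian.AppendUint32(nil, uint32(len(b))), b...)
}
// sshMpint: SSH mpint; a leading zero keeps a set top bit from reading as negative.
func sshMpint(n *big.Int) []byte {
	b := n.Bytes()
	if len(b) > 0 && b[0]&0x80 != 0 {
		b = append([]byte{0}, b...)
	}
	return sshString(b)
}
// SelfSignedCert wraps an existing RSA key in a minimal self-signed X.509 certificate (DER).
func SelfSignedCert(key *rsa.PrivateKey, cn string) ([]byte, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn}, // hypothetical subject name
		NotBefore:    time.Now(),
		NotAfter:     time.Now().AddDate(1, 0, 0),
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}
// AuthorizedKeyFromCert turns the certificate's RSA public key into an authorized_keys line.
func AuthorizedKeyFromCert(der []byte, comment string) (string, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return "", errors.New("certificate does not carry an RSA key")
	}
	blob := append(sshString([]byte("ssh-rsa")), sshMpint(big.NewInt(int64(pub.E)))...)
	blob = append(blob, sshMpint(pub.N)...)
	return "ssh-rsa " + base64.StdEncoding.EncodeToString(blob) + " " + comment, nil
}
```

The DER output of SelfSignedCert is what you would write to the token, and the string from AuthorizedKeyFromCert is what goes on the remote server.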