nassh/doc/hardware-keys.md - apps/libapps - Git at Google

 # Using smart cards and hardware tokens with Secure Shell

 *** note
 **Warning: This document is old & has moved.  Please update any links:**<br>
 https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/hardware-keys.md
 ***

 This guide explains how to use an OpenPGP-enabled hardware token or smart card
 for SSH authentication with [Secure Shell]. Any device with an OpenPGP applet
 based on the [OpenPGP card specification] should be supported, which includes
 at least the following:

 * [OpenPGP Card V2.1](https://g10code.com/p-card.html)
 * [Nitrokey](https://www.nitrokey.com/)
 * [Yubico YubiKeys](https://www.yubico.com/products/yubikey-hardware/)

 ## Setup

 1. Ensure that your smart card/hardware token is properly set up and loaded
    with at least an authentication key.

    The initial setup cannot be carried out under Chrome OS and does take some
    time. There are plenty of guides available covering the process, among
    them the ones by
    [Yubico](https://www.yubico.com/support/knowledge-base/categories/articles/use-yubikey-openpgp/),
    [ageis](https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4) and
    [drduh](https://github.com/drduh/YubiKey-Guide). The key generation part
    should not depend on the particular brand of smart card or hardware token.

 2. Install the [Smart Card Connector app] from the Chrome Web Store.

    This app implements the [PC/SC API] that is used to communicate with the
    OpenPGP applet. Other apps and extensions can connect to it and request
    permission to access the card or token, which has to be granted on first use.

 3. Launch [Secure Shell], add a new connection to your server and set the SSH
    relay server options to `--ssh-agent=gsc`.

    If you want to be able to use the key on the card or token also on the
    server, you can enable agent forwarding as usual by adding `-A` to the SSH
    arguments. **Note:** Only forward SSH agents to trusted servers.

 4. If `~/.ssh/authorized_keys` on your server does not yet contain the public
    key associated with the authentication key on the card or token, add a new
    line to it with the key in OpenSSH format.

    Under Linux, you can retrieve the public key in the correct format from the
    card via:
    ```console
    $ ssh-add -L
    ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDHuUmPhKRpI2fHHyikgpW
    yLHckziThJXQ7UDupl7k3pw5Ue9qXjmuMRJJ5moGOtjSB3EnCFvve6Ym6J1
    ...
    qQ== cardno:000601234567
    ```

    Secure Shell also prints the public keys of all connected cards and tokens
    to the console when you connect to a server. To see the key, click on
    'Connect' and wait for an error to be shown because the key has not been
    added yet. Then, press Ctrl+Shift+J to bring up the developer tools and
    navigate to the 'Console' tab, where the public key will be shown.

 6. Click on 'Connect' (or press 'R' to reconnect if you already clicked
    'Connect' in the previous step) and enter your smart card PIN when asked.
    PIN entry works as in any other terminal (no characters shown while typing,
    copy & paste supported).

    If you use the smart card SSH agent for the first time, Smart Card Connector
    will show a dialog asking you whether to grant Secure Shell access to the
    Smart Card Connector app. Accept and you should get logged in to the server.

 ## Caching the smart card PIN (optional)

 After the correct smart card PIN is entered for the first time during an SSH
 session, the user has the option to cache it. The PIN will remain in the cache
 until either the SSH session is disconnected or the screen is locked.

 As the PIN will not be preserved through reconnects, this feature is mostly
 meant to make agent forwarding (SSH Arguments: `-A`) a more pleasant experience.
 Note however that using agent forwarding with a smart card that does not require
 physical confirmation for every connection attempt may pose a security risk when
 connected to a malicious server.

 The PIN cache is encrypted with a random [WebCrypto] AES key that is marked as
 non-extractable. While this might mean that it cannot be exfiltrated by e.g.
 an arbitrary read vulnerability on machines with hardware-backed WebCrypto key
 storage, the nature of JavaScript makes it so that no definite security
 guarantees can be given. If in doubt, do not use this feature.

 [OpenPGP card specification]: https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-2.0.pdf
 [PC/SC API]: https://en.wikipedia.org/wiki/PC/SC
 [Secure Shell]: https://chrome.google.com/webstore/detail/iodihamcpbpeioajjeobimgagajmlibd
 [Smart Card Connector app]: https://chrome.google.com/webstore/detail/khpfeaanjngmcnplbdlpegiifgpfgdco
 [Yubico]: https://www.yubico.com/support/knowledge-base/categories/articles/use-yubikey-openpgp/
 [WebCrypto]: https://en.wikipedia.org/wiki/Web_cryptography_API
	# Using smart cards and hardware tokens with Secure Shell

	*** note
	Warning: This document is old & has moved. Please update any links:<br>
	https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/docs/hardware-keys.md
	***

	This guide explains how to use an OpenPGP-enabled hardware token or smart card
	for SSH authentication with [Secure Shell]. Any device with an OpenPGP applet
	based on the [OpenPGP card specification] should be supported, which includes
	at least the following:

	* [OpenPGP Card V2.1](https://g10code.com/p-card.html)
	* [Nitrokey](https://www.nitrokey.com/)
	* [Yubico YubiKeys](https://www.yubico.com/products/yubikey-hardware/)

	## Setup

	1. Ensure that your smart card/hardware token is properly set up and loaded
	with at least an authentication key.

	The initial setup cannot be carried out under Chrome OS and does take some
	time. There are plenty of guides available covering the process, among
	them the ones by
	[Yubico](https://www.yubico.com/support/knowledge-base/categories/articles/use-yubikey-openpgp/),
	[ageis](https://gist.github.com/ageis/14adc308087859e199912b4c79c4aaa4) and
	[drduh](https://github.com/drduh/YubiKey-Guide). The key generation part
	should not depend on the particular brand of smart card or hardware token.

	2. Install the [Smart Card Connector app] from the Chrome Web Store.

	This app implements the [PC/SC API] that is used to communicate with the
	OpenPGP applet. Other apps and extensions can connect to it and request
	permission to access the card or token, which has to be granted on first use.

	3. Launch [Secure Shell], add a new connection to your server and set the SSH
	relay server options to `--ssh-agent=gsc`.

	If you want to be able to use the key on the card or token also on the
	server, you can enable agent forwarding as usual by adding `-A` to the SSH
	arguments. Note: Only forward SSH agents to trusted servers.

	4. If `~/.ssh/authorized_keys` on your server does not yet contain the public
	key associated with the authentication key on the card or token, add a new
	line to it with the key in OpenSSH format.

	Under Linux, you can retrieve the public key in the correct format from the
	card via:
	```console
	$ ssh-add -L
	ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDHuUmPhKRpI2fHHyikgpW
	yLHckziThJXQ7UDupl7k3pw5Ue9qXjmuMRJJ5moGOtjSB3EnCFvve6Ym6J1
	...
	qQ== cardno:000601234567
	```

	Secure Shell also prints the public keys of all connected cards and tokens
	to the console when you connect to a server. To see the key, click on
	'Connect' and wait for an error to be shown because the key has not been
	added yet. Then, press Ctrl+Shift+J to bring up the developer tools and
	navigate to the 'Console' tab, where the public key will be shown.

	6. Click on 'Connect' (or press 'R' to reconnect if you already clicked
	'Connect' in the previous step) and enter your smart card PIN when asked.
	PIN entry works as in any other terminal (no characters shown while typing,
	copy & paste supported).

	If you use the smart card SSH agent for the first time, Smart Card Connector
	will show a dialog asking you whether to grant Secure Shell access to the
	Smart Card Connector app. Accept and you should get logged in to the server.

	## Caching the smart card PIN (optional)

	After the correct smart card PIN is entered for the first time during an SSH
	session, the user has the option to cache it. The PIN will remain in the cache
	until either the SSH session is disconnected or the screen is locked.

	As the PIN will not be preserved through reconnects, this feature is mostly
	meant to make agent forwarding (SSH Arguments: `-A`) a more pleasant experience.
	Note however that using agent forwarding with a smart card that does not require
	physical confirmation for every connection attempt may pose a security risk when
	connected to a malicious server.

	The PIN cache is encrypted with a random [WebCrypto] AES key that is marked as
	non-extractable. While this might mean that it cannot be exfiltrated by e.g.
	an arbitrary read vulnerability on machines with hardware-backed WebCrypto key
	storage, the nature of JavaScript makes it so that no definite security
	guarantees can be given. If in doubt, do not use this feature.

	[OpenPGP card specification]: https://gnupg.org/ftp/specs/OpenPGP-smart-card-application-2.0.pdf
	[PC/SC API]: https://en.wikipedia.org/wiki/PC/SC
	[Secure Shell]: https://chrome.google.com/webstore/detail/iodihamcpbpeioajjeobimgagajmlibd
	[Smart Card Connector app]: https://chrome.google.com/webstore/detail/khpfeaanjngmcnplbdlpegiifgpfgdco
	[Yubico]: https://www.yubico.com/support/knowledge-base/categories/articles/use-yubikey-openpgp/
	[WebCrypto]: https://en.wikipedia.org/wiki/Web_cryptography_API