To login using a smart card, the card key must be extracted and put into ~/.ssh/authorized_keys. This can be done using pkcs15-tool and is described in the TAG, section 9.7.4. However, there are several steps that must be done manually. At Karlstad, I created a script that makes this task easier. The idea is that root logins and executes a command, providing the username. The script then creates the authorized_keys. We should consider shipping this, or a similiar, script.
Created attachment 272 [details]
Created attachment 340 [details]
Updated tl-get-cert, handles passwdaliases
Created attachment 345 [details]
This script is installed on the demo system. It's in english, has better support for running as ordinary user, plus saves the user DN in ~/.thinlinc/user-dn.
Created attachment 346 [details]
Created attachment 430 [details]
Latest tl-get-cert, fetched from eudemo
I think that before shipping such a script, we should rewrite it so that it uses pkcs11-tool instead of pkcs15-tool. Something like:
pkcs11-tool -r --id 45 -y cert
However, this means that we must also use tl-certtool --pubkey, then mangle it to Python format. While we are at it, we should probably also rewritten the shell script as a Python one.
Created attachment 434 [details]
Code from Pierre that mangles to SSH format.
Also, we should perhaps support feeding the script with a certificate on file, instead of calling pkcs11-tool. Also check if the code overlaps with tl-ldap-certalias.
This is a bit hacky compared to using something like tl-ldap-certalias, so I don't think this method is something we want to recommend. We also haven't seen any interest for something like this in the fourteen years this bug has been open.