Tadas Sasnauskas Tech/Engineering Blog

SSH Authentication using Lithuanian Personal Identity Card

Disclaimer

I have absolutely no idea what I am doing. Smartcards, PKCS 11 and other related technology is greek to me. Do not try this in any kind of serious setting, this is for test and entertainment purposes only.

Background

Since 2009 Lithuanian Personal Identity cards are equipped with contact chips allowing it to be used as digital signature devices.

Card and computer software seems to be provided by a Polish company PWPW S.A. That includes Linux support as well. It even appears that the company has violated GPL terms of OpenSC project while developing the software.

Weirdly there’s other part of the software which is Firefox browser extension provided by Dokobit.

Usage of the Lithuanian Personal Identity Card

It’s not exactly popular - but given you have a smart card reader (e.g. Gemalto CT40) and correctly installed software (Lithuanian gov guide here) it’s possible to authenticate on various government websites and electronically request all kinds of services, submit requests, do taxes and similar. Most residents usually use online banking accounts to access these services instead of smart card authentication. The main gov portal website is called E-Government Gateway.

Previously mentioned company Dokobit provides document signing web application the PKCS 11 functionality of the card.

SSH

Now it’s no news that SSH authentication can be done using PKCS 11 cryptographic tokens. And usually it’s being done with dedicated products like YubiKey or similar. What is slightly less common (and less documented) is use of ID cards for that.

Apparently the whole trick is providing correct pkcs11 library module to get public ssh keys and during authentication.

In case Polish Personal Identity Card it is /usr/lib/eidklient/libpkcs11_sig_x64.so (source). In case of Estonian E-Residency card it is /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so (source).

Now, after little digging through that PWPW S.A. provided software I found it is:

/usr/lib64/pwpw-card-pkcs11.so

Command to get SSH public key(s) is:

ssh-keygen -D /usr/lib64/pwpw-card-pkcs11.so

In my case it outputs 2 keys. Absolutely no idea why.

After copying those keys to remote machine, I was able to ssh using:

ssh -I /usr/lib64/pwpw-card-pkcs11.so user@remote-machine

It did ask for 8 digit pin code in the console. So session looked a bit like this:

user@local-machine ~ $ ssh -I /usr/lib64/pwpw-card-pkcs11.so user@remote-machine
Enter PIN for 'Crypto2 (PIN)':
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.4.0-84-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
Last login: Mon Oct 18 23:33:33 2021 from xx.xx.xx.xx
user@remote-machine:~$

To make things a little more convenient, pkcs11 provide can be specified in user ssh config:

Host *
     PKCS11Provider /usr/lib64/pwpw-card-pkcs11.so

Practicality

While it’s a neat trick - it’s probably not a good idea. Card is easily blocked after 3 incorrect PIN attempts. And re-setting PIN involves going to your local gov office which handles passports and ID cards. And I’m still unsure if existing certificates do not get destroyed when re-setting the PIN. Unlike purpose created tokens for this - Lithuanian Personal Identity Card chip/protocol is not documented and unsupported by open source projects like OpenSC.

In conclusion - don’t do it. At least not until card is fully documented and supported by the OpenSC project.