EECS 598-2 / Winter 2000
Homework Assignment #4

SSH/Smartcard Integration
2/20/2000, Naomaru Itoi (itoi@eecs.umich.edu)
Revised 3/9/2000
Deadline: 3/14/2000

In this assignment, you will learn how to integrate card-side and host-side programming by implementing an SSH client that uses a smartcard. You are asked to write a Java applet that performs RSA decryption, and to modify the SSH client to call the card. Please submit the binary so that we can test it.

Problem Description
The following steps do not have to be carried out in this order.

  1. Install SSH
    Copy /afs/engin.umich.edu/class/w00/eecs598/002/software/src/src/ssh-1.2.27.tar.gz to your directory, then configure, compile and install it on your operating system (Solaris 2.6, RedHat 6.1, or OpenBSD 2.6).
  2. Generate a public / private key pair, and place the public key in your home directory on iceaxe.
  3. Use the sample binary /afs/engin.umich.edu/class/w00/eecs598/002/software/bin/(OS name)/ssh with the -K option to print out your private key (e.g., ssh -K login.umich.edu).

    Caution

    Make sure to copy your public key (.ssh/identity.pub) into .ssh/authorized_keys on the host you want to log in to.

    For example, I generated a key pair on prom.engin; therefore prom has my private key (identity) and my public key (identity.pub) in ~/.ssh. I copied the public key to soso.eecs:~/.ssh/authorized_keys.

    prom% ./ssh -K soso.eecs.umich.edu
    setting printKey flag...

    ------------printing key
    p:
    ...
    q:
    ...
    1/p mod q:
    ...
    dp:
    ...
    dq:
    ...
    n:
    ...

    ----------------------printing key done

  4. Card initialization
    Write your private key to the card with the jR command in pay.

    Caution

    Note that the jR command writes the private key to key number 0x10. When you load this key in your applet with setKeyInstance(), you have to specify this number.

    Write the n of your public key to the file 3f.00/73.68 (sh) on the card by sending a create APDU and a write binary APDU from pay. It should look like this:
    % pay> jR (private key (p, q, 1/p mod q, dp, dq) from ssh -K)
    % pay> f 3f.00
    /* create file "sh" */
    % pay> ic f0 E0 00 00 10
    01 00 73 68 02 01 00 00 FF 00 00 00 00 00 00 00
    /* select */
    % pay> f 73.68
    /* write to "sh" */
    % pay> ic f0 d6 00 00 80
    (public key (n) from ssh -K)
  5. ssh modification
    Now your ssh client (with -s option) should let you log on to iceaxe (or whatever) without typing the password.

    Caution
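
Steps 3 and 4 handle the private key as the components p, q, 1/p mod q, dp and dq, with n stored separately. The following Python code is an added example, not part of the original assignment or of the ssh or pay sources: it checks that a set of transcribed components is mutually consistent and decrypts with them using the Chinese Remainder Theorem. The public exponent e, the function names and all key values are assumptions constructed for illustration.

```python
# Added example (not from the assignment): RSA-CRT with the components in the
# order `ssh -K` prints them: p, q, 1/p mod q, dp, dq, n.

def crt_components(p, q, e):
    """Derive (u, dp, dq, n) from primes p, q and public exponent e."""
    d = pow(e, -1, (p - 1) * (q - 1))   # private exponent (Python 3.8+)
    u = pow(p, -1, q)                   # "1/p mod q": inverse of p modulo q
    return u, d % (p - 1), d % (q - 1), p * q

def check_key(p, q, u, dp, dq, n, e):
    """Return a list of inconsistencies; an empty list means the parts agree."""
    problems = []
    if p * q != n:
        problems.append("n != p*q")
    if (u * p) % q != 1:
        # Typical cause: the value is 1/q mod p (PKCS#1 ordering) instead.
        problems.append("coefficient is not 1/p mod q")
    if (e * dp) % (p - 1) != 1:
        problems.append("dp inconsistent with e")
    if (e * dq) % (q - 1) != 1:
        problems.append("dq inconsistent with e")
    return problems

def crt_decrypt(c, p, q, u, dp, dq):
    """Decrypt c using only the five private components."""
    m1 = pow(c, dp, p)                  # c^d mod p
    m2 = pow(c, dq, q)                  # c^d mod q
    h = ((m2 - m1) * u) % q             # Garner recombination with 1/p mod q
    return m1 + h * p                   # the value below p*q matching both

# Constructed sample key: two Mersenne primes, far too small for real use.
P, Q, E = 2**89 - 1, 2**61 - 1, 65537
U, DP, DQ, N = crt_components(P, Q, E)

if __name__ == "__main__":
    challenge = 0x1234567890ABCDEF      # constructed plaintext
    c = pow(challenge, E, N)            # encrypted with the public key (e, n)
    assert check_key(P, Q, U, DP, DQ, N, E) == []
    assert crt_decrypt(c, P, Q, U, DP, DQ) == challenge
    print("components consistent; CRT decryption recovers the challenge")
```

Running check_key on the values copied from the ssh -K output before loading them with jR catches a mistyped digit or a swapped coefficient while the key can still be compared against the host copy.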

Submission
Please place the binary of the modified SSH client (ssh) and the applet (Ssh.bin) in your class directory (/afs/engin.umich.edu/class/w00/eecs598/002/uniqname), and send me an e-mail saying where your files are, along with a couple of paragraphs that explain what your program does.
Your programs must be called "ssh", "Ssh.java", and "Ssh.bin".
I welcome Solaris, Linux, and OpenBSD binaries. If it is absolutely necessary, I will accept others, e.g., a Windows binary.

Reference

Congratulations, homework #4 is done. As always, send questions to smartcards@umich.edu (I really prefer receiving questions at smartcards@umich rather than itoi@eecs because other students can share the information), or talk to us on IRC at #smartcards. Obviously, doing more development on ssh/smartcard is more than welcome. For example, ssh with the smartcard on a remote host is an interesting project. If you are interested in doing more, talk to us about potential course projects. Good luck. :)