

Ask HN: iPhone PKCS#11 SSH-key "SmartCard" over Bluetooth? - JoelJacobson

I would like to use my iPhone as a security token, to generate and store my SSH private keys.

Whenever I would like to connect to a remote server via SSH, the SSH program would communicate with the iPhone, requiring me to press a key on the iPhone display, thus verifying I am the one who requested the authentication and not some malicious user controlling my computer.

Smartcards are an option, but it's nicer to use something you always carry with you.

I am thinking something like:

ssh-add -s iPhone.so

And then the iPhone.so module would connect to the iPhone over Bluetooth or Wifi or perhaps via the cable.

Does anyone know if there is any open source project working on this already? Otherwise I'm thinking of working on it.
======
nickf
I'd say it's not a bad idea - oddly enough I've tried to do it the other way
around (using a physical PKCS#11-compatible token on iOS devices). There are
CAC-type smartcard readers that operate over Bluetooth, but they're big and
expensive.

A couple of thoughts: Is there a reason you wouldn't use a 'real' hard-token
like an eToken or similar? Yes, they need USB - but they're small and
resilient. I generally have my keys on me all the time!

There's a project out there called LSM-PKCS11 that basically has encrypted
storage 'boxes' (files) that are accessed via PKCS#11 via a daemon-client
system over TCP. It might not be too hard to port the daemon to iOS. Somewhere
to start, maybe? <http://www.clizio.com/lsmpkcs11.html>

------
Piskvorrr
This may be of interest: doesn't seem to be Android-specific, and is
open-source, so porting to iOS shouldn't be _extremely_ hard.
<http://www.mnxsolutions.com/security/two-factor-ssh-with-google-authenticator.html>

Edit: it seems that the functionality already exists for iPhones; not sure
whether this requires communicating with a third-party (Google) server in
addition to your device and the target.

~~~
JoelJacobson
This requires modifications to the server. I want to use normal public/private
keys, without any special configuration, but instead of storing the private
key in ~/.ssh/id_rsa, I want to store it in my iPhone, and authenticate via
the PKCS#11 protocol.

This would mean 2-factor security for all my servers and services relying on
SSH, such as git, without any modifications on the server side.

You would push a button on the iPhone to verify you want to authenticate,
instead of typing in digits like with Google Authenticator, which is a bit of
a hassle.

