For various reasons, I need to secure access to some resources using two-factor authentication, and thus have been looking at smartcards. These little devices store private keys and certificates, protected by a passphrase (a PIN), and compute digital signatures on the device itself, so the private key never leaves the card. Hence the two factors: possession of the card, and knowledge of the PIN.
This sort of scheme is widely used by government agencies and large corporations (and largely reliant on Windows, too), but I wanted to find the low cost way in for the small operator using open source.
The best starting point for Linux is the OpenSC project. It supports a reasonably broad array of devices and is well packaged by Linux distributions. Using its command line tools (pkcs15-init to initialise the card and store or generate keys, pkcs15-tool to list objects and export public keys and certificates) you can create keys and certificates, as you would with OpenSSL for web servers and so on, and then upload them to the smartcard. Where the card supports it, generating the key pair on the card is preferable to uploading one: the private key then never exists on the host at all, which is the property the whole scheme depends on.
Although the OpenSSH source code has support for OpenSC, it is not compiled in by default in Debian and derived distributions, so getting SSH to talk to the card means rebuilding the package with that option enabled. Once that's done you have an SSH client that can authenticate with an RSA key held on the smartcard, and, best of all, you can add that key to ssh-agent as you would a regular key; the agent then hands each signing request to the card rather than holding a private key in memory. (Later OpenSSH releases replaced this OpenSC-specific code with a generic PKCS#11 interface, reached through the opensc-pkcs11 module, but the workflow is the same.)
I ordered two devices that seemed to have the best support from OpenSC: the Axalto Cryptoflex E-Gate and an Aladdin eToken. I got these from UsaSmartCard, who have a special section in their catalogue for Open Source compatible products. Both these cards have a USB interface built in; I didn't want to be toting around an extra card reader in addition to the tokens themselves.
While both the devices worked as advertised under Linux, the experience has been a lot less fruitful under Mac OS 10.5 Leopard. There is a port of the OpenSC project for Mac OS, called SCA. The promise of the integration is great: you can use the on-device keys with apps like Safari and Mail, but there is a change in the way that the daemon responsible for talking to the smartcards (pcscd) works on Leopard, which means OpenSC won't recognise the cards.
With some fiddling, I have managed to force the Cryptoflex device to work with Mac. Unfortunately the Leopard/Darwin source for OpenSSH has diverged significantly enough from the upstream OpenSSH that I couldn't apply the OpenSC patches. Not having ssh-agent work with the smartcard is a significant nuisance for me, as it's the easiest way to patch the extra security into deployment processes.
The Aladdin eToken just plain didn't work on Leopard. There is a report that Aladdin are working on Leopard drivers, however.
I think a small number of mainly US federal smart cards will work out of the box on Leopard, though I've seen a few complaints about these on the Apple forums. It looks, unfortunately, like smartcard support slipped through the net a bit.
Smartcard support is relatively straightforward on Linux. On Mac OS 10.5, it looks like some waiting is in order before things will work properly.