21.7.15

Enable client-side smart card authenticated ssh on Mac OS 10.6, 10.7, and 10.10

Problem: The ssh command on some Macs does not support smart card authenticated ssh. The following error appears when using the -I option:
"no support for PKCS#11."

Solution: Install a 'portable' version of openssh. This is a very brief, slightly modified rendition of the excellent tutorial at http://www.gooze.eu/howto/using-openssh-with-smartcards. Every system seems to be a little bit different; this worked for me. Thrice. Skip steps 3 and 4 for Yosemite (10.10).

1. Install tools to read cards:
brew install opensc

2. Test card reader:
pkcs15-tool --list-public-keys

3. Download openssh-5.5p1 (maybe you want a newer one; this is what I tested):
curl http://ftp3.usa.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-5.5p1.tar.gz > openssh-5.5p1.tar.gz
tar -xzvf openssh-5.5p1.tar.gz

4. Install (from inside the unpacked source directory):
cd openssh-5.5p1
./configure --prefix=/usr/local/bin/openssl --without-openssl-header-check
make
make install

5. Test (you may have to change the path to the brew-installed opensc libraries):
/usr/local/bin/openssl/bin/ssh -I /usr/local/Cellar/opensc/0.14.0/lib/opensc-pkcs11.so login@xxx.xxx.xxx.xxx

6. Modify $PATH, placing /usr/local/bin/openssl/bin before /usr/bin (or wherever your 'old' ssh is)

7. Open new terminal window, verify that you are now using the 'new' ssh:
which ssh

8. To avoid having to type the -I option, and to use the card reader automatically, add this line:
PKCS11Provider /usr/local/Cellar/opensc/0.14.0/lib/opensc-pkcs11.so
to:
/usr/local/bin/openssl/etc/ssh_config

9. Connect: 
ssh login@xxx.xxx.xxx.xxx
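
Added helper script, not part of the original post: it automates the version-dependent pieces of steps 2, 5 and 8 so the procedure does not break when brew moves opensc to a new version directory. It assumes the Homebrew keg layout /usr/local/Cellar/opensc/<version>/lib/opensc-pkcs11.so and the portable OpenSSH prefix /usr/local/bin/openssl used in the steps above; the function names and the default paths are my own choices and can be overridden with arguments.

```shell
#!/bin/sh
# Added helper, not from the original post. Automates the version-dependent
# parts of steps 2, 5 and 8. Assumed defaults (hypothetical): Homebrew keg root
# /usr/local/Cellar/opensc and the portable OpenSSH prefix /usr/local/bin/openssl.

# Locate opensc-pkcs11.so under the newest opensc keg, so the path used in
# steps 5 and 8 survives a 'brew upgrade opensc'.
find_pkcs11_provider() {
    cellar_root="${1:-/usr/local/Cellar/opensc}"
    [ -d "$cellar_root" ] || return 1
    # Sort version directories numerically field by field (0.9.0 < 0.14.0).
    newest=$(ls "$cellar_root" | sort -t. -k1,1n -k2,2n -k3,3n | tail -n 1)
    candidate="$cellar_root/$newest/lib/opensc-pkcs11.so"
    [ -f "$candidate" ] || return 1
    printf '%s\n' "$candidate"
}

# Report (via exit status) whether an ssh binary was built with PKCS#11
# support. ssh is given -I and no host name, so it only parses options: a
# build without support prints "no support for PKCS#11." and exits; a build
# with support falls through to its usage message. No connection is made.
ssh_has_pkcs11() {
    ssh_bin="${1:-ssh}"
    out=$("$ssh_bin" -I /nonexistent/opensc-pkcs11.so 2>&1 || true)
    case "$out" in
        *"no support for PKCS#11"*) return 1 ;;
        *) return 0 ;;
    esac
}

# Append a PKCS11Provider line to an ssh_config unless one is already there,
# so re-running the setup does not stack duplicate directives.
set_pkcs11_provider() {
    config="$1"
    provider="$2"
    if grep -q '^PKCS11Provider ' "$config" 2>/dev/null; then
        return 0
    fi
    printf 'PKCS11Provider %s\n' "$provider" >> "$config"
}

# Steps 5 and 8 together: find the provider, confirm the new ssh can load
# one, and record it in the portable OpenSSH's ssh_config.
configure_smartcard_ssh() {
    ssh_bin="${1:-/usr/local/bin/openssl/bin/ssh}"
    config="${2:-/usr/local/bin/openssl/etc/ssh_config}"
    cellar_root="${3:-/usr/local/Cellar/opensc}"
    provider=$(find_pkcs11_provider "$cellar_root") || {
        echo "opensc-pkcs11.so not found under $cellar_root; run step 1 first" >&2
        return 1
    }
    ssh_has_pkcs11 "$ssh_bin" || {
        echo "$ssh_bin has no PKCS#11 support; build the portable OpenSSH (steps 3-4)" >&2
        return 1
    }
    set_pkcs11_provider "$config" "$provider"
    echo "PKCS11Provider $provider recorded in $config"
}
```

Source the file and call configure_smartcard_ssh; pass a different ssh binary, ssh_config path or Cellar root as the three arguments to override the defaults. The PKCS#11 probe only exercises ssh's option parsing, which is why it is safe to run before any host is reachable, and the config writer is idempotent so the script can be re-run after every opensc upgrade.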

You can still use your 'old' ssh by including the full path name /usr/bin/ssh.