SSH CA and OpenPGP card
gniibe at fsij.org
Mon Mar 30 03:17:30 CEST 2015
On 03/27/2015 09:36 PM, Bolesław Tokarski wrote:
> ssh-keygen *can* sign a public key with a smartcard. Using a PKCS#11 token.
> However, I see that the OpenPGP card does not natively talk PKCS#11, but
> there's some wrapper library. Am I really forced to use that? Would it work
> correctly or would it break the keys currently on the card?
> Is the PKCS#11 library for OpenPGP card usable?
Scute is a shared library for NSS (Network Security Services) with
scdaemon (of GnuPG) which provides PKCS#11 interface.
But, I'm afraid it doesn't work for OpenSSH. I mean, the library
interface of NSS doesn't match to the one of OpenSSH.
Well, I think that it's possible for us to write a script using
gpg-connect-agent which asks generating signature by authentication
key of GnuPG. Then, the script can be used for certificate generation
of OpenSSH (instead of ssh-keygen).
I generated *-cert.pub by ssh-keygen, and examined its content. It
seems that it's simple concatenation of:
Public key to be signed
Options (in ASCII)
Signing public key of CA
We can use SIGKEY, SETHASH, and PKSIGN commands of gpg-agent to
generate signature and other part can be written by, say Python, or
Ideally, ssh-keygen would have better to talk ssh-agent to ask
More information about the Gnupg-users