SSH CA and OpenPGP card

NIIBE Yutaka gniibe at
Mon Mar 30 03:17:30 CEST 2015

On 03/27/2015 09:36 PM, Bolesław Tokarski wrote:
> ssh-keygen *can* sign a public key with a smartcard. Using a PKCS#11 token.
> However, I see that the OpenPGP card does not natively talk PKCS#11, but
> there's some wrapper library. Am I really forced to use that? Would it work
> correctly or would it break the keys currently on the card?
> Is the PKCS#11 library for OpenPGP card usable?

Scute is a shared library for NSS (Network Security Services) with
scdaemon (of GnuPG) which provides PKCS#11 interface.

But, I'm afraid it doesn't work for OpenSSH.  I mean, the library
interface of NSS doesn't match to the one of OpenSSH.

Well, I think that it's possible for us to write a script using
gpg-connect-agent which asks generating signature by authentication
key of GnuPG.  Then, the script can be used for certificate generation
of OpenSSH (instead of ssh-keygen).

I generated * by ssh-keygen, and examined its content.  It
seems that it's simple concatenation of:

	Public key to be signed
	Key Id
	Options (in ASCII)
	Signing public key of CA

We can use SIGKEY, SETHASH, and PKSIGN commands of gpg-agent to
generate signature and other part can be written by, say Python, or

Ideally, ssh-keygen would have better to talk ssh-agent to ask
signing, though.

More information about the Gnupg-users mailing list