SSH CA and OpenPGP card

Bolesław Tokarski boleslaw.tokarski at
Mon Mar 30 14:46:22 CEST 2015


Thanks for taking the time to examine that. I guess that I'd need to dig
deeper. Or ask the OpenSSH guys.

Best regards,
Bolesław Tokarski

2015-03-30 3:17 GMT+02:00 NIIBE Yutaka <gniibe at>:

> On 03/27/2015 09:36 PM, Bolesław Tokarski wrote:
> > ssh-keygen *can* sign a public key with a smartcard. Using a PKCS#11
> token.
> > However, I see that the OpenPGP card does not natively talk PKCS#11, but
> > there's some wrapper library. Am I really forced to use that? Would it
> work
> > correctly or would it break the keys currently on the card?
> >
> > Is the PKCS#11 library for OpenPGP card usable?
> Scute is a shared library for NSS (Network Security Services) with
> scdaemon (of GnuPG) which provides PKCS#11 interface.
> But, I'm afraid it doesn't work for OpenSSH.  I mean, the library
> interface of NSS doesn't match to the one of OpenSSH.
> Well, I think that it's possible for us to write a script using
> gpg-connect-agent which asks generating signature by authentication
> key of GnuPG.  Then, the script can be used for certificate generation
> of OpenSSH (instead of ssh-keygen).
> I generated * by ssh-keygen, and examined its content.  It
> seems that it's simple concatenation of:
>         Header
>         Public key to be signed
>         Key Id
>         Options (in ASCII)
>         Signing public key of CA
>         Signature
> We can use SIGKEY, SETHASH, and PKSIGN commands of gpg-agent to
> generate signature and other part can be written by, say Python, or
> something.
> Ideally, ssh-keygen would have better to talk ssh-agent to ask
> signing, though.
> --
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20150330/4eec86a2/attachment.html>

More information about the Gnupg-users mailing list