SSH CA and OpenPGP card
Bolesław Tokarski
boleslaw.tokarski at gmail.com
Mon Mar 30 14:46:22 CEST 2015
Hello,
Thanks for taking the time to examine that. I guess that I'd need to dig
deeper. Or ask the OpenSSH guys.
Best regards,
Bolesław Tokarski
2015-03-30 3:17 GMT+02:00 NIIBE Yutaka <gniibe at fsij.org>:
> On 03/27/2015 09:36 PM, Bolesław Tokarski wrote:
> > ssh-keygen *can* sign a public key with a smartcard. Using a PKCS#11
> token.
> > However, I see that the OpenPGP card does not natively talk PKCS#11, but
> > there's some wrapper library. Am I really forced to use that? Would it
> work
> > correctly or would it break the keys currently on the card?
> >
> > Is the PKCS#11 library for OpenPGP card usable?
>
> Scute is a shared library for NSS (Network Security Services) with
> scdaemon (of GnuPG) which provides PKCS#11 interface.
>
> But, I'm afraid it doesn't work for OpenSSH. I mean, the library
> interface of NSS doesn't match to the one of OpenSSH.
>
> Well, I think that it's possible for us to write a script using
> gpg-connect-agent which asks generating signature by authentication
> key of GnuPG. Then, the script can be used for certificate generation
> of OpenSSH (instead of ssh-keygen).
>
> I generated *-cert.pub by ssh-keygen, and examined its content. It
> seems that it's simple concatenation of:
>
> Header
> Public key to be signed
> Key Id
> Options (in ASCII)
> Signing public key of CA
> Signature
>
> We can use SIGKEY, SETHASH, and PKSIGN commands of gpg-agent to
> generate signature and other part can be written by, say Python, or
> something.
>
> Ideally, ssh-keygen would have better to talk ssh-agent to ask
> signing, though.
> --
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: </pipermail/attachments/20150330/4eec86a2/attachment.html>
More information about the Gnupg-users
mailing list