SSH CA and OpenPGP card
boleslaw.tokarski at gmail.com
Mon Mar 30 14:46:22 CEST 2015
Thanks for taking the time to examine that. I guess that I'd need to dig
deeper. Or ask the OpenSSH guys.
2015-03-30 3:17 GMT+02:00 NIIBE Yutaka <gniibe at fsij.org>:
> On 03/27/2015 09:36 PM, Bolesław Tokarski wrote:
> > ssh-keygen *can* sign a public key with a smartcard. Using a PKCS#11
> > However, I see that the OpenPGP card does not natively talk PKCS#11, but
> > there's some wrapper library. Am I really forced to use that? Would it
> > correctly or would it break the keys currently on the card?
> > Is the PKCS#11 library for OpenPGP card usable?
> Scute is a shared library for NSS (Network Security Services) with
> scdaemon (of GnuPG) which provides PKCS#11 interface.
> But, I'm afraid it doesn't work for OpenSSH. I mean, the library
> interface of NSS doesn't match to the one of OpenSSH.
> Well, I think that it's possible for us to write a script using
> gpg-connect-agent which asks generating signature by authentication
> key of GnuPG. Then, the script can be used for certificate generation
> of OpenSSH (instead of ssh-keygen).
> I generated *-cert.pub by ssh-keygen, and examined its content. It
> seems that it's simple concatenation of:
> Public key to be signed
> Key Id
> Options (in ASCII)
> Signing public key of CA
> We can use SIGKEY, SETHASH, and PKSIGN commands of gpg-agent to
> generate signature and other part can be written by, say Python, or
> Ideally, ssh-keygen would have better to talk ssh-agent to ask
> signing, though.
> Gnupg-users mailing list
> Gnupg-users at gnupg.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Gnupg-users