After my first post about smartcards under Linux, I thought I would share some information I've been gathering. This post is already huge, so I am not going to dive into - much - specific commands, but I am linking to many sources with detailed instructions.

For this review, I will focus on the OpenPGP card and the Yubikey NEO, since the Cardomatic Smartcard-HSM is not supported by the gpg version in Jessie. Both cards are produced by people with strong support for the Free Software ecosystem and have strong cross-platform support with source code.

The OpenPGP card is well-known as one of the first smart cards to work well on Linux. It is a single-application card focused on use with GPG. Generally speaking, by the way, you want GPG2 for use with smartcards.

Basically, this card contains three slots: decryption, signing, and authentication. The concept is that the private key portions of the keys used for these items are stored only on the card, can never be extracted from the card, and the cryptographic operations are performed on the card. There is more information in my original post.

In a fairly rare move for smartcards, this card supports 4096-byte RSA keys; most are restricted to 2048-byte keys.

The FSF Europe hands these out to people and has a lot of good information about them online, including some HOWTOs. The official GnuPG smart card howto is 10 years old, and although it has some good background, I'd suggest using the FSFE instructions instead.

As you'll see in a bit, most of this information also pertains to the OpenPGP mode of the Yubikey Neo.

Of course, this is already pretty great to enhance your GPG security, but there's a lot more that you can do with this card to add two-factor authentication (2FA) to a lot of other areas.

OpenPGP card: remote authentication with ssh

You can store the private part of your ssh key on the card. Traditionally, this was only done by using the ssh agent emulation mode of gnupg-agent. Now, however, the OpenSC project supports the OpenPGP card as a PKCS#11 and PKCS#15 card, which means it works natively with ssh-agent as well. Try just ssh-add -s /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so if you've put a key in the auth slot with GPG. ssh-add -L will list its fingerprint for insertion into authorized_keys. Very simple!

As an aside: comments that you need scute for PKCS#11 support are now outdated.
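The ssh-add steps above, wrapped into a small POSIX shell script as an added example (not code from the original post or from the OpenSC project). It assumes the Debian amd64 module path the post quotes, a running ssh-agent and card reader for the live path, and that ssh-agent reports PKCS#11-backed keys with the provider path as the key comment; the authorized_keys option prefix and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: load the OpenPGP card's authentication
# key into ssh-agent through the OpenSC PKCS#11 module and turn the `ssh-add -L`
# listing into authorized_keys lines. The module path is the Debian amd64 path
# quoted in the post; override it with PKCS11_MODULE if your distribution differs.
PKCS11_MODULE="${PKCS11_MODULE:-/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so}"

# Step 1: hand the PKCS#11 module to the running agent. ssh-add -s prompts for the
# card PIN; the private key itself never leaves the card. This needs a reader and
# a running agent, so it is only called with --live below.
load_card_key() {
    if [ ! -r "$PKCS11_MODULE" ]; then
        echo "PKCS#11 module not found: $PKCS11_MODULE" >&2
        return 1
    fi
    ssh-add -s "$PKCS11_MODULE"
}

# Step 2: filter `ssh-add -L` output (stdin) down to the card-backed keys and print
# each as an authorized_keys line. Assumption: ssh-agent labels PKCS#11 keys with
# the provider path as the comment (third field), which is how they are told apart
# from software keys. The option prefix is a defensive choice for a key whose only
# job is interactive login: no agent or port forwarding through it.
authorized_keys_lines() {
    module="$1"
    awk -v m="$module" '$3 == m {
        print "no-agent-forwarding,no-port-forwarding " $1 " " $2 " openpgp-card-auth"
    }'
}

# Constructed sample of `ssh-add -L` output (shortened placeholder blobs, not real
# keys): one ordinary software key and one key served by the card through OpenSC.
SAMPLE_LISTING="ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDER user@laptop
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQPLACEHOLDER $PKCS11_MODULE"

if [ "${1:-}" = "--live" ]; then
    # Real run: load the card key, then print what to append to authorized_keys.
    load_card_key && ssh-add -L | authorized_keys_lines "$PKCS11_MODULE"
else
    # Offline demonstration on the constructed listing.
    printf '%s\n' "$SAMPLE_LISTING" | authorized_keys_lines "$PKCS11_MODULE"
fi
```

Run it without arguments to see the filtering on the constructed listing; with --live it performs the real ssh-add -s and prints the line to append to ~/.ssh/authorized_keys on the server.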