Authenticating SSH logins with the Fellowship crypto card

There is a German aphorism that would translate to "ask someone holes into their stomach." If that were true, Werner should have holes in his stomach from my questions — but at last the SSH login with the Fellowship crypto card is working perfectly fine for me.

And I can’t help but find this extremely cool.

Here is what you need to do to get it running for yourself, but please be warned: This is not for the faint-hearted! If words like "shell", "packages" or "compiling" scare you, you probably want to wait a little longer.

  1. make sure that you have installed a recent (>=4000svn) gnupg-agent, gnupg2 and gpgsm. The links are to binary packages that were built yesterday and are running on my system right now. They should work for pretty much any recent Debian-based system.
  2. make sure you have the pinentry program of your choice. Running GNOME myself, pinentry-gtk-2 is my favorite. Debian GNU/Linux packages it in the "pinentry-gtk2" package, so aptitude should do the job for you.
  3. the gnupg-agent package has installed a 90gpg-agent script in your /etc/X11/Xsession.d which you can modify to use the pinentry program of your choice, select longer PIN caching, and enable SSH support. Here is the version of the 90gpg-agent script that I am using right now.
  4. make sure your .gnupg/gpg.conf file contains a "use-agent" line and restart your X11 session. When logging in again, ps should show the gpg-agent running.

Relax. You are pretty much done now.

When plugging in the card and doing a "gpg --card-status", you should see the normal output. Running "ssh-add -l" will show you the fingerprints of the keys the agent knows about. For the Fellowship crypto card, your output should look somewhat similar to this:

1024 1f:6e:b4:40:1d:99:72:64:13:c5:c2:6b:33:d2:e7:79 cardno:000100000210 (RSA)

With "ssh-add -L" you will get your SSH public key for the Fellowship crypto card. Put it into ".ssh/authorized_keys" on some remote host and you will be able to log into that host only with the Fellowship crypto card.
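The step above can be scripted so that only the card-backed key lands in authorized_keys. The following is an added example, not part of the original post: the function names are hypothetical, the sample key lines are constructed and truncated (not usable keys), and it assumes the card key carries the "cardno:" comment shown in the output above.

```shell
#!/bin/sh
# Added example: pick the card-backed key out of `ssh-add -L` output,
# show its fingerprint, and install it into authorized_keys exactly once.

# Constructed sample of `ssh-add -L` output: one card key, one on-disk key.
# The base64 blobs are truncated placeholders, not real RSA keys.
SAMPLE='ssh-rsa AAAAB3NzaC1yc2EAAAADAQAB cardno:000100000210
ssh-rsa AAAAB3NzaC1yc2EAAAADAQAC user@laptop'

# Keep only keys whose comment is "cardno:<serial>" (assumption: this is
# how the agent labels keys that live on the card, as in the post's output).
card_keys() {
    awk '$3 ~ /^cardno:[0-9A-Fa-f]+$/ { print $1, $2, $3 }'
}

# MD5 fingerprint in the colon-separated form the post shows for
# "ssh-add -l". Reads exactly one public key line from stdin.
key_fingerprint() {
    awk '{ print $2 }' | base64 -d | md5sum | awk '{ print $1 }' |
        sed 's/../&:/g; s/:$//'
}

# Append key line $1 to file $2 unless its key blob is already present.
# The body runs in a subshell so the umask change does not leak out.
install_key() (
    key_line=$1
    auth_file=$2
    blob=$(printf '%s\n' "$key_line" | awk '{ print $2 }')
    umask 077
    mkdir -p "$(dirname "$auth_file")"
    touch "$auth_file"
    if ! grep -qF -- "$blob" "$auth_file"; then
        printf '%s\n' "$key_line" >> "$auth_file"
    fi
    chmod 600 "$auth_file"
)

# Demo on the constructed sample: fingerprint of the card key only.
printf '%s\n' "$SAMPLE" | card_keys | key_fingerprint

# Real use on the remote host (commented out; needs a running agent):
#   ssh-add -L | card_keys | while read -r line; do
#       install_key "$line" "$HOME/.ssh/authorized_keys"; done
```

Compare the printed fingerprint with what "ssh-add -l" reports for the cardno entry before trusting the installed line; newer OpenSSH versions print SHA256 fingerprints by default, and "ssh-add -l -E md5" gives the colon-separated form.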

CAVEAT: All this is still somewhat of an alpha version. This version of the agent is actually the first capable of caching PINs. Below the surface it works by starting a "scdaemon" process that keeps the card open the entire time. When unplugging/replugging the card, that daemon freaks out and things get confused.

Doing a "pkill scdaemon" three times fixes that problem and things work just fine again. Personally I have put this into a script. Calling the script once after plugging in the card makes this setup extremely stable for me. Your mileage may vary.

Enjoy playing with this — I know I do.
