Authenticating SSH logins with the Fellowship crypto card

There is a German aphorism that would translate to "ask someone holes into their stomach." If that were true, Werner should have holes in his stomach from my questions — but at last the SSH login with the Fellowship crypto card is working perfectly fine for me.

And I can’t help but find this extremely cool.

Here is what you need to do to get it running for yourself, but please be warned: This is not for the faint-heartet! If words like "shell" "packages" or "compiling" scare you, you probably want to wait a little longer.

  1. make sure that you have installed a recent (>=4000svn) gnupg-agent, gnupg2 and gpgsm. The links are to binary packages that were built yesterday and are running on my system right now. They should work for pretty much any recent Debian-based system.
  2. make sure you have the pinentry program of your choice. Running GNOME myself, pinentry-gtk-2 is my favorite. Debian GNU/Linux packages it in the "pinentry-gtk2" package, so aptitude should do the job for you.
  3. the gnupg-agent package has installed a 90gpg-agent script in your /etc/X11/Xsession.d which you can modify to use the pinentry program of your choice, select longer PIN caching, and enable SSH support. Here is the version of the 90gpg-agent script that I am using right now.
  4. make sure your .gnupg/gpg.conf file contains a "use-agent" and restart your X11 session. When loggin in again now, ps should show the gpg-agent running.

Relax. You are pretty much done now.

When plugging in the card and doing a "gpg –card-status", you should see the normal output. The "ssh-add -l" will show you the fingerprint of the keys it knows about. For the Fellowship crypt card, your output should look somewhat similar to this:

1024 1f:6e:b4:40:1d:99:72:64:13:c5:c2:6b:33:d2:e7:79 cardno:000100000210 (RSA)

With "ssh-add -L" you will get your SSH public key for the Fellowship crypto card. Put it into ".ssh/authorized_keys" on some remote host and you will be able to log into that host only with the Fellowship crypto card.

CAVEAT: All this is still somewhat alpha version. This version of the agent is actually the first capable of caching PINs. Below the surface it works by starting a "scdaemon" process that keeps the card open the entire time. When unplugging/replugging the card, that daemon freaks out and things are confused.

Doing a "pkill scdaemon" three times fixes that problem and things work just fine again. Personally I have put this into a script. Calling the script once after plugging in the card makes this setup extremely stable for me. Your mileage may vary.

Enjoy playing with this — I know I do.

Be Sociable, Share!

About Georg Greve

Georg Greve is a technologist and entrepreneur. Background as a software developer and physicist. Head of product development and Chairman at Vereign AG. Founding president of the Free Software Foundation Europe (FSFE). Previously president and CEO at Kolab Systems AG, a Swiss Open Source ISV. In 2009 Georg was awarded the Federal Cross of Merit on Ribbon by the Federal Republic of Germany for his contributions to Open Source and Open Standards.
This entry was posted in Uncategorized and tagged , , , . Bookmark the permalink.

10 Responses to Authenticating SSH logins with the Fellowship crypto card

  1. Pingback: The Fellowship of FSFE.

  2. jku says:


    > And I can’t help but find this extremely cool.

    Amen. Just encryption and signing are cool — but ssh-auth with a crypto card is wicked. Thanks a lot for the writeup, I couldn’t have done it without your pointers.

    I’m running Ubuntu Edgy, and although the packages are new enough (gpg2 is version 1.9.21 and there are no problems with unplugging/replugging), there were some packaging errors, which are documented in this thread:
    From what I’ve heard, this is fixed in the next release.

  3. segler says:

    i have written a more detailed instruction for ssh logins with smartcards and without on

  4. Alphazo says:

    Can the script be put back online?
    I have SSH working following segler’s instructions. However I’m stuck with the unplugging/replugging issue and have to issue killall -9 scdaemon if I want to see my card back after unplug. I’m running fairly recent version of gnupg & ccid on Archlinux 64-bit:
    - gnupg 1.4.10-2
    - gnupg2 2.0.16-2
    - ccid 1.4.0-2
    - pcsclite 1.6.4-2


  5. Pingback: Hook’s Humble Homepage :: Getting SmartCard reader working under Gentoo and SSH authentication via OpenPGP

  6. Hard Work says:

    If you are here in the quest for one of the best portal how to fix connections for bluetooth audio devices and wireless displays in windows 10 which will proved beneficial for you to sort out all your errors.

  7. Mark says:

    I am looking to buy the crypto card for my business work. And root master Apk free download 2019 for Android updated help me.

  8. Very well written post you share here valuable information you will be share with us, it’s really helpful for me I like to read this article, thank you so much for share this awesome blog More Info just visit and get many more.

  9. helix jump says:

    Thanks for giving this type of platform in which i have seen in

  10. molly says:

    “The five graduates from EMU who took this exam in 2011 were a small group of test-takers compared to the test-groups of accounting graduates from much-larger universities in the state, such as Virginia Tech, James Madison, and William & Mary,” noted Stoltzfus. “But I don’t think our size diminishes our achievement. In fact, it may point to the advantages of the one-on-one attention that our students get.”

Leave a Reply

Your email address will not be published. Required fields are marked *


You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>

Spam Protection by WP-SpamFree