Ssh login with keys on a smartcard?

    I recently got an OpenPGP smartcard, mostly so that I can use it for ssh logins. Problem is, I can't get ssh logins to work on my Kubuntu laptop.

    The card and reader (072f:90cc Advanced Card Systems, Ltd ACR38 SmartCard Reader) work on my Debian desktop, on Arch (also on the desktop), and also on the laptop when I booted Debian 9 on it.

    Basically the problem is simply this: when I issue ssh-add -l, I just get a simple response "The agent has no identities". Everything should be set up correctly: I've disabled the ssh-agent support in gnome-keyring, then removed the whole thing. Not sure why it was there in Kubuntu in any case. ssh-agent is also not running. gpg-agent is running and has the option enable-ssh-support. Environment variable SSH_AUTH_SOCK points to $HOME/.gnupg/S.gpg-agent.ssh. GPG_TTY is also set and I run gpg-connect-agent updatestartuptty /bye from shell startup files.

    I currently suspect scdaemon is the problem; it puts this in its log:

    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 <- GETATTR $AUTHKEYID
    2018-09-08 10:38:42 scdaemon[15987] DBG: enter: apdu_connect: slot=0
    2018-09-08 10:38:42 scdaemon[15987] DBG: leave: apdu_connect => sw=0x1000f
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> S $AUTHKEYID OPENPGP.3
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> OK
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 <- GETATTR SERIALNO
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> S SERIALNO D27600012401030300050000656A0000
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> OK
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 <- READKEY OPENPGP.3
    2018-09-08 10:38:42 scdaemon[15987] app_readkey failed: No public key
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> ERR 100663305 No public key <SCD>
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 <- RESTART
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> OK
    2018-09-08 10:38:42 scdaemon[15987] DBG: enter: apdu_get_status: slot=0 hang=0
    2018-09-08 10:38:42 scdaemon[15987] DBG: leave: apdu_get_status => sw=0x0 status=7 changecnt=2
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 <- GETATTR $AUTHKEYID
    2018-09-08 10:38:42 scdaemon[15987] DBG: enter: apdu_connect: slot=0
    2018-09-08 10:38:42 scdaemon[15987] DBG: leave: apdu_connect => sw=0x1000f
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> S $AUTHKEYID OPENPGP.3
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> OK
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 <- GETATTR SERIALNO
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> S SERIALNO D27600012401030300050000656A0000
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> OK
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 <- READKEY OPENPGP.3
    2018-09-08 10:38:42 scdaemon[15987] app_readkey failed: No public key
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> ERR 100663305 No public key <SCD>
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 <- RESTART
    2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> OK

    So, somehow it's missing or expecting a public key. No idea why or what, other systems don't have this issue. I guess scdaemon could be too old in Xenial (2.1.11 vs. 2.1.18 in Debian 9) for this card or reader but no idea really. Or maybe the kernel should be updated for newer drivers. Any other ideas anybody?

    #2
    So, as it often happens once one writes down the situation, I soon found the probable answer. In scdaemon's changelog I found this:

    2016-11-25 NIIBE Yutaka <gniibe@fsij.org>

    scd: Support OpenPGP card V3 for RSA.
    + commit b89e63e5c326af71470124b410e6429cbd2b5c43
    * scd/app-openpgp.c (struct app_local_s): Remove max_cmd_data and
    max_rsp_data fields as Extended Capabilities bits are different.
    (get_cached_data) Use extcap.max_certlen_3.
    (get_one_do): Don't use exmode=1.
    (determine_rsa_response): New.
    (get_public_key, do_genkey): Call determine_rsa_response.
    (do_sign): Use keyattr[0].rsa.n_bits / 8, instead of max_rsp_data.
    (do_auth): Use keyattr[2].rsa.n_bits / 8, instead of max_rsp_data.
    (do_decipher): Likewise with Use keyattr[1].rsa.n_bits / 8.
    (show_caps): Remove max_cmd_data and max_rsp_data.
    (app_select_openpgp): Likewise.

    The OpenPGP card I have is V3.3, and those changes went into gnupg (and scdaemon) 2.1.17 while Xenial has 2.1.11. I looked for a PPA with an updated gnupg package but didn't find one. Also it seems I can't easily build a newer GnuPG from source, it needs some newer libraries not present in Xenial. The easiest way is probably updating to Kubuntu 18.04 LTS. I made a quick try with live 18.04 and the card and reader worked there.
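    The checks the two posts above do by hand (agent socket and enable-ssh-support in #1, GnuPG version against the V3 card support that landed in 2.1.17 in #2) can be scripted. The POSIX sh below is an added example, not code from the thread or from GnuPG: it decodes the card's application identifier that scdaemon prints as SERIALNO (RID D27600012401, then the 2-byte BCD version, 2-byte manufacturer, 4-byte serial and 2 reserved bytes), and turns a log excerpt plus the installed GnuPG version into a verdict. The log excerpt is constructed in the format of the thread's log, the manufacturer table is partial, and the gpgconf fallback path is assumed for builds whose gpgconf does not answer `--list-dirs agent-ssh-socket`.

```shell
#!/bin/sh
# Added diagnostic helper (not from the thread or from GnuPG): checks the
# pieces the poster listed and decodes the SERIALNO/AID that scdaemon printed.

# Minimum GnuPG version whose scdaemon handles OpenPGP card V3 RSA keys,
# per the changelog entry quoted in the thread (change shipped in 2.1.17).
MIN_GNUPG_FOR_V3=2.1.17

# Constructed excerpt in the format of the thread's scdaemon debug log.
SAMPLE_LOG='2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 <- GETATTR SERIALNO
2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 -> S SERIALNO D27600012401030300050000656A0000
2018-09-08 10:38:42 scdaemon[15987] DBG: chan_5 <- READKEY OPENPGP.3
2018-09-08 10:38:42 scdaemon[15987] app_readkey failed: No public key'

# version_ge A B: exit 0 when dotted version A >= B, comparing numerically
# component by component (so 2.1.11 < 2.1.17 even though "11" sorts first).
version_ge() {
    a="$1.0.0.0"; b="$2.0.0.0"; i=1
    while [ "$i" -le 4 ]; do
        x=$(printf '%s\n' "$a" | cut -d. -f"$i")
        y=$(printf '%s\n' "$b" | cut -d. -f"$i")
        [ "$x" -gt "$y" ] && return 0
        [ "$x" -lt "$y" ] && return 1
        i=$((i + 1))
    done
    return 0
}

# OpenPGP AID layout (32 hex chars): D27600012401 | version, 2 bytes BCD |
# manufacturer, 2 bytes | serial, 4 bytes | RFU, 2 bytes.
openpgp_card_version() {
    case "$1" in D27600012401????????????????????) ;; *) return 1 ;; esac
    major=$(printf '%s' "$1" | cut -c13-14)
    minor=$(printf '%s' "$1" | cut -c15-16)
    printf '%s.%s\n' "${major#0}" "${minor#0}"   # BCD "0303" -> 3.3
}

openpgp_card_serial() { printf '%s\n' "$1" | cut -c21-28; }

# Partial manufacturer table (assumed mapping for the two most common ids).
openpgp_card_manufacturer() {
    case "$(printf '%s' "$1" | cut -c17-20)" in
        0005) echo ZeitControl ;;
        0006) echo Yubico ;;
        *)    echo "unknown ($(printf '%s' "$1" | cut -c17-20))" ;;
    esac
}

# diagnose_log LOGTEXT INSTALLED_GNUPG_VERSION: exit 1 when the log shows the
# READKEY failure on a V3 card and the installed GnuPG predates V3 support.
diagnose_log() {
    log=$1; installed=$2
    aid=$(printf '%s\n' "$log" | sed -n 's/.*S SERIALNO \([0-9A-F]*\).*/\1/p' | head -n 1)
    [ -n "$aid" ] || { echo "no SERIALNO in log"; return 2; }
    ver=$(openpgp_card_version "$aid") || { echo "SERIALNO is not an OpenPGP AID"; return 2; }
    if printf '%s\n' "$log" | grep -q 'app_readkey failed: No public key' \
       && version_ge "$ver" 3.0 && ! version_ge "$installed" "$MIN_GNUPG_FOR_V3"; then
        echo "card V$ver, gnupg $installed < $MIN_GNUPG_FOR_V3: scdaemon predates V3 RSA support"
        return 1
    fi
    echo "card V$ver, gnupg $installed: no known version mismatch"
    return 0
}

# check_live_setup: the environment checks from post #1, informational only.
check_live_setup() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping live checks"; return 0; }
    installed=$(gpg --version | sed -n '1s/.*) //p')      # "gpg (GnuPG) 2.1.11" -> 2.1.11
    echo "gnupg $installed"
    version_ge "$installed" "$MIN_GNUPG_FOR_V3" \
        || echo "warning: older than $MIN_GNUPG_FOR_V3, V3 cards will not work for ssh"
    home="${GNUPGHOME:-$HOME/.gnupg}"
    grep -qs '^enable-ssh-support' "$home/gpg-agent.conf" \
        && echo "enable-ssh-support set" || echo "enable-ssh-support missing in $home/gpg-agent.conf"
    # Newer gpgconf answers this query; on older builds fall back to the
    # fixed path the poster uses (assumed default for those versions).
    sock=$(gpgconf --list-dirs agent-ssh-socket 2>/dev/null)
    case "$sock" in /*) ;; *) sock="$home/S.gpg-agent.ssh" ;; esac
    [ "${SSH_AUTH_SOCK:-}" = "$sock" ] && echo "SSH_AUTH_SOCK ok" \
        || echo "SSH_AUTH_SOCK is '${SSH_AUTH_SOCK:-unset}', expected $sock"
}

echo "== offline check of constructed log =="
diagnose_log "$SAMPLE_LOG" 2.1.11
echo "== live checks on this machine =="
check_live_setup
```

    Run it as-is to see the verdict for the constructed log (card V3.3 against GnuPG 2.1.11, the Xenial version named above), or pipe your own scdaemon log through diagnose_log with the version from gpg --version. The live checks only report; they never change the agent configuration.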
