Using my FSFE crypto card for two-factor ssh authentication

last updated: 2010/05/23 07:20:27

In May 2009 I signed up as a fellow of the European Free Software Foundation. One of the perks is that the membership card is a smart card, which comes preloaded with a gpg key that the FSFE generate for you. The card is discussed at some length on the FSFE wiki.

The card can hold other GPG keys, and as for using them, GPG seems to be smart-card aware, so all I needed was a smart card reader. On the advice I read at http://www.gnupg.org/howtos/card-howto/en/ch02s02.html, I bought an SCM Microsystems SCR335 from Crownhill.

I then used gpg --card-edit and the passwd subcommand to change the user PIN and the admin PIN on the card, as I was advised to do by FSFE.

The card is primarily intended for storing and using GPG keys. In brief, a key is written to the card with the admin PIN; with only the user PIN, the card can be authorized to perform operations such as signing and decryption using the stored keys. But an RSA operation is an RSA operation, to whatever end it is directed, and so the card is in principle capable of storing an ssh key and using it, in combination with the user PIN, to perform ssh authentication. The devil is, as ever, in the details: how to get my ssh client to know that it should delegate signing and decryption operations to the card's engine, how to get my ssh client to prompt me for a card PIN instead of a key passphrase, how to make this all work with ssh-agent, and so on.

Back to the drawing board

Now that I've read around, it's become clearer that I have to use gpg-agent as a stand-in for ssh-agent; it then presents the gpg authentication key in ssh-compatible form. I use gpgkey2ssh, which is part of the gnupg package, to convert the gpg key into a public key form suitable for use in authorized_keys.

This email explains it all in more detail. gpgkey2ssh takes a single argument which is the keyID of the authentication key you want converted (find this with gpg --list-keys).
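What gpgkey2ssh actually does is re-encode the RSA public numbers of the authentication key in the OpenSSH authorized_keys format. The following is an added example (not the page's or GnuPG's code) that performs that conversion and its inverse for a constructed exponent and modulus; the names and the demo modulus are made up for illustration.

```python
import base64
import struct

# Added example: the authorized_keys encoding (RFC 4253 "ssh-rsa" blob)
# that gpgkey2ssh produces for an RSA authentication key.

def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def _ssh_mpint(value: int) -> bytes:
    """RFC 4251 mpint: minimal big-endian two's complement.
    A positive number whose top bit is set gets a leading 0x00 byte."""
    if value == 0:
        return _ssh_string(b"")
    raw = value.to_bytes((value.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return _ssh_string(raw)

def rsa_to_authorized_key(e: int, n: int, comment: str = "") -> str:
    """Build the 'ssh-rsa <base64 blob> [comment]' line that authorized_keys
    expects, from the public exponent e and modulus n of the card's key."""
    blob = _ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)
    line = "ssh-rsa " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")

def parse_authorized_key(line: str) -> tuple:
    """Inverse: return (e, n) from an ssh-rsa authorized_keys line,
    rejecting anything that is not a well-formed RSA blob."""
    fields = line.split()
    if len(fields) < 2 or fields[0] != "ssh-rsa":
        raise ValueError("not an ssh-rsa line")
    blob = base64.b64decode(fields[1], validate=True)
    parts, pos = [], 0
    while pos + 4 <= len(blob):
        (length,) = struct.unpack(">I", blob[pos:pos + 4])
        pos += 4
        parts.append(blob[pos:pos + length])  # truncated slice -> pos overshoots
        pos += length
    if len(parts) != 3 or parts[0] != b"ssh-rsa" or pos != len(blob):
        raise ValueError("malformed ssh-rsa blob")
    e, n = (int.from_bytes(p, "big") for p in parts[1:])
    return e, n

# Constructed demo values, not a real key: top bit set so the 0x00 padding rule is exercised.
DEMO_E = 65537
DEMO_N = (1 << 1023) | 0x10001

if __name__ == "__main__":
    print(rsa_to_authorized_key(DEMO_E, DEMO_N, "cardno:demo"))
```

Every RSA line with e = 65537 begins with the same 24 base64 characters, which is a quick sanity check when comparing the gpgkey2ssh output against what ssh-add -L reports from gpg-agent.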

Buy them from kernelconcepts.de.
