SSH Private Key via Apex Flex

Hey all,

Please let me know if this post is categorized incorrectly.

I’m looking for a solution to store my SSH private key (ed25519) on my Vivokey Apex Flex, and have Ubuntu 18.04-22.04 then prompt me to scan my Apex via the ACR1252U USB reader when attempting to SSH in order to authenticate.

I am very familiar with Linux, I can recompile the kernel if needed, build whatever modules from source, etc. I just don’t have a lot of experience on the enterprise end using smart cards for SSH auth and whatnot. Googling has failed me in attempting to look for solutions on the SmartPGP platform. I’ve watched this guy’s videos but they’re more geared towards signing git commits, and the SSH portion isn’t really described.

Any push in the right direction would be greatly appreciated.

When I use the opensc package from ubuntu, and the tool opensc-explorer within, I get this with my implant on the reader:

root@ubuntu1804:~# opensc-explorer 
OpenSC Explorer version 0.17.0
Using reader with a card: ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00
unable to select MF: Unsupported INS byte in APDU

Does this happen as soon as you attempt it, before you even tap the Apex? I’m asking because the acr1252 has a built in contact interface meant to interact with an internal sim card, and sometimes software will see this interface first and won’t wait for a tapped contactless picc.

That happens when the chip is resting on the sensor, otherwise it finds no device at all.

I’ve not dug into the PGP stuff too heavily but others here should have some insight… maybe.

https://www.google.com/search?q=ssh+"Unsupported+INS+byte+in+APDU"&oq=ssh+"Unsupported+INS+byte+in+APDU"

Found this…

Follow the rabbit hole, found this;

Seems there might be a limitation of your reader? Seems odd… but possibly?

@StarGate01 … possibly this?

OpenSC uses PKCS#11 and PKCS#15 afaik, which the PGP applet does not support. We might publish a PIV applet with these protocols sometime in the future.

Anyway, the PGP applet together with GnuPG can be used as an SSH key agent as well. First make sure that PGP works with your card, then change the agent. I found some info at SSH authentication.

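The "change the agent" step above, as an added example that is not code from the thread or from Vivokey: it turns gpg-agent into the SSH agent so the authentication key on the SmartPGP applet answers SSH challenges through scdaemon and pcscd. It assumes GnuPG 2.1 or newer and that the card's public key is already in the local keyring (gpg --card-status shows it), i.e. that PGP already works with the card.

```shell
#!/bin/sh
# Added example, not code from the thread or from Vivokey: wire gpg-agent up as the
# SSH agent so that the authentication key held by the SmartPGP applet on the Apex
# Flex answers SSH challenges through scdaemon and pcscd.
# Assumptions: GnuPG 2.1 or newer; the card's public key is already in the local
# keyring (gpg --card-status shows it), i.e. "PGP works with your card" already.

# Add "enable-ssh-support" to a gpg-agent.conf exactly once. $1 = path to the conf.
enable_agent_ssh_support() {
    conf=$1
    mkdir -p "$(dirname "$conf")"
    touch "$conf"
    if ! grep -qx 'enable-ssh-support' "$conf"; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
    chmod 600 "$conf"
}

# Number of "enable-ssh-support" lines in $1 (0 when the file does not exist).
count_ssh_support_lines() {
    [ -f "$1" ] || { echo 0; return 0; }
    grep -cx 'enable-ssh-support' "$1" || true
}

# Make this shell's SSH clients talk to gpg-agent instead of ssh-agent.
use_gpg_agent_for_ssh() {
    unset SSH_AGENT_PID
    SSH_AUTH_SOCK=$(gpgconf --list-dirs agent-ssh-socket)
    export SSH_AUTH_SOCK
    gpg-connect-agent updatestartuptty /bye >/dev/null   # pinentry prompts on this tty
}

# Print the authentication subkey of OpenPGP key $1 (key ID or fingerprint from
# "gpg --card-status") in authorized_keys format, for copying to the server.
card_ssh_pubkey() {
    gpg --card-status >/dev/null 2>&1 || { echo "no OpenPGP card seen by scdaemon" >&2; return 1; }
    gpg --export-ssh-key "$1"
}

# With the card on the reader, gpg-agent lists its key with a "cardno:" comment.
agent_card_keys() {
    ssh-add -L 2>/dev/null | grep 'cardno:' || true
}

# Run the live steps only when invoked as: sh this.sh setup <keyid>
if [ "${1:-}" = setup ]; then
    enable_agent_ssh_support "${GNUPGHOME:-$HOME/.gnupg}/gpg-agent.conf"
    gpgconf --kill gpg-agent   # restart the agent so it reads the new option
    use_gpg_agent_for_ssh
    card_ssh_pubkey "$2"
    agent_card_keys
fi
```

Put the SSH_AUTH_SOCK export in your shell profile so every new shell uses gpg-agent; the pinentry prompt for the applet's PIN appears the first time the key is used.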

Thanks guys,

@StarGate01 I’ll go ahead and try out that method when I get a moment. I’m curious as to what that guy did in the link that I posted, no prompt being needed just implant being scanned and I assume the key being added to the agent like you suggested.

I’ll report back.

In the video he uses GnuPG to sign git commits. The gpg agent interfaces with the PGP applet. He also modified the pinentry program to skip entering his passcode to unlock the applet.


He appears to use it to both sign the git commits and auth SSH for the push as far as I can tell.


Maybe @ajlennon can comment on this directly :slight_smile:


Hi all!

Sorry for radio silence. Had all sorts going on.

Yes indeed I have it setup here to sign my Git commits and authenticate my GitHub pushes :slight_smile:


Could you elaborate on how you set up the SSH Auth portion? I’d be really interested to learn.


Sorry I keep meaning to revisit this but keep getting sidetracked. Will try and put something helpful together.


That would be wonderful! Thank you!

You may already have this info, but I’ll post it here just in case. I struggled for hours to get SSH working with my Yubikeys. I have a feeling the Apex Flex may be similar. I made myself a guide on how to get it working.

OpenSSH Setup

The correct version of OpenSSH will need to be installed on the client and server machine.

Check OpenSSH version:

ssh -V

I recommend upgrading Ubuntu 18.04 to new versions before attempting this.
I’ve had to completely purge and delete older OpenSSH binaries/files to get this to work on older machines.

Upgrade OpenSSH for Ubuntu 20.04 & 22.04

sudo apt update

Install libfido2 (libfido2).

Ubuntu 20.04 & 22.04:

sudo apt install libfido2-1 libfido2-dev libfido2-doc fido2-tools

Fedora 34 & 35:

sudo dnf install libfido2 libfido2-devel fido2-tools

wget -c https://cdn.openbsd.org/pub/OpenBSD/OpenSSH/portable/openssh-9.1p1.tar.gz
tar -xzf openssh-9.1p1.tar.gz
cd openssh-9.1p1/
sudo apt install libpam0g-dev libselinux1-dev libkrb5-dev
./configure --with-kerberos5 --with-md5-passwords --with-pam --with-selinux --with-privsep-path=/var/lib/sshd/ --sysconfdir=/etc/ssh --prefix=/usr --with-security-key-builtin
make
sudo make install

Reboot.

Yubikey Setup

On the client machine that contains a Yubikey, run the following command:

ssh-keygen -t ecdsa-sk -O resident -f ~/.ssh/yubikey

You will be prompted to tap the Yubikey and keys will be generated. Move the public key to the server.
Save the private key.

To SSH into the server using the Yubikey, set “PasswordAuthentication no” on the server’s /etc/ssh/sshd_config. Restart SSH service.

From client machine, add the private key to the .ssh folder.

I’ve also read that you do not have to do this. You can add your private key to the SSH agent just by running the following command on the client machine with a Yubikey:

ssh-add -K

To get your public key from the SSH agent, run:

ssh-add -L

NOTE: The above 2 commands can only be done with resident keys.

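A pre-flight check for the guide above, added here as an example (not the poster's own script): it confirms the installed OpenSSH is new enough for security-key (-sk) keys before running ssh-keygen, and asks libfido2 which authenticators it can see. OpenSSH added the ecdsa-sk/ed25519-sk types, "-O resident" and "ssh-add -K" in release 8.2; Ubuntu 18.04 ships 7.6, 20.04 ships 8.2 and 22.04 ships 8.9. It assumes the usual "OpenSSH_X.Yp1 ..." banner from ssh -V.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks before the
# "ssh-keygen -t ecdsa-sk -O resident" step. OpenSSH gained FIDO/U2F key types,
# "-O resident" and "ssh-add -K" in release 8.2, so that is the threshold checked.
# Assumption: the "ssh -V" banner has the form "OpenSSH_X.Yp1 ...".

SK_MIN_VERSION=8.2

# Extract "X.Y" from an "ssh -V" banner given as $1; prints nothing if unparsable.
ssh_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Succeed (status 0) when version $1 is >= version $2, both "major.minor".
version_ge() {
    maj1=${1%%.*}; min1=${1#*.}
    maj2=${2%%.*}; min2=${2#*.}
    if [ "$maj1" -ne "$maj2" ]; then
        [ "$maj1" -gt "$maj2" ]
    else
        [ "$min1" -ge "$min2" ]
    fi
}

# Succeed when the OpenSSH in banner $1 can handle security-key (-sk) keys.
sk_supported() {
    v=$(ssh_version_from_banner "$1")
    [ -n "$v" ] && version_ge "$v" "$SK_MIN_VERSION"
}

# Live checks on this host: version, advertised sk-* key types, and which
# authenticators libfido2 itself enumerates (fido2-token is from fido2-tools).
check_local_host() {
    banner=$(ssh -V 2>&1 | head -n 1)
    if sk_supported "$banner"; then
        echo "OK : $banner"
    else
        echo "OLD: $banner (need >= $SK_MIN_VERSION; rebuild as in the guide above)"
        return 1
    fi
    if ssh -Q key | grep -q '^sk-'; then
        echo "OK : sk-* key types advertised by 'ssh -Q key'"
    fi
    if command -v fido2-token >/dev/null 2>&1; then
        echo "libfido2 sees:"; fido2-token -L || echo "  (no FIDO device enumerated)"
    fi
}

if command -v ssh >/dev/null 2>&1; then
    check_local_host || true
fi
```

If fido2-token -L lists nothing, ssh-keygen will report "device not found" as well, so fix the libfido2/reader side before retrying enrollment.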

Thanks! I am at the point now where I’m prompted for an authenticator device, but it claims to not be able to find a device.

ssh-keygen -t ecdsa-sk -O resident -f ~/.ssh/apex
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: device not found

I have both a Yubikey attached (for proof of concept) as well as my ACR1252 reader for my Apex. I’m wondering if I’m missing some U2F/FIDO libs.

I’ve verified the reader is connected and running with pcscd. ssh-keygen apparently has some problem with FIDO:

ssh-keygen -vvv -t ed25519-sk -O resident -f ~/.ssh/apex
Generating public/private ed25519-sk key pair.
You may need to touch your authenticator to authorize key generation.
debug3: start_helper: started pid=15144
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/lib/openssh/ssh-sk-helper
debug1: sshsk_enroll: provider "internal", device "(null)", application "ssh:", userid "(null)", flags 0x21, challenge len 0
debug1: sshsk_enroll: using random challenge
debug1: pick_first_device: fido_dev_info_manifest failed: FIDO_ERR_INTERNAL
debug1: ssh_sk_enroll: pick_first_device failed
debug1: sshsk_enroll: provider "internal" returned failure -4
debug1: ssh-sk-helper: Enrollment failed: device not found
debug1: ssh-sk-helper: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -60
debug3: reap_helper: pid=15144
Key enrollment failed: device not found

What firmware is your Yubikey?
To use residential keys you need to have a YubiKey with credential management. This was added with Firmware 5.2.3. I’m using the Yubico 5 NFC.

What happens if you use the following?
ssh-keygen -t ecdsa-sk -O verify-required
I haven’t used it, but I think that will ask you to set a pin for your card.

I’m getting somewhere here. Using opensc-explorer I get this when I tap my Apex:

opensc-explorer
OpenSC Explorer version 0.20.0
Using reader with a card: ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00
unable to select MF: Incorrect parameters in APDU
opensc-tool --list-readers
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00
1    No              ACS ACR1252 1S CL Reader [ACR1252 Dual Reader SAM] 01 00
opensc-tool -n
Using reader with a card: ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00
Unsupported card

I got it!