Please let me know if this post is categorized incorrectly.
I’m looking for a solution to store my SSH private key (ed25519) on my Vivokey Apex Flex, and have Ubuntu 18.04-22.04 then prompt me to scan my Apex via the ACR1252U USB reader when attempting to SSH in order to authenticate.
I am very familiar with Linux, I can recompile the kernel if needed, build whatever modules from source, etc. I just don’t have a lot of experience on the enterprise end using smart cards for SSH auth and whatnot. Googling has failed me in attempting to look for solutions on the SmartPGP platform. I’ve watched this guy’s videos but they’re more geared towards signing git commits, and the SSH portion isn’t really described.
Any push in the right direction would be greatly appreciated.
When I use the opensc package from ubuntu, and the tool opensc-explorer within, I get this with my implant on the reader:
root@ubuntu1804:~# opensc-explorer
OpenSC Explorer version 0.17.0
Using reader with a card: ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00
unable to select MF: Unsupported INS byte in APDU
Does this happen as soon as you attempt it, before you even tap the Apex? I’m asking because the acr1252 has a built in contact interface meant to interact with an internal sim card, and sometimes software will see this interface first and won’t wait for a tapped contactless picc.
OpenSC uses PKCS#11 and PKCS#15 afaik, which the PGP applet does not support. We might publish a PIV applet with these protocols sometime in the future.
Anyway, the PGP applet together with GnuPG can be used as an SSH key agent as well. First make sure that PGP works with your card, then change the agent. I found some info at SSH authentication.
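As an added example (mine, not part of StarGate01's post and not VivoKey project code), here are the shell steps that switch OpenSSH over to gpg-agent once the card already works with GnuPG. The `enable-ssh-support` option, `gpgconf --list-dirs agent-ssh-socket`, `gpg-connect-agent updatestartuptty` and `ssh-add -L` are standard GnuPG/OpenSSH; the directory argument, the `apply` switch and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: make gpg-agent the SSH agent so the
# PGP applet's authentication key is offered to ssh. Assumes GnuPG 2.1 or newer.
set -eu

# Add enable-ssh-support to gpg-agent.conf exactly once. Takes the GnuPG home
# directory (defaults to $GNUPGHOME or ~/.gnupg) and prints the file it edited.
enable_gpg_agent_ssh() {
    gnupg_home="${1:-${GNUPGHOME:-$HOME/.gnupg}}"
    conf="$gnupg_home/gpg-agent.conf"
    mkdir -p "$gnupg_home"
    chmod 700 "$gnupg_home"           # gpg warns about unsafe permissions otherwise
    if ! grep -qx 'enable-ssh-support' "$conf" 2>/dev/null; then
        printf 'enable-ssh-support\n' >> "$conf"
    fi
    printf '%s\n' "$conf"
}

# True when gpg-agent.conf in the given home already carries the option.
gpg_agent_ssh_enabled() {
    grep -qx 'enable-ssh-support' "${1:-${GNUPGHOME:-$HOME/.gnupg}}/gpg-agent.conf" 2>/dev/null
}

# Print the line for ~/.bashrc (or to eval now) so ssh talks to gpg-agent's
# SSH socket instead of ssh-agent. Needs gpgconf on PATH.
gpg_ssh_socket_export() {
    printf 'export SSH_AUTH_SOCK="%s"\n' "$(gpgconf --list-dirs agent-ssh-socket)"
}

# Only runs when invoked as: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    enable_gpg_agent_ssh
    gpgconf --kill gpg-agent          # restart so the new option is read
    eval "$(gpg_ssh_socket_export)"
    gpg-connect-agent updatestartuptty /bye >/dev/null
    # Keys held on the card are offered automatically (no sshcontrol entry
    # needed). ssh-add -L prints the public key to append to authorized_keys on
    # the server; tap the Apex on the reader if the agent asks for it.
    ssh-add -L
fi
```

Put the `export SSH_AUTH_SOCK=...` line in your shell startup file, otherwise a new terminal falls back to the plain ssh-agent and `ssh` never sees the card.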
@StarGate01 I’ll go ahead and try out that method when I get a moment. I’m curious as to what that guy did in the link that I posted, no prompt being needed just implant being scanned and I assume the key being added to the agent like you suggested.
In the video he uses GnuPG to sign git commits. The gpg agent interfaces with the PGP applet. He also modified the pinentry program to skip entering his passcode to unlock the applet.
You may already have this info, but I’ll post it here just in case. I struggled for hours to get SSH working with my Yubikeys. I have a feeling the Apex Flex may be similar. I made myself a guide on how to get it working.
OpenSSH Setup
The correct version of OpenSSH will need to be installed on the client and server machine.
Check OpenSSH version:
ssh -V
I recommend upgrading Ubuntu 18.04 to new versions before attempting this.
I’ve had to completely purge and delete older OpenSSH binaries/files to get this to work on older machines.
You will be prompted to tap the Yubikey and keys will be generated. Move the public key to the server.
Save the private key.
To SSH into the server using the Yubikey, set “PasswordAuthentication no” on the server’s /etc/ssh/sshd_config. Restart SSH service.
From client machine, add the private key to the .ssh folder.
I’ve also read that you do not have to do this. You can add your private key to the SSH agent just by running the following command on the client machine with a Yubikey:
ssh-add -K
To get your public key from the SSH agent, run:
ssh-add -L
NOTE: The above two commands can only be done with resident keys.
Thanks! I am at the point now where I’m prompted for an authenticator device, but it claims to not be able to find a device.
ssh-keygen -t ecdsa-sk -O resident -f ~/.ssh/apex
Generating public/private ecdsa-sk key pair.
You may need to touch your authenticator to authorize key generation.
Key enrollment failed: device not found
I have both a Yubikey attached (for proof of concept) as well as my ACR1252 reader for my Apex. I’m wondering if I’m missing some U2F/FIDO libs.
What firmware is your Yubikey?
To use resident keys you need to have a YubiKey with credential management. This was added with Firmware 5.2.3. I’m using the Yubico 5 NFC.
What happens if you use the following?
ssh-keygen -t ecdsa-sk -O verify-required
I haven’t used it, but I think that will ask you to set a pin for your card.
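Added example, written by me and not taken from the guide above, from the reply suggesting `verify-required`, or from Yubico/VivoKey: preflight checks in POSIX sh for the steps in that guide, covering the `ssh -V` check, the `PasswordAuthentication no` setting in sshd_config, and the `-sk` key generation. The version thresholds are OpenSSH's own release facts (8.2 introduced `-sk` keys and `-O resident`; 8.4 introduced `-O verify-required`; Ubuntu 18.04 ships OpenSSH 7.6, which has none of them). The function names, the `apply` switch and the sample `ssh -V` strings and sshd_config lines in the test are my constructions.

```shell
#!/bin/sh
# Added example, not from the thread: check OpenSSH is new enough for FIDO2
# (-sk) keys and that the server really has password login turned off.
set -eu

# Extract "8.9" from "OpenSSH_8.9p1 Ubuntu-3ubuntu0.6, OpenSSL ..." (ssh -V output).
openssh_version() {
    printf '%s\n' "$1" | sed -n 's/^OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p'
}

# True when major.minor $1 >= major.minor $2.
version_ge() {
    a_major=${1%%.*}; a_minor=${1#*.}
    b_major=${2%%.*}; b_minor=${2#*.}
    if [ "$a_major" -gt "$b_major" ]; then return 0; fi
    if [ "$a_major" -eq "$b_major" ] && [ "$a_minor" -ge "$b_minor" ]; then return 0; fi
    return 1
}

# Minimum OpenSSH release for each ssh-keygen feature used in this thread.
# 8.2 added FIDO/U2F -sk key types and -O resident; 8.4 added -O verify-required.
min_version_for() {
    case "$1" in
        sk|resident)     echo 8.2 ;;
        verify-required) echo 8.4 ;;
        *) echo "unknown feature: $1" >&2; return 1 ;;
    esac
}

# openssh_supports "<ssh -V output>" <sk|resident|verify-required>
openssh_supports() {
    v=$(openssh_version "$1")
    min=$(min_version_for "$2") || return 1
    [ -n "$v" ] || return 1        # not an OpenSSH banner at all
    version_ge "$v" "$min"
}

# True when the first active PasswordAuthentication directive in the given
# sshd_config is "no". sshd uses the first value it sees, so a later duplicate
# does not override it; a missing directive means the default, which is "yes".
# Match blocks are not evaluated here, so check those by hand.
sshd_password_auth_disabled() {
    val=$(sed -n 's/^[[:space:]]*PasswordAuthentication[[:space:]]\{1,\}\([A-Za-z]*\).*/\1/p' "$1" | head -n 1)
    [ "$(printf '%s' "$val" | tr 'A-Z' 'a-z')" = "no" ]
}

# Only runs when invoked as: sh this_script.sh apply
if [ "${1:-}" = "apply" ]; then
    banner=$(ssh -V 2>&1)           # ssh -V prints to stderr
    openssh_supports "$banner" resident || {
        echo "need OpenSSH 8.2 or newer for -sk keys, have: $banner" >&2; exit 1; }
    # Resident key on the authenticator, as in the guide above. Adding
    # -O verify-required (8.4+) also demands the FIDO2 PIN on every use.
    ssh-keygen -t ecdsa-sk -O resident -f "$HOME/.ssh/apex"
    echo "Next: ssh-copy-id -i $HOME/.ssh/apex.pub user@server, then set" \
         "PasswordAuthentication no in /etc/ssh/sshd_config and restart sshd."
fi
```

On the server, run `sshd_password_auth_disabled /etc/ssh/sshd_config` after editing and restarting; an `include`d drop-in under `/etc/ssh/sshd_config.d/` that sets it back to `yes` is easy to miss, so also check with `sshd -T | grep -i passwordauthentication` once the service is up.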
I’m getting somewhere here. Using opensc-explorer I get this when I tap my Apex:
opensc-explorer
OpenSC Explorer version 0.20.0
Using reader with a card: ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00
unable to select MF: Incorrect parameters in APDU
opensc-tool --list-readers
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00
1 No ACS ACR1252 1S CL Reader [ACR1252 Dual Reader SAM] 01 00
opensc-tool -n
Using reader with a card: ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00
Unsupported card