SSH Private Key via Apex Flex

Hey all,

Please let me know if this post is categorized incorrectly.

I’m looking for a solution to store my SSH private key (ed25519) on my Vivokey Apex Flex, and have Ubuntu 18.04-22.04 then prompt me to scan my Apex via the ACR1252U USB reader when attempting to SSH in order to authenticate.

I am very familiar with Linux, I can recompile the kernel if needed, build whatever modules from source, etc. I just don’t have a lot of experience on the enterprise end using smart cards for SSH auth and whatnot. Googling has failed me in attempting to look for solutions on the SmartPGP platform. I’ve watched this guy’s videos but they’re more geared towards signing git commits, and the SSH portion isn’t really described.

Any push in the right direction would be greatly appreciated.

When I use the opensc package from ubuntu, and the tool opensc-explorer within, I get this with my implant on the reader:

root@ubuntu1804:~# opensc-explorer 
OpenSC Explorer version 0.17.0
Using reader with a card: ACS ACR1252 1S CL Reader [ACR1252 Dual Reader PICC] 00 00
unable to select MF: Unsupported INS byte in APDU

Does this happen as soon as you attempt it, before you even tap the Apex? I’m asking because the ACR1252 has a built-in contact interface meant to interact with an internal SIM card, and sometimes software will see this interface first and won’t wait for a tapped contactless PICC.

That happens when the chip is resting on the sensor, otherwise it finds no device at all.

I’ve not dug into the PGP stuff too heavily, but others here should have some insight… maybe.

https://www.google.com/search?q=ssh+"Unsupported+INS+byte+in+APDU"&oq=ssh+"Unsupported+INS+byte+in+APDU"

Found this…

Follow the rabbit hole, found this:

Seems there might be a limitation of your reader? Seems odd… but possibly?

@StarGate01 … possibly this?

OpenSC uses PKCS#11 and PKCS#15 afaik, which the PGP applet does not support. We might publish a PIV applet with these protocols sometime in the future.

Anyway, the PGP applet together with GnuPG can be used as a SSH key agent as well. First make sure that PGP works with your card, then change the agent. I found some info at SSH authentication.

1 Like
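The agent switch described in the previous reply (keep using the PGP applet, but let gpg-agent stand in for ssh-agent), written out as an added example. This is not code from the thread or from Vivokey; it assumes GnuPG 2.1 or later with scdaemon, pcscd for the ACR1252U, and an authentication-capable key already present on the card. File paths are the standard GnuPG defaults. The example deliberately leaves the card PIN prompt in place so that possession of the implant alone is not enough to authenticate.

```shell
#!/bin/sh
# Added example: point OpenSSH at gpg-agent's SSH socket so the authentication
# key on a PGP applet is offered as an SSH identity.
# Assumptions (not from the thread): GnuPG >= 2.1, scdaemon + pcscd installed,
# an authentication key already on the card, default ~/.gnupg layout.

GNUPGHOME="${GNUPGHOME:-$HOME/.gnupg}"
AGENT_CONF="$GNUPGHOME/gpg-agent.conf"

# Append a line to a file only if an identical line is not already there,
# so re-running the script never duplicates settings.
ensure_line() {
    file="$1"; line="$2"
    mkdir -p "$(dirname "$file")"
    touch "$file"
    if ! grep -qxF -- "$line" "$file"; then
        printf '%s\n' "$line" >> "$file"
    fi
}

# Number of exact occurrences of a line in a file (used for self-checks).
count_line() {
    grep -cxF -- "$2" "$1" 2>/dev/null || true
}

# The line a user adds to ~/.profile (or ~/.bashrc): make ssh talk to
# gpg-agent's SSH socket instead of a separate ssh-agent.
ssh_auth_sock_line() {
    printf '%s\n' 'export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"'
}

# Enable SSH support in gpg-agent. Takes an optional config path so the
# function can be exercised against a scratch directory.
configure_gpg_agent() {
    conf="${1:-$AGENT_CONF}"
    ensure_line "$conf" "enable-ssh-support"
    # No pinentry tweaks here: the PIN stays as the second factor beside
    # possession of the implant.
    chmod 700 "$(dirname "$conf")"
    chmod 600 "$conf"
}

# End-to-end check: restart the agent, export the socket, confirm scdaemon
# sees the card, and list the SSH identities the agent now offers.
# Only meaningful on a machine with GnuPG and a reader attached.
verify_card_ssh_key() {
    command -v gpg >/dev/null 2>&1 || { echo "gpg not installed; skipping live check"; return 0; }
    gpg-connect-agent killagent /bye >/dev/null 2>&1 || true
    gpg-connect-agent /bye >/dev/null
    SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"; export SSH_AUTH_SOCK
    gpg --card-status >/dev/null || { echo "no card seen by scdaemon"; return 1; }
    # The card's authentication key should appear here as an ssh-ed25519 line;
    # that line is what goes into ~/.ssh/authorized_keys on the server.
    ssh-add -L
}

# Run the real configuration only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    configure_gpg_agent
    ssh_auth_sock_line
    verify_card_ssh_key
fi
```

Run it with `--apply`, add the printed `export SSH_AUTH_SOCK=...` line to the shell profile, and then `ssh -v host` should show the agent offering the card key and gpg-agent raising the PIN prompt on first use. If `ssh-add -L` prints nothing, check `gpg --card-status` first: the SSH side cannot see a key that scdaemon does not.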

Thanks guys,

@StarGate01 I’ll go ahead and try out that method when I get a moment. I’m curious as to what that guy did in the link that I posted, no prompt being needed just implant being scanned and I assume the key being added to the agent like you suggested.

I’ll report back.

In the video he uses GnuPG to sign git commits. The gpg agent interfaces with the PGP applet. He also modified the pinentry program to skip entering his passcode to unlock the applet.

1 Like

He appears to use it to both sign the git commits and auth SSH for the push as far as I can tell.

1 Like

Maybe @ajlennon can comment on this directly :slight_smile:

2 Likes

Hi all!

Sorry for radio silence. Had all sorts going on.

Yes indeed I have it setup here to sign my Git commits and authenticate my GitHub pushes :slight_smile:

1 Like

Could you elaborate on how you set up the SSH Auth portion? I’d be really interested to learn.