
#1 2018-08-17 22:18:56

yah_6
Member
Registered: 2016-12-18
Posts: 9

nitrokey pro smartcard

Hi,
I'm trying to access the authentication subkey, but it is not working.

I can list the card:

$ gpg --card-status

Reader ...........: 20A0:4108:00000000000000000000629F:0
Application ID ...: D27600012401030300050000629F0000
Version ..........: 3.3
Manufacturer .....: ZeitControl

But when I try to read the key, it fails:

$ ssh-keygen -D opensc-pkcs11.so -e
cannot read public key from pkcs11

When I try ssh-add, it fails too:

$ eval `ssh-agent`
Agent pid 13961
$ ssh-add -s opensc-pkcs11.so
Enter passphrase for PKCS#11: 
Could not add card "opensc-pkcs11.so": agent refused operation
$

I tried the key's passphrase and the card's admin and user passwords, but no cigar. Do you guys have any suggestions? I want to use the key so that I can SSH without having to keep the SSH key on the actual filesystem.

thanks

yah

Last edited by yah_6 (2018-08-18 21:10:28)


#2 2018-08-17 22:32:47

jasonwryan
Anarchist
From: .nz
Registered: 2009-05-09
Posts: 30,424

Re: nitrokey pro smartcard

Please use code tags when pasting to the boards: https://wiki.archlinux.org/index.php/Co … s_and_code


Arch + dwm   •   Mercurial repos  •   Surfraw

Registered Linux User #482438


#3 2018-08-18 21:14:13

yah_6
Member
Registered: 2016-12-18
Posts: 9

Re: nitrokey pro smartcard

I apologize for the lack of tags. I continue to have the same issue. I also tried a Gemalto card, and had no luck either.

$ gpg --card-status

Reader ...........: Gemalto USB Shell Token V2 00 00
Application ID ...: D2760001240102000005000003720000
Version ..........: 2.0
[yah@kermit ~]$ gpg-agent 
gpg-agent[3717]: gpg-agent running and available
[yah@kermit ~]$ ssh-keygen -D /usr/lib64/pkcs11/opensc-pkcs11.so 
cannot read public key from pkcs11

Any ideas will be greatly appreciated. Thanks.


#4 2018-08-18 21:57:56

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: nitrokey pro smartcard

I've been wanting to play with a GPG card for a while, but I haven't had the time yet, so what follows is based on my limited experience.

Did you set up the card properly? Did you follow any guide/tutorial and try to set up the card, or were you expecting it to work out of the box?

Is that the only output you get? Do post the full text output; obviously you can redact specific information like serial numbers, but don't omit general information, as it could help debug the problem.

As an example, with my gpg card + reader I get the following:

> gpg --card-status
Reader ...........: 04E6:[reader serial number]:0
Application ID ...: D2760001240102010005[redacted serial]
Version ..........: 2.1
Manufacturer .....: ZeitControl
Serial number ....: [redacted serial]
Name of cardholder: [not set]
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 0
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]

My card is "clean": I have no keys stored there. I did play with it a little bit before, but the last thing I did was a reset. Like I said, I haven't had much time to play with it yet, but as an example it should help get the ball rolling. Do say which tutorials/guides you tried to follow, as that might help people with more experience than me identify any outdated/wrong/not applicable information.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#5 2018-08-19 03:27:46

yah_6
Member
Registered: 2016-12-18
Posts: 9

Re: nitrokey pro smartcard

The Gemalto card is working.

I got the authentication public key and copied it to my test host, and then I was able to connect to the host in question.

$  pkcs15-tool   --read-ssh-key 3
Using reader with a card: Gemalto USB Shell Token V2 00 00
..
...
4/Q+EHiFD39DOo2e7r4gUn+raZr9SI2IxGAkVEfoHH Authentication key

$ ssh -I opensc-pkcs11.so $HOST
Enter PIN for 'User PIN (OpenPGP card)': 
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic i686)

When I try the Nitrokey card, it fails:

$  pkcs15-tool   --read-ssh-key 3
Using reader with a card: Nitrokey Nitrokey Pro (00000000000000000000629F) 00 00
..
..
/MVK/YN8vZ8incpUe2Vi142IAiokI28rGO99c+S5amU70qrY6a5PtjAoAVEZDHki3lA56KJmqUK++URY/yWYoE2Q/ZjSAWH8yeyjxxNAF/X34VvD5xU+ooalEqBFIp5G0n Authentication key

$ ssh -I opensc-pkcs11.so $HOST 
Enter PIN for 'User PIN (OpenPGP card)': 
C_Login failed: 164
sign_and_send_pubkey: signing failed: error in libcrypto
no such identity: /home/yah/.ssh/id_ecdsa: No such file or directory
no such identity: /home/yah/.ssh/id_ed25519: No such file or directory
no such identity: /home/yah/.ssh/id_xmss: No such file or directory


$ ssh -I opensc-pkcs11.so $HOST -vvv

debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs
debug3: sign_and_send_pubkey: RSA SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs
Enter PIN for 'User PIN (OpenPGP card)': 
C_Login failed: 164
sign_and_send_pubkey: signing failed: error in libcrypto
debug1: Offering public key: RSA SHA256:McmPHE3NmNzPxvWIZ1hG54/g+G4D8n+gR0YwE+Td5No opensc-pkcs11.so
debug3: send_pubkey_test
debug3: send packet: type 50

The client uses the correct key; it matches the SHA256 fingerprint from the ssh -vvv output. Below is the public key's SHA256 fingerprint:

$ ssh-keygen -l -f /tmp/t3
2048 SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs Authentication key (RSA)

I wonder why the Nitrokey is not working and the Gemalto is. Is opensc-pkcs11.so the wrong library to use?

thanks,

yah


#6 2018-08-19 09:42:50

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: nitrokey pro smartcard

I remember seeing something about some cards (or card readers) having a different access method/protocol, and that you would need to do some setup to make things work. I don't think that is the problem, since you seem to be able to access the card with gpg, but it's worth keeping in mind.

You still haven't posted the full redacted output of 'gpg --card-status' for both cards so that anyone can actually try to figure out what is not working. This is not a common topic where people can just guess what's wrong; you have to provide as much information as possible.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#7 2018-08-19 15:53:22

yah_6
Member
Registered: 2016-12-18
Posts: 9

Re: nitrokey pro smartcard

Sorry for the delay, and thanks for your patience. Below is the output you requested.

$ gpg --card-status
Reader ...........: Nitrokey Nitrokey Pro (00000000000000000000629F) 00 00
Application ID ...: D27600012401030300050000629F0000
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 0000629F
Name of cardholder: xxx xxx
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 0 0 3
Signature counter : 4
Signature key ....: C677 B9F5 8547 25F9 FC37  C075 7C26 C7BE 9D46 06E0
      created ....: 2018-08-17 20:31:18
Encryption key....: EAA1 6359 25B7 C9AB 7124  0FEE 6402 A85D A7B6 8A04
      created ....: 2018-08-17 20:31:18
Authentication key: 0B31 72B5 E998 36E6 1944  6843 AE8E 26B8 24EF D5D6
      created ....: 2018-08-17 20:31:18
General key info..: [none]
$ 

$ gpg --card-status

Reader ...........: Gemalto USB Shell Token V2 00 00
Application ID ...: D2760001240102000005000003720000
Version ..........: 2.0
Manufacturer .....: ZeitControl
Serial number ....: 00000372
Name of cardholder: xxx xxx
Language prefs ...: de
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 32 32 32
PIN retry counter : 3 0 3
Signature counter : 4
Signature key ....: DBF6 E3DC CEA9 5E7A BF47  A970 8964 9EAF 6327 6DCD
      created ....: 2018-08-18 20:47:03
Encryption key....: 66E2 9669 632F 1005 20DD  D18C B599 88B5 6828 34A5
      created ....: 2018-08-18 20:47:03
Authentication key: E3BB 677A CB63 260E C75B  B666 3D5C C654 75B3 D683
      created ....: 2018-08-18 20:47:03
General key info..: pub  rsa2048/89649EAF63276DCD 2018-08-18 xxxxx
sec>  rsa2048/89649EAF63276DCD  created: 2018-08-18  expires: 2019-08-18
                                card-no: 0005 00000372
ssb>  rsa2048/3D5CC65475B3D683  created: 2018-08-18  expires: 2019-08-18
                                card-no: 0005 00000372
ssb>  rsa2048/B59988B5682834A5  created: 2018-08-18  expires: 2019-08-18
                                card-no: 0005 00000372
$ 


#8 2018-08-19 16:07:43

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: nitrokey pro smartcard

The 'PIN retry counter' for the Nitrokey is '0 0 3' and for the Gemalto it is '3 0 3'. Without knowing better, I'd say the card/keys are locked because of too many wrong PIN tries. You should be able to reset that, though, since the admin PIN is not locked.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K
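The diagnosis above can be checked mechanically. The following script is an added example and not code from this thread or from the Nitrokey/OpenSC projects: it parses the 'PIN retry counter' line of `gpg --card-status` (the three numbers are, in order, the user PIN, the reset code and the admin PIN counters) and decodes the decimal number that OpenSC prints after `C_Login failed:` into its PKCS#11 CKR_* name (164 is 0xA4, CKR_PIN_LOCKED; 257 is 0x101, CKR_USER_NOT_LOGGED_IN). The sample inputs are the two card-status listings and the ssh error line quoted in this thread; the function names and the CKR table are my own, and the unblock hint it prints refers to the `admin` / `passwd` / "unblock PIN" menu of `gpg --card-edit`.

```python
"""Diagnose a locked OpenPGP card from 'gpg --card-status' output and from
the 'C_Login failed: N' lines printed by the OpenSC PKCS#11 module.

Added example for this thread, not code from Nitrokey, OpenSC or GnuPG.
"""
import re

# PKCS#11 (Cryptoki v2.x) return codes that C_Login commonly reports.
CKR_NAMES = {
    0x00: "CKR_OK",
    0x05: "CKR_GENERAL_ERROR",
    0x06: "CKR_FUNCTION_FAILED",
    0x30: "CKR_DEVICE_ERROR",
    0x32: "CKR_DEVICE_REMOVED",
    0xA0: "CKR_PIN_INCORRECT",
    0xA1: "CKR_PIN_INVALID",
    0xA2: "CKR_PIN_LEN_RANGE",
    0xA3: "CKR_PIN_EXPIRED",
    0xA4: "CKR_PIN_LOCKED",
    0xE0: "CKR_TOKEN_NOT_PRESENT",
    0x100: "CKR_USER_ALREADY_LOGGED_IN",
    0x101: "CKR_USER_NOT_LOGGED_IN",
    0x102: "CKR_USER_PIN_NOT_INITIALIZED",
}

# Order of the three counters on the 'PIN retry counter' line of the
# OpenPGP card application: user PIN (PW1), reset code (RC), admin PIN (PW3).
COUNTER_NAMES = ("user PIN", "reset code", "admin PIN")

# Constructed sample inputs: the listings quoted in the thread, trimmed.
NITROKEY_STATUS = """\
Reader ...........: Nitrokey Nitrokey Pro (00000000000000000000629F) 00 00
Version ..........: 3.3
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 0 0 3
Signature counter : 4
"""
GEMALTO_STATUS = """\
Reader ...........: Gemalto USB Shell Token V2 00 00
Version ..........: 2.0
PIN retry counter : 3 0 3
Signature counter : 4
"""
NITROKEY_SSH_LOG = """\
Enter PIN for 'User PIN (OpenPGP card)':
C_Login failed: 164
sign_and_send_pubkey: signing failed: error in libcrypto
"""


def ckr_name(code):
    """Map the decimal number after 'C_Login failed:' to its CKR_* name."""
    return CKR_NAMES.get(code, "CKR_0x%X (unknown)" % code)


def parse_retry_counters(card_status):
    """Return {'user PIN': n, 'reset code': n, 'admin PIN': n}."""
    m = re.search(r"^PIN retry counter\s*:\s*(\d+)\s+(\d+)\s+(\d+)",
                  card_status, re.M)
    if not m:
        raise ValueError("no 'PIN retry counter' line in card-status output")
    return dict(zip(COUNTER_NAMES, (int(x) for x in m.groups())))


def diagnose(card_status, ssh_log=""):
    """Return (counters, findings) combining the card state and ssh errors."""
    counters = parse_retry_counters(card_status)
    findings = []
    if counters["user PIN"] == 0:
        if counters["admin PIN"] > 0:
            findings.append("user PIN is blocked; unblock it with the admin PIN "
                            "(gpg --card-edit, then admin, passwd, 'unblock PIN')")
        else:
            findings.append("user PIN and admin PIN are both blocked; "
                            "only a factory reset recovers the card")
    # A reset-code counter of 0 is normal when no reset code was ever set,
    # so it is not reported on its own.
    for code in re.findall(r"C_Login failed:\s*(\d+)", ssh_log):
        findings.append("C_Login failed: %s = %s" % (code, ckr_name(int(code))))
    return counters, findings


if __name__ == "__main__":
    for label, status, log in (("Nitrokey", NITROKEY_STATUS, NITROKEY_SSH_LOG),
                               ("Gemalto", GEMALTO_STATUS, "")):
        counters, findings = diagnose(status, log)
        print(label, counters)
        for f in findings:
            print("  -", f)
```

Run it as is to see the Nitrokey flagged as blocked with C_Login 164 decoded to CKR_PIN_LOCKED, or feed it real output with `gpg --card-status > status.txt` and pass the file contents to `diagnose`. It reads text only; it never talks to the card, so it cannot decrement a counter itself.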


#9 2018-08-19 18:27:03

yah_6
Member
Registered: 2016-12-18
Posts: 9

Re: nitrokey pro smartcard

Thanks for the tip. For some reason, I missed that. I'll give it a try.


#10 2018-08-19 18:36:36

yah_6
Member
Registered: 2016-12-18
Posts: 9

Re: nitrokey pro smartcard

No luck. I tried it and failed, and the counter was decremented with the failure:

$  ssh -I opensc-pkcs11.so $HOST
Enter PIN for 'User PIN (OpenPGP card)': 
C_Login failed: 257
sign_and_send_pubkey: signing failed: error in libcrypto
no such identity: /home/yah/.ssh/id_ecdsa: No such file or directory
no such identity: /home/yah/.ssh/id_ed25519: No such file or directory
no such identity: /home/yah/.ssh/id_xmss: No such file or directory
xxx@xxxxx's password: 

$ gpg --card-status
Reader ...........: Nitrokey Nitrokey Pro (00000000000000000000629F) 00 00
Application ID ...: D27600012401030300050000629F0000
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 0000629F
Name of cardholder: xxxx
Language prefs ...: en
Sex ..............: unspecified
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: not forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 64 64 64
PIN retry counter : 1 0 3
Signature counter : 4
Signature key ....: C677 B9F5 8547 25F9 FC37  C075 7C26 C7BE 9D46 06E0
      created ....: 2018-08-17 20:31:18
Encryption key....: EAA1 6359 25B7 C9AB 7124  0FEE 6402 A85D A7B6 8A04
      created ....: 2018-08-17 20:31:18
Authentication key: 0B31 72B5 E998 36E6 1944  6843 AE8E 26B8 24EF D5D6
      created ....: 2018-08-17 20:31:18
General key info..: [none]

I'll run more tests. Thanks.


#11 2018-08-19 20:00:01

R00KIE
Forum Fellow
From: Between a computer and a chair
Registered: 2008-09-14
Posts: 4,734

Re: nitrokey pro smartcard

You should be able to try/test the password directly with gpg; until you confirm it works with gpg, leave ssh out of the way. Are the passwords the same for both cards? If not, does the one for the Nitrokey contain any localized characters that might be passed incorrectly somewhere along the software chain to the card? Try changing the password to something simple, test that it works, and if it does, change it back to what you have now.

The counters should decrement for every wrong try, so the first number should start at 3, just like on the Gemalto card. Since your admin key is not expired, I think you should be able to reset all counters; that's the direction I was trying to point you in.


R00KIE
Tm90aGluZyB0byBzZWUgaGVyZSwgbW92ZSBhbG9uZy4K


#12 2018-08-20 20:41:48

yah_6
Member
Registered: 2016-12-18
Posts: 9

Re: nitrokey pro smartcard

Thanks for the info. It works now. For some reason, it started working after I removed and then reinserted the smartcard. After I did that, I was able to sign and use SSH, but gpg --card-status failed.

$ gpg --sign --armor -u 7C26C7BE9D4606E0  hosts
File 'hosts.asc' exists. Overwrite? (y/N) y

$ ssh -I opensc-pkcs11.so xxx.xxx
Enter PIN for 'User PIN (OpenPGP card)': 
Last login: Mon Aug 20 15:37:27 2018 from xxxx.xxx

$ gpg --card-status
gpg: selecting openpgp failed: No such device
gpg: OpenPGP card not available: No such device
