Hello,

Thanks for taking the time to examine that. I guess that I'd need to dig deeper, or ask the OpenSSH guys.

Best regards,
Bolesław Tokarski

2015-03-30 3:17 GMT+02:00 NIIBE Yutaka <gni...@fsij.org>:
> On 03/27/2015 09:36 PM, Bolesław Tokarski wrote:
> > ssh-keygen *can* sign a public key with a smartcard, using a PKCS#11 token.
> > However, I see that the OpenPGP card does not natively talk PKCS#11, but
> > there's some wrapper library. Am I really forced to use that? Would it work
> > correctly, or would it break the keys currently on the card?
> >
> > Is the PKCS#11 library for the OpenPGP card usable?
>
> Scute is a shared library for NSS (Network Security Services) with
> scdaemon (of GnuPG), which provides a PKCS#11 interface.
>
> But I'm afraid it doesn't work for OpenSSH. I mean, the library
> interface of NSS doesn't match the one of OpenSSH.
>
> Well, I think that it's possible for us to write a script using
> gpg-connect-agent which asks for a signature to be generated by the
> authentication key of GnuPG. Then the script can be used for certificate
> generation for OpenSSH (instead of ssh-keygen).
>
> I generated a *-cert.pub with ssh-keygen and examined its content. It
> seems that it's a simple concatenation of:
>
> Header
> Public key to be signed
> Key Id
> Options (in ASCII)
> Signing public key of CA
> Signature
>
> We can use the SIGKEY, SETHASH, and PKSIGN commands of gpg-agent to
> generate the signature, and the other parts can be written in, say, Python
> or something.
>
> Ideally, ssh-keygen would do better to talk to ssh-agent to ask for
> signing, though.
> --
>
> _______________________________________________
> Gnupg-users mailing list
> Gnupg-users@gnupg.org
> http://lists.gnupg.org/mailman/listinfo/gnupg-users
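As an added illustration (not code from this thread, nor from GnuPG or OpenSSH), here is the field-by-field layout NIIBE summarises above, for an RSA user certificate as laid out in OpenSSH's PROTOCOL.certkeys: a builder for the bytes the CA signs, and a parser that splits a finished certificate back into its fields. The signature itself is left to an external signer (for instance gpg-agent's PKSIGN, as suggested in the quoted message); the key values, the `rsa-sha2-256` signature name and the signature bytes in the sample are constructed placeholders.

```python
import struct

def ssh_string(b: bytes) -> bytes:  # SSH wire "string": uint32 length + bytes
    return struct.pack(">I", len(b)) + b
def ssh_mpint(n: int) -> bytes:  # positive mpint: leading zero byte if the high bit is set
    return ssh_string(b"" if n == 0 else n.to_bytes((n.bit_length() + 8) // 8, "big"))
def ssh_pack(*items: bytes) -> bytes:  # zero or more concatenated ssh strings
    return b"".join(ssh_string(i) for i in items)

CERT_TYPE, USER_CERT = b"ssh-rsa-cert-v01@openssh.com", 1

def cert_to_be_signed(nonce, e, n, serial, key_id, principals, valid_after, valid_before, ca_pub):
    """Every field before the trailing signature: the bytes the CA key signs."""
    return (ssh_string(CERT_TYPE) + ssh_string(nonce) + ssh_mpint(e) + ssh_mpint(n)
            + struct.pack(">QI", serial, USER_CERT) + ssh_string(key_id)
            + ssh_string(ssh_pack(*principals)) + struct.pack(">QQ", valid_after, valid_before)
            + ssh_string(b"") * 3  # critical options, extensions, reserved: all empty here
            + ssh_string(ca_pub))

def assemble_cert(tbs: bytes, sig_type: bytes, sig_blob: bytes) -> bytes:
    # The signature field wraps (algorithm name, raw signature) as two ssh strings.
    return tbs + ssh_string(ssh_pack(sig_type, sig_blob))

def parse_cert(blob: bytes) -> dict:
    pos = 0
    def rd_str():
        nonlocal pos
        (ln,) = struct.unpack_from(">I", blob, pos)
        pos += 4 + ln
        return blob[pos - ln:pos]
    def rd_list(packed):  # a string that itself holds concatenated strings
        out, p = [], 0
        while p < len(packed):
            (ln,) = struct.unpack_from(">I", packed, p); out.append(packed[p + 4:p + 4 + ln]); p += 4 + ln
        return out
    c = {"type": rd_str(), "nonce": rd_str()}
    c["e"], c["n"] = int.from_bytes(rd_str(), "big"), int.from_bytes(rd_str(), "big")
    c["serial"], c["cert_type"] = struct.unpack_from(">QI", blob, pos); pos += 12
    c["key_id"], c["principals"] = rd_str(), rd_list(rd_str())
    c["valid_after"], c["valid_before"] = struct.unpack_from(">QQ", blob, pos); pos += 16
    c["critical_options"], c["extensions"], c["reserved"], c["ca_pub"] = rd_str(), rd_str(), rd_str(), rd_str()
    c["tbs"] = blob[:pos]  # what a verifier checks against the CA public key and the signature
    c["sig_type"], c["sig_blob"] = rd_list(rd_str())
    if pos != len(blob):
        raise ValueError("trailing bytes after certificate")
    return c

# Constructed sample values: not a real key, not a real signature.
CA_PUB = ssh_string(b"ssh-rsa") + ssh_mpint(65537) + ssh_mpint(0xBEEF)
SAMPLE_TBS = cert_to_be_signed(b"\x01" * 32, 65537, 0xC0FFEE, 7, b"alice@example",
                               [b"alice", b"ops"], 1427760000, 1459296000, CA_PUB)
SAMPLE_CERT = assemble_cert(SAMPLE_TBS, b"rsa-sha2-256", b"\x00" * 8)
```

A real certificate line is this blob base64-encoded after the type name; `ssh-keygen -L -f` on such a file prints the same fields.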