NitroKey HSM, EC keys with OpenSSH

It doesn’t seem to work.

First I generate a key:

pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type EC:secp256r1 --id 2 --label "SSH Key"

Then I get the pubkey:

pkcs15-tool --read-public-key 2 > eckey.pub
#cat eckey.pub:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPDJy6vEmcsjUoRovCW8ZNifKUYev
XIEiSORGp1MLXXsY1OcaQohZfMYMZ//z7rVvfOBP6HXciEEo0PxoLoWtKw==
-----END PUBLIC KEY-----

Convert that to OpenSSH format:

ssh-keygen -i -m PKCS8 -f eckey.pub

Output:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDwycurxJnLI1KEaLwlvGTYnylGHr1yBIkjkRqdTC117GNTnGkKIWXzGDGf/8+61b3zgT+h13IhBKND8aC6FrSs=

Place that in the authorized_keys file on a modern (Ubuntu 16.04) machine. Try to SSH with the HSM and it fails:

$ ssh -o "PKCS11Provider opensc-pkcs11.so" root@server
C_GetAttributeValue failed: 18
no keys
root@server's password:

The regular way of getting an SSH key also doesn't work with an EC key:

$ pkcs15-tool --verbose --read-ssh-key 2 
Using reader with a card: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
Connecting to card in reader Nitrokey Nitrokey HSM (010000000000000000000000) 00 00...
Using card driver SmartCard-HSM.
Trying to find a PKCS#15 compatible card...
Found SmartCard-HSM!
Reading ssh key with ID '2'

How do I use an EC key with OpenSSH? (Issue here as well: github.com/OpenSC/OpenSC/issues/803)

You referred to the appropriate bug report already. “Unfortunately OpenSSH PKCS#11 interface does not support ECC.”

Looking at the ticket, it seems that support for ECC keys has been added since OpenSSH v8.0.

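Added example (not code from this thread, OpenSC or OpenSSH): the conversion that ssh-keygen -i -m PKCS8 performs in the first post, written out against that post's public key so the result can be compared with the ecdsa-sha2-nistp256 line shown there, plus a check of the ssh -V version against the 8.0 requirement from the last reply. The P-384/P-521 curve entries and the version-string parsing are my assumptions, not something the thread states.

```python
import base64, struct

# DER-encoded named-curve OIDs -> OpenSSH curve identifiers (P-384/P-521 added beyond the post)
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): b"nistp256",  # secp256r1, the curve used in the post
    bytes.fromhex("2b81040022"): b"nistp384",        # secp384r1 (assumed mapping)
    bytes.fromhex("2b81040023"): b"nistp521",        # secp521r1 (assumed mapping)
}

def _tlv(buf, pos):
    """Read one DER tag-length-value at pos; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long-form length (P-521 keys need it)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _ssh_string(b):
    return struct.pack(">I", len(b)) + b       # RFC 4251 "string": 4-byte length prefix

def pem_to_openssh(pem):
    """PEM SubjectPublicKeyInfo (what pkcs15-tool --read-public-key prints) ->
    'ecdsa-sha2-nistpXXX AAAA...' line, the same output ssh-keygen -i -m PKCS8 gives."""
    der = base64.b64decode("".join(l for l in pem.split("\n") if "-----" not in l))
    _, spki, _ = _tlv(der, 0)                  # SEQUENCE { algorithm, subjectPublicKey }
    _, alg, pos = _tlv(spki, 0)                # AlgorithmIdentifier SEQUENCE { OID, curve OID }
    _, oid, p = _tlv(alg, 0)
    if oid != bytes.fromhex("2a8648ce3d0201"): # id-ecPublicKey; RSA keys are not handled here
        raise ValueError("not an EC public key")
    curve = CURVES[_tlv(alg, p)[1]]            # KeyError for a curve OpenSSH has no name for
    tag, bits, _ = _tlv(spki, pos)             # BIT STRING: unused-bits byte, then the point
    if tag != 0x03 or bits[:2] != b"\x00\x04":
        raise ValueError("expected an uncompressed EC point")
    point = bits[1:]
    blob = _ssh_string(b"ecdsa-sha2-" + curve) + _ssh_string(curve) + _ssh_string(point)
    return "ecdsa-sha2-%s %s" % (curve.decode(), base64.b64encode(blob).decode())

def pkcs11_ecdsa_supported(ssh_version_line):
    """True when `ssh -V` reports OpenSSH >= 8.0, the first release whose PKCS#11
    provider handles ECDSA keys (the reason the login in the post fails on 16.04)."""
    ver = ssh_version_line.split()[0].split("_", 1)[1]      # "OpenSSH_7.2p2 ..." -> "7.2p2"
    major, minor = ver.split("p")[0].split(".")[:2]
    return (int(major), int(minor)) >= (8, 0)

# The public key from the first post (output of pkcs15-tool --read-public-key 2)
ECKEY_PUB = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPDJy6vEmcsjUoRovCW8ZNifKUYev
XIEiSORGp1MLXXsY1OcaQohZfMYMZ//z7rVvfOBP6HXciEEo0PxoLoWtKw==
-----END PUBLIC KEY-----"""
```

pem_to_openssh(ECKEY_PUB) reproduces the ecdsa-sha2-nistp256 line from the post byte for byte, which confirms the conversion step was not the problem; pkcs11_ecdsa_supported("OpenSSH_7.2p2 ...") returning False is the actual cause.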