Hi,
I tested the Nitrokey on 4 different computers (2x Fedora, 1x Ubuntu, 1x Arch Linux) for SSH authentication via gpg-agent and always ran into the same issue:
SSH-Publickey authentication works after plugging the Nitrokey into the PC and then after around 3 minutes, it completely stops working. I tried multiple factory-resets (via gpg --edit-card) but the problem is always the same, across all computers and Linux distributions.
I did set up my new Nitrokey 3 as a GPG Smartcard for use with gpg-agent for SSH in multiple different ways:
- RSA2048 keys generated on the device
- RSA4096 keys generated on PC and transferred via keytocard
- ED25519 keys generated on the device
- ED25519 keys generated on PC and transferred via keytocard
Example:
plugging the Nitrokey in
~ ❯ ssh root@[REDACTED]
// PIN is requested and entered
root@[REDACTED]:~# echo "IT WORKS!"
After 2-4 minutes of waiting without touching anything on the computer:
~ ❯ ssh root@[REDACTED]
// No Pin dialog, nothing. The Nitrokey blinks green for a split second and then:
sign_and_send_pubkey: signing failed for RSA "cardno:000F_[REDACTED]" from agent: agent refused operation
The Nitrokey still answers to gpg --card-status sometimes !
~ ❯ lang=c gpg --card-status
Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application ID ...: D276000124010304000FAEEF95980000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: Nitrokey
Serial number ....: [REDACTED]
Name of cardholder: [REDACTED]
Language prefs ...: [REDACTED]
Salutation .......: [REDACTED]
URL of public key : [nicht gesetzt]
Login data .......: [nicht gesetzt]
Signature PIN ....: zwingend
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Signature key ....: 2BDE [REDACTED]
created ....: 2024-01-24 20:18:43
Encryption key....: 8828 [REDACTED]
created ....: 2024-01-24 20:18:43
Authentication key: 9384 [REDACTED]
created ....: 2024-01-24 20:20:17
General key info..: pub rsa4096/0x9B[REDACTED] 2024-01-24 [REDACTED] <[REDACTED]@[REDACTED].[REDACTED]>
sec> rsa4096/0x9B[REDACTED] erzeugt: 2024-01-24 verfällt: niemals
Kartennummer:[REDACTED]
ssb> rsa4096/0x56[REDACTED] erzeugt: 2024-01-24 verfällt: niemals
Kartennummer:[REDACTED]
ssb> rsa4096/0x8B1[REDACTED] erzeugt: 2024-01-24 verfällt: niemals
Kartennummer:[REDACTED]
Either removing the Nitrokey and plugging it back in or restarting pcscd immediately resolves the problem. But then it also only works for about 2-4 minutes and the same problem occurs again. A Yubikey 5 AND a GnuPG SmartCard with external card reader using the exact same setup do work reliably on all 4 computers. So far, only the Nitrokey is kinda unusable for me as a GPG Smartcard for SSH public-key authentication. And it's 100% consistent. After 2-4 minutes, it completely stops working.
Hardware: Nitrokey 3A NFC
Operating-Systems: Fedora 38, Fedora 39, Arch Linux, Ubuntu 23.10
(probably) Interesting Configuration-Files:
~/.gnupg/gpg-agent.conf
enable-ssh-support
ttyname $GPG_TTY
default-cache-ttl-ssh 34560000 #Tested different values. Doesn't make any difference!
max-cache-ttl-ssh 34560000 #Doesn't make any difference!
pinentry-program /usr/bin/pinentry-qt
~/.gnupg/scdaemon.conf
disable-ccid
pcsc-shared
~/.config/fish/config.fish (Shell-Configuration)
set -x GPG_TTY (tty)
set -x SSH_AUTH_SOCK (gpgconf --list-dirs agent-ssh-socket)
gpgconf --launch gpg-agent
Does someone have an idea? In that state, the Nitrokey is not usable for me, and using it as a GPG smartcard was the only reason I bought it (not interested in FIDO or anything else).
Additional information that might be helpful for troubleshooting:
~ ❯ nitropy nk3 version
Command line tool to interact with Nitrokey devices 0.4.45
v1.6.0
~❯ nitropy nk3 status
Command line tool to interact with Nitrokey devices 0.4.45
UUID: [REDACTED]
Firmware version: v1.6.0
Init status: ok
Free blocks (int): 29
Free blocks (ext): 465
Variant: LPC55
❯ nitropy nk3 test
Command line tool to interact with Nitrokey devices 0.4.45
Found 1 Nitrokey 3 device(s):
- Nitrokey 3 at /dev/hidraw0
Running tests for Nitrokey 3 at /dev/hidraw0
[1/5] uuid UUID query SUCCESS [REDACTED]
[2/5] version Firmware version query SUCCESS v1.6.0
[3/5] status Device status SUCCESS Status(init_status=<InitStatus: 0>, ifs_blocks=29, efs_blocks=465, variant=<Variant.LPC55: 1>)
Running SE050 test: |
[4/5] se050 SE050 SKIPPED Testing SE050 functionality is not supported by the device
Please press the touch button on the device ...
Please press the touch button on the device ...
[5/5] fido2 FIDO2 SUCCESS
5 tests, 4 successful, 1 skipped, 0 failed
Summary: 1 device(s) tested, 1 successful, 0 failed
Any suggestions or help are appreciated. If this doesn't work reliably, the Nitrokey unfortunately is of no use to me at all.
greetings,
Koren23
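The post reports a failure window of 2-4 minutes but measures it by hand. The script below is an added troubleshooting helper, not part of the post or of Nitrokey's tooling: it parses `gpg --card-status` output for the fields that would make gpg-agent refuse an SSH signature (blocked PINs, a UIF touch requirement on the Auth key), then repeatedly asks the agent to sign a few bytes with the card key and records when the first failure occurs, so the time-to-failure can be compared across machines, pcscd restarts and the `disable-ccid`/`pcsc-shared` settings. It assumes `SSH_AUTH_SOCK` points at gpg-agent as in the post's `config.fish`, that the card's public key has been saved to a file (for example with `ssh-add -L > nk3.pub`), and that `ssh-keygen -Y sign -f <pubkey>` looks the private key up in the agent (an assumption about OpenSSH behaviour). The embedded card-status text is a constructed sample modelled on the output in the post, with placeholders instead of real fingerprints.

```python
"""Measure how long a gpg-agent smartcard stays usable for SSH signatures."""
import os
import re
import subprocess
import sys
import time
from datetime import datetime

# Constructed sample modelled on the `gpg --card-status` output in the post
# (fingerprints replaced by placeholders; not real card data).
SAMPLE_CARD_STATUS = """\
Reader ...........: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Application ID ...: D276000124010304000FAEEF95980000
Application type .: OpenPGP
Version ..........: 3.4
Key attributes ...: rsa4096 rsa4096 rsa4096
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
UIF setting ......: Sign=off Decrypt=off Auth=off
Authentication key: 9384 PLACEHOLDER
      created ....: 2024-01-24 20:20:17
"""


def parse_card_status(text):
    """Map the 'Label ....: value' lines of gpg --card-status to {label: value}."""
    fields = {}
    for line in text.splitlines():
        if ":" not in line:
            continue
        label, value = line.split(":", 1)
        # Labels are padded with dots up to the colon; strip that padding.
        fields[label.strip().rstrip(" .")] = value.strip()
    return fields


def pin_retry_counters(fields):
    """(user PIN, reset code, admin PIN) retries left.
    A 0 for the reset code is normal when no reset code has been set."""
    return tuple(int(n) for n in fields["PIN retry counter"].split())


def card_problems(fields):
    """Card-status conditions under which the agent will refuse to sign."""
    problems = []
    user_pin, _reset_code, admin_pin = pin_retry_counters(fields)
    if user_pin == 0:
        problems.append("user PIN is blocked (0 retries left)")
    if admin_pin == 0:
        problems.append("admin PIN is blocked (0 retries left)")
    auth_uif = re.search(r"Auth=(\w+)", fields.get("UIF setting", ""))
    if auth_uif and auth_uif.group(1) != "off":
        problems.append("UIF requires a button press for Auth; signing fails without it")
    return problems


def probe_signature(pubkey_path, run=subprocess.run):
    """Ask the agent to sign a few bytes with the card key, as ssh would.
    Returns (ok, stderr_text). `run` is injectable so the logic can be tested
    without a card; the ssh-keygen-via-agent lookup is an assumption."""
    proc = run(
        ["ssh-keygen", "-Y", "sign", "-f", pubkey_path, "-n", "probe"],
        input=b"probe\n", capture_output=True, timeout=60,
    )
    return proc.returncode == 0, proc.stderr.decode(errors="replace").strip()


def time_to_failure(samples):
    """Seconds elapsed at the first failure that follows a success, else None.
    samples: [(elapsed_seconds, ok_bool), ...] in time order."""
    seen_ok = False
    for elapsed, ok in samples:
        if ok:
            seen_ok = True
        elif seen_ok:
            return elapsed
    return None


def monitor(pubkey_path, interval=15, duration=600, run=subprocess.run):
    """Probe every `interval` seconds for `duration` seconds; keep going after
    a failure so intermittent recovery is visible too."""
    start = time.monotonic()
    samples = []
    while True:
        elapsed = int(time.monotonic() - start)
        ok, err = probe_signature(pubkey_path, run)
        samples.append((elapsed, ok))
        stamp = datetime.now().strftime("%H:%M:%S")
        print(f"{stamp} +{elapsed:4d}s {'OK  ' if ok else 'FAIL'} {err}")
        if elapsed >= duration:
            return samples
        time.sleep(interval)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: nk3_probe.py <card-pubkey.pub>")
    # LANG=C keeps the card-status labels in English so the parser matches.
    status = subprocess.run(["gpg", "--card-status"], capture_output=True,
                            text=True, env=dict(os.environ, LANG="C")).stdout
    for problem in card_problems(parse_card_status(status)):
        print("card-status problem:", problem)
    ttf = time_to_failure(monitor(sys.argv[1]))
    print("first failure after:", f"{ttf}s" if ttf is not None else "never")
```

Run it right after plugging the card in and entering the PIN once; the printed log shows the moment the agent starts answering "agent refused operation", and the final line gives the time-to-failure to quote in a bug report.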