Read nitrokey from daemon for user


I’ve written a service (with root privileges) which connects to an SSH server available on the network and creates
mount points to access SFTP via FUSE to share files. No user action is required; everything happens automatically.

I would like to know how I can use a Nitrokey for this. I know that keys usable for SSH authentication are stored on the nkey. Now I’ve got some questions:

a. How does my daemon “know” to which user the Nitrokey belongs? Linux is a multiuser system, and (especially with multiseat) several users can use the system at the same time.

b. How do I read the right key from the nkey? Which call (from the API) do I have to use? Or do I have to connect to another daemon which handles these USB devices?

Stef Bon


If you would like to use the smart card keys in OpenPGP style, I recommend using a CCID backend, like GPGME. There are also the PKCS#11 and PKCS#15 standards, which you might find interesting and can use via OpenSC. All of this should be described on our documentation pages:

Smart cards are recognizable by their serial number and are authenticated via PINs (User/Admin). There should be no problem with connecting to a wrong smart card, since you would not know its PIN (in the worst case you would use up all 3 attempts for the User PIN, which is recoverable if you know the Admin PIN). There are some hardware isolation techniques, like containerization. Maybe udev rules would help too.
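The two points in the reply above (identify the card by its serial number before doing anything with its PIN, and reach the SSH key through PKCS#11 via OpenSC) can be put together in the daemon roughly as follows. This is an added example, not code from the forum post or from Nitrokey. It assumes OpenSC is installed (`pkcs11-tool` and the `opensc-pkcs11.so` module, path given for Debian/Ubuntu), that the daemon keeps a small enrollment table mapping card serial to local user which an administrator fills from `pkcs11-tool --list-token-slots` when each user registers their key, and that `sshfs` and `runuser` are available. The slot listing embedded below is constructed for the example (the serials are made up) so the script runs without a card; when run directly it tries the real `pkcs11-tool` first and falls back to the sample.

```python
"""Pick the Nitrokey that belongs to a user by serial number, then build the
sshfs command that authenticates with the card's key via OpenSC PKCS#11.

Added example (not Nitrokey's code). Assumptions: OpenSC installed, enrollment
table SERIAL_TO_USER maintained by the admin, sshfs and runuser present.
"""
import re
import shlex
import subprocess
from typing import Dict, List

PKCS11_MODULE = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so"  # Debian path (assumed)

# Assumed enrollment table the daemon trusts: card serial -> local user.
# Only a card whose serial is listed here ever gets a PIN presented to it;
# the OpenPGP User PIN locks after 3 wrong tries, so never probe unknown cards.
SERIAL_TO_USER: Dict[str, str] = {
    "000500001234": "stef",   # constructed serial
    "000500005678": "alice",  # constructed serial
}

# Constructed sample in the shape of `pkcs11-tool --module ... --list-token-slots`.
# Two cards are plugged in: one enrolled (stef), one unknown (ignored).
SAMPLE_LISTING = """\
Available slots:
Slot 0 (0x0): Nitrokey Nitrokey Pro (0000000000000) 00 00
  token label        : OpenPGP card (User PIN)
  token manufacturer : ZeitControl
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 2.1
  firmware version   : 2.1
  serial num         : 000500001234
  pin min/max        : 6/32
Slot 1 (0x1): Nitrokey Nitrokey Pro (0000000000001) 01 00
  token label        : OpenPGP card (User PIN)
  token manufacturer : ZeitControl
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 2.1
  firmware version   : 2.1
  serial num         : 000500009999
  pin min/max        : 6/32
"""

SLOT_RE = re.compile(r"^Slot (\d+) \(0x[0-9a-fA-F]+\): (.*)$")
FIELD_RE = re.compile(r"^\s+([a-z /]+?)\s*:\s*(.*)$")


def list_token_slots(module: str = PKCS11_MODULE) -> str:
    """Run pkcs11-tool against the real module; raises if OpenSC is absent."""
    out = subprocess.run(["pkcs11-tool", "--module", module, "--list-token-slots"],
                         capture_output=True, text=True, check=True)
    return out.stdout


def parse_token_slots(listing: str) -> List[Dict[str, str]]:
    """Turn the slot listing into one dict per slot (keys are the field names,
    e.g. 'serial num', plus 'slot' and 'reader')."""
    slots: List[Dict[str, str]] = []
    for line in listing.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slots.append({"slot": m.group(1), "reader": m.group(2).strip()})
            continue
        m = FIELD_RE.match(line)
        if m and slots:
            slots[-1][m.group(1).strip()] = m.group(2).strip()
    return slots


def assign_tokens(slots: List[Dict[str, str]],
                  table: Dict[str, str]) -> Dict[str, Dict[str, str]]:
    """Map each enrolled card to its owner. Cards with an unknown serial are
    skipped silently; two enrolled cards for one user is an error rather than
    a guess, because the daemon would not know which PIN/key to use."""
    owned: Dict[str, Dict[str, str]] = {}
    for slot in slots:
        user = table.get(slot.get("serial num", ""))
        if user is None:
            continue
        if user in owned:
            raise ValueError(f"more than one enrolled card present for {user}")
        owned[user] = slot
    return owned


def sshfs_command(user: str, host: str, remote_dir: str, mountpoint: str,
                  module: str = PKCS11_MODULE) -> List[str]:
    """Mount the user's SFTP share as that user (so the FUSE mount is theirs),
    telling ssh to take its identity from the card through the PKCS#11 module.
    The PIN prompt still has to be answered (e.g. via SSH_ASKPASS); this code
    only guarantees it is asked for the right card."""
    ssh_cmd = f"ssh -I {shlex.quote(module)}"
    return ["runuser", "-u", user, "--", "sshfs",
            "-o", f"ssh_command={ssh_cmd}",
            f"{user}@{host}:{remote_dir}", mountpoint]


if __name__ == "__main__":
    try:
        listing = list_token_slots()
    except (OSError, subprocess.CalledProcessError):
        listing = SAMPLE_LISTING  # no OpenSC/card here: use the constructed sample
    for user, slot in assign_tokens(parse_token_slots(listing), SERIAL_TO_USER).items():
        print(user, "-> slot", slot["slot"], "serial", slot["serial num"])
        print(" ", shlex.join(sshfs_command(user, "files.example.net", "/srv/share",
                                            f"/run/share/{user}")))
```

Note that `ssh -I` offers every key from every card the module sees, not only the selected one; the serial check is what stops the daemon from ever sending a PIN to an unenrolled card, and a udev rule keyed on the same serial can additionally restrict which seat or user may open the device at all.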