Simplest way to store private SSH (RSA) Keys on NK3?

The documentation for setting up SSH shows how to create / id_ecdsa_sk public/private pairs.

This works well when id_ecdsa_sk is supported, unfortunately it doesn’t work if you have to connect to older servers, and some sites (bitbucket, gitea’s tea command for e.g.) still don’t support id_ecdsa_sk

So I would like to be able to store an SSH key (RSA) on the nitrokey.

I’ve looked into smart-card support, and spent quite some time to get this working on arch linux, but uploading the key always gave an obscure error.

(in case it helps, running firmware 1.5.0).

$ p11tool \
  --admin-login \
  --generate-privkey rsa \
  --bits 1024 \
  --label "MySSH" \

Error in pkcs11_generate:1434: PKCS #11 error in token

And this:

$ pkcs11-tool \
  --module /usr/lib/ \
  -l \
  --pin 654321 \
  --keypairgen \
  --key-type rsa:1024 \
  --id 0

Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)

However I’m wondering if this is even the most straightforward way of storing SSH-RSA keys.

I saw something about GPG being able to store SSH keys too, are there steps to use SSH-RSA keys on NK3 or some general advice on storing existing SSH keys on the NK3?

Update: this worked for me:

pkcs11-tool --login-type so --pin 12345678 --so-pin 12345678 -k --key-type RSA:2048 --slot 0

Although I’m still not sure how to access the generated keys via SSH.

Update: I suspect ArchLinux has some breakage caused by openssl compatibility, compiling OPENSC from source resolves one error but shows another. So I might try OPENSC on a more stable distribution and see if it can be made to work.

According to This wiki page you can use the keys stored via PKCS11 like this :

ssh -I /usr/lib/ user@host

It will try to use every compatible key on the NK3.

To list the public keys you can do :

ssh-keygen -D /usr/lib/ -e

I haven’t tested it with the NK3 but it works with another PKCS11 provider.

I hope it helps :slight_smile: