The documentation for setting up SSH shows how to create id_ecdsa_sk.pub / id_ecdsa_sk public/private pairs.
This works well when id_ecdsa_sk is supported; unfortunately, it doesn’t work if you have to connect to older servers, and some sites (Bitbucket, Gitea’s tea command, for example) still don’t support id_ecdsa_sk.
So I would like to be able to store an SSH key (RSA) on the Nitrokey.
I’ve looked into smart-card support, and spent quite some time to get this working on Arch Linux, but uploading the key always gave an obscure error.
(In case it helps, I’m running firmware 1.5.0.)
$ p11tool \
--admin-login \
--generate-privkey rsa \
--bits 1024 \
--label "MySSH" \
"pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=Default%20Trust"
Error in pkcs11_generate:1434: PKCS #11 error in token
And this:
$ pkcs11-tool \
--module /usr/lib/opensc-pkcs11.so \
-l \
--pin 654321 \
--keypairgen \
--key-type rsa:1024 \
--id 0
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.
However, I’m wondering if this is even the most straightforward way of storing SSH-RSA keys.
I saw something about GPG being able to store SSH keys too. Are there steps to use SSH-RSA keys on the NK3, or some general advice on storing existing SSH keys on the NK3?