Hi,
I’m having some issues with ssh -I. When I use the Gemalto smartcard, I can get access to the authentication key.
$ ssh -I opensc-pkcs11.so $HOST
Enter PIN for 'User PIN (OpenPGP card)':
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic i686)
When I use the nitro card, it fails:
$ ssh -I opensc-pkcs11.so $HOST
Enter PIN for 'User PIN (OpenPGP card)':
C_Login failed: 164
sign_and_send_pubkey: signing failed: error in libcrypto
no such identity: /home/yah/.ssh/id_ecdsa: No such file or directory
no such identity: /home/yah/.ssh/id_ed25519: No such file or directory
no such identity: /home/yah/.ssh/id_xmss: No such file or directory
I can see the nitrocard and the authentication subkey:
$ gpg --card-status |head
Reader ...........: Nitrokey Nitrokey Pro (00000000000000000000629F) 00 00
Application ID ...: D27600012401030300050000629F0000
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 0000629F
$ cat /tmp/t3
ssh-rsa ..
...
URY/yWYoE2Q/ZjSAWH8yeyjxxNAF/X34VvD5xU+ooalEqBFIp5G0n Authentication key
[yah@kermit ~]$ ssh-keygen -l -f /tmp/t3
2048 SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs Authentication key (RSA)
But when I use ssh -I, it fails:
$ ssh -I opensc-pkcs11.so $HOST -vvv
OpenSSH_7.7p1, OpenSSL 1.1.0h 27 Mar 2018
debug1: Reading configuration data xxxxxxxx
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname xxxx is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxxxxx port 22.
debug1: Connection established.
debug1: provider opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.18
debug1: provider opensc-pkcs11.so slot 0: label <User PIN (OpenPGP card)> manufacturerID <ZeitControl> model <PKCS#15 emulate> serial <00050000629f> flags 0x4040d
debug1: have 1 keys
debug1: have 2 keys
debug1: provider opensc-pkcs11.so slot 1: label <User PIN (sig) (OpenPGP card)> manufacturerID <ZeitControl> model <PKCS#15 emulate> serial <00050000629f> flags 0x4040d
debug1: have 3 keys
...
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: RSA SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs opensc-pkcs11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs
debug3: sign_and_send_pubkey: RSA SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs
Enter PIN for 'User PIN (OpenPGP card)':
C_Login failed: 164
sign_and_send_pubkey: signing failed: error in libcrypto
The client uses the right key, +JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs, so there should not be any issues.
I’m using Arch Linux. Thanks,
yah