How do I configure SSH to use Purism's OpenPGP Smart Card?

Hello everyone,

Is it possible to configure SSH to utilize Purism’s OpenPGP Smart Card?

Thank you all so much for any help!


For SSH client or for SSH server (in either case from the perspective of the Librem 5)?

In any case, it seems like a fair question.


In my instance, I want to be able to utilize the smart card to connect to another device using SSH.


This is from my collected hints and tricks for using the L5, topic #52 says:

52 Using the OpenPGP card for outbound SSH

   Export the SSH pub key from the card with

   $ gpg --export-ssh-key guru > export-ssh-key-guru.pub

   and add it on the remote server(s) to ~/.ssh/authorized_keys

   To use the RSA key directly from the OpenPGP card, i.e. the PIN
   is used to connect by SSH to the remote server, we set in ~/.bashrc:

   # for GnuPG
   #
   export GNUPGHOME=/home/purism/.gnupg
   export GPG_TTY=$(tty)

   # for SSH using the private key from the OpenPGP card:
   # point the SSH client at gpg-agent's SSH socket instead of ssh-agent
   #
   export SSH_AUTH_SOCK="$(gpgconf --list-dirs agent-ssh-socket)"
   # personal shorthand for the remote login, not part of the GnuPG setup
   export ua=ftp51246-2575596@www.unixarea.de
   # tell the gpg-agent our current GPG_TTY (so pinentry opens on this terminal)
   gpg-connect-agent updatestartuptty /bye
   #
   # end of mods for GnuPG

   ATTENTION: Do not login twice at the same time into the L5 because a pinentry
   dialog will appear in the second session and its shell will fight with
   the pinentry for the chars keyed in.

   To ensure that the card is locked again after unlocking it with the PIN
   and authenticating, we have a modification in /etc/ssh/ssh_config and
   in ~/.ssh/config:

   Host *
        # note: this needs in /etc/ssh/ssh_config:  PermitLocalCommand yes
        # (runs on the L5 after the connection is up; reloading scdaemon
        # drops the cached PIN so the card is locked again)
        LocalCommand gpgconf --reload scdaemon

   As a test, the following command should ask for the PIN and log in:

   purism@pureos:~$ ssh xxxxxxxxxxxxxxxx@www.unixarea.de
   You have new mail.
   Last login: Fri May 17 18:20:08 2024 from 62.216.210.229
   unixarea
   Sat May 18 14:28:23 CEST 2024
   xxxxxxxxxxxxxxxx@sh4-5:~$

   The /usr/bin/scp sets PermitLocalCommand=no and so ignores the above
   LocalCommand. I've compiled Debian's openssh_8.4p1.orig.tar.gz
   with

   $ cd openssh-8.4p1/
   $ ./configure --prefix /usr
   $ make

   and copied ~/openssh-8.4p1/scp to /usr/bin/scp

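An added check script for the setup in the post above (it is not from the post or from Purism): it verifies that SSH_AUTH_SOCK is gpg-agent's socket, that the agent offers a card-backed key, and that the re-locking LocalCommand is actually in effect. It assumes gpg-agent labels card keys in `ssh-add -L` output with a `cardno:` comment and `gpg --export-ssh-key` with an `openpgp:` comment.

```shell
#!/bin/sh
# Checks for gpg-agent as SSH agent with an OpenPGP card: text helpers first
# (usable offline), live checks on the L5 at the end.

# 0 when the ssh_config text turns PermitLocalCommand on (needed for LocalCommand).
permit_local_command_enabled() {
    printf '%s\n' "$1" | grep -Eiq '^[[:space:]]*PermitLocalCommand[[:space:]]+yes'
}

# 0 when the config text carries the LocalCommand that re-locks the card.
has_scdaemon_reload() {
    printf '%s\n' "$1" | grep -Eq '^[[:space:]]*LocalCommand[[:space:]]+gpgconf[[:space:]]+--reload[[:space:]]+scdaemon'
}

# 0 when SSH_AUTH_SOCK ($1) is exactly the gpg-agent ssh socket path ($2).
sock_is_gpg_agent() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Number of keys in `ssh-add -L` output that are card-backed
# (assumption: gpg-agent comments such keys with "cardno:<serial>").
count_card_keys() {
    printf '%s\n' "$1" | grep -c ' cardno:' || true
}

# 0 when two public-key lines carry the same type and key material, ignoring
# the comment (gpg --export-ssh-key and ssh-add -L write different comments).
same_key() {
    a=$(printf '%s\n' "$1" | awk '{print $1, $2}')
    b=$(printf '%s\n' "$2" | awk '{print $1, $2}')
    [ -n "$a" ] && [ "$a" = "$b" ]
}

# Live checks on the L5 itself: run as `sh check-card-ssh.sh --live`.
live_check() {
    sock=$(gpgconf --list-dirs agent-ssh-socket)
    sock_is_gpg_agent "${SSH_AUTH_SOCK:-}" "$sock" \
        || { echo "FAIL: SSH_AUTH_SOCK is not the gpg-agent socket $sock"; return 1; }
    keys=$(ssh-add -L 2>/dev/null || true)
    [ "$(count_card_keys "$keys")" -gt 0 ] \
        || { echo "FAIL: agent offers no card-backed key (card inserted? GPG_TTY set?)"; return 1; }
    cfg=$(cat /etc/ssh/ssh_config "$HOME/.ssh/config" 2>/dev/null || true)
    permit_local_command_enabled "$cfg" \
        || echo "WARN: PermitLocalCommand is not yes, so LocalCommand is ignored"
    has_scdaemon_reload "$cfg" \
        || echo "WARN: no 'LocalCommand gpgconf --reload scdaemon', card stays unlocked"
    echo "OK: gpg-agent is the SSH agent and offers a card-backed key"
}

if [ "${1:-}" = "--live" ]; then live_check; fi
```

Compare the line from export-ssh-key-guru.pub with the card line from `ssh-add -L` using same_key to confirm the server's authorized_keys entry matches what the agent will present.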