About two weeks ago I ordered a SmartCard reader and got it to work. It's really nifty and I now use I use my Fellowship OpenPGP/member card to sign (and encrypt) my e-mail and log via SSH.

Flameeyes has already reported how he got his working under Gentoo and in short my installation just partially deviates from it, but I'll add more how to chose and use it as well.

First things first – getting your hardware. You can safely skip the next paragraph and just pick one from this list.

In Slovenia we're not that hot on SmartCards, so anything else then ActivIdentity is pretty hard to get and for my taste those are too clunky. So what I did was call up the local importer Crea and was completely taken aback by the treatment I got! I know this sounds like an advertisement, but it's not. It's just that rarely never have I met such a competent and friendly service. Not only do they know about GNU/Linux, they test every model they sell on it as well, e-mailed me a bunch of useful links and even suggested a solution that I didn't think of before. This was a trully nice experience :]

Now that we got the HW it's time to set up the system. In my case I had GnuPG already installed and emerged just pcsc-lite and ccid. You need GnuPG for the obvious reason of handling the GPG/PGP keys and while it is reported that many OpenPGP card readers should work with pure GnuPG, for me this didn't prove the case. What I needed to do is to get PCSC-Lite middleware and the CCID driver. Note: USE="pcsc-lite" pulls in the ebuild for sys-apps/pcsc-lite, but you still need to emerge app-crypt/ccid yourself.

So here's the list of the ebuilds I used:

  • sys-apps/pcsc-lite-1.6.1 with USE="hal usb -static" (on HAL vs. USB flags: I have tried both and they both worked flawlessly)
  • app-crypt/gnupg-2.0.15 with USE="bzip2 ldap nls pcsc-lite smartcard -adns -caps -doc -openct -selinux -static" (if you set pcsc-lite Portage automatically pulls in sys-apps/pcsc-lite as a dependancy; no idea why there isn't a flag to do the same for app-crypt/ccid though)
  • app-crypt/ccid-1.3.13-r1(because 1.3.11 doesn't compile) with USE="usb -twinserial"

Note that I had to pull in CCID from the testing branch because the stable didn't manage to compile, the other two are from stable branch. (Update: app-crypt/ccid-1.3.13-r1 is now stable) Also the installation method on other distributions varies of course and the PC/SC middleware package has some other names as well.

The most delicate part of course is getting the key(s) on the card. Probably the best HOWTO resides on Fellowship Wiki – I've followed it with just a few alterations, namely:

  • take into account that you are using GnuPG 2.x, so you don't have to kill the agent while generating subkeys;
  • the HOWTO presumes you already have a few keys, so don't be confused if there's a key extra which you don't have (e.g. the already existing auth key);
  • adding an auth key to the OpenPGP card is not handled by the HOWTO and is done by the addcardkey command in the gpg --edit-key interface. Then when asked which kind of key, you just select Authentication key and you're almost set to log into SSH sessions with it!

If, as me (and Flameeyes), you get problems with gpg-agent and/or scdaemon not running (basically the most common problem), it's easily solved. In my case, I (for KDE4) edited the ~/.kde4/env/gpg-agent-startup.sh file to include this loop:

if [ -x /usr/bin/gpg-agent ]; then
    eval "$(/usr/bin/gpg-agent --daemon --enable-ssh-support)"

The good bit about it is that it works flawlessly throughout KDE and the whole X session – KMail, Dolphin, Kopete, etc. etc.; the caveat though is that if I want to use OpenPGP in a pure TTY (≠ terminal emulator) at the same time I have to kill gpg-agent and run that loop by hand in that TTY. If you happen to mix X with TTY often, you should try Flameeyes' solution with a wrapper. Our methods differ because one's better for one scenario and the other for another – chose whichever suits you better.

As a final treat – authenticating SSH sessions (i.e. logging via SSH with just your OpenPGP card), which is a most cool thing indeed, I followed Greve's instructions, which basically boil down to:

  1. make sure you have created the authentication key on the OpenPGP card as explained above. To check that it's working run gpg --card-status and ssh-add -l and see if the Serial number of the first output matches with cardno. of the second;
  2. run ssh-add -L to see the SSH public key(s) and copy the one which states the (right) cardno. entry;
  3. log onto the server you wish to authenticate to with OpenPGP and paste the SSH public key into ~/.ssh/authorized_keys and there you are!
  4. now log off the server and the next time you SSH to that server you'll be using your OpenPGP key and should at most be asked for your PIN.

This trick with OpenPGP authentication works also with Git over SSH, as e.g. used by Gitorious.

Big help provided by: bremner and others on #GnuPG; ph3-der-loewe, jhelwig and jg71 on #FSFEurope; thiago and rdieter on #KDE and last but not least Flameeyes on his blog and via XMPP.

Flameeyes and me have already decided to update the Fellowship Wiki Card HOWTOs on this matter, but we've still to find time for it.

hook out → sipping Ceylon Vanilla Bourbon tea and either hacking on moo-cow or studying …will see

Related Posts