Staf Wagemakers

Hi, I’m staf…

Protecting your SSH keys with SmartCard-HSM

3 minute read

I use a yubi key for my ssh authentication. But I’ve other ssh keys for my remote services so wanted something that allows me to take a backup of my keys see this post for more information on to backup/restore a SmartCard-HSM

Create your first ssh keypair

Verify your smartcard connection

Insert you smartcard and verify the connection, see my previous post if you need more information about the smartcard initialization

[staf@vicky ~]$ pkcs11-tool -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): Generic Smart Card Reader Interface [Smart Card Reader Interface
  token label        : SmartCard-HSM (UserPIN)
  token manufacturer : www.CardContact.de
  token model        : PKCS#15 emulated
  token flags        : rng, login required, PIN initialized, token initialized
  hardware version   : 24.13
  firmware version   : 1.2
  serial num         : DECM0102331
[staf@vicky ~]$

Create your keypair

Create your ssh key pair and give the a meaningful label

[staf@vicky ~]$ pkcs11-tool --slot 1 --keypairgen --key-type rsa:2048 --label my_ssh_key --login
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN: 
Key pair generated:
Private Key Object; RSA 
  label:      my_ssh_key
  ID:         fca6240eeef8d3156f0c4dfc591b2d938d6104cb
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      my_ssh_key
  ID:         fca6240eeef8d3156f0c4dfc591b2d938d6104cb
  Usage:      encrypt, verify, wrap
[staf@vicky ~]$

Extract your public key

We used PKCS11 to generate the keypair, PKCS15 is designed identify users to applications.

Dump the token content

Dump the token content to get the id of your ssh keypair.

[staf@vicky ~]$ pkcs15-tool -D
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
PKCS#15 Card [SmartCard-HSM]:
        Version        : 0
        Serial number  : DECM0102331
        Manufacturer ID: www.CardContact.de
        Flags          : 

PIN [UserPIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x81A], local, unblock-disabled, initialized, exchangeRefData
        Length         : min_len:6, max_len:15, stored_len:0
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Tries left     : 3

PIN [SOPIN]
        Object Flags   : [0x1], private
        ID             : 02
        Flags          : [0x9E], local, change-disabled, unblock-disabled, initialized, soPin
        Length         : min_len:16, max_len:16, stored_len:0
        Pad char       : 0x00
        Reference      : 136 (0x88)
        Type           : bcd
        Tries left     : 3

Private EC Key [myfirst_keypair]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x10C], sign, signRecover, derive
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        FieldLength    : 256
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : e82b0601040181c31f0201::
        Auth ID        : 01
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        MD:guid        : {efac9b29-2289-658c-98d1-af5af965d484}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Private RSA Key [my_ssh_key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 2 (0x2)
        Native         : yes
        Path           : e82b0601040181c31f0201::
        Auth ID        : 01
        ID             : fca6240eeef8d3156f0c4dfc591b2d938d6104cb
        MD:guid        : {a272b2ad-ff6f-606c-801a-4153be498018}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Public EC Key [myfirst_keypair]
        Object Flags   : [0x0]
        Usage          : [0x0]
        Access Flags   : [0x2], extract
        FieldLength    : 256
        Key ref        : 0 (0x0)
        Native         : no
        ID             : ae79417e809ed19b9a69d4c14f444462ad0bd66c
        DirectValue    : <present>

Public RSA Key [my_ssh_key]
        Object Flags   : [0x0]
        Usage          : [0x0]
        Access Flags   : [0x2], extract
        ModLength      : 2048
        Key ref        : 0 (0x0)
        Native         : no
        ID             : fca6240eeef8d3156f0c4dfc591b2d938d6104cb
        DirectValue    : <present>

[staf@vicky ~]$

Get the public key

[staf@vicky ~]$ pkcs15-tool --read-ssh-key fca6240eeef8d3156f0c4dfc591b2d938d6104cb
Using reader with a card: Generic Smart Card Reader Interface [Smart Card Reader Interface] (20070818000000000) 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCWShfPjqh+pU8lCoIhXIXh+cGpSem1iNFH6TuluQQLPiqPIeObCTfqC8q9TjR/2FYzG+3ECdiRr0fiywE9OnzUgJI5oOjXfMwY3xE1PbYBrSvYERofhkEv2ejlyRifN3sbLGSU0V7pX+BNOuiJCquCehPMV9+ehkjbk9hPRFUzL1GywsOkmWUoIzrdjH0dlhPX3TUCdoizWAIdUqg+RX4DCEc52RvaGdX4Tn2THxeffXqFJ/gKkParZSLmOND1iRhtJeJ8CmgAqfD8ReshbcSs231h/QvUl3JaThcrLbPrSQFzVUH+rN+pGlSl722NWyPNPWlwwE+SreTLbQRoWayN my_ssh_key
[staf@vicky ~]$

Configure the remote host

Add the key to the remote host

staf@vicky .ssh]$ vi authorized_keys 
[staf@vicky .ssh]$

Test the connection

Test you ssh connection with the PKCS11 interface:

[staf@vicky ~]$ ssh localhost
Permission denied (publickey,gssapi-keyex,gssapi-with-mic).

With the PKCS11 interface enabled:

[staf@vicky ~]$ ssh -o "PKCS11Provider opensc-pkcs11.so" localhost
C_GetAttributeValue failed: 18
Enter PIN for 'SmartCard-HSM (UserPIN)': 
Last login: Thu Dec  3 09:55:23 2015 from ::1
gpg-agent[17327]: enabled debug flags: command cache ipc
gpg-agent: a gpg-agent is already running - not starting a new one
gpg-agent: secmem usage: 0/32768 bytes in 0 blocks
[staf@vicky ~]$

Update your ssh_config

Add PKCS11Provider opensc-pkcs11.so to your ~/.ssh/config or your global ssh_config

staf@vicky ~]$ cd .ssh/
[staf@vicky .ssh]$ vim config
PKCS11Provider opensc-pkcs11.so
[staf@vicky .ssh]$

** Have fun … **

Leave a comment

You may also enjoy

Using OpenTofu/Terraform to create a disposable Tails virtual machine

1 minute read

OpenTofu

OpenTofu

Terraform or OpenTofu (the open-source fork supported by the Linux Foundation) is a nice tool to setup the infrastructure on different cloud environments. There is also a provider that supports libvirt.

If you want to get started with OpenTofu there is a free training available from the Linux foundation:

I also joined the talk about OpenTofu and Infrastructure As Code, in general, this year in the Virtualization and Cloud Infrastructure DEV Room at FOSDEM this year:

Read more...

Lookat 2.1.0rc1 released

less than 1 minute read

lookat 2.1.0rc1

Lookat 2.1.0rc1 is the latest development release of Lookat/Bekijk, a user-friendly Unix file browser/viewer that supports colored man pages.

The focus of the 2.1.0 release is to add ANSI Color support.


 

News

8 Jun 2025 Lookat 2.1.0rc1 Released

Lookat 2.1.0rc1 is the first release candicate of Lookat 2.1.0

ChangeLog

Lookat / Bekijk 2.1.0rc1
  • ANSI Color support

Read more...

#eXit : Goodbye twitter. Hi Mastodon…

less than 1 minute read

Plushtodon

I decided to leave twitter.
 
Yes, this has something to do with the change of ownership, the name change to x, …
 
There is only 1 X to me, and that’s X.org

Twitter has become a platform that doesn’t value #freedomofspeech anymore.

My account even got flagged as possible spam to “factchecking” #fakenews

The mean reason is that there is a better alternative in the form of the Fediverse #Fediverse is the protocol that Mastodon uses.

It allows for a truly decentralised social media platform.

It allows organizations to set up their own Mastodon instance and take ownership and accountability for their content and accounts.

Mastodon is a nice platform; you probably feel at home there.

People who follow me on twitter can continue to follow me at Mastodon if they want.

https://mastodon.social/@stafwag

I’ll post this message a couple of times to twitter before I close my twitter account, so people can decide if they want to follow me on Mastodon …or not ;-).

Have fun!

Read more...

docker-stafwag-unbound v2.1.0 released: Use unbound as an DNS-over-TLS resolver and authoritative DNS server

4 minute read

Unbound

Unbound is a popular DNS resolver, that has native DNS-over-TLS support.
 

Unbound and Stubby were among the first resolvers to implement DNS-over-TLS.

I wrote a few blog posts on how to use Stubby on GNU/Linux and FreeBSD.

The implementation status of DNS-over-TLS and other DNS privacy options is available at: https://dnsprivacy.org/.

See https://dnsprivacy.org/implementation_status/ for more details.

It’s less known that it can also be used as authoritative DNS server (aka a real DNS server). Since I discovered this feature and Unbound got native DNS-over-TLS support I started to it as my DNS server.

I created a docker container for it a couple of years back to use it as an authoritative DNS server.

I recently updated the container, the latest version (2.1.0) is available at: https://github.com/stafwag/docker-stafwag-unbound

ChangeLog

Version 2.1.0

Upgrade to debian:bookworm

  • Updated BASE_IMAGE to debian:bookworm
  • Add ARG DEBIAN_FRONTEND=noninteractive
  • Run unbound-control-setup to generate the default certificate
  • Documentation updated

Read more...