We will use toolbox to build pivy-tool in a Fedora container. Therefore the build should work in any OS where toolbox is available, including OpenSUSE, Arch and of course Fedora.
We have to run the built binary on the host OS, though, because we need the PC/SC Smart Card Daemon running.
Make sure your Nitrokey has firmware that supports PIV. At the time of writing you have to install the test firmware for Nitrokey 3.
Install the latest test firmware.
Adapt the following for your OS. Mainly you have to install toolbox and the PC/SC Smart Card Daemon we need later.
```
# On Fedora (except Silverblue, where toolbox is installed by default)
yum install toolbox pcsc-lite libbsd opensc

# On OpenSUSE
zypper install toolbox pcsc-lite libbsd opensc

# Create the toolbox
# On Fedora you can leave out the image
toolbox create -t pivy --image quay.io/toolbx-images/fedora-toolbox:39
toolbox enter <toolbox-name-from-previous-cmd>
```
The following commands are now run within the toolbox. If you have not set the
```
# Install requirements
sudo yum install pcsc-lite-devel libbsd-devel libedit-devel

# Clone the pivy-tool repo. Do this somewhere in your home directory to make
# it available outside of the toolbox
git clone https://github.com/arekinath/pivy

# Build pivy-tool
cd pivy
make
```
Enter the pivy repository on your host machine. Make sure you check for any missing libraries and install them.
```
cd <pivy repo>
ldd ./pivy-tool
# Look for any missing libraries and install them.

# Generate key
# The output of this command is your public key.
./pivy-tool -a eccp256 generate 9A
```
Now drop the public key in
~/.ssh/authorized_keys
and make sure you have the correct permissions set.
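One way to do this step and verify the result, as an added example that is not from the original page: with sshd's default StrictModes setting, authorized_keys is ignored when the file or ~/.ssh is writable by group or others. It assumes the eccp256 public key is a single OpenSSH-format ecdsa-sha2-nistp256 line; install_pubkey, not_group_world_writable and SAMPLE_KEY are names made up for this example.

```shell
#!/bin/sh
# Added example: install a public key line idempotently with strict permissions.

# Constructed sample key line (not a real key), for trying the function out.
SAMPLE_KEY='ecdsa-sha2-nistp256 AAAACONSTRUCTEDSAMPLEKEY constructed-sample'

# Return 0 only if PATH exists and is not writable by group or others.
not_group_world_writable() {
    [ -e "$1" ] || return 1
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 1 ;;   # group-write or other-write bit set
    esac
    return 0
}

# install_pubkey KEY_LINE [SSH_DIR]   (SSH_DIR defaults to ~/.ssh)
install_pubkey() {
    key=$1
    ssh_dir=${2:-"$HOME/.ssh"}
    auth="$ssh_dir/authorized_keys"
    nl='
'
    # Refuse multi-line input so nothing extra is smuggled into the file.
    case "$key" in *"$nl"*) echo "key must be one line" >&2; return 2 ;; esac
    # Assumption: an eccp256 key appears as an ecdsa-sha2-nistp256 line.
    case "$key" in
        "ecdsa-sha2-nistp256 "*) ;;
        *) echo "unexpected key type" >&2; return 2 ;;
    esac

    # Create directory and file private from the start, then pin the modes.
    ( umask 077; mkdir -p "$ssh_dir" && touch "$auth" ) || return 1
    chmod 700 "$ssh_dir" && chmod 600 "$auth" || return 1

    # Append only when this exact line is not already present.
    grep -qxF -- "$key" "$auth" || printf '%s\n' "$key" >> "$auth"

    not_group_world_writable "$ssh_dir" && not_group_world_writable "$auth"
}
```

Run it on the machine you want to log in to, for example `install_pubkey "$(cat nitrokey.pub)"`, where nitrokey.pub is a hypothetical file holding the output of the generate command.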
Specify the OpenSC PKCS#11 library when connecting:
```
ssh -I /usr/lib64/opensc-pkcs11.so ssh-host.example.com
```