Posted on Wed 01 April 2020
In General questions.
tags: setup ssh openpgp pgp smartcard
A somewhat more secure way to log in to a remote server with ssh: use an ST-Link v2 (clone) as an OpenPGP smartcard running the Gnuk firmware, so the private key lives on the token instead of in ~/.ssh.
Based on these great articles: article1, article2
Prepare the system for PGP usage (the original list installed several packages twice; this is the same set deduplicated; monkeysphere provides the pem2openpgp tool and secure-delete the srm wiper used further down):
sudo apt update
sudo apt install -y wget gnupg2 gnupg-agent dirmngr cryptsetup scdaemon pcscd secure-delete hopenpgp-tools yubikey-personalization
sudo apt install -y opensc opensc-pkcs11 libccid monkeysphere paperkey haveged pinentry-curses libksba8 libpth20
Prepare the system for the firmware compilation (ARM cross toolchain plus OpenOCD for flashing over SWD):
sudo apt install -y gcc-arm-none-eabi libnewlib-arm-none-eabi openocd
Get and compile the firmware (Gnuk 1.x). OpenOCD's stock stm32f1x.cfg expects the SW-DP IDCODE 0x1ba01477 of a genuine STM32F103, but the CKS32F103 used in ST-Link v2 clones reports 0x2ba01477, so OpenOCD refuses to connect ("UNEXPECTED idcode") unless the target config is patched. Make a copy with the clone's ID and check afterwards (grep _CPUTAPID) that the sed actually changed it, because a non-matching pattern fails silently:
sudo cp /usr/share/openocd/scripts/target/stm32f1x.cfg /usr/share/openocd/scripts/target/cks32f1x.cfg
sudo sed -i 's/0x1ba01477/0x2ba01477/' /usr/share/openocd/scripts/target/cks32f1x.cfg
Check out the 1.0 stable branch before initialising submodules so they match the branch, then build. 234b:0000 is the FSIJ vendor/product ID Gnuk uses for self-built tokens; --enable-keygen allows on-device key generation. The configure script defaults to its FST-01 board target, so check ./configure --help for the --target value matching your dongle:
git clone https://salsa.debian.org/gnuk-team/gnuk/gnuk.git
cd gnuk/
git checkout STABLE-BRANCH-1-0
git submodule update --init
cd src
./configure --vidpid="234b:0000" --enable-keygen
make
Flash the firmware to the device. stm32f1x unlock 0 clears any read-out protection already set on the chip (needed if the stock ST-Link firmware left it locked) and mass-erases flash as a side effect; program then writes, verifies and resets. The Gnuk build leaves the image in build/ under src/, so from src/:
openocd -f interface/stlink-v2.cfg -f target/cks32f1x.cfg -c 'init; reset init; stm32f1x unlock 0; program build/gnuk.elf verify reset exit'
Lock the device memory. Setting read-out protection (RDP) stops the key material being dumped back over SWD; it takes effect after the reset, and any later re-flash needs unlock 0 again, which erases everything on the chip including the keys. Keep in mind that RDP on an F1-class part, let alone a clone, is a deterrent against casual readout rather than tamper resistance, so treat the token accordingly:
openocd -f interface/stlink-v2.cfg -f target/cks32f1x.cfg -c init -c "reset halt" -c "stm32f1x lock 0" -c reset -c exit
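Added example, not part of the original post: the OpenOCD config, flash and lock steps above wrapped as shell functions so the TAP-ID substitution is verified instead of assumed, and the ELF path is checked before OpenOCD is started. It assumes Debian's OpenOCD script layout (/usr/share/openocd/scripts) and that it is run from gnuk/src after make; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: the OpenOCD preparation,
# flash and lock steps as checked shell functions. Assumes Debian's
# OpenOCD script layout and that it runs from gnuk/src after make;
# function names are this example's own.
set -eu

SCRIPTS=/usr/share/openocd/scripts
STM32_TAPID=0x1ba01477   # SW-DP IDCODE of a genuine STM32F103
CKS32_TAPID=0x2ba01477   # SW-DP IDCODE reported by the CKS32F103 clone

# Copy OpenOCD's stm32f1x.cfg to a cks32 variant with the clone's TAP ID.
# Fails, instead of silently leaving an unchanged copy, when the source
# cfg does not contain the expected ID (e.g. a differently laid out cfg).
make_cks32_cfg() {
    src="$1"; dst="$2"
    sed "s/${STM32_TAPID}/${CKS32_TAPID}/" "$src" > "$dst"
    if ! grep -q "set _CPUTAPID ${CKS32_TAPID}" "$dst"; then
        echo "TAP ID ${STM32_TAPID} not found in $src; nothing substituted" >&2
        rm -f "$dst"
        return 1
    fi
}

# Print the TAP ID a target cfg will use for the SWD connection
# (stm32f1x.cfg sets the JTAG ID first and the SWD ID last).
cfg_tapid() {
    grep -oE 'set _CPUTAPID 0x[0-9a-fA-F]+' "$1" | tail -n 1 | awk '{print $3}'
}

# unlock 0 clears read-out protection (mass-erasing flash) so a locked
# clone can be written; program writes, verifies and resets the chip.
flash_gnuk() {
    elf="${1:-build/gnuk.elf}"
    [ -f "$elf" ] || { echo "$elf missing: run make first" >&2; return 1; }
    openocd -f interface/stlink-v2.cfg -f target/cks32f1x.cfg \
        -c "init; reset init; stm32f1x unlock 0; program $elf verify reset exit"
}

# lock 0 sets read-out protection so the key cannot be dumped over SWD.
# It takes effect after the reset; re-flashing later needs unlock 0
# again, which erases the key along with everything else.
lock_gnuk() {
    openocd -f interface/stlink-v2.cfg -f target/cks32f1x.cfg \
        -c init -c "reset halt" -c "stm32f1x lock 0" -c reset -c exit
}

# Usage: sudo ./gnuk-flash.sh cfg   (writes the cks32f1x.cfg copy)
#        ./gnuk-flash.sh flash [elf]
#        ./gnuk-flash.sh lock
case "${1:-}" in
    cfg)   make_cks32_cfg "$SCRIPTS/target/stm32f1x.cfg" "$SCRIPTS/target/cks32f1x.cfg" ;;
    flash) flash_gnuk "${2:-build/gnuk.elf}" ;;
    lock)  lock_gnuk ;;
    *)     echo "usage: $0 cfg|flash [elf]|lock" >&2 ;;
esac
```

The cfg step is the one worth automating: a mismatched pattern in the sed leaves the file untouched and OpenOCD keeps failing with the original IDCODE, which is easy to misread as a wiring or driver problem.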
Generate the key on the device. admin enables the admin commands; a fresh token uses the OpenPGP card defaults (user PIN 123456, Admin PIN 12345678), so change both before trusting it:
gpg --card-edit
gpg/card> admin
gpg/card> generate
On-device RSA generation takes a long time on this MCU, so alternatively import an existing ssh RSA key into GnuPG. ssh-keygen -p rewrites the key in place: -m pem selects the PKCS#1 PEM encoding that pem2openpgp (from monkeysphere) expects, and -N "" removes the passphrase, so the working copy is an unencrypted private key and must be wiped (srm from secure-delete) as soon as the import is done:
cp id_rsa id_rsa.tmp
chmod 600 id_rsa.tmp
ssh-keygen -p -N "" -m pem -f id_rsa.tmp
pem2openpgp temporary_id < id_rsa.tmp | gpg --import
gpg -K
The key is now in the local keyring under the user ID temporary_id, which gpg -K lists. A key that sat on disk before being moved to the token is only as secret as the copies left behind, so once it has been transferred, wipe the original id_rsa as well.
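Added example, not the post's own script: the import above with the checks and cleanup a practitioner wants around it. It assumes ssh-keygen, pem2openpgp (monkeysphere) and gpg are installed and uses srm (secure-delete) when available; key_format, wipe_workdir and import_ssh_key are names chosen for this example.

```shell
#!/bin/sh
# Added example, not the post's own script: ssh-key import with checks
# and cleanup. Assumes ssh-keygen, pem2openpgp (monkeysphere) and gpg;
# srm (secure-delete) is optional. Function names are chosen here.
set -eu

# Classify a private key file by its armor header. pem2openpgp reads only
# the PKCS#1 "RSA PRIVATE KEY" form; keys written by current OpenSSH use
# the "OPENSSH PRIVATE KEY" container and must be converted first.
key_format() {
    case "$(head -n 1 "$1")" in
        '-----BEGIN RSA PRIVATE KEY-----')     echo pem-rsa ;;
        '-----BEGIN OPENSSH PRIVATE KEY-----') echo openssh ;;
        '-----BEGIN PRIVATE KEY-----')         echo pkcs8 ;;
        *)                                     echo unknown ;;
    esac
}

# Overwrite-then-remove a working directory, falling back to rm -rf when
# secure-delete is not installed.
wipe_workdir() {
    if command -v srm >/dev/null 2>&1; then srm -r "$1"; else rm -rf "$1"; fi
}

# Import ssh RSA private key $1 into GnuPG under user ID $2.
# The passphrase-less PEM copy only ever exists in a 0700 directory,
# under /dev/shm (RAM) when available, and is wiped on exit either way.
import_ssh_key() {
    key="$1"; uid="$2"
    case "$(ssh-keygen -l -f "$key")" in
        *'(RSA)') ;;
        *) echo "$key is not an RSA key; pem2openpgp handles RSA only" >&2; return 1 ;;
    esac
    base=/dev/shm; [ -d "$base" ] || base="${TMPDIR:-/tmp}"
    work=$(mktemp -d "$base/gnuk-import.XXXXXX")
    trap 'wipe_workdir "$work"' EXIT
    cp "$key" "$work/key.tmp"
    chmod 600 "$work/key.tmp"
    # -p rewrites the key in place: -m pem gives PKCS#1 PEM, -N "" drops
    # the passphrase (the current one is prompted for if there is one).
    ssh-keygen -p -N "" -m pem -f "$work/key.tmp"
    [ "$(key_format "$work/key.tmp")" = pem-rsa ] || {
        echo "conversion did not yield a PEM RSA key" >&2; return 1; }
    pem2openpgp "$uid" < "$work/key.tmp" | gpg --import
    gpg -K "$uid"
}

# Usage (interactive: prompts for the key's passphrase and modifies the
# GnuPG keyring, so it is not run automatically here):
#   import_ssh_key ~/.ssh/id_rsa temporary_id
```

The format check matters because a default OpenSSH key is written in the OPENSSH container, which pem2openpgp cannot parse; the -m pem rewrite is what makes the import work, and it is also the step that leaves an unencrypted key behind, hence the RAM-backed work directory and the wipe on exit.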