[Pcsclite-muscle] Directly using RSA key of a smartcard

Michael Conrad mike at nrdvana.net
Fri Jun 23 08:40:39 PDT 2023


On 6/23/23 07:57, David Woodhouse wrote:
> On Wed, 2023-06-21 at 13:08 -0400, Michael Conrad wrote:
>> Thanks, and if you want some stackexchange credit I have the question at
>>
>> https://unix.stackexchange.com/questions/749431/is-there-a-tool-that-can-perform-direct-rsa-decryption-with-a-yubikey
> I've just spotted from the preamble on your StackExchange question that
> what you asked about here isn't what you want to do at all :)
>
>> The use case I'm looking for is that I walk up to a headless server
>> and "unlock" it using a hardware key, where scripts on the server
>> recognize that I've plugged it in and automatically use it without a
>> pin or password or additional factors.
> I think you want http://opensc.github.io/pam_pkcs11/doc/pam_pkcs11.html
>
> Make your own CA for pam_pkcs11 to trust. Generate a key on the Yubikey
> and a corresponding cert signed with your CA. Configure pam_pkcs11
> accordingly.

I'm pretty sure PAM isn't what I want actually.  Remember its a 
*headless* server so the only logging in would be over SSH.  The point 
of the yubikey is to unlock a cache of secrets after machine reboot, by 
anyone holding the key, which is kept separate from the server.  So in 
other words, I could unlock it with passwords from remote, and (in a 
yet-unrealized future) it could be unlocked automatically by a key 
server if it passes some checks, but if I'm not around and the internet 
is down, I'd like anyone in the office to be able to grab the yubikey 
out of a physically locked drawer and unlock the server after a reboot 
simply by plugging it into a USB port and nothing else.  And, this 
"locking" is not just an auth check, it needs to guard against 
extracting data from physical theft of the server.  (but, we don't 
encrypt the entirety of the server because that's a different hassle.  
We just encrypt the sensitive parts.)  The AES key I would be decrypting 
would get passed to ZFS to unlock a sub-volume, and maybe also store 
some applications' keys to remote services if they aren't in the 
encrypted volume.  I have some other vague ideas for using this that 
would be nice not needing root permissions.

Basically, the thing that sent me on this quest was that ZFS only 
supports *one* unlock method (as opposed to LUKS that holds the AES key 
itself and allows you to unlock that AES key using a variety of methods 
that you can change after the fact, including yubikeys) and so I was 
trying to come up with some scripts that would do a similar thing as 
LUKS.  I started with gpg, but it brings a lot of extra baggage with it, 
and I was thinking "RSA is pretty basic, there must be a way to do this 
without all the extra certificate keyring baggage".  The end result of 
the scripting will be one command that says "encrypt this small secret 
with whatever key is plugged in right now" and a second script that says 
"can the key plugged in right now successfully decrypt my small 
secret".  The second one needs to run without any interactive steps 
because it will be called from a udev rule. Also, if people already have 
yubikeys that they use for other purposes, I'd like to use their 
existing RSA key rather than overwrite it.

I think the best lead so far is this example from PyCKS11: 
https://github.com/LudovicRousseau/PyKCS11/blob/master/samples/encrypt.py

(So far I haven't had much luck getting the python modules to work, or 
even getting half the yubikey software to work, and I might have to come 
back when I have more time)

Meanwhile, thanks everyone for all the advice!  This is way more than 
what I could find googling.

-Mike





More information about the pcsclite-muscle mailing list