Bug 535373 - Unable to use SmartCard with gnome-keyring for ssh
Status: RESOLVED FIXED
Product: gnome-keyring
Classification: Core
Component: general
Version: git master
Hardware: Other FreeBSD
Importance: Normal normal
Target Milestone: ---
Assigned To: GNOME keyring maintainer(s)
QA Contact: GNOME keyring maintainer(s)
Depends on: 775981
Blocks:
 
 
Reported: 2008-05-29 00:21 UTC by Kevin Oberman
Modified: 2018-03-10 08:46 UTC
See Also:
GNOME target: ---
GNOME version: ---



Description Kevin Oberman 2008-05-29 00:21:50 UTC
I use a USB token to access many work systems. This is supported by OpenSSH as a build-time option. It provides an interface to OpenSC, the open-source SmartCard support package. gnome-keyring lacks support for SmartCards which use the same software and standards as the USB tokens. (They are effectively a SmartCard and reader in one package.)

All code is available in OpenSSH-portable, but you may need to re-write if you need it under GPL. (Of course, OpenSSH is already in the system with a BSD license, so you may want to just use the code and leave the BSD license. IANAL.)

When it is included, the code to get the passphrase will need the ability to request a PIN for the SmartCard instead of the pass phrase. (The dialog could either provide a radio button to select or have two entry lines if a SmartCard is present.)

OpenSSH-portable needs to be configured with --with-opensc to work with SmartCards and is dependent on OpenSC (and, probably, OpenCT).
Comment 1 Stef Walter 2009-03-05 03:31:28 UTC
It'd be really awesome if openssh supported PKCS#11 then gnome-keyring could simply be one of many PKCS#11 providers, and the various drivers for these smart cards would still work.
Comment 2 misc 2013-12-21 14:33:46 UTC
It seems that openssh now supports pkcs#11
https://bugzilla.mindrot.org/show_bug.cgi?id=1371
Comment 3 Kevin Oberman 2013-12-22 03:48:30 UTC
Yes, indeed it does and has for a few years, but gnome-keyring seems to still lack support. I would think that this might be easily implemented at this time so that I would no longer need to turn off ssh in the daemon and manually do an ssh-add every time.
Comment 4 Tim Starling 2015-11-25 05:29:36 UTC
To be specific, it would be nice if the SSH agent operations ADD_SMARTCARD_KEY, REMOVE_SMARTCARD_KEY and ADD_SMARTCARD_KEY_CONSTRAINED were implemented. The fact that gnome-keyring is a PKCS#11 provider does not help.
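The wire format of the three agent requests named in Comment 4, as an added example that is not part of the bug thread or of gnome-keyring's code. The message and constraint numbers are those in OpenSSH's authfd.h; the function names are hypothetical. It shows what an agent has to parse, or a wrapper has to forward, for these operations.

```python
import struct

# Added illustration; function names are hypothetical, not gnome-keyring's.
# Message and constraint numbers as defined in OpenSSH's authfd.h.
SMARTCARD_OPS = {20: "ADD_SMARTCARD_KEY", 21: "REMOVE_SMARTCARD_KEY",
                 26: "ADD_SMARTCARD_KEY_CONSTRAINED"}
CONSTRAIN_LIFETIME, CONSTRAIN_CONFIRM = 1, 2

def _string(data):
    """SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def encode_request(op, provider, pin, lifetime=None, confirm=False):
    """Frame one request: length, type byte, provider id, PIN, then constraints."""
    body = bytes([op]) + _string(provider.encode()) + _string(pin.encode())
    if lifetime is not None:
        body += bytes([CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if confirm:
        body += bytes([CONSTRAIN_CONFIRM])
    return _string(body)

def _read_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    end = off + 4 + struct.unpack_from(">I", buf, off)[0]
    if end > len(buf):
        raise ValueError("string runs past end of message")
    return buf[off + 4:end], end

def parse_request(frame):
    """Decode a frame. The PIN is skipped, never returned, so it cannot be logged."""
    body, end = _read_string(frame, 0)
    if end != len(frame) or not body or body[0] not in SMARTCARD_OPS:
        raise ValueError("not a single smartcard request")
    provider, off = _read_string(body, 1)
    _pin, off = _read_string(body, off)
    info = {"op": SMARTCARD_OPS[body[0]], "provider": provider.decode(),
            "lifetime": None, "confirm": False}
    if off < len(body) and body[0] != 26:
        raise ValueError("constraints on an unconstrained request")
    while off < len(body):
        kind, off = body[off], off + 1
        if kind == CONSTRAIN_LIFETIME and off + 4 <= len(body):
            info["lifetime"], off = struct.unpack_from(">I", body, off)[0], off + 4
        elif kind == CONSTRAIN_CONFIRM:
            info["confirm"] = True
        else:
            raise ValueError("unknown or truncated constraint")
    return info
```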
Comment 5 Stef Walter 2016-12-12 13:00:01 UTC
gnome-keyring should just wrap stock ssh-agent to solve this problem:

https://bugzilla.gnome.org/show_bug.cgi?id=775981
Comment 6 Daiki Ueno 2018-03-10 08:46:33 UTC
I haven't really tested this, but it should work now given that bug 775981 landed.  Feel free to reopen if it is not the case.