Use Nitrokey 3 PIV with OpenSC PKCS#11 for SSH

We will use toolbox to build pivy-tool in a Fedora container, so the build should work on any OS where toolbox is available, including openSUSE, Arch and of course Fedora.

We have to run the built binary on the host OS, though, because it needs the PC/SC Smart Card Daemon (pcscd) running there to talk to the Nitrokey.

Make sure your Nitrokey 3 runs firmware that supports PIV. At the time of writing you have to install the test firmware for that.

Install nitropy

Install the latest test firmware.

Prepare the toolbox

Adapt the following for your OS. Mainly you have to install toolbox and the PC/SC Smart Card Daemon we need later; make sure pcscd (on systemd hosts its pcscd.socket unit) is enabled and running on the host before you start talking to the key.

# On Fedora (except Silverblue, where toolbox is installed by default)
sudo dnf install toolbox pcsc-lite libbsd opensc

# On openSUSE
sudo zypper install toolbox pcsc-lite libbsd opensc

# Create the toolbox; "pivy" is the container name
# On Fedora you can leave out the image and get the matching Fedora release
toolbox create --image quay.io/toolbx-images/fedora-toolbox:39 pivy
toolbox enter pivy

Build pivy-tool from within the toolbox

The following commands are now run within the toolbox. If you have not set the

# Install the build requirements
sudo dnf install pcsc-lite-devel libbsd-devel libedit-devel
# If make later stops on a missing header, install the matching -devel package

# Clone the pivy repo. Do this somewhere in your home directory, which is
# shared with the host, to make the built binary available outside the toolbox
git clone https://github.com/arekinath/pivy

# Build pivy-tool
cd pivy
make

Prepare your Nitrokey

Enter the pivy repository on your host machine. The binary was linked inside the container, so check for libraries that are missing on the host and install them.

cd <pivy repo>
ldd ./pivy-tool
# Every line reading "not found" is a library you still have to install on the host.

# Generate a P-256 key in slot 9A (PIV Authentication).
# pivy-tool authenticates to the card with the PIV management key, which is the
# factory default unless you have changed it; change the default PIN and
# management key before you rely on this key.
# The output of this command is your public key in OpenSSH format.
./pivy-tool -a eccp256 generate 9A

Now drop the public key line into

~/.ssh/authorized_keys

on the server you want to log in to, and make sure the permissions are what sshd expects: ~/.ssh mode 700 and authorized_keys mode 600, both owned by that user.

Using the Nitrokey for SSH

Specify the OpenSC PKCS#11 library. OpenSSH reads the public key from the token through it and asks for the PIV PIN (the PIV default is 123456 until you change it) to sign the authentication challenge. The path below is the Fedora one; on other distributions look for opensc-pkcs11.so under /usr/lib or /usr/lib64.

ssh -I /usr/lib64/opensc-pkcs11.so ssh-host.example.com

To avoid typing the path every time, set PKCS11Provider to the same path in ~/.ssh/config, or load the token into ssh-agent with ssh-add -s and the same path.
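The steps above leave three checks to the reader: whether pivy-tool is really missing libraries on the host, whether authorized_keys ends up with modes sshd accepts, and whether OpenSC exposes the same key pivy-tool wrote to slot 9A before the first ssh -I. The shell functions below are an added example, not part of the original page or of pivy, that cover those checks. The public key line and ldd output used with them are constructed samples, and the OpenSC module path is the Fedora one from the ssh command above.

```shell
#!/bin/sh
# Added example (not from the page or from pivy): helpers for the steps
# after the build. Public key lines and ldd output fed to these functions
# in the usage notes are constructed samples, not real keys.
set -e

# Read ldd output on stdin and print every library marked "not found",
# one per line. Returns 1 when at least one library is missing.
# Usage on the host: ldd ./pivy-tool | missing_libs
missing_libs() {
  missing=$(awk '/=> not found/ { print $1 }')
  printf '%s\n' "$missing"
  if [ -n "$missing" ]; then
    return 1
  fi
  return 0
}

# Reduce an OpenSSH public key line to "<type> <base64 blob>", dropping the
# comment pivy-tool appends, so keys compare equal regardless of comment.
key_identity() {
  printf '%s' "$1" | awk '{ print $1, $2 }'
}

# Append a public key line to $2/authorized_keys (default ~/.ssh), creating
# the directory and file with the modes sshd insists on under StrictModes
# (directory 0700, file 0600). Refuses anything that does not look like an
# OpenSSH public key line and skips keys that are already present.
install_authorized_key() {
  pubkey=$1
  sshdir=${2:-$HOME/.ssh}
  case "$pubkey" in
    "ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ssh-ed25519 "*|"ssh-rsa "*) ;;
    *) echo "refusing to install: not an OpenSSH public key line" >&2; return 1 ;;
  esac
  mkdir -p "$sshdir"
  chmod 700 "$sshdir"
  touch "$sshdir/authorized_keys"
  chmod 600 "$sshdir/authorized_keys"
  if grep -qF "$(key_identity "$pubkey")" "$sshdir/authorized_keys"; then
    echo "key already present in $sshdir/authorized_keys" >&2
    return 0
  fi
  printf '%s\n' "$pubkey" >> "$sshdir/authorized_keys"
}

# Ask OpenSSH to enumerate the keys behind a PKCS#11 module and check that
# the line pivy-tool printed is among them. Needs the Nitrokey plugged in and
# pcscd running; $2 defaults to the Fedora path of the OpenSC module.
pkcs11_key_matches() {
  module=${2:-/usr/lib64/opensc-pkcs11.so}
  ssh-keygen -D "$module" | grep -qF "$(key_identity "$1")"
}
```

On the host, `ldd ./pivy-tool | missing_libs` lists exactly what to install and fails if anything is missing; on the server, `install_authorized_key "<line printed by pivy-tool>"` adds the key with the right modes and is safe to run twice; before the first login, `pkcs11_key_matches "<the same line>"` on the host confirms OpenSC and pivy-tool agree on the key in slot 9A, which catches a stale or wrong slot before ssh silently falls back to other authentication methods.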