Yegor Ievlev
2019-Jan-24 22:23 UTC
Using rsa-sha2-256 with a YubiKey or a different smart card
Is it currently possible to use rsa-sha2-256 or rsa-sha2-512 with a key stored on a PIV or OpenPGP smart card, like a YubiKey? OpenSC itself appears to support SHA-2 signatures, but I can't find information about SSH support.
Damien Miller
2019-Jan-25 02:05 UTC
Using rsa-sha2-256 with a YubiKey or a different smart card
On Fri, 25 Jan 2019, Yegor Ievlev wrote:
> Is it currently possible to use rsa-sha2-256 or rsa-sha2-512 with a
> key stored on a PIV or OpenPGP smart card, like a YubiKey? OpenSC
> itself appears to support SHA-2 signatures, but I can't find
> information about SSH support.

probably, why don't you try it and report back?
Jakub Jelen
2019-Jan-25 09:18 UTC
Using rsa-sha2-256 with a YubiKey or a different smart card
On Fri, 2019-01-25 at 01:23 +0300, Yegor Ievlev wrote:
> Is it currently possible to use rsa-sha2-256 or rsa-sha2-512 with a
> key stored on a PIV or OpenPGP smart card, like a YubiKey? OpenSC
> itself appears to support SHA-2 signatures, but I can't find
> information about SSH support.

Yes, it works fine with my Yubikey 4 (certainly PIV and I also think that OpenPGP worked).

From OpenSC point of view, the SHA2 is not a problem, because OpenSSH already passes in the hash so internally, it is just the same CKM_RSA_PKCS PKCS#11 mechanism with longer data (32 or 64 bytes instead of 20 bytes used for SHA1).

Regards,
-- 
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
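
Added example, not part of the thread and not OpenSSH or OpenSC code: a Python sketch of why the token needs no SHA-2 support for CKM_RSA_PKCS. It assumes the standard PKCS#1 v1.5 layout from RFC 8017, where the host wraps the 20-, 32- or 64-byte hash in a DER DigestInfo prefix and the token only pads and applies the private key; the function names and the sample data are constructed for illustration.

```python
import hashlib

# DER DigestInfo prefixes from RFC 8017, section 9.2 (notes).
DIGEST_INFO_PREFIX = {
    "sha1": bytes.fromhex("3021300906052b0e03021a05000414"),
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}
# SSH signature algorithm name -> hash used over the signed data.
SSH_SIG_HASH = {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"}


def host_side_input(ssh_alg, signed_data):
    """Hypothetical helper: bytes the host hands to the token as signing input."""
    name = SSH_SIG_HASH[ssh_alg]
    digest = hashlib.new(name, signed_data).digest()  # hashing happens on the host
    return DIGEST_INFO_PREFIX[name] + digest


def token_side_padding(data, modulus_bytes):
    """Hypothetical helper: EMSA-PKCS1-v1_5 type 1 padding applied for CKM_RSA_PKCS."""
    if len(data) > modulus_bytes - 11:  # the only limit the mechanism puts on input
        raise ValueError("input too long for this modulus")
    ps = b"\xff" * (modulus_bytes - len(data) - 3)
    return b"\x00\x01" + ps + b"\x00" + data


def summary(signed_data, modulus_bytes=256):
    """Per SSH algorithm: (hash length, token input length, padded block length)."""
    rows = {}
    for alg, name in SSH_SIG_HASH.items():
        data = host_side_input(alg, signed_data)
        block = token_side_padding(data, modulus_bytes)
        rows[alg] = (hashlib.new(name).digest_size, len(data), len(block))
    return rows


if __name__ == "__main__":
    # Constructed sample input; a real client signs the session data blob.
    for alg, (h, d, b) in summary(b"constructed session data").items():
        print(f"{alg:13s} hash={h:2d}B token input={d:2d}B padded block={b}B")
```

For a 2048-bit key every algorithm ends in the same 256-byte block, so the only difference the token sees is the length of the input it is asked to pad and sign.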