hko (@hko@fosstodon.org)

I just released version 0.0.1 of the new crate https://crates.io/crates/openpgp-card-state

This crate paves the way for convenient handling of card User PINs, for users whose threat model allows persisting the PIN locally on the host computer.

If a User PIN is stored, applications can obtain it via this crate, and perform cryptographic operations without prompting the user for PIN entry.

Currently org.freedesktop.Secret is supported for storage.

Thoughts are welcome!

hko (@hko@fosstodon.org)

To illustrate the use of openpgp-card-state, here's an early version of an ssh-agent implementation that uses it:

https://codeberg.org/openpgp-card/ssh-agent/src/branch/state

This SSH agent explores an absolutely streamlined UX for doing ssh backed by OpenPGP card-based key material.

After persisting the User PIN once, like this: "$ openpgp-card-state put --user-pin 123456 0000:01234567", the ssh agent can be used without any user interaction.

hko (@hko@fosstodon.org)

Except for the persisted PINs, this agent is entirely stateless, and can pick up new cards on the fly.
It uses cards via PC/SC shared mode.

You can plug in a new card that the ssh-agent has never seen before, and it will pick up its authentication key material on the fly, for any subsequent ssh authentication.

As long as the User PIN for the card is available via openpgp-card-state, new cards will be automatically used by the ssh-agent. No configuration or restart required.
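
To make the flow described in these posts concrete, here is an added Rust sketch that is not code from openpgp-card-state or from the ssh-agent linked above: it models a store of persisted User PINs keyed by the "MMMM:SSSSSSSS" card identifier from the put command, and an agent that silently uses a stored PIN when one exists and otherwise falls back to prompting. MemoryStore stands in for the org.freedesktop.Secret backend; all type and function names are hypothetical.

```rust
// Added example, not the openpgp-card-state crate's own API. Models how an
// agent consults a store of persisted User PINs keyed by card identifier and
// prompts only when no usable PIN is stored. MemoryStore stands in for the
// org.freedesktop.Secret (Secret Service) backend; every name is hypothetical.
use std::collections::{HashMap, HashSet};

/// Card identifier in the "MMMM:SSSSSSSS" form used by the put command in the
/// post: four hex digits of manufacturer id, a colon, eight hex digits of serial.
#[derive(Clone, Debug, PartialEq, Eq, Hash)]
pub struct CardIdent(String);

#[derive(Debug, PartialEq, Eq)]
pub enum StoreError {
    BadIdent,
    /// The OpenPGP card specification requires the User PIN (PW1) to be at
    /// least 6 characters; anything shorter cannot be a valid PIN, so refuse it.
    PinTooShort,
}

impl CardIdent {
    pub fn parse(s: &str) -> Result<CardIdent, StoreError> {
        let is_hex = |p: &str, n: usize| p.len() == n && p.bytes().all(|b| b.is_ascii_hexdigit());
        match s.split_once(':') {
            Some((manufacturer, serial)) if is_hex(manufacturer, 4) && is_hex(serial, 8) => {
                Ok(CardIdent(s.to_ascii_uppercase()))
            }
            _ => Err(StoreError::BadIdent),
        }
    }
    pub fn as_str(&self) -> &str {
        &self.0
    }
}

/// Backend-agnostic store interface; a real backend would talk to Secret Service over D-Bus.
pub trait PinStore {
    fn put(&mut self, card: &CardIdent, pin: &str) -> Result<(), StoreError>;
    fn get(&self, card: &CardIdent) -> Option<String>;
    fn delete(&mut self, card: &CardIdent) -> bool;
}

/// In-memory stand-in for the Secret Service backend (constructed for this example).
#[derive(Default)]
pub struct MemoryStore {
    pins: HashMap<CardIdent, String>,
}

impl PinStore for MemoryStore {
    fn put(&mut self, card: &CardIdent, pin: &str) -> Result<(), StoreError> {
        if pin.chars().count() < 6 {
            return Err(StoreError::PinTooShort);
        }
        self.pins.insert(card.clone(), pin.to_string());
        Ok(())
    }
    fn get(&self, card: &CardIdent) -> Option<String> {
        self.pins.get(card).cloned()
    }
    fn delete(&mut self, card: &CardIdent) -> bool {
        self.pins.remove(card).is_some()
    }
}

/// What the agent does for a card it has just seen on the reader.
#[derive(Debug, PartialEq, Eq)]
pub enum PinSource {
    /// A persisted PIN exists and the card has not rejected it: use it without prompting.
    Persisted(String),
    /// No usable PIN: the agent must ask the user (or decline to offer the key).
    PromptRequired,
}

/// Stateless apart from the store and a per-run set of cards whose stored PIN was
/// rejected. Each failed PW1 verification decrements the card's retry counter and the
/// card blocks the PIN at zero, so a stale stored PIN must never be re-sent automatically.
pub struct Agent<S: PinStore> {
    store: S,
    rejected: HashSet<CardIdent>,
}

impl<S: PinStore> Agent<S> {
    pub fn new(store: S) -> Self {
        Agent { store, rejected: HashSet::new() }
    }

    /// Called whenever a card appears (PC/SC shared mode lets the agent see cards
    /// that other applications are using at the same time).
    pub fn pin_for(&self, card: &CardIdent) -> PinSource {
        if self.rejected.contains(card) {
            return PinSource::PromptRequired;
        }
        match self.store.get(card) {
            Some(pin) => PinSource::Persisted(pin),
            None => PinSource::PromptRequired,
        }
    }

    /// The card rejected the stored PIN: stop using it for the rest of this run.
    pub fn pin_rejected(&mut self, card: &CardIdent) {
        self.rejected.insert(card.clone());
    }

    pub fn store_mut(&mut self) -> &mut S {
        &mut self.store
    }
}

fn main() {
    // Mirrors "openpgp-card-state put --user-pin 123456 0000:01234567" from the post.
    let card = CardIdent::parse("0000:01234567").expect("valid ident");
    let mut agent = Agent::new(MemoryStore::default());
    agent.store_mut().put(&card, "123456").expect("pin accepted");
    println!("{:?}", agent.pin_for(&card));
    println!("{:?}", CardIdent::parse("0000:0123"));
}
```

The rejected-set is the part worth carrying into a real agent: a PIN that a card has refused once is stale (the user changed it, or the wrong card identifier was stored), and re-sending it on every new SSH connection would burn the card's three PW1 retries and lock the card.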

Anarcat (@Anarcat@kolektiva.social)

@hko that's amazing!
