Nitrokey - PIV
  Download PDF

Authentication with a Nitrokey / PIV

In this How-To we will configure a user in WebADM for using a PIV key. We need a WebADM server already configured.

1. Import the Inventory

We need to create an inventory file like this:

"PIV Device","<ID1>","PIV Nitrokey","","PublicKey=<pub_key1>","Valid"
"PIV Device","<ID2>","PIV Nitrokey","","PublicKey=<pub_key2>","Valid"
"PIV Device","<ID3>","PIV Nitrokey","","PublicKey=<pub_key3>","Valid"

For my test, I have a Nitrokey Start with a PIV certificate and I use gpg2 --card-edit for the management of the Nitrokey. Please follow this documentation Nitrokey - Installation.

We need to extract the public key. I do it with pkcs15-tool:

-bash-4.2# pkcs15-tool --read-public-key 03
Using reader with a card: Nitrokey Start
-----END PUBLIC KEY-----

We can create a file called nitrokey.csv with the serial number as ID and the right public key:

"PIV Device","67090940","PIV NitroKey","","PublicKey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwiBZ8g4yHliKPSr/Kg4EcAJLHch+Kh6w6emzn9ZRxSfrBofSO45x17oi7UsG8OIrBRMIVTgXOzqMbTwnnPjkpep9dKe4FHEMaPEvNYhAwHDMGVhbYBcf7Ru3CsCM9NPqmbjeV/+zGsMxq8XbZLKPdoW4EjtneTpqD8ummip1ZBTuaFXGi3D/SDxAWTy3DlA+QtU5E2HpU7tZghi5ygiy9przQct/pMCNX8WJgkLC58g/UtnVeClkh2GGalFrODR2hY0lhWQYhzNH5FzIBmEENcPucSwB7/r0abV9hdW52qWXECGBIjKAXrA16n/4QsFJNlPJaysl5Pv4ZBqM86jogwIDAQAB","Valid"

We import the file. Under the the Import tab, we click on Import Inventory File:

We choose the nitrokey.csv file and click on Import:

Now, the PIV key is present in the inventory:

2. Assign the Nitrokey

We select the user in the LDAP tree on the left and add a UNIX Account extension:

We click on Proceed:

We Extend Object:

We click on SSH Publick Key Server:

We click on Register / Unregister SSH Key:

We select Register a hardware key (Inventoried), enter the Serial Number (Reference) and Register:

Now, the PIV key is well registered.

3. Test with SSH

We’ll try with a CentOS 7 as an ssh server.

We install and configure spankey_client on it:

[root@centos7-client ~]# yum install
[root@centos7-client ~]# yum clean all
[root@centos7-client ~]# yum install spankey_client -y
[root@centos7-client ~]# /opt/spankey/bin/setup 
Enter one of your running WebADM node IP or hostname []:
Do you want to enable SpanKey Client for OpenSSH server (y/n)? [N]: y
Do you want to enable SpanKey Client NSS plugin (y/n)? [Y]: 
Do you want to register SpanKey Client logrotate script (y/n)? [Y]: 
Do you want SpanKey Client to be automatically started at boot (y/n)? [Y]: 

    Primary OpenOTP service URL is: ''
    Secondary OpenOTP service URL is: 'NONE'
    Enable SpanKey Client for OpenSSH server: 'YES'
    Enable SpanKey Client NSS plugin: 'YES'
    Register SpanKey Client logrotate script: 'YES'
    SpanKey Client must be automatically started at boot: 'YES'

Do you confirm (y/n)?: y

Applying SpanKey Client settings from default configuration files... Ok
Retrieving WebADM CA certificate from host ''... Ok
The setup needs now to request a signed 'SpanKey' client certificate.
This request should show up as pending in your WebADM interface and an administrator must accept it.
Waiting for approbation... Ok
Updating entry 'client_id' in file '/opt/spankey/conf/spankey.conf'... Ok
Updating file '/etc/ssh/sshd_config'... Ok
Updating file '/etc/nsswitch.conf'... Ok
Updating file '/etc/pam.d/password-auth'... Ok
Registering SpanKey Client service...
Registering SpanKey Client service... Ok
Adding logrotate script... Ok

SpanKey Client has successfully been setup.

IMPORTANT: Do not forget to perform the following actions before you exit this session:
 - Start SpanKey (/opt/spankey/bin/spankey start)
 - Restart 'sshd'
 - Restart 'nscd'

[root@centos7-client ~]# 

For the ssh client, we use a mac mini. We configure it for using the smartcard:

[LO@Mac-mini ~]$ brew install opensc

We try the authentication:

[LO@Mac-mini ~]$ ssh -I test-user@
Enter PIN for 'User PIN (OpenPGP card)': 

Session recording is disabled.
Audit logs recording is disabled.
Session lock is disabled.
Session's max duration is unlimited.

[test-user@centos7-client ~]$ pwd
[test-user@centos7-client ~]$ exit

>>>> Session's duration was aprox 42 seconds <<<<

Connection to closed.

I’m connected to the server with a user from the LDAP database and authenticated with my PIV key.