Modern Aventra MyEID cards support 4096 bit keys, but unfortunately this does not work out of box with ThinLinc. To use these keys OpenSC 0.20 is required, and we're currently on 0.19. Right now you're getting a "Smart card malfunction" error and this in the log: > 2020-12-04T10:31:24: SSH agent request: SSH2_AGENTC_SIGN_REQUEST > 2020-12-04T10:31:24: Preparing signature operation... > 2020-12-04T10:31:24: Finding certificate with serial 765e71693d6c3e1054350f5339968f8484a710c6 > 2020-12-04T10:31:24: Getting certificates for slot 0 > 2020-12-04T10:31:24: Getting certificate with id 25825104 > 2020-12-04T10:31:24: Certificate found > 2020-12-04T10:31:24: Logging in... > 2020-12-04T10:31:24: Querying user for passphrase... > 2020-12-04T10:31:26: Finding private key... > 2020-12-04T10:31:26: Signing data... > 2020-12-04T10:31:26: Signature operation failed (84) > 2020-12-04T10:31:27: SSH agent response: Failed to produce signature Using an updated OpenSC with PKCS11_MODULE works just fine though, so we just need to upgrade our bundled OpenSC. Also note that smaller key sizes using these new cards work just fine as is.
OpenSC got upgraded on bug 7764, so this should work now.
Confirmed on Fedora 34 with a 4096 bit key on a 4.5.5 card. Doesn't work with ThinLinc 4.13.0, but works fine with the current build.
Tested with client build 2205 and can confirm that 4096 bit keys now works for Aventra 4.5 cards. Tested on the following dists: ✓ Fedora 33 ✓ Windows 10 ✓ macos 11 The relnotes also look good.
