bugzilla-daemon at bugzilla.mindrot.org
2016-Jan-22 12:01 UTC
[Bug 2530] New: Client does not differentiate between more keys on Smart card, signs always with first one
https://bugzilla.mindrot.org/show_bug.cgi?id=2530 Bug ID: 2530 Summary: Client does not differentiate between more keys on Smart card, signs always with first one Product: Portable OpenSSH Version: 7.1p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: Smartcard Assignee: unassigned-bugs at mindrot.org Reporter: jjelen at redhat.com Based on the report in our bugzilla [1] (though on older version and with different use case), I can reproduce the same behaviour with two different key pairs on smartcard (opencryptoki softtoken), when only the second is accepted. This is caused by the fact, that when the public key is read from the card, its CKA_ID is not stored alongside with the public key and ssh later does not know which key use for signing (use the first one implicitly, since it is first result of search). So far, the key is identified by its pkcs11 provider library [2] and by flag SSHKEY_FLAG_EXT [3], which is obviously not enough (see the self-explaining comment /* XXX */ [2]). Fortunately, similar question was asked before by different people and there is RFC7512 describing PKCS#11 URI scheme, which quite suits these needs. It can overgrow into ugly monstrosity, but for our case should be enough to note the id (CKA_ID) in scheme. Integration of this idea into openssh would require some changes, which are more complex to do them without discussion as a patch for bugzilla. If you feel this would be useful, I would like to hear upstream acknowledgement. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1280422 [2] https://github.com/openssh/openssh-portable/blob/master/ssh.c#L1994 [3] https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c#L541 [4] https://tools.ietf.org/html/rfc7512 -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-11 01:46 UTC
[Bug 2530] Client does not differentiate between more keys on Smart card, signs always with first one
https://bugzilla.mindrot.org/show_bug.cgi?id=2530 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |djm at mindrot.org --- Comment #1 from Damien Miller <djm at mindrot.org> --- The upstream bug link looks wrong, it points to "Review Request: rpg - RPM Package Generator" that doesn't appear ssh-related to all -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Feb-11 08:19 UTC
[Bug 2530] Client does not differentiate between more keys on Smart card, signs always with first one
https://bugzilla.mindrot.org/show_bug.cgi?id=2530 --- Comment #2 from Jakub Jelen <jjelen at redhat.com> --- Sorry, the link should be [1]. I have no idea how did it happened. The original case, as it is described above, seems to be working with upstream version. For the first time I managed to create two keys with the same ID, which is obviously wrong configuration. I didn't want to comment again until I will get the answer from our tester who reported the issue with certificates. It might be the same problem and then this is not a bug or something different and I will update you as soon as I will know more. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1299994 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2016-Sep-02 11:54 UTC
[Bug 2530] Client does not differentiate between more keys on Smart card, signs always with first one
https://bugzilla.mindrot.org/show_bug.cgi?id=2530 Jakub Jelen <jjelen at redhat.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |INVALID --- Comment #3 from Jakub Jelen <jjelen at redhat.com> --- Sorry, this is not a bug in openssh. The report was very vague and it showed up as a problem in different part of the chain. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:09 UTC
[Bug 2530] Client does not differentiate between more keys on Smart card, signs always with first one
https://bugzilla.mindrot.org/show_bug.cgi?id=2530 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #4 from Damien Miller <djm at mindrot.org> --- closing resolved bugs as of 8.6p1 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Reasonably Related Threads
- safenet eToken 5100 pkcs11 bug(?)
- [Bug 2817] New: Add support for PKCS#11 URIs (RFC 7512)
- [Bug 2429] New: ssh-keygen ignores keys that have CKA_ID == 0
- [Bug 1773] PKCS#11 authentication fails with "xmalloc: zero size" for some certificates.
- [PATCH] sshd: Add pkcs11 support for HostKey.