openssh bugs - Mar 2010 - [Bug 1736] New: OpenSSH doesn't seem to work with my MuscleCard PKCS#11 library

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

           Summary: OpenSSH doesn't seem to work with my MuscleCard
                    PKCS#11 library
           Product: Portable OpenSSH
           Version: 5.4p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Smartcard
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: daniel at benoy.name


Here's what I get when I try to use my MuscleCard PKCS#11 library with
SSH:

----------
$ ssh -v -I /usr/local/lib/libmusclepkcs11.so root at jackson
OpenSSH_5.4p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: ssh_set_validator: ignore responder url
debug1: Connecting to jackson [2001:470:1d:160:224:8cff:fe92:3230] port
22.
debug1: Connection established.
debug1: manufacturerID <SCHLUMBERGER> cryptokiVersion 2.11
libraryDescription <SLB PKCS #11 module> libraryVersion 1.0
debug1: label <MuscleCard Applet> manufacturerID <Unknown MFR> model
<Unknown Model> serial <1> flags 0x40d
C_GetAttributeValue failed: 18
debug1: have 1 keys
C_GetAttributeValue failed: 18
debug1: have 2 keys
debug1: identity file /home/dbenoy/.ssh/id_rsa type -1
debug1: identity file /home/dbenoy/.ssh/id_rsa-cert type -1
debug1: identity file /home/dbenoy/.ssh/id_dsa type -1
debug1: identity file /home/dbenoy/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'jackson' is known and matches the RSA host key.
debug1: Found key in /home/dbenoy/.ssh/known_hosts:15
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /usr/local/lib/libmusclepkcs11.so
debug1: Authentications that can continue:
publickey,keyboard-interactive
debug1: Offering public key: /usr/local/lib/libmusclepkcs11.so
debug1: Server accepts key: pkalg ssh-rsa blen 151
Enter PIN for 'MuscleCard Applet': 
C_FindObjects failed (0 nfound): 0
ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)
debug1: Trying private key: /home/dbenoy/.ssh/id_rsa
debug1: Trying private key: /home/dbenoy/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password: 
----------

This PKCS#11 module works fine with Evolution, Firefox, and prior
versions of SSH which I applied a patch to.

The patch was: http://sites.google.com/site/alonbarlev/openssh-pkcs11 
(Although with that patch I had to use it as 'ssh -#
/usr/local/lib/libmusclepkcs11.so:0:15' for some reason the :0:15 was
important)

Also, my install of OpenSSH works successfully with the OpenSC PKCS#11
library.

So it seems the specific combination of MuscleCard and OpenSSH isn't
working, even though they both work with other software.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #1 from Daniel Benoy <daniel at benoy.name> 2010-03-18
06:19:17 EST ---
FYI: I'm using libmusclepkcs11.so from muscleframework version 1.1.7
from here:
https://alioth.debian.org/projects/muscleplugins/

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

Markus Friedl <markus at openbsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markus at openbsd.org

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #2 from Markus Friedl <markus at openbsd.org> 2010-03-19
19:05:05 EST ---
what do the following commands print out:

 ssh-keygen -vvvD /usr/local/lib/libmusclepkcs11.so
 pkcs11-tool --module /usr/local/lib/libmusclepkcs11.so -O

do you have the original output from
 ssh -vvv# /usr/local/lib/libmusclepkcs11.so:0:15 xxxxx

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #3 from Markus Friedl <markus at openbsd.org> 2010-03-19
20:47:55 EST ---
Created an attachment (id=1812)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1812)
print out key ID for debugging

Could you please retry ssh -vI ... with this patch and attach
the new output? thanks!

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #4 from Daniel Benoy <daniel at benoy.name> 2010-03-20
00:01:49 EST ---
Created an attachment (id=1813)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1813)
Debug command output

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #5 from Daniel Benoy <daniel at benoy.name> 2010-03-20
00:02:12 EST ---
(In reply to comment #2)
> what do the following commands print out:
> 
>  ssh-keygen -vvvD /usr/local/lib/libmusclepkcs11.so
>  pkcs11-tool --module /usr/local/lib/libmusclepkcs11.so -O
attached.
> do you have the original output from
>  ssh -vvv# /usr/local/lib/libmusclepkcs11.so:0:15 xxxxx
'fraid not :(

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #6 from Daniel Benoy <daniel at benoy.name> 2010-03-20
00:16:28 EST ---
Created an attachment (id=1814)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1814)
Debug command output 2

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

Daniel Benoy <daniel at benoy.name> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1814|application/octet-stream    |text/plain
          mime type|                            |

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #7 from Daniel Benoy <daniel at benoy.name> 2010-03-20
00:17:47 EST ---
(In reply to comment #3)
> Created an attachment (id=1812)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1812)
[details]
> print out key ID for debugging
> 
> Could you please retry ssh -vI ... with this patch and attach
> the new output? thanks!
Attached.  I believe this is the line you're looking for:

pkcs11_rsa_private_encrypt/20: 24b1986496cb599e52da591ff46c98cd8dd74418

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

jmpoure at free.fr changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jmpoure at free.fr

--- Comment #8 from jmpoure at free.fr 2010-04-08 23:36:09 EST ---
Muscle cards are highly experimental under GNU/Linux. It is recommended
to use a traditional PKI card, compatible with OpenSC. This will work
out of the box. You can try the FEITIAN PKI card for example, but there
are other cards. Avoid Muscle cards.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #9 from Daniel Benoy <daniel at benoy.name> 2010-04-09
00:42:00 EST ---
I have an aladdin etoken which I'm using in the meantime until this bug
gets fixed.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #10 from Markus Friedl <markus at openbsd.org> 2010-04-09
05:46:32 EST ---
could you please try
PKCS11SPY=/usr/local/lib/libmusclepkcs11.so
export PKCS11SPY

and then
% ssh -vvvI /usr/local/lib/pkcs11-spy.so host

pkcs11 spy should be part of opensc

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #11 from Daniel Benoy <daniel at benoy.name> 2010-04-09
06:21:06 EST ---
Created an attachment (id=1829)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1829)
Debug command output 3

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #12 from Markus Friedl <markus at openbsd.org> 2010-04-09
17:13:24 EST ---
Created an attachment (id=1835)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1835)
don't add attribut 'sign=true' when looking up the private rsa key

Could you please try this?

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #13 from Daniel Benoy <daniel at benoy.name> 2010-04-09
23:41:41 EST ---
It worked! :D

Thanks :)

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

Markus Friedl <markus at openbsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1835|0                           |1
        is obsolete|                            |

--- Comment #14 from Markus Friedl <markus at openbsd.org> 2010-04-13
07:40:49 EST ---
Created an attachment (id=1836)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1836)
try to find private key object w/CKA_SIGN first, retry w/o

Thanks. Could you please try this, too? this should both
work with the MUSCLE card and the E-Token.

thanks, -m

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

Markus Friedl <markus at openbsd.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1836|0                           |1
        is obsolete|                            |

--- Comment #15 from Markus Friedl <markus at openbsd.org> 2010-04-13
08:10:32 EST ---
Created an attachment (id=1837)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1837)
really try to find private key object w/CKA_SIGN first, retry w/o   

this one should work

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

--- Comment #16 from Daniel Benoy <daniel at benoy.name> 2010-04-14
03:50:07 EST ---
(In reply to comment #15)
> Created an attachment (id=1837)
 --> (https://bugzilla.mindrot.org/attachment.cgi?id=1837)
[details]
> really try to find private key object w/CKA_SIGN first, retry w/o   
> 
> this one should work
Yep!  It worked with both my MUSCLE card and my Aladdin eToken Pro 32k
via OpenSC.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1708
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #17 from Damien Miller <djm at mindrot.org> 2010-04-23
11:04:48 EST ---
Markus has committed the fix in attachment #1837. It will be in OpenSSH
5.6.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1736

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #18 from Damien Miller <djm at mindrot.org> 2011-01-24
12:33:48 EST ---
Move resolved bugs to CLOSED after 5.7 release

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.