bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-28 00:21 UTC
[Bug 2974] New: PKCS11Provider should support "none"
https://bugzilla.mindrot.org/show_bug.cgi?id=2974

Bug ID: 2974
Summary: PKCS11Provider should support "none"
Product: Portable OpenSSH
Version: 7.9p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: imorgan at nas.nasa.gov

Currently, there is no way for users to disable use of PKCS11Provider if it is set in the system-wide configuration file. This can create problems when attempting to connect to a system that does not trust the keys from the smartcard and the card offers too many keys. Adding support for PKCS11Provider=none would alleviate this issue.

The problem scenario is as follows:

1) Unconditional use of PKCS11Provider is enabled in the system-wide ssh_config file.
2) A smartcard with multiple keys is left in the reader.
3) A user attempts to ssh to a system that does not trust any of the keys provided by the smartcard.

Under these circumstances, the ssh attempt may fail due to too many authentication failures.

A similar problem can occur when a user leaves the smartcard in the reader and cronjobs running as a different user (such as root) attempt to use ssh to transfer files etc.

Supporting setting PKCS11Provider to "none" would provide a simple way to avoid these problems. An alternative approach would be to provide some means to specify the slot to use from the smartcard, and thus reduce the number of keys offered.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
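An added illustration of the configuration this report asks for; it is not text from the bug or the OpenSSH project, and the library path and host names in it are placeholders. It relies on the ssh_config rule that the first value obtained for an option wins and that the user's file is read before the system-wide one, which is exactly why a user-level "none" can neutralise a site-wide PKCS11Provider.

```sshconfig
# /etc/ssh/ssh_config (system-wide): the site unconditionally loads the
# smartcard middleware, so every ssh run offers every key on the card.
# The library path is a placeholder, not taken from the bug report.
Host *
    PKCS11Provider /usr/lib/example-pkcs11.so

# ~/.ssh/config (per user): read before the system-wide file, and ssh keeps
# the first value it obtains for each option, so these entries take
# precedence over the site-wide one above.
#
# Keep the card only for the host that actually trusts its keys ...
Host card-trusting.example.org
    PKCS11Provider /usr/lib/example-pkcs11.so

# ... and disable it everywhere else, so a card left in the reader cannot
# burn through the remote side's authentication attempt limit.
# "none" is the value requested in this bug; it needs OpenSSH 8.0 or later,
# the release the thread's tracking bug refers to.
Host *
    PKCS11Provider none
```

For the cronjob case from the report, the same effect can be had without touching any file by passing `-o PKCS11Provider=none` on the ssh command line, which is the highest-precedence source. To confirm which value is in effect for a given host, `ssh -G hostname` dumps the resolved configuration; with the manual and -G fix attached later in this thread the relevant line is reported as pkcs11provider.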
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-28 10:45 UTC
[Bug 2974] PKCS11Provider should support "none"
https://bugzilla.mindrot.org/show_bug.cgi?id=2974

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |pkcs11
                 CC|                            |jjelen at redhat.com
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-28 10:47 UTC
[Bug 2974] PKCS11Provider should support "none"
https://bugzilla.mindrot.org/show_bug.cgi?id=2974

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
Created attachment 3247
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3247&action=edit
proposed patch

I attached the proposed patch, which also addresses a few issues around this that I noticed while checking the option:

* The manual page did not list the ECDSA keys that got supported recently
* The -G option was dumping the undocumented option smartcarddevice instead of pkcs11provider
bugzilla-daemon at bugzilla.mindrot.org
2019-Mar-01 02:16 UTC
[Bug 2974] PKCS11Provider should support "none"
https://bugzilla.mindrot.org/show_bug.cgi?id=2974

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
hah, I just committed a basically identical patch for readconf.c. I'll commit Jakub's manual fix too.
bugzilla-daemon at bugzilla.mindrot.org
2019-Mar-01 02:17 UTC
[Bug 2974] PKCS11Provider should support "none"
https://bugzilla.mindrot.org/show_bug.cgi?id=2974

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2915
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
I ended up committing a slightly larger rewording of the PKCS11Provider directive. Thanks for the report and patch.

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
bugzilla-daemon at mindrot.org
2021-Apr-23 05:09 UTC
[Bug 2974] PKCS11Provider should support "none"
https://bugzilla.mindrot.org/show_bug.cgi?id=2974

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release