bugzilla-daemon at mindrot.org
2020-Mar-27 14:23 UTC
[Bug 3141] New: ssh ignores IdentitiesOnly for PKCS11Provider
https://bugzilla.mindrot.org/show_bug.cgi?id=3141

            Bug ID: 3141
           Summary: ssh ignores IdentitiesOnly for PKCS11Provider
           Product: Portable OpenSSH
           Version: 8.1p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: keil at dfn-cert.de

I'm using SSH with a token storing my keys. Trying to limit the tried identities with IdentitiesOnly and IdentityFiles works as long as I'm using the ssh-agent. But if I instead configure the token with PKCS11Provider, ssh ignores IdentitiesOnly and tries all identities present on the token.

My config includes

    Host *
        IdentitiesOnly yes
        IdentityFile ~/.ssh/token.pub
        PKCS11Provider /usr/lib/libeTPkcs11.so

There are no host specific entries for any of these.

If I now try to ssh to any system, the output of ssh -vvv shows that it loads the provider and counts the keys. Later it prints

    debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:... token
    debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:... token
    debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:... token

for all identities on the token. The hashes are distinct, so it's not printing the same one multiple times. Doing the same with adding the provider to ssh-agent and removing the PKCS11Provider key shows only one key as attempted.

I may be way off here, but the code in sshconnect2:pubkey_prepare around line 1592 seems to iterate the files list limiting itself to external keys. For each external key it iterates the files list again using the same filter. As it finds the same key again it compares the two and thus adds it to the preferred list. Running this in gdb shows the two keys id and id2 pointing to the same address when adding the key to the preferred list. It looks like it might be iterating the external keys and trying to find a matching IdentityFile to apply the IdentitiesOnly filter but fails to do so.

But as I said, that might be a misinterpretation and not related.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Apr-03 05:15 UTC
[Bug 3141] ssh ignores IdentitiesOnly for PKCS11Provider
https://bugzilla.mindrot.org/show_bug.cgi?id=3141

Damien Miller <djm at mindrot.org> changed:

            What    |Removed                      |Added
----------------------------------------------------------------------------
        Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
              CC|                             |djm at mindrot.org
          Status|NEW                          |ASSIGNED
Attachment #3372|                             |ok?
           Flags|                             |

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Created attachment 3372
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3372&action=edit
check PKCS#11 keys against non-PKCS#11 keys only

I think your analysis is correct. Can you please try this patch?
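As an added illustration (not OpenSSH's sshconnect2.c), this Python model of the IdentitiesOnly filter follows the reporter's analysis above: the buggy inner search looks among the token keys again, so every token key matches itself, while the `fixed` variant does what the patch title describes and matches token keys against non-PKCS#11 keys only. It also includes a helper that lists the distinct token keys an `ssh -vvv` log says it will attempt, which is how to check a build; `Identity`, `preferred_token_keys`, `attempted_provider_keys`, the fingerprints and the debug lines are constructed for this example.

```python
# Model of the IdentitiesOnly filter as the report describes it; an added
# illustration, not OpenSSH's sshconnect2.c.
from dataclasses import dataclass
import re

@dataclass(frozen=True)
class Identity:
    fingerprint: str   # stands in for the public key (constructed sample values)
    external: bool     # True for a key enumerated from the PKCS11Provider

def preferred_token_keys(files, identities_only, fixed):
    """Token keys ssh would attempt. `files` holds IdentityFile entries
    (external=False) and provider keys (external=True) in one list. With
    IdentitiesOnly a token key is kept only if an IdentityFile entry carries
    the same public key; the buggy variant searches the external keys again,
    so every token key matches itself."""
    preferred = []
    for ident in files:
        if not ident.external:
            continue  # outer loop handles token keys only
        if not identities_only:
            preferred.append(ident)
            continue
        if fixed:
            pool = [f for f in files if not f.external]  # non-PKCS#11 keys only
        else:
            pool = [f for f in files if f.external]  # same filter as outer loop
        if any(f.fingerprint == ident.fingerprint for f in pool):
            preferred.append(ident)
    return preferred

_ATTEMPT = re.compile(r"Will attempt key: (\S+) \S+ (SHA256:\S+)")

def attempted_provider_keys(debug_output, provider):
    """Distinct fingerprints an `ssh -vvv` log says it will try via provider."""
    return sorted({m.group(2) for m in _ATTEMPT.finditer(debug_output)
                   if m.group(1) == provider})

# Constructed sample: one IdentityFile (token.pub) plus a token holding three keys.
FILES = [Identity("SHA256:aaa", False), Identity("SHA256:aaa", True),
         Identity("SHA256:bbb", True), Identity("SHA256:ccc", True)]

# Constructed debug lines in the shape of the report's output.
DEBUG = """debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:aaa token
debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:bbb token
debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:ccc token
"""
```

With a patched ssh, a log of a real session fed to `attempted_provider_keys` should list only the fingerprints that also appear as IdentityFile entries.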
bugzilla-daemon at mindrot.org
2020-Apr-03 08:08 UTC
[Bug 3141] ssh ignores IdentitiesOnly for PKCS11Provider
https://bugzilla.mindrot.org/show_bug.cgi?id=3141

--- Comment #2 from keil at dfn-cert.de ---
Yes, that does it. Only the keys present as IdentityFiles are now attempted.
bugzilla-daemon at mindrot.org
2020-Apr-05 10:26 UTC
[Bug 3141] ssh ignores IdentitiesOnly for PKCS11Provider
https://bugzilla.mindrot.org/show_bug.cgi?id=3141

Facio2020 <ivan.2019.ifv at gmail.com> changed:

            What    |Removed                      |Added
----------------------------------------------------------------------------
              CC|                             |ivan.2019.ifv at gmail.com
bugzilla-daemon at mindrot.org
2020-Apr-07 03:20 UTC
[Bug 3141] ssh ignores IdentitiesOnly for PKCS11Provider
https://bugzilla.mindrot.org/show_bug.cgi?id=3141

Damien Miller <djm at mindrot.org> changed:

            What    |Removed                      |Added
----------------------------------------------------------------------------
              CC|                             |dtucker at dtucker.net
Attachment #3372|ok?                          |ok?(dtucker at dtucker.net)
           Flags|                             |
bugzilla-daemon at mindrot.org
2020-Apr-07 03:30 UTC
[Bug 3141] ssh ignores IdentitiesOnly for PKCS11Provider
https://bugzilla.mindrot.org/show_bug.cgi?id=3141

Darren Tucker <dtucker at dtucker.net> changed:

            What    |Removed                      |Added
----------------------------------------------------------------------------
Attachment #3372|ok?(dtucker at dtucker.net)    |ok+
           Flags|                             |
bugzilla-daemon at mindrot.org
2020-Apr-07 03:46 UTC
[Bug 3141] ssh ignores IdentitiesOnly for PKCS11Provider
https://bugzilla.mindrot.org/show_bug.cgi?id=3141

Darren Tucker <dtucker at dtucker.net> changed:

            What    |Removed                      |Added
----------------------------------------------------------------------------
          Blocks|                             |3117

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3117
[Bug 3117] Tracking bug for 8.3 release
bugzilla-daemon at mindrot.org
2020-Apr-17 03:40 UTC
[Bug 3141] ssh ignores IdentitiesOnly for PKCS11Provider
https://bugzilla.mindrot.org/show_bug.cgi?id=3141

Damien Miller <djm at mindrot.org> changed:

            What    |Removed                      |Added
----------------------------------------------------------------------------
          Status|ASSIGNED                     |RESOLVED
      Resolution|---                          |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
That fix has been committed and will be included in the OpenSSH 8.3 release - thanks!
bugzilla-daemon at mindrot.org
2021-Apr-23 05:10 UTC
[Bug 3141] ssh ignores IdentitiesOnly for PKCS11Provider
https://bugzilla.mindrot.org/show_bug.cgi?id=3141

Damien Miller <djm at mindrot.org> changed:

            What    |Removed                      |Added
----------------------------------------------------------------------------
          Status|RESOLVED                     |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release
bugzilla-daemon at mindrot.org
2021-Oct-13 14:40 UTC
[Bug 3141] ssh ignores IdentitiesOnly for PKCS11Provider
https://bugzilla.mindrot.org/show_bug.cgi?id=3141

Ahmed Sayeed <ahmedsayeed1982 at yahoo.com> changed:

            What    |Removed                      |Added
----------------------------------------------------------------------------
              CC|                             |ahmedsayeed1982 at yahoo.com