bugzilla-daemon at mindrot.org
2020-Aug-26 08:45 UTC
[Bug 3202] New: Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

Bug ID: 3202
Summary: Ed25519 key on HSM is not getting listed in ssh-add -l command
Product: Portable OpenSSH
Version: 8.2p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-add
Assignee: unassigned-bugs at mindrot.org
Reporter: ranjan.kumar at thalesgroup.com

Created attachment 3442 --> https://bugzilla.mindrot.org/attachment.cgi?id=3442&action=edit
Logs that show the detailed output of each command with cryptoki log and dmesg.

Steps to Reproduce:
1. Install OpenSSH.
2. Install SafeNet LunaClient and set up NTLS.
3. Generate Edward 25519 and RSA keys using the SafeNet ckdemo utility.
4. Run the commands below:
   a.) eval `ssh-agent -P "/usr/safenet/lunaclient/lib/*" -s`
   b.) ssh-add -s /usr/safenet/lunaclient/lib/libcklog2.so
   c.) ssh-add -l

   Actual Output:
   2048 SHA256:r/7tkup1Bb76UDVgs5GDfTDvKpTVhhM0SWNY+Mja2Xg Generated RSA Public Key (RSA)

   Expected Output:
   Both RSA and Ed25519 keys should be listed.

5. Create an Ed25519 key using the ssh-keygen command on the HSM:
   ssh-keygen -t ed25519 -D /usr/safenet/lunaclient/lib/libcklog2.so

   Actual Output:
   Enter PIN for 'ranjan':
   skipping unsupported key type
   failed to fetch key
   ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTt5YbM8CVbfAhjhu5QeQJ/P8To47dWjw2oeb2lRycZkW/UmgRdT+wd/i1nqwMaiPhNHW40ivI90ta2KFNGfx+hQAXgFn+UWpFeTDsHbvSCnO0vQh4s8EHPw89Fr4Sl9NXgTZNIbzEOjE7KiPy85zmoBY8rr06jhA4xK7ig3Bq6zkj9AoW/H+ph+F7v3uyeaJVqNbD3SjMbdf8kt9UAlQczHtKdaJm/akH5HlWa38+wDwQsTAnFvbSmiM6/nYcD8f5PA1/tCr5JdsrhhLplYIrfh3Xf/ZBAubYESKeOy1QNR3U4TXSklPVrkPPlx7qpynMS1emVgzen2Fonkga8V4t Generated RSA Public Key

   Expected Output:
   An Ed25519 key should be generated.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Aug-27 09:32 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

Jakub Jelen <jjelen at redhat.com> changed:

What      |Removed |Added
Keywords  |        |pkcs11
CC        |        |jjelen at redhat.com

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
The support for Ed25519 keys is very fresh in PKCS #11, so not even all pkcs11 libraries caught up. But as we have RSA and ECDSA, adding Ed25519 should not be that hard. I would like to have a look into that eventually.
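Comment #1 above points out that OpenSSH already turns RSA and ECDSA objects from a PKCS #11 token into agent keys, so the missing piece for Ed25519 is recognising the Edwards-curve attributes instead of printing "skipping unsupported key type". The block below is an added example, not OpenSSH's code and not from the reporter or the Luna client: it decodes constructed CKA_EC_PARAMS and CKA_EC_POINT values (the PKCS #11 3.0 encodings are assumed; the sample point bytes are placeholders, not a real key) into the ssh-ed25519 public key line and the line ssh-add -l would print for it.

```python
import base64
import hashlib
import struct

# Constructed sample encodings (not from the bug report's HSM). PKCS #11 3.0 lets
# CKA_EC_PARAMS of an Edwards key be the DER OID id-Ed25519 (1.3.101.112) or the DER
# PrintableString "edwards25519"; CKA_EC_POINT is a DER OCTET STRING around the raw key.
ED25519_OID_DER = bytes.fromhex("06032b6570")
ED25519_NAME_DER = b"\x13\x0c" + b"edwards25519"
P256_OID_DER = bytes.fromhex("06082a8648ce3d030107")  # secp256r1, for contrast
SAMPLE_POINT = b"\x04\x20" + bytes(range(32))  # placeholder key bytes, not a real key

def is_ed25519_params(ec_params: bytes) -> bool:
    return ec_params in (ED25519_OID_DER, ED25519_NAME_DER)

def decode_ec_point(ec_point: bytes) -> bytes:
    """Unwrap the DER OCTET STRING and return the raw 32-byte public key."""
    if len(ec_point) < 2 or ec_point[0] != 0x04 or ec_point[1] & 0x80:
        raise ValueError("CKA_EC_POINT is not a short-form DER OCTET STRING")
    if ec_point[1] != len(ec_point) - 2 or ec_point[1] != 32:
        raise ValueError("Ed25519 public key must be exactly 32 bytes")
    return ec_point[2:]

def ssh_string(data: bytes) -> bytes:
    """SSH wire 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data

def ed25519_blob(ec_params: bytes, ec_point: bytes) -> bytes:
    """Build the ssh-ed25519 public key blob; refuse non-Edwards parameters."""
    if not is_ed25519_params(ec_params):
        raise ValueError("skipping unsupported key type")  # what ssh-add prints today
    return ssh_string(b"ssh-ed25519") + ssh_string(decode_ec_point(ec_point))

def authorized_keys_line(ec_params: bytes, ec_point: bytes, comment: str = "hsm-ed25519") -> str:
    return f"ssh-ed25519 {base64.b64encode(ed25519_blob(ec_params, ec_point)).decode()} {comment}"

def ssh_add_l_line(ec_params: bytes, ec_point: bytes, comment: str = "hsm-ed25519") -> str:
    """The line `ssh-add -l` would show once the key is recognised: bits, fingerprint, comment, type."""
    digest = hashlib.sha256(ed25519_blob(ec_params, ec_point)).digest()
    return f"256 SHA256:{base64.b64encode(digest).decode().rstrip('=')} {comment} (ED25519)"

def parse_authorized_keys_line(line: str):
    """Inverse of authorized_keys_line: return (key type, raw public key, comment)."""
    key_type, b64, comment = line.split(" ", 2)
    blob = base64.b64decode(b64)
    tlen = struct.unpack(">I", blob[:4])[0]
    if blob[4:4 + tlen] != key_type.encode():
        raise ValueError("key type in blob does not match the line prefix")
    klen = struct.unpack(">I", blob[4 + tlen:8 + tlen])[0]
    return key_type, blob[8 + tlen:8 + tlen + klen], comment
```

Feeding it the secp256r1 parameters instead reproduces the "skipping unsupported key type" refusal, which is the branch a real implementation would replace with the Edwards handling.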
bugzilla-daemon at mindrot.org
2020-Aug-27 09:54 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

--- Comment #2 from Ranjan <ranjan.kumar at thalesgroup.com> ---
Thanks Jakub. We have many customers who want to use ED25519, so can you please tell when we can expect the support for this to be available?
bugzilla-daemon at mindrot.org
2020-Aug-28 03:05 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

Damien Miller <djm at mindrot.org> changed:

What  |Removed |Added
CC    |        |djm at mindrot.org

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
OpenSSH won't implement this until we have some way to test, preferably both hardware and a software (softhsm or similar) target to test against.
bugzilla-daemon at mindrot.org
2020-Aug-28 09:41 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

--- Comment #4 from Jakub Jelen <jjelen at redhat.com> ---
(In reply to Damien Miller from comment #3)
> OpenSSH won't implement this until we have some way to test,
> preferably both hardware and a software (softhsm or similar) target
> to test against.

SoftHSM supports Ed25519 keys already [0] (with some follow-up fixes to match the final PKCS #11 3.0 specs) and for OpenSC we have patches pending (tested with NitroKey with Gnuk applet) [1], so if anyone is interested in working on this, there are enough possibilities.

[0] https://github.com/opendnssec/SoftHSMv2/pull/324
[1] https://github.com/OpenSC/OpenSC/pull/1960
bugzilla-daemon at mindrot.org
2020-Sep-02 07:40 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

--- Comment #5 from Ranjan <ranjan.kumar at thalesgroup.com> ---
We have several customers interested in ED25519 keys to use with SSH where the keys are generated on an HSM. If you can provide support in OpenSSH, then we can test and verify it on our end with the HSM.
bugzilla-daemon at mindrot.org
2020-Oct-13 12:57 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

--- Comment #6 from Ranjan <ranjan.kumar at thalesgroup.com> ---
Hi, is there any update on this?
bugzilla-daemon at mindrot.org
2020-Oct-15 01:12 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
No update - we still do not have an ability to test it ourselves. Offers to test it on our behalf are kind but unfortunately not practical for development.
bugzilla-daemon at mindrot.org
2020-Oct-15 13:03 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

--- Comment #8 from Jakub Jelen <jjelen at redhat.com> ---
(In reply to Damien Miller from comment #7)
> No update - we still do not have an ability to test it ourselves.

What's wrong with the SoftHSM implementation I mentioned earlier?
bugzilla-daemon at mindrot.org
2021-Jun-01 04:18 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

gl041188 at gmail.com changed:

What      |Removed                      |Added
CC        |                             |gl041188 at gmail.com
URL       |                             |https://glong.net
Assignee  |unassigned-bugs at mindrot.org |gl041188 at gmail.com
bugzilla-daemon at mindrot.org
2021-Jun-01 04:29 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202

--- Comment #9 from gl041188 at gmail.com ---
ssh/guanlong_huang_rsa