bugzilla-daemon at mindrot.org
2020-Aug-26 08:45 UTC
[Bug 3202] New: Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202
Bug ID: 3202
Summary: Ed25519 key on HSM is not getting listed in ssh-add -l
command
Product: Portable OpenSSH
Version: 8.2p1
Hardware: ARM64
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-add
Assignee: unassigned-bugs at mindrot.org
Reporter: ranjan.kumar at thalesgroup.com
Created attachment 3442
--> https://bugzilla.mindrot.org/attachment.cgi?id=3442&action=edit
Logs that shows detailed output of each command with cryptoki log and
dmesg.
Steps to Reproduce:
1.Install OpenSSH
2.Install SafeNet LunaClient and setup NTLS.
3.Generate Edward 25519 and RSA Key using SafeNet ckdemo utility.
4.Run below commands:
a.)eval `ssh-agent -P "/usr/safenet/lunaclient/lib/*" -s`
b.)ssh-add -s /usr/safenet/lunaclient/lib/libcklog2.so
c.)ssh-add -l
Actual Output:
2048 SHA256:r/7tkup1Bb76UDVgs5GDfTDvKpTVhhM0SWNY+Mja2Xg Generated RSA
Public Key (RSA)
Expected Output: Both RSA And Ed25519 key should be listed.
5.Create Ed25519 key using ssh-keygen command on HSM: ssh-keygen -t
ed25519 -D /usr/safenet/lunaclient/lib/libcklog2.so
Actual Output:
Enter PIN for 'ranjan':
skipping unsupported key type
failed to fetch key
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAABAQCTt5YbM8CVbfAhjhu5QeQJ/P8To47dWjw2oeb2lRycZkW/UmgRdT+wd/i1nqwMaiPhNHW40ivI90ta2KFNGfx+hQAXgFn+UWpFeTDsHbvSCnO0vQh4s8EHPw89Fr4Sl9NXgTZNIbzEOjE7KiPy85zmoBY8rr06jhA4xK7ig3Bq6zkj9AoW/H+ph+F7v3uyeaJVqNbD3SjMbdf8kt9UAlQczHtKdaJm/akH5HlWa38+wDwQsTAnFvbSmiM6/nYcD8f5PA1/tCr5JdsrhhLplYIrfh3Xf/ZBAubYESKeOy1QNR3U4TXSklPVrkPPlx7qpynMS1emVgzen2Fonkga8V4t
Generated RSA Public Key
Expected Output:Ed25519 Key Should be generated
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Aug-27 09:32 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Keywords| |pkcs11
CC| |jjelen at redhat.com
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
The support for Ed25519 keys is very fresh in PKCS #11 so not even all
pksc11 libraries caught up. But as we have RSA and ECDSA, adding
Ed25519 should not be that hard. I would like to have a look into that
eventually.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Aug-27 09:54 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202 --- Comment #2 from Ranjan <ranjan.kumar at thalesgroup.com> --- Thanks Jakub. We have many customers who want to use ED25519,so can you please tell when we can expect the support for this will be avaiable? -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Aug-28 03:05 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
OpenSSH won't implement this until we have some way to test, preferably
both hardware and a software (softhsm or similar) target to test
against.
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Aug-28 09:41 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202 --- Comment #4 from Jakub Jelen <jjelen at redhat.com> --- (In reply to Damien Miller from comment #3)> OpenSSH won't implement this until we have some way to test, > preferably both hardware and a software (softhsm or similar) target > to test against.SoftHSM supports Ed25519 keys already [0] (with some follow-up fixes to match final PKCS #11 3.0 specs) and for OpenSC we have patches pending (tested with NitroKey with Gnuk applet) [1] so if anyone is interested to work on this, there are enough possibilities. [0] https://github.com/opendnssec/SoftHSMv2/pull/324 [1] https://github.com/OpenSC/OpenSC/pull/1960 -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Sep-02 07:40 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202 --- Comment #5 from Ranjan <ranjan.kumar at thalesgroup.com> --- We have several customers interested in ED25519 keys to use with SSH where the keys are generated on HSM. If you can provide support in OpenSSH then we can test and verify it on our end with HSM. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Oct-13 12:57 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202 --- Comment #6 from Ranjan <ranjan.kumar at thalesgroup.com> --- Hi,Is there any update on this? -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Oct-15 01:12 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202 --- Comment #7 from Damien Miller <djm at mindrot.org> --- No update - we still do not have an ability to test it ourselves. Offers to test it on our behalf are kind but unfortunately not practical for development. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2020-Oct-15 13:03 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202 --- Comment #8 from Jakub Jelen <jjelen at redhat.com> --- (In reply to Damien Miller from comment #7)> No update - we still do not have an ability to test it ourselves.Whats wrong with the SoftHSM implementation I mentioned earlier? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Jun-01 04:18 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202
gl041188 at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |gl041188 at gmail.com
URL| |https://glong.net
Assignee|unassigned-bugs at mindrot.org |gl041188 at gmail.com
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Jun-01 04:29 UTC
[Bug 3202] Ed25519 key on HSM is not getting listed in ssh-add -l command
https://bugzilla.mindrot.org/show_bug.cgi?id=3202 --- Comment #9 from gl041188 at gmail.com --- ssh/guanlong_huang_rsa -- You are receiving this mail because: You are watching someone on the CC list of the bug.
Possibly Parallel Threads
- [PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
- [PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
- [Bug 2474] New: Enabling ECDSA in PKCS#11 support for ssh-agent
- [PATCH] ssh-pkcs11: allow providing unconditional pin code for PKCS11
- [Bug 2924] New: Order a limited host keys list in client based on the known hosts