bugzilla-daemon at mindrot.org
2020-Nov-19 20:20 UTC
[Bug 3234] New: SSH does not read pkcs11-based private key.
https://bugzilla.mindrot.org/show_bug.cgi?id=3234
Bug ID: 3234
Summary: SSH does not read pkcs11-based private key.
Product: Portable OpenSSH
Version: 8.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: Smartcard
Assignee: unassigned-bugs at mindrot.org
Reporter: mishaad051 at gmail.com
When I try to connect to a server via ssh, which has the public key
authentication enabled, my key is rejected and I am asked to use
another authentication method.
System SSH version:
OpenSSH_8.4p1, OpenSSL 1.1.1h 22 Sep 2020
ssh some-user at some-server -vvv -I ~/pkcs11-libs/librtpkcs11ecp.so:
https://termbin.com/ehn7
Token is detected and works for other purposes.
pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T
Available slots:
Slot 0 (0x0): Aktiv Rutoken ECP 00 00
token label : token1
token manufacturer : Aktiv Co.
token model : Rutoken ECP
token flags : login required, rng, SO PIN to be changed, token
initialized, PIN initialized, user PIN to be changed
hardware version : 20.5
firmware version : 23.2
serial num : 3b7558b7
pin min/max : 6/32
Whereas, using OpenSSH v8.2p1 allowed me to connect with key written in
token:
/home/some-user/ssh8.2/bin/ssh some-user at some-server -I
/usr/lib/librtpkcs11ecp.so -vvv
https://termbin.com/7uy3
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-19 20:21 UTC
[Bug 3234] SSH does not read pkcs11-based private key.
https://bugzilla.mindrot.org/show_bug.cgi?id=3234
Inferno_geek <mishaad051 at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |mishaad051 at gmail.com
bugzilla-daemon at mindrot.org
2020-Nov-19 23:18 UTC
[Bug 3234] SSH does not read pkcs11-based private key.
https://bugzilla.mindrot.org/show_bug.cgi?id=3234
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Does "ssh-keygen -D /path/pkcs11.so" show the keys?
bugzilla-daemon at mindrot.org
2020-Nov-20 09:35 UTC
[Bug 3234] SSH does not read pkcs11-based private key.
https://bugzilla.mindrot.org/show_bug.cgi?id=3234
Jakub Jelen <jjelen at redhat.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |jjelen at redhat.com
--- Comment #2 from Jakub Jelen <jjelen at redhat.com> ---
The log says it has different amount of keys in OpenSSH 8.4. Can you
get the list of objects with the following command?
pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
bugzilla-daemon at mindrot.org
2020-Nov-20 10:45 UTC
[Bug 3234] SSH does not read pkcs11-based private key.
https://bugzilla.mindrot.org/show_bug.cgi?id=3234
--- Comment #3 from Inferno_geek <mishaad051 at gmail.com> ---
(In reply to Damien Miller from comment #1)
> Does "ssh-keygen -D /path/pkcs11.so" show the keys?
~/ssh8-2/bin/ssh-keygen -D ~/pkcs11-libs/librtpkcs11ecp.so | nc termbin.com 9999
https://termbin.com/g3fo
ssh-keygen -D ~/pkcs11-libs/librtpkcs11ecp.so | nc termbin.com 9999
https://termbin.com/9avs
bugzilla-daemon at mindrot.org
2020-Nov-20 10:45 UTC
[Bug 3234] SSH does not read pkcs11-based private key.
https://bugzilla.mindrot.org/show_bug.cgi?id=3234
--- Comment #4 from Inferno_geek <mishaad051 at gmail.com> ---
(In reply to Jakub Jelen from comment #2)
> The log says it has different amount of keys in OpenSSH 8.4. Can you
> get the list of objects with the following command?
>
> pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
pkcs11-tool --module ~/pkcs11-libs/librtpkcs11ecp.so -O 2>&1 | nc termbin.com 9999
https://termbin.com/pvsa
bugzilla-daemon at mindrot.org
2020-Nov-22 23:06 UTC
[Bug 3234] SSH does not read pkcs11-based private key.
https://bugzilla.mindrot.org/show_bug.cgi?id=3234
--- Comment #5 from Damien Miller <djm at mindrot.org> ---
Are you using IdentitiesOnly in your ~/.ssh/config? In fixing bug
#3141, ssh will no longer attempt all PKCS#11 keys when this option
is active.
bugzilla-daemon at mindrot.org
2020-Nov-22 23:15 UTC
[Bug 3234] SSH does not read pkcs11-based private key.
https://bugzilla.mindrot.org/show_bug.cgi?id=3234
--- Comment #6 from Inferno_geek <mishaad051 at gmail.com> ---
(In reply to Damien Miller from comment #5)
> Are you using IdentitiesOnly in your ~/.ssh/config? In fixing bug
> #3141, ssh will no longer attempt all PKCS#11 keys when this option
> is active.
I removed the line and I was able to connect via key on token. Thank you.
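The interaction identified in comments #5 and #6 can be checked from the effective client configuration. The script below is an added example, not part of the bug thread or of OpenSSH; the function and variable names are hypothetical, and it assumes `ssh -G <host>` prints the effective options as lowercase keywords (identitiesonly, pkcs11provider, identityfile).

```shell
#!/bin/sh
# Added example (not from the bug thread). Names here are hypothetical.
# Assumption: `ssh -G <host>` prints the effective client configuration,
# one lowercase keyword per line.

# Constructed sample of `ssh -G` output for a host with a token provider
# configured and "IdentitiesOnly yes" set, the situation in this report.
SAMPLE_RESTRICTED='hostname some-server
identitiesonly yes
pkcs11provider /usr/lib/librtpkcs11ecp.so
identityfile ~/.ssh/id_rsa
identityfile ~/.ssh/id_ed25519'

# Read `ssh -G` output on stdin and classify how token keys will be treated.
classify_pkcs11_config() {
    awk '
        $1 == "identitiesonly" { only = ($2 == "yes") }
        $1 == "pkcs11provider" { provider = $2 }
        $1 == "identityfile"   { nfiles++ }
        END {
            if (provider == "" || provider == "none") {
                # No PKCS#11 module configured, nothing to restrict.
                print "no-provider"
            } else if (only) {
                # IdentitiesOnly is active: ssh no longer tries every
                # key on the token, only the configured identities.
                print "token-keys-restricted identityfiles=" (nfiles + 0)
            } else {
                print "all-token-keys-offered"
            }
        }'
}

# Convenience wrapper: classify the effective configuration for one host.
diagnose_host() {
    ssh -G "$1" | classify_pkcs11_config
}
```

Running `diagnose_host some-server` on an affected client reports `token-keys-restricted`, which points at the IdentitiesOnly line as the reason the token key is not offered.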
bugzilla-daemon at mindrot.org
2020-Nov-25 03:06 UTC
[Bug 3234] SSH does not read pkcs11-based private key.
https://bugzilla.mindrot.org/show_bug.cgi?id=3234
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WORKSFORME
Status|NEW |RESOLVED
bugzilla-daemon at mindrot.org
2021-Mar-03 22:52 UTC
[Bug 3234] SSH does not read pkcs11-based private key.
https://bugzilla.mindrot.org/show_bug.cgi?id=3234
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle