bugzilla-daemon at mindrot.org
2025-Oct-13 00:06 UTC
[Bug 3879] New: ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
Bug ID: 3879
Summary: ssh: pkcs11 key enumeration fails with "pin required"
Product: Portable OpenSSH
Version: 10.1p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: jan.nordholz at mail.de
Created attachment 3911
--> https://bugzilla.mindrot.org/attachment.cgi?id=3911&action=edit
patch to pass interactive mode on to pkcs11 helper
Hi,
starting with 10.1p1, ssh uses ssh-pkcs11-helper, which means that
pkcs11_init() and pkcs11_add_provider() no longer directly go to the
implementations in ssh-pkcs11.c, but now reach the stubs in
ssh-pkcs11-client.c. There pkcs11_init() is a NOP, and
pkcs11_add_provider() is the proxy stub that forks off the helper
subprocess.
Now for regular interactive usage, ssh.c calls
pkcs11_init(!options.batch_mode) (which does nothing), and the
forked-off helper unconditionally calls pkcs11_init(0), meaning the
helper is always running in batch mode and refusing to enumerate the
smartcard keys. This is probably not what was intended - and frankly,
the duplication of function names didn't really help me traverse
this...
I've created a patch that plumbs through the "interactive" mode by
adding another command line parameter to the pkcs11 helper and by
expanding the pkcs11_init() stub in ssh-pkcs11-client.c to do the
necessary thing.
Jan
Log snippet with 10.0:
====
debug1: Connection established.
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:
manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription
<OpenSC smartcard framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0:
label <...> manufacturerID <...> model <...> serial
<...>
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 1 keys
====
Log snippet with 10.1:
====
debug1: Connection established.
debug1: pkcs11_start_helper: starting
/usr/lib/openssh/ssh-pkcs11-helper -vvv
debug3: pkcs11_init: called, interactive = 0
debug1: process_add
debug3: process_add: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:
manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription
<OpenSC smartcard framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0:
label <...> manufacturerID <...> model <...> serial
<...>
pin required
debug1: pkcs11_provider_finalize: provider
"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1 valid 1
debug1: pkcs11_provider_unref: provider
"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 1
debug1: pkcs11_add_provider: provider
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so returned no keys
debug1: pkcs11_add_provider: no keys; terminate helper
debug1: read eof
====
10.2 with patch applied results in this:
====
debug1: Connection established.
debug3: pkcs11_start_helper: start helper for
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug3: pkcs11_start_helper: helper 0 for
"/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" on fd 4 pid 32081
debug3: pkcs11_add_provider: add
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug1: pkcs11_start_helper: starting
/usr/lib/openssh/ssh-pkcs11-helper -vvv -i
debug3: pkcs11_init: called, interactive = 1
debug1: process_add
debug3: process_add: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so:
manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription
<OpenSC smartcard framew>
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0:
label <...> manufacturerID <...> model <...> serial
<...>
debug1: pkcs11_record_key: RSA key: provider
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0 keyid 00
debug2: pkcs11_fetch_keys: provider
/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 1 keys
====
--
You are receiving this mail because:
You are watching the assignee of the bug.
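The round trip the report describes, as an added standalone model (not OpenSSH's code and not the attached patch): the client-side pkcs11_init() stub keeps the mode in a static, the helper's argv gains "-i" when interactive, and the helper parses it back out. The names build_helper_argv, helper_parse_args and helper_mode_for are assumed for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <unistd.h>
/* file-scope static, as suggested in the review, rather than a global */
static int pkcs11_interactive = 0;
/* Client-side stub: remember the mode instead of discarding it. */
void pkcs11_init(int interactive)
{
	pkcs11_interactive = interactive;
}

/* Build the helper's argv (room for 4 entries); append -i when interactive. */
int build_helper_argv(const char *helper, const char *argv[4])
{
	int n = 0;
	argv[n++] = helper;
	argv[n++] = "-vvv";
	if (pkcs11_interactive)
		argv[n++] = "-i";   /* the option the patch adds (assumed spelling) */
	argv[n] = NULL;
	return n;
}

/* Helper side: parse -v/-i; without -i the helper stays in batch mode. */
int helper_parse_args(int argc, char *const argv[])
{
	int ch, interactive = 0;
	optind = 1;   /* reset so the parser can run more than once */
	while ((ch = getopt(argc, argv, "vi")) != -1)
		if (ch == 'i')
			interactive = 1;
	return interactive;
}

/* Full round trip: which mode the helper ends up in for a given ssh mode. */
int helper_mode_for(int ssh_interactive)
{
	const char *argv[4];
	int argc;
	pkcs11_init(ssh_interactive);
	argc = build_helper_argv("/usr/lib/openssh/ssh-pkcs11-helper", argv);
	return helper_parse_args(argc, (char *const *)argv);
}
int main(void)
{
	printf("interactive ssh -> helper interactive = %d\n", helper_mode_for(1));
	printf("batch ssh -> helper interactive = %d\n", helper_mode_for(0));
	return 0;
}
```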
bugzilla-daemon at mindrot.org
2025-Oct-13 00:39 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This was fixed in a different way in openssh-10.2. Can you confirm
whether this release fixed the problem?
bugzilla-daemon at mindrot.org
2025-Oct-13 00:47 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
--- Comment #2 from jan.nordholz at mail.de ---
Hi,
no, 10.2p1 did not fix it for me. I can see nothing in the git diff
between V_10_1 and V_10_2 that relates to this - the fixes between those
two versions appear to be only related to ssh-keygen (and a little bit of
shuffling around, e.g. pkcs11_sign() and pkcs11_key_free()).
bugzilla-daemon at mindrot.org
2025-Oct-13 01:00 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Ah, I see - you're using PKCS#11 in ssh directly, without going via
ssh-agent.
Your fix looks good but I just noticed we're lacking regress tests for
that particular case. I'll take a stab at writing them and will be able
to use your fix to verify that they are working correctly.
bugzilla-daemon at mindrot.org
2025-Oct-13 01:00 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Blocks| |3880
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3880
[Bug 3880] Tracking bug for openssh-10.3
bugzilla-daemon at mindrot.org
2025-Oct-13 02:29 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
Created attachment 3912
--> https://bugzilla.mindrot.org/attachment.cgi?id=3912&action=edit
regress test for ssh using PKCS#11 directly
bugzilla-daemon at mindrot.org
2025-Oct-13 02:29 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
Attachment #3911 Flags| |ok?(dtucker at dtucker.net)
bugzilla-daemon at mindrot.org
2025-Oct-13 05:32 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3911 Flags|ok?(dtucker at dtucker.net) |ok+
--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
Comment on attachment 3911
--> https://bugzilla.mindrot.org/attachment.cgi?id=3911
patch to pass interactive mode on to pkcs11 helper
>+int pkcs11_interactive = 0;
that could be static rather than global?
bugzilla-daemon at mindrot.org
2025-Oct-13 06:46 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
--- Comment #6 from jan.nordholz at mail.de ---
Hi,
sure. I just copied over from ssh-pkcs11.c - the one there could be made
static, too, I guess.
bugzilla-daemon at mindrot.org
2025-Oct-13 08:08 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
Colin Watson <cjwatson at debian.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |cjwatson at debian.org
bugzilla-daemon at mindrot.org
2025-Oct-14 05:05 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
Are you entering your PIN via ssh-askpass? I don't immediately see how
this could work otherwise...
bugzilla-daemon at mindrot.org
2025-Oct-14 06:39 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
--- Comment #8 from jan.nordholz at mail.de ---
No,
I assume the "Enter PIN for '<CARD>':" prompt I'm using is coming from
ssh-pkcs11.c:pkcs11_login_slot():
====
	if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
		verbose("Deferring PIN entry to reader keypad.");
	else {
		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
		    si->token.label);
		if ((pin = read_passphrase(prompt, RP_ALLOW_EOF)) == NULL) {
			debug_f("no pin specified");
			return (-1); /* bail out */
		}
	}
	rv = provider->function_list->C_Login(si->session, type, (u_char *)pin,
	    (pin != NULL) ? strlen(pin) : 0);
====
bugzilla-daemon at mindrot.org
2025-Oct-15 23:39 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
--- Comment #9 from Damien Miller <djm at mindrot.org> ---
Created attachment 3914
--> https://bugzilla.mindrot.org/attachment.cgi?id=3914&action=edit
Link ssh against ssh-pkcs11.o directly
Actually, I think this approach might be better. ssh-pkcs11-client.c is
mostly meant for non-interactive cases. PIN entry might work if there's a
tty around (or ssh-askpass), but it doesn't have stdin/out attached.
ssh-pkcs11.c has the same API. I think it makes more sense to use this
directly in ssh and ssh-keygen (which we similarly fixed in 10.2).
We have the -client/-helper system mostly for ssh-agent, where we don't
want a potentially-hostile PKCS11 module added via the agent socket
getting access to ssh-agent's address space, which may contain private
keys. For ssh this concern doesn't exist, as the PKCS11Provider must be
specified on the commandline or in the config file.
bugzilla-daemon at mindrot.org
2025-Oct-16 07:00 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
Mantas M. [grawity] <grawity at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |grawity at gmail.com
bugzilla-daemon at mindrot.org
2025-Oct-16 15:30 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
--- Comment #10 from Colin Watson <cjwatson at debian.org> ---
I applied the above patch to a branch of the Debian package (details in
https://bugs.debian.org/1117720#64). One user reported:
> On the upside, I was prompted for a PIN and login completed
> successfully; however, it did drop some (apparently harmless) messages
> before requesting the PIN:
>
> > ssh [hostname redacted]
> failed to fetch key
> failed to fetch key
> failed to fetch key
> failed to fetch key
> failed to fetch key
> failed to fetch key
> failed to fetch key
bugzilla-daemon at mindrot.org
2025-Oct-16 21:39 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
--- Comment #11 from jan.nordholz at mail.de ---
Hi,
the only reason pkcs11_fetch_x509_pubkey() fails without printing an
error() on its own is if pkcs11_record_key() fails, and the only reason
for that one to fail without printing an error is if the key is already
known - which doesn't constitute an error worth printing at all (and
"failed to fetch" is even just wrong). So maybe this error() in
pkcs11_fetch_certs() can be dropped?
Here's my log snippet:
====
debug1: pkcs11_record_key: RSA key: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0 keyid 00
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 1 keys
debug1: pkcs11_record_key: RSA key: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0 keyid 01
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 2 keys
debug1: pkcs11_record_key: RSA key: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0 keyid 02
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: RSA SHA256:...
debug1: have 3 keys
debug1: pkcs11_record_key: RSA key: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0 keyid 00
debug1: pkcs11_record_key: Already seen this key at provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0 keyid 00
failed to fetch key from x.509 cert
debug1: pkcs11_record_key: RSA key: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0 keyid 02
debug1: pkcs11_record_key: Already seen this key at provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0 keyid 02
failed to fetch key from x.509 cert
====
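A standalone model of the duplicate-key case argued in the comment above, added here and not OpenSSH's code: record_key() and fetch_certs() are assumed stand-ins for pkcs11_record_key() and pkcs11_fetch_certs(), an already-seen key is a distinct non-error result, and only a genuine failure is reported. The replayed key ids follow the log in the comment and are constructed input.

```c
#include <stdio.h>
#include <string.h>
#define MAX_KEYS 16
enum { KEY_NEW = 0, KEY_SEEN = 1, KEY_ERR = -1 };
struct seen { const char *provider; unsigned long slot; char keyid[8]; };
static struct seen table[MAX_KEYS];
static size_t ntable;

/* Record (provider, slot, keyid). KEY_SEEN is a duplicate, not a failure. */
int record_key(const char *provider, unsigned long slot, const char *keyid)
{
	for (size_t i = 0; i < ntable; i++)
		if (table[i].slot == slot && strcmp(table[i].keyid, keyid) == 0 &&
		    strcmp(table[i].provider, provider) == 0)
			return KEY_SEEN;
	if (ntable >= MAX_KEYS || strlen(keyid) >= sizeof table[0].keyid)
		return KEY_ERR;
	table[ntable].provider = provider;   /* caller keeps the string alive */
	table[ntable].slot = slot;
	strcpy(table[ntable++].keyid, keyid);
	return KEY_NEW;
}

/* Walk certificate objects: count new keys, report only genuine failures. */
int fetch_certs(const char *provider, unsigned long slot,
    const char *const ids[], size_t n, int *errors)
{
	int added = 0; *errors = 0;
	for (size_t i = 0; i < n; i++) {
		int r = record_key(provider, slot, ids[i]);
		if (r == KEY_NEW)
			added++;
		else if (r == KEY_ERR) {   /* the only case worth an error() */
			(*errors)++;
			fprintf(stderr, "failed to fetch key from x.509 cert\n");
		}                          /* KEY_SEEN: silently skip */
	}
	return added;
}

/* Constructed replay of the log (keys 00,01,02, certs for 00 and 02): 3 keys, 0 errors. */
int scenario_total_keys(void)
{
	static const char prov[] = "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so";
	const char *const keys[] = { "00", "01", "02" }, *const certs[] = { "00", "02" };
	int total = 0, errors;
	ntable = 0;
	for (size_t i = 0; i < 3; i++)
		total += record_key(prov, 0, keys[i]) == KEY_NEW;
	total += fetch_certs(prov, 0, certs, 2, &errors);
	return errors ? -errors : total;   /* negative only on a real failure */
}
```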
bugzilla-daemon at mindrot.org
2025-Oct-16 22:16 UTC
[Bug 3879] ssh: pkcs11 key enumeration fails with "pin required"
https://bugzilla.mindrot.org/show_bug.cgi?id=3879
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #12 from Damien Miller <djm at mindrot.org> ---
> failed to fetch key
I'd already committed a fix for this to the master branch but I just
cherry-picked it, and the linking fix to the V_10_2 branch too.
The master branch now also has the new ssh-pkcs11.sh test, so we
shouldn't regress like this again.
Thanks all.