Hi,

I am not sure if this is the right place for the question. Sorry if not ...

My System:
SuSE 9.2
OpenSSH 3.9p1

I have trouble using a smartcard with OpenSSH. If I try to connect directly with the smartcard, it fails:

ssh -I 0:45 localhost

card-etoken.c:175:etoken_check_sw: required access right not granted
card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
card-etoken.c:175:etoken_check_sw: required access right not granted
card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
card-etoken.c:175:etoken_check_sw: required access right not granted
card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
sec.c:53:sc_compute_signature: returning with: Security status not satisfied
pkcs15-sec.c:285:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
sc_pkcs15_compute_signature() failed: Security status not satisfied
ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)

This happens because OpenSSH never prompts for the PIN.

If I use the ssh-agent and ssh-add, everything works well:
ssh-add -s 0
ssh localhost

:) --> Have a lot of fun

The question now:
Do smartcards only work if I use the ssh-agent, or should the "ssh -I 0:45 localhost" command also work?

Thanks for your help
Boris
Boris von Alten Blaskowitz wrote:
> Hi,
>
> I am not sure if this is the right place for the question. Sorry if not ...

As the error comes from OpenSC, the OpenSC mailing list might have been more appropriate.

> My System:
> SuSE 9.2
> OpenSSH 3.9p1
>
> I have trouble using a smartcard with OpenSSH. If I try to connect
> directly with the smartcard, it fails:
>
> ssh -I 0:45 localhost
>
> card-etoken.c:175:etoken_check_sw: required access right not granted
> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
> card-etoken.c:175:etoken_check_sw: required access right not granted
> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
> card-etoken.c:175:etoken_check_sw: required access right not granted
> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
> sec.c:53:sc_compute_signature: returning with: Security status not satisfied
> pkcs15-sec.c:285:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
> sc_pkcs15_compute_signature() failed: Security status not satisfied
> ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)
>
> This happens because OpenSSH never prompts for the PIN.
>
> If I use the ssh-agent and ssh-add, everything works well:
> ssh-add -s 0
> ssh localhost
>
> :) --> Have a lot of fun
>
> The question now:
> Do smartcards only work if I use the ssh-agent, or should the "ssh -I
> 0:45 localhost" command also work?

With the current design, the use of the agent is strongly recommended.

Nils
Hi Nils,

I know it comes from OpenSC, but as far as I know OpenSC is not responsible, because OpenSSH should ask the user for the PIN and set the smartcard to the right condition. Is this correct?

I have a bad feeling about the ssh-agent. For example:
An intruder can send any kind of data (email text) to the ssh-agent during a user session, and it will be signed if the user has set no time limit. (I have not validated this yet, so it is just an idea ...)

Another is that root can switch to my account and then also has access to my SSH keys on the smartcard.

I would prefer not to use the ssh-agent. SSH or OpenSC, depending on who is responsible, should ask me directly for the PIN for every new connection.

I already made a hack and it works fine, but I am not sure about side effects.

So what do you think?

Boris

Nils Larsch wrote:
> Boris von Alten Blaskowitz wrote:
>
>> Hi,
>>
>> I am not sure if this is the right place for the question. Sorry if not ...
>
> As the error comes from OpenSC, the OpenSC mailing list might have
> been more appropriate.
>
>> My System:
>> SuSE 9.2
>> OpenSSH 3.9p1
>>
>> I have trouble using a smartcard with OpenSSH. If I try to connect
>> directly with the smartcard, it fails:
>>
>> ssh -I 0:45 localhost
>>
>> card-etoken.c:175:etoken_check_sw: required access right not granted
>> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
>> card-etoken.c:175:etoken_check_sw: required access right not granted
>> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
>> card-etoken.c:175:etoken_check_sw: required access right not granted
>> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
>> sec.c:53:sc_compute_signature: returning with: Security status not satisfied
>> pkcs15-sec.c:285:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
>> sc_pkcs15_compute_signature() failed: Security status not satisfied
>> ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)
>>
>> This happens because OpenSSH never prompts for the PIN.
>>
>> If I use the ssh-agent and ssh-add, everything works well:
>> ssh-add -s 0
>> ssh localhost
>>
>> :) --> Have a lot of fun
>>
>> The question now:
>> Do smartcards only work if I use the ssh-agent, or should the "ssh
>> -I 0:45 localhost" command also work?
>
> With the current design, the use of the agent is strongly recommended.
>
> Nils
>
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev
On Sat, Apr 02, 2005 at 05:08:35PM +0200, Boris von Alten Blaskowitz wrote:
> I have a bad feeling about the ssh-agent. For example:
> An intruder can send any kind of data (email text) to the ssh-agent
> during a user session, and it will be signed.

Check out the -c parameter to ssh-add; ssh-agent will verify each signature when you add keys with it. However...

> Another is that root can switch to my account and then also has access
> to my SSH keys on the smartcard.

...if you do not trust the host system through which you are sending your PIN code to the card, you should take care of that issue first.

//Peter
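As an added illustration (not code from the thread or from OpenSSH), the agent-protocol messages behind the two points above: what "ssh-add -s reader" sends, with and without the -t lifetime and -c confirm constraints Peter mentions, and the identities answer that any process holding the agent socket can request, which is the root of Boris's concern. Message numbers and constraint codes are OpenSSH's; the sample key blob, PIN and comment are constructed.

```python
import struct
# Message numbers and constraint codes are those of the OpenSSH agent protocol.
SSH_AGENT_IDENTITIES_ANSWER = 12
SSH_AGENTC_ADD_SMARTCARD_KEY = 20
SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED = 26
SSH_AGENT_CONSTRAIN_LIFETIME = 1  # followed by uint32 seconds (ssh-add -t)
SSH_AGENT_CONSTRAIN_CONFIRM = 2   # no payload; agent confirms every signature (ssh-add -c)

def put_string(data: bytes) -> bytes:
    """SSH 'string': big-endian uint32 length, then the bytes (also the message frame)."""
    return struct.pack(">I", len(data)) + data

def get_string(buf: bytes, pos: int):
    """Read one SSH 'string' at pos; return (value, position after it)."""
    (n,) = struct.unpack(">I", buf[pos:pos + 4])
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def add_smartcard_key(reader_id: str, pin: str, lifetime: int = 0, confirm: bool = False) -> bytes:
    """Framed message 'ssh-add -s reader' sends: the PIN goes to the agent in the clear over
    the local socket, and the -t / -c limits are constraints the agent, not the card, enforces."""
    body = put_string(reader_id.encode()) + put_string(pin.encode())
    constraints = b""
    if lifetime > 0:
        constraints += bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if confirm:
        constraints += bytes([SSH_AGENT_CONSTRAIN_CONFIRM])
    if constraints:
        return put_string(bytes([SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED]) + body + constraints)
    return put_string(bytes([SSH_AGENTC_ADD_SMARTCARD_KEY]) + body)

def parse_identities_answer(framed: bytes) -> list:
    """Decode SSH_AGENT_IDENTITIES_ANSWER into (key_type, comment) pairs."""
    msg, _ = get_string(framed, 0)
    if msg[0] != SSH_AGENT_IDENTITIES_ANSWER:
        raise ValueError("unexpected agent message type %d" % msg[0])
    (count,) = struct.unpack(">I", msg[1:5])
    pos, keys = 5, []
    for _ in range(count):
        blob, pos = get_string(msg, pos)
        comment, pos = get_string(msg, pos)
        key_type, _ = get_string(blob, 0)  # first field of every public key blob
        keys.append((key_type.decode(), comment.decode()))
    return keys

def sample_identities_answer() -> bytes:
    """Constructed reply: one card key with a dummy RSA public blob, comment set to a reader id."""
    blob = put_string(b"ssh-rsa") + put_string(b"\x01\x00\x01") + put_string(b"\x00\xc0" + b"\x42" * 30)
    msg = bytes([SSH_AGENT_IDENTITIES_ANSWER]) + struct.pack(">I", 1) + put_string(blob) + put_string(b"0:45")
    return put_string(msg)
```

The constraints are bytes the agent stores beside the key; the card itself only sees the PIN once, which is why a lifetime and a confirm constraint are the controls that limit what a socket holder can sign.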