thr3ads.net - openssh unix dev - OpenSSH 6.3p1 Smartcard-Support [Dec 2013]

If this information is useful, please help other people find it:
Share via:

Benjamin Fras

2013-Dec-11 09:28 UTC

OpenSSH 6.3p1 Smartcard-Support

Hi there,

has anybody managed to get the eToken Pro Anywhere work with SSH? I'm using
the latest SafeNetAuthentication drivers available for Ubuntu 64bit (8.3) and
everything is working just fine except for ssh. I can use the eToken for logging
in, openvpn, rdestkop, etc. but it seems ssh does not recognize the device
properly. The command "ssh -I /usr/lib/libeToken.so.8 user at
hostname" is accessing the eToken somehow, as indicated by the blinking
led. But it doesn't ask for a pin and thus the connection is aborted due to
"no authentication methods available".

If you have any ideas please let me know. I've already spent hours of trying
and nothing actually worked.

Thanks in advance,

Ben

Damien Miller

2013-Dec-11 10:25 UTC

head link

OpenSSH 6.3p1 Smartcard-Support

On Wed, 11 Dec 2013, Benjamin Fras wrote:
> Hi there,
>
> has anybody managed to get the eToken Pro Anywhere work with SSH? I'm
> using the latest SafeNetAuthentication drivers available for Ubuntu
> 64bit (8.3) and everything is working just fine except for ssh. I
> can use the eToken for logging in, openvpn, rdestkop, etc. but it
> seems ssh does not recognize the device properly. The command "ssh
> -I /usr/lib/libeToken.so.8 user at hostname" is accessing the eToken
> somehow, as indicated by the blinking led. But it doesn't ask for
> a pin and thus the connection is aborted due to "no authentication
> methods available".
You'll need to post at least a debug trace if you want help.

-d

Benjamin Fras

2013-Dec-11 11:23 UTC

head link

AW: OpenSSH 6.3p1 Smartcard-Support

Hi,

thanks for your reply. Please find attached the debug trace of the
openssh-client:

ssh -I /usr/lib/libeToken.so -p 222 10.0.0.41 -vvv

OpenSSH_6.4, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 10.0.0.41 [10.0.0.41] port 222.
debug1: Connection established.
debug1: manufacturerID <SafeNet, Inc.> cryptokiVersion 2.20
libraryDescription <SafeNet eToken PKCS#11> libraryVersion 8.3
debug1: label <eToken> manufacturerID <SafeNet, Inc.> model
<eToken> serial <0052787c> flags 0x60d
no keys
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/benjaminfras/.ssh/id_rsa" as a RSA1
public key
debug1: identity file /home/benjaminfras/.ssh/id_rsa type 1
debug1: identity file /home/benjaminfras/.ssh/id_rsa-cert type -1
debug1: identity file /home/benjaminfras/.ssh/id_dsa type -1
debug1: identity file /home/benjaminfras/.ssh/id_dsa-cert type -1
debug1: identity file /home/benjaminfras/.ssh/id_ecdsa type -1
debug1: identity file /home/benjaminfras/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.9p1
Debian-5ubuntu1.1
debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
debug2: fd 3 setting O_NONBLOCK
debug3: put_host_port: [10.0.0.41]:222
debug3: load_hostkeys: loading entries for host "[10.0.0.41]:222" from
file "/home/benjaminfras/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file
/home/benjaminfras/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01 at
openssh.com,ecdsa-sha2-nistp384-cert-v01 at
openssh.com,ecdsa-sha2-nistp521-cert-v01 at
openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01 at
openssh.com,ecdsa-sha2-nistp384-cert-v01 at
openssh.com,ecdsa-sha2-nistp521-cert-v01 at
openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01
at openssh.com,ssh-dss-cert-v01 at openssh.com,ssh-rsa-cert-v00 at
openssh.com,ssh-dss-cert-v00 at openssh.com,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at
openssh.com,aes256-gcm at
openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc
at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at
openssh.com,aes256-gcm at
openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc
at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,hmac-sha1-etm at
openssh.com,umac-64-etm at openssh.com,umac-128-etm at
openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at
openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at
openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at
openssh.com,umac-128 at
openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at
openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com,hmac-sha1-etm at
openssh.com,umac-64-etm at openssh.com,umac-128-etm at
openssh.com,hmac-sha2-256-etm at openssh.com,hmac-sha2-512-etm at
openssh.com,hmac-ripemd160-etm at openssh.com,hmac-sha1-96-etm at
openssh.com,hmac-md5-96-etm at openssh.com,hmac-md5,hmac-sha1,umac-64 at
openssh.com,umac-128 at
openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at
openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib at openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc
at lysator.liu.se
debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc
at lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at
openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160
at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at
openssh.com,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160
at openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: none,zlib at openssh.com
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA 3a:84:54:ef:16:55:52:27:d5:c4:cf:bd:9d:e8:0a:ac
debug3: put_host_port: [10.0.0.41]:222
debug3: put_host_port: [10.0.0.41]:222
debug3: load_hostkeys: loading entries for host "[10.0.0.41]:222" from
file "/home/benjaminfras/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file
/home/benjaminfras/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug3: load_hostkeys: loading entries for host "[10.0.0.41]:222" from
file "/home/benjaminfras/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file
/home/benjaminfras/.ssh/known_hosts:1
debug3: load_hostkeys: loaded 1 keys
debug1: Host '[10.0.0.41]:222' is known and matches the ECDSA host key.
debug1: Found key in /home/benjaminfras/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/benjaminfras/.ssh/id_rsa (0x85d3b0),
debug2: key: /home/benjaminfras/.ssh/id_dsa ((nil)),
debug2: key: /home/benjaminfras/.ssh/id_ecdsa ((nil)),
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/benjaminfras/.ssh/id_rsa
debug3: send_pubkey_test
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey
debug1: Trying private key: /home/benjaminfras/.ssh/id_dsa
debug3: no such identity: /home/benjaminfras/.ssh/id_dsa: No such file or
directory
debug1: Trying private key: /home/benjaminfras/.ssh/id_ecdsa
debug3: no such identity: /home/benjaminfras/.ssh/id_ecdsa: No such file or
directory
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey).

If you have a look at line 8, you'll see that no keys were found. I'm
wondering why. I assume that the Safnet driver is not behaving the way as
expected from the pkcs11-helper, which is used by openssh-client (please correct
me if I'm wrong).

Ben 

-----Urspr?ngliche Nachricht-----> Von:Damien Miller <djm at mindrot.org <mailto:djm at mindrot.org>
>
> Gesendet: Mit 11 Dezember 2013 11:24
> An: Benjamin Fras <benjaminfras at netbens.de <mailto:benjaminfras at
netbens.de> >
> CC: openssh-unix-dev at mindrot.org <mailto:openssh-unix-dev at
mindrot.org>
> Betreff: Re: OpenSSH 6.3p1 Smartcard-Support
> 
> 
> 
> On Wed, 11 Dec 2013, Benjamin Fras wrote:
> 
> > Hi there,
> >
> > has anybody managed to get the eToken Pro Anywhere work with SSH?
I'm
> > using the latest SafeNetAuthentication drivers available for Ubuntu
> > 64bit (8.3) and everything is working just fine except for ssh. I
> > can use the eToken for logging in, openvpn, rdestkop, etc. but it
> > seems ssh does not recognize the device properly. The command
"ssh
> > -I /usr/lib/libeToken.so.8 user at hostname" is accessing the
eToken
> > somehow, as indicated by the blinking led. But it doesn't ask for
> > a pin and thus the connection is aborted due to "no
authentication
> > methods available".
> 
> You'll need to post at least a debug trace if you want help.
> 
> -d
> 
>

Benjamin Fras

2013-Dec-11 14:20 UTC

head link

AW: AW: OpenSSH 6.3p1 Smartcard-Support

Hi,

This is the output of the pkcs11-tool using the safenet-lib

pkcs11-tool --module /usr/lib/libeToken.so -O

Using slot 0 with a present token (0x0)
Certificate Object, type = X.509 cert
  label:      411ef289-88cf-4f38-89b1-5e8691f6cb8a
  ID:         1f67fd84c675af27
Certificate Object, type = X.509 cert
  label:      {E670E946-633C-4956-83B0-5EB67A3A5EAE}
  ID:         e93a991dca5b2939

 
-----Urspr?ngliche Nachricht-----> Von:Damien Miller <djm at mindrot.org <mailto:djm at mindrot.org>
>
> Gesendet: Mit 11 Dezember 2013 12:48
> An: Benjamin Fras <benjaminfras at netbens.de <mailto:benjaminfras at
netbens.de> >
> CC: openssh-unix-dev at mindrot.org <mailto:openssh-unix-dev at
mindrot.org>
> Betreff: Re: AW: OpenSSH 6.3p1 Smartcard-Support
> 
> On Wed, 11 Dec 2013, Benjamin Fras wrote:
> 
> > 
> > Hi,
> > thanks for your reply. Please find attached the debug trace of the
openssh-c
> > lient:
> > ssh -I /usr/lib/libeToken.so -p 222 10.0.0.41 -vvv
> > OpenSSH_6.4, OpenSSL 1.0.1c 10 May 2012
> > debug1: Reading configuration data /usr/local/etc/ssh_config
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to 10.0.0.41 [10.0.0.41] port 222.
> > debug1: Connection established.
> > debug1: manufacturerID <SafeNet, Inc.> cryptokiVersion 2.20
libraryDescripti
> > on <SafeNet eToken PKCS#11> libraryVersion 8.3
> > debug1: label <eToken> manufacturerID <SafeNet, Inc.>
model <eToken> serial
> > <0052787c> flags 0x60d
> > no keys
> 
> ???? The PKCS#11 library is being loaded and initialised, but isn't
> returning any keys to OpenSSH. 
> 
> Can you use something like opensc's pkcs11-tool to list the objects
> on your card? I.e. pkcs11-tool --module /path/to/pkcs11.so -O
> 
> -d
> 
>

Benjamin Fras

2013-Dec-11 14:49 UTC

head link

AW: OpenSSH 6.3p1 Smartcard-Support

Hi,

I've downloaded the latest snapshot and now it works like a charm :-))!
Thank you guys, you are great! You made my day.

Ben
 
-----Urspr?ngliche Nachricht-----> Von:Markus Friedl <mfriedl at gmail.com <mailto:mfriedl at
gmail.com> >
> Gesendet: Mit 11 Dezember 2013 12:47
> An: Benjamin Fras <benjaminfras at netbens.de <mailto:benjaminfras at
netbens.de> >
> CC: Damien Miller <djm at mindrot.org <mailto:djm at mindrot.org>
>; openssh-unix-dev at mindrot.org <mailto:openssh-unix-dev at
mindrot.org>
> Betreff: Re: OpenSSH 6.3p1 Smartcard-Support
> 
> ssh(1) cannot find the public keys via PKCS#11.
> please try the latest snapshot.
> 
> 
> Am 11.12.2013 um 12:23 schrieb Benjamin Fras <benjaminfras at netbens.de
<mailto:benjaminfras at netbens.de> >:
> 
> > Hi,
> > 
> > thanks for your reply. Please find attached the debug trace of the
openssh-client:
> > 
> > ssh -I /usr/lib/libeToken.so -p 222 10.0.0.41 -vvv
> > 
> > OpenSSH_6.4, OpenSSL 1.0.1c 10 May 2012
> > debug1: Reading configuration data /usr/local/etc/ssh_config
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to 10.0.0.41 [10.0.0.41] port 222.
> > debug1: Connection established.
> > debug1: manufacturerID <SafeNet, Inc.> cryptokiVersion 2.20
libraryDescription <SafeNet eToken PKCS#11> libraryVersion 8.3
> > debug1: label <eToken> manufacturerID <SafeNet, Inc.>
model <eToken> serial <0052787c> flags 0x60d
> > no keys
> > debug3: Incorrect RSA1 identifier
> > debug3: Could not load "/home/benjaminfras/.ssh/id_rsa" as a
RSA1 public key
> > debug1: identity file /home/benjaminfras/.ssh/id_rsa type 1
> > debug1: identity file /home/benjaminfras/.ssh/id_rsa-cert type -1
> > debug1: identity file /home/benjaminfras/.ssh/id_dsa type -1
> > debug1: identity file /home/benjaminfras/.ssh/id_dsa-cert type -1
> > debug1: identity file /home/benjaminfras/.ssh/id_ecdsa type -1
> > debug1: identity file /home/benjaminfras/.ssh/id_ecdsa-cert type -1
> > debug1: Enabling compatibility mode for protocol 2.0
> > debug1: Local version string SSH-2.0-OpenSSH_6.4
> > debug1: Remote protocol version 2.0, remote software version
OpenSSH_5.9p1 Debian-5ubuntu1.1
> > debug1: match: OpenSSH_5.9p1 Debian-5ubuntu1.1 pat OpenSSH_5*
> > debug2: fd 3 setting O_NONBLOCK
> > debug3: put_host_port: [10.0.0.41]:222
> > debug3: load_hostkeys: loading entries for host
"[10.0.0.41]:222" from file
"/home/benjaminfras/.ssh/known_hosts"
> > debug3: load_hostkeys: found key type ECDSA in file
/home/benjaminfras/.ssh/known_hosts:1
> > debug3: load_hostkeys: loaded 1 keys
> > debug3: order_hostkeyalgs: prefer hostkeyalgs:
ecdsa-sha2-nistp256-cert-v01 at openssh.com
<mailto:ecdsa-sha2-nistp256-cert-v01 at openssh.com>
,ecdsa-sha2-nistp384-cert-v01 at openssh.com
<mailto:ecdsa-sha2-nistp384-cert-v01 at openssh.com>
,ecdsa-sha2-nistp521-cert-v01 at openssh.com
<mailto:ecdsa-sha2-nistp521-cert-v01 at openssh.com>
,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
> > debug1: SSH2_MSG_KEXINIT sent
> > debug1: SSH2_MSG_KEXINIT received
> > debug2: kex_parse_kexinit:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01 at openssh.com
<mailto:ecdsa-sha2-nistp256-cert-v01 at openssh.com>
,ecdsa-sha2-nistp384-cert-v01 at openssh.com
<mailto:ecdsa-sha2-nistp384-cert-v01 at openssh.com>
,ecdsa-sha2-nistp521-cert-v01 at openssh.com
<mailto:ecdsa-sha2-nistp521-cert-v01 at openssh.com>
,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa-cert-v01 at
openssh.com <mailto:ssh-rsa-cert-v01 at openssh.com> ,ssh-dss-cert-v01 at
openssh.com <mailto:ssh-dss-cert-v01 at openssh.com> ,ssh-rsa-cert-v00 at
openssh.com <mailto:ssh-rsa-cert-v00 at openssh.com> ,ssh-dss-cert-v00 at
openssh.com <mailto:ssh-dss-cert-v00 at openssh.com> ,ssh-rsa,ssh-dss
> > debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com
<mailto:aes128-gcm at openssh.com> ,aes256-gcm at openssh.com
<mailto:aes256-gcm at openssh.com>
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc
at lysator.liu.se <mailto:rijndael-cbc at lysator.liu.se>
> > debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm at openssh.com
<mailto:aes128-gcm at openssh.com> ,aes256-gcm at openssh.com
<mailto:aes256-gcm at openssh.com>
,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc
at lysator.liu.se <mailto:rijndael-cbc at lysator.liu.se>
> > debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com
<mailto:hmac-md5-etm at openssh.com> ,hmac-sha1-etm at openssh.com
<mailto:hmac-sha1-etm at openssh.com> ,umac-64-etm at openssh.com
<mailto:umac-64-etm at openssh.com> ,umac-128-etm at openssh.com
<mailto:umac-128-etm at openssh.com> ,hmac-sha2-256-etm at openssh.com
<mailto:hmac-sha2-256-etm at openssh.com> ,hmac-sha2-512-etm at
openssh.com <mailto:hmac-sha2-512-etm at openssh.com> ,hmac-ripemd160-etm
at openssh.com <mailto:hmac-ripemd160-etm at openssh.com>
,hmac-sha1-96-etm at openssh.com <mailto:hmac-sha1-96-etm at openssh.com>
,hmac-md5-96-etm at openssh.com <mailto:hmac-md5-96-etm at openssh.com>
,hmac-md5,hmac-sha1,umac-64 at openssh.com <mailto:umac-64 at openssh.com>
,umac-128 at openssh.com <mailto:umac-128 at openssh.com>
,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com
<mailto:hmac-ripemd160 at openssh.com> ,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5-etm at openssh.com
<mailto:hmac-md5-etm at openssh.com> ,hmac-sha1-etm at openssh.com
<mailto:hmac-sha1-etm at openssh.com> ,umac-64-etm at openssh.com
<mailto:umac-64-etm at openssh.com> ,umac-128-etm at openssh.com
<mailto:umac-128-etm at openssh.com> ,hmac-sha2-256-etm at openssh.com
<mailto:hmac-sha2-256-etm at openssh.com> ,hmac-sha2-512-etm at
openssh.com <mailto:hmac-sha2-512-etm at openssh.com> ,hmac-ripemd160-etm
at openssh.com <mailto:hmac-ripemd160-etm at openssh.com>
,hmac-sha1-96-etm at openssh.com <mailto:hmac-sha1-96-etm at openssh.com>
,hmac-md5-96-etm at openssh.com <mailto:hmac-md5-96-etm at openssh.com>
,hmac-md5,hmac-sha1,umac-64 at openssh.com <mailto:umac-64 at openssh.com>
,umac-128 at openssh.com <mailto:umac-128 at openssh.com>
,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160 at openssh.com
<mailto:hmac-ripemd160 at openssh.com> ,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib at openssh.com <mailto:zlib at
openssh.com> ,zlib
> > debug2: kex_parse_kexinit: none,zlib at openssh.com <mailto:zlib at
openssh.com> ,zlib
> > debug2: kex_parse_kexinit: 
> > debug2: kex_parse_kexinit: 
> > debug2: kex_parse_kexinit: first_kex_follows 0 
> > debug2: kex_parse_kexinit: reserved 0 
> > debug2: kex_parse_kexinit:
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
> > debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256
> > debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc
at lysator.liu.se <mailto:rijndael-cbc at lysator.liu.se>
> > debug2: kex_parse_kexinit:
aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc
at lysator.liu.se <mailto:rijndael-cbc at lysator.liu.se>
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com
<mailto:umac-64 at openssh.com>
,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160
at openssh.com <mailto:hmac-ripemd160 at openssh.com>
,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64 at openssh.com
<mailto:umac-64 at openssh.com>
,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-ripemd160
at openssh.com <mailto:hmac-ripemd160 at openssh.com>
,hmac-sha1-96,hmac-md5-96
> > debug2: kex_parse_kexinit: none,zlib at openssh.com <mailto:zlib at
openssh.com>
> > debug2: kex_parse_kexinit: none,zlib at openssh.com <mailto:zlib at
openssh.com>
> > debug2: kex_parse_kexinit: 
> > debug2: kex_parse_kexinit: 
> > debug2: kex_parse_kexinit: first_kex_follows 0 
> > debug2: kex_parse_kexinit: reserved 0 
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: server->client aes128-ctr hmac-md5 none
> > debug2: mac_setup: found hmac-md5
> > debug1: kex: client->server aes128-ctr hmac-md5 none
> > debug1: sending SSH2_MSG_KEX_ECDH_INIT
> > debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
> > debug1: Server host key: ECDSA
3a:84:54:ef:16:55:52:27:d5:c4:cf:bd:9d:e8:0a:ac
> > debug3: put_host_port: [10.0.0.41]:222
> > debug3: put_host_port: [10.0.0.41]:222
> > debug3: load_hostkeys: loading entries for host
"[10.0.0.41]:222" from file
"/home/benjaminfras/.ssh/known_hosts"
> > debug3: load_hostkeys: found key type ECDSA in file
/home/benjaminfras/.ssh/known_hosts:1
> > debug3: load_hostkeys: loaded 1 keys
> > debug3: load_hostkeys: loading entries for host
"[10.0.0.41]:222" from file
"/home/benjaminfras/.ssh/known_hosts"
> > debug3: load_hostkeys: found key type ECDSA in file
/home/benjaminfras/.ssh/known_hosts:1
> > debug3: load_hostkeys: loaded 1 keys
> > debug1: Host '[10.0.0.41]:222' is known and matches the ECDSA
host key.
> > debug1: Found key in /home/benjaminfras/.ssh/known_hosts:1
> > debug1: ssh_ecdsa_verify: signature correct
> > debug2: kex_derive_keys
> > debug2: set_newkeys: mode 1
> > debug1: SSH2_MSG_NEWKEYS sent
> > debug1: expecting SSH2_MSG_NEWKEYS
> > debug2: set_newkeys: mode 0
> > debug1: SSH2_MSG_NEWKEYS received
> > debug1: Roaming not allowed by server
> > debug1: SSH2_MSG_SERVICE_REQUEST sent
> > debug2: service_accept: ssh-userauth
> > debug1: SSH2_MSG_SERVICE_ACCEPT received
> > debug2: key: /home/benjaminfras/.ssh/id_rsa (0x85d3b0),
> > debug2: key: /home/benjaminfras/.ssh/id_dsa ((nil)),
> > debug2: key: /home/benjaminfras/.ssh/id_ecdsa ((nil)),
> > debug1: Authentications that can continue: publickey
> > debug3: start over, passed a different list publickey
> > debug3: preferred publickey,keyboard-interactive,password
> > debug3: authmethod_lookup publickey
> > debug3: remaining preferred: keyboard-interactive,password
> > debug3: authmethod_is_enabled publickey
> > debug1: Next authentication method: publickey
> > debug1: Offering RSA public key: /home/benjaminfras/.ssh/id_rsa
> > debug3: send_pubkey_test
> > debug2: we sent a publickey packet, wait for reply
> > debug1: Authentications that can continue: publickey
> > debug1: Trying private key: /home/benjaminfras/.ssh/id_dsa
> > debug3: no such identity: /home/benjaminfras/.ssh/id_dsa: No such file
or directory
> > debug1: Trying private key: /home/benjaminfras/.ssh/id_ecdsa
> > debug3: no such identity: /home/benjaminfras/.ssh/id_ecdsa: No such
file or directory
> > debug2: we did not send a packet, disable method
> > debug1: No more authentication methods to try.
> > Permission denied (publickey).
> > 
> > If you have a look at line 8, you'll see that no keys were found.
I'm wondering why. I assume that the Safnet driver is not behaving the way
as expected from the pkcs11-helper, which is used by openssh-client (please
correct me if I'm wrong).
> > 
> > Ben 
> > 
> > 
> > 
> > -----Urspr?ngliche Nachricht-----
> >> Von:Damien Miller <djm at mindrot.org <mailto:djm at
mindrot.org>  <mailto:djm at mindrot.org <mailto:djm at mindrot.org>
> >
> >> Gesendet: Mit 11 Dezember 2013 11:24
> >> An: Benjamin Fras <benjaminfras at netbens.de
<mailto:benjaminfras at netbens.de>  <mailto:benjaminfras at netbens.de
<mailto:benjaminfras at netbens.de> > >
> >> CC: openssh-unix-dev at mindrot.org <mailto:openssh-unix-dev at
mindrot.org>  <mailto:openssh-unix-dev at mindrot.org
<mailto:openssh-unix-dev at mindrot.org> >
> >> Betreff: Re: OpenSSH 6.3p1 Smartcard-Support
> >> 
> >> 
> >> 
> >> On Wed, 11 Dec 2013, Benjamin Fras wrote:
> >> 
> >>> Hi there,
> >>> 
> >>> has anybody managed to get the eToken Pro Anywhere work with
SSH? I'm
> >>> using the latest SafeNetAuthentication drivers available for
Ubuntu
> >>> 64bit (8.3) and everything is working just fine except for
ssh. I
> >>> can use the eToken for logging in, openvpn, rdestkop, etc. but
it
> >>> seems ssh does not recognize the device properly. The command
"ssh
> >>> -I /usr/lib/libeToken.so.8 user at hostname" is accessing
the eToken
> >>> somehow, as indicated by the blinking led. But it doesn't
ask for
> >>> a pin and thus the connection is aborted due to "no
authentication
> >>> methods available".
> >> 
> >> You'll need to post at least a debug trace if you want help.
> >> 
> >> -d
> >> 
> >> 
> > 
> > _______________________________________________
> > openssh-unix-dev mailing list
> > openssh-unix-dev at mindrot.org <mailto:openssh-unix-dev at
mindrot.org>
> > https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
>

Reasonably Related Threads

Search for more possibly parallel threads

openssh unix dev - Dec 2013 - OpenSSH 6.3p1 Smartcard-Support

OpenSSH 6.3p1 Smartcard-Support

OpenSSH 6.3p1 Smartcard-Support

AW: OpenSSH 6.3p1 Smartcard-Support

AW: AW: OpenSSH 6.3p1 Smartcard-Support

AW: OpenSSH 6.3p1 Smartcard-Support

Reasonably Related Threads