Hi,

I was trying to get OpenSSH portable working with my Yubikey. A key was present on the token but generated using the ECCP384 algorithm.

This led to many obscure goose-chase red-herring error messages from OpenSSH such as the delightful "Could not add card : agent refused operation" or other nonsense that was meaningless and unhelpful.

Many hours later in Mr Google's company, I eventually found this website https://fedoramagazine.org/fedora-28-better-smart-card-support-openssh/ , which points to this https://bugzilla.mindrot.org/show_bug.cgi?id=2474 . Which basically says that despite many patches, support for ECC has never been incorporated into OpenSSH PKCS#11.

And indeed this was the underlying cause. I deleted the ECC key, generated an RSA one, and it worked.

So, I have two questions:

(1) Why has this ECC thing been ongoing since 2015 and yet, despite the passage of weeks, months and years, nobody has yet pulled any of the patches into the OpenSSH codebase ?

(2) If you don't want ECC in the codebase, which appears to clearly be the case, can you at least generate some more sensible error messages that say "look, we only accept RSA keys, ok chum ?". That would save people like me many hours of wasted time caused by your political or other reasons for being stubborn and not including ECC support.

Sorry for the tone of this message, but I've had a rather frustrating waste of a day due to the issues outlined.

Bob
Blumenthal, Uri - 0553 - MITLL
2018-Aug-12 23:06 UTC
Why still no PKCS#11 ECC key support in OpenSSH ?
Tone aside, let me second what Bob said. OpenSSH maintainers seem to be able to find time for many updates and upgrades - but ECC support over PKCS#11 appears to repulse them for more than two years (I don't care to check for exactly how many more).

Since several patches have been posted, it's not like a new feature has to be implemented from scratch - I'm at a loss trying to understand what's going on.

An explanation would be nice. Merging one of the patches would be even nicer.

Regards,
Uri

Sent from my iPhone

> On Aug 12, 2018, at 17:30, Bob Smith <b631093f-779b-4d67-9ffe-5f6d5b1d3f8a at protonmail.ch> wrote:
>
> Hi,
>
> I was trying to get OpenSSH portable working with my Yubikey. A key was present on the token but generated using the ECCP384 algorithm.
>
> This led to many obscure goose-chase red-herring error messages from OpenSSH such as the delightful "Could not add card : agent refused operation" or other nonsense that was meaningless and unhelpful.
>
> Many hours later in Mr Google's company, I eventually found this website https://fedoramagazine.org/fedora-28-better-smart-card-support-openssh/ , which points to this https://bugzilla.mindrot.org/show_bug.cgi?id=2474 . Which basically says that despite many patches, support for ECC has never been incorporated into OpenSSH PKCS#11.
>
> And indeed this was the underlying cause. I deleted the ECC key, generated an RSA one, and it worked.
>
> So, I have two questions:
>
> (1) Why has this ECC thing been ongoing since 2015 and yet, despite the passage of weeks, months and years, nobody has yet pulled any of the patches into the OpenSSH codebase ?
>
> (2) If you don't want ECC in the codebase, which appears to clearly be the case, can you at least generate some more sensible error messages that say "look, we only accept RSA keys, ok chum ?". That would save people like me many hours of wasted time caused by your political or other reasons for being stubborn and not including ECC support.
>
> Sorry for the tone of this message, but I've had a rather frustrating waste of a day due to the issues outlined.
>
> Bob
On Sun, 12 Aug 2018, Blumenthal, Uri - 0553 - MITLL wrote:

> Tone aside, let me second what Bob said. OpenSSH maintainers seem to
> be able to find time for many updates and upgrades - but ECC support
> over PKCS#11 appears to repulse them for more than two years (I don't
> care to check for exactly how many more).

There's no "repulsion" involved, just a lack of time coupled with a lot of unfinished work and the costs (for me at least) of ramping up on an unfamiliar API (PKCS#11).

-d