Hello,
I have two hardware tokens (Thales/Safenet eToken 5110cc) that both
contain certificates for various uses. They obviously use the same
driver, libeToken.so (version 10.7.77). I have no issues using one of
them either directly (with -I/PKCS11Provider) with ssh or ssh-agent.
However, I have to keep both tokens connected and I need to add only one
specific certificate to ssh-agent. For test purposes both tokens use the
same pin code, as with every try if the pin code is different, the one
for which it is incorrect will increment the tentative counter on the
token thus ending locking it. If the two pin codes are different the
selection will be based on available certificates with that pin, so that
kinda works until one of the two tokens is locked.
From what I've read, p11-kit seems to be the piece of software that was
missing to glue various middlewares to 'consumer' software like ssh.
So, here are my two certificates:
$ p11tool --list-all-certs
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar
From what I've read, this syntax should be correct:
$ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo'
Or even
$ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
pkcs11:serial=1234567890ABCDEF
(I'm using ssh-add through p11-kit-proxy.so for now as I've not been
able to directly use the pkcs11 uri - not sure if that matters).
But the pkcs11 uri does not seem to be used and all certificates end up
being added to ssh-agent:
$ ssh-add -L
ssh-rsa AAAAB3<snip> foo
ssh-rsa AAAAC5<snip> bar
Is this because of the use of p11-kit-proxy, or something else I've
missed? If there is another method than p11-kit to achieve this I'm also
interested!
thanks,
pierre
On 1/14/22 17:02, petrus at gozmail.bzh wrote:> Hello, > > > I have two hardware tokens (Thales/Safenet eToken 5110cc) that both > contain certificates for various uses. They obviously use the same > driver, libeToken.so (version 10.7.77). I have no issues using one of > them either directly (with -I/PKCS11Provider) with ssh or ssh-agent. > > However, I have to keep both tokens connected and I need to add only one > specific certificate to ssh-agent. For test purposes both tokens use the > same pin code, as with every try if the pin code is different, the one > for which it is incorrect will increment the tentative counter on the > token thus ending locking it. If the two pin codes are different the > selection will be based on available certificates with that pin, so that > kinda works until one of the two tokens is locked. > > From what I've read, p11-kit seems to be the piece of software that was > missing to glue various middlewares to 'consumer' software like ssh. > > So, here are my two certificates: > > ??? $ p11tool --list-all-certs > pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo > > pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar > > > From what I've read, this syntax should be correct: > > ??? $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so > 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo' > > > Or even > > ??? $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so > pkcs11:serial=1234567890ABCDEF > > (I'm using ssh-add through p11-kit-proxy.so for now as I've not been > able to directly use the pkcs11 uri - not sure if that matters). > > But the pkcs11 uri does not seem to be used and all certificates end up > being added to ssh-agent: > > ??? $ ssh-add -L > ??? ssh-rsa AAAAB3<snip> foo > ??? ssh-rsa AAAAC5<snip> bar > > Is this because of the use of p11-kit-proxy, or something else I've > missed? If there is another method than p11-kit to achieve this I'm also > interested!I implemented support for PKCS#11 URI and it is now in Fedora and RHEL8+ for couple of years. Unfortunately, it was not yet accepted and merged into the openssh: https://bugzilla.mindrot.org/show_bug.cgi?id=2817 The patch is a bit outdated so not ready to be merged. The updated one is in Fedora if you want to try that out: https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-pkcs11-uri.patch Regards, -- Jakub Jelen Crypto Team, Security Engineering Red Hat, Inc.
Hello Jakub, Le 2022-01-24 16:39, Jakub Jelen a ?crit?:> > I implemented support for PKCS#11 URI and it is now in Fedora and > RHEL8+ for couple of years. Unfortunately, it was not yet accepted and > merged into the openssh: > > https://bugzilla.mindrot.org/show_bug.cgi?id=2817This is great, but unfortunate indeed this is not upstream. I see that the bugzilla entry is still open, hasn't this been merged because of lack of maintainer time over relative interest, or are there any issues preventing this from happening?> The patch is a bit outdated so not ready to be merged. The updated one > is in Fedora if you want to try that out: > > https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-pkcs11-uri.patchMany thanks! I'll try this patch and see how I can fix this until this is committed upstream. Regards, pierre