Joost van Dijk
2025-Oct-09  08:36 UTC
OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens
> On 8 Oct 2025, at 23:39, Damien Miller <djm at mindrot.org> wrote:
>
> On Wed, 8 Oct 2025, Joost van Dijk wrote:
>
>> Apologies if I used the wrong version - I was convinced I used 10.1 installed using HomeBrew.
>> But I also compiled different versions from source, and now I cannot reproduce so I must have screwed up at some point.
>>
>> But actually, I was struggling with some other issue involving the PIN that seems to have changed between 10.0 and 10.1.
>
> Try this patch. You'll need to re-run configure (or at least
> config.status) and make
>
> diff --git a/Makefile.in b/Makefile.in
> index 19a9e4dcf..ea38671f7 100644
> --- a/Makefile.in
> +++ b/Makefile.in
> @@ -157,7 +157,7 @@ SSHADD_OBJS= ssh-add.o $(P11OBJS) $(SKOBJS)
>
>  SSHAGENT_OBJS= ssh-agent.o $(P11OBJS) $(SKOBJS)
>
> -SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS)
> +SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS)
>
>  SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)

After applying the patch:

$ git diff
diff --git a/Makefile.in b/Makefile.in
index 760fbaa5b..ba17a79f0 100644
--- a/Makefile.in
+++ b/Makefile.in
@@ -158,7 +158,7 @@ SSHADD_OBJS= ssh-add.o $(P11OBJS) $(SKOBJS)

 SSHAGENT_OBJS= ssh-agent.o $(P11OBJS) $(SKOBJS)

-SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS)
+SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS)

 SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)

And running

$ ./configure --prefix $(pwd)/V_10_1_P1 --with-ssl-dir=/opt/homebrew/opt/openssl@3
make install

I no longer get the "pin required" message, and the attestation public key is output, as well as my ed25519 key.
However, it is followed by a segmentation fault:

$ V_10_1_P1/bin/ssh-keygen -D $YKCS_P11
failed to fetch key
failed to fetch key
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIGaro7qWzlUwCeOoYj6TMjlQ4PB92sSPl8MFcjpdiin Public key for PIV Authentication
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3xrCZVCZUhVvVNS4jyXtidBxMtMGnMWud3NFBHsa/2bYJqyH/wlYfJKhOKqTLOYoHsqsamai43TamWZnWBXxyS+gCkqaQnFmJ2hzeq0o+joAaYnYPbmkJTcftN315+xiR0IVmIL01/anM5n5Kodq4eGteAYNoqYAXj8MLz1InR0nasrXzIKvh9WM26Lmpl8h3XKVvzjzznqE8L/l+H6925XacAAahw0/5jP854denYULu0JTxYJxt6zSunXQiHVbhbPi6mJVO1LXvn0G1afBYq2r8XM1G9RkUSjDZFhrQOpuT/O88gMPL1G5zJbH5Y+qWhwMDqc13wE+PxpOuVIal Public key for PIV Attestation
Segmentation fault: 11

You wrote:

> I just checked that ssh-keygen -D does work with a yk5 and ykcs11,
> though I did notice that it crashes at exit. I'll commit a fix.

Do I understand correctly that the patch intends to solve the "pin required" issue (which it does), and not the crash?

In case it helps: reconfiguring and recompiling with CFLAGS="-g", I get:

$ lldb ./ssh-keygen
(lldb) target create "./ssh-keygen"
Current executable set to '/tmp/openssh-portable/ssh-keygen' (arm64).
(lldb) run -D /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib -vv
Process 25300 launched: '/tmp/openssh-portable/ssh-keygen' (arm64)
debug1: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.72
debug1: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0: label <YubiKey PIV #NNNNNNNN> manufacturerID <Yubico (www.yubico.com)> model <YubiKey YK5> serial < NNNNNNNN > flags 0x40d
debug1: pkcs11_record_key: RSA key: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0 keyid 19
debug2: pkcs11_fetch_keys: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0: RSA SHA256:FL3YeeN1Bv1szOAuL86RUCVFdNNikb1f67OnjbnB9Jk
debug1: have 1 keys
debug1: pkcs11_record_key: RSA key: provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0 keyid 19
debug1: pkcs11_record_key: Already seen this key at provider /opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib slot 0 keyid 19
failed to fetch key
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC3xrCZVCZUhVvVNS4jyXtidBxMtMGnMWud3NFBHsa/2bYJqyH/wlYfJKhOKqTLOYoHsqsamai43TamWZnWBXxyS+gCkqaQnFmJ2hzeq0o+joAaYnYPbmkJTcftN315+xiR0IVmIL01/anM5n5Kodq4eGteAYNoqYAXj8MLz1InR0nasrXzIKvh9WM26Lmpl8h3XKVvzjzznqE8L/l+H6925XacAAahw0/5jP854denYULu0JTxYJxt6zSunXQiHVbhbPi6mJVO1LXvn0G1afBYq2r8XM1G9RkUSjDZFhrQOpuT/O88gMPL1G5zJbH5Y+qWhwMDqc13wE+PxpOuVIal Public key for PIV Attestation
debug1: pkcs11_provider_unref: provider "/opt/homebrew/Cellar/yubico-piv-tool/2.7.2/lib/libykcs11.2.7.2.dylib" refcount 2
Process 25300 stopped
* thread #1, queue = 'com.apple.main-thread', stop reason = EXC_BAD_ACCESS (code=1, address=0x4)
    frame #0: 0x00000001000141b0 ssh-keygen`pkcs11_provider_unref(p=0x0000000000000004) at ssh-pkcs11.c:140:2
   137  static void
   138  pkcs11_provider_unref(struct pkcs11_provider *p)
   139  {
-> 140          debug_f("provider \"%s\" refcount %d", p->name, p->refcount);
   141          if (--p->refcount <= 0) {
   142                  if (p->valid)
   143                          error_f("provider \"%s\" still valid", p->name);
Target 0: (ssh-keygen) stopped.

Thank you for your efforts to get this sorted out!

-- Joost
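Review bot: this Makefile.in change (the same hunk in Damien's patch and in the re-generated git diff above) cannot fix the exit-time crash reported in the same message, because it only alters the objects ssh-keygen is linked against (`ssh-pkcs11.o` in place of `$(P11OBJS)` in `SSHKEYGEN_OBJS`) and touches no C source; the crash in `pkcs11_provider_unref` at ssh-pkcs11.c:140 with `p=0x0000000000000004` is a bad provider pointer being dereferenced on the `p->name`/`p->refcount` line and needs a separate fix in ssh-pkcs11.c, which the reply in this thread confirms was committed on its own. Two things for anyone re-applying it: the re-generated diff places the hunk at `@@ -158,7 +158,7 @@` rather than `-157`, so the base tree differs by one line (the context lines still match, so it applied cleanly), and since the Makefile is generated from Makefile.in the change has no effect until configure (or config.status) has been re-run, as the patch note says; confirming that `make` rebuilt ssh-keygen before re-testing avoids chasing the "pin required" symptom in a stale binary.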
Damien Miller
2025-Oct-09  23:17 UTC
OpenSSH 10.1p1 and ed25519 keys hosted on PKCS#11 tokens
On Thu, 9 Oct 2025, Joost van Dijk wrote:

>
>
> > On 8 Oct 2025, at 23:39, Damien Miller <djm at mindrot.org> wrote:
> >
> > On Wed, 8 Oct 2025, Joost van Dijk wrote:
> >
> >> Apologies if I used the wrong version - I was convinced I used 10.1 installed using HomeBrew.
> >> But I also compiled different versions from source, and now I cannot reproduce so I must have screwed up at some point.
> >>
> >> But actually, I was struggling with some other issue involving the PIN that seems to have changed between 10.0 and 10.1.
> >
> > Try this patch. You'll need to re-run configure (or at least
> > config.status) and make
> >
> > diff --git a/Makefile.in b/Makefile.in
> > index 19a9e4dcf..ea38671f7 100644
> > --- a/Makefile.in
> > +++ b/Makefile.in
> > @@ -157,7 +157,7 @@ SSHADD_OBJS= ssh-add.o $(P11OBJS) $(SKOBJS)
> >
> >  SSHAGENT_OBJS= ssh-agent.o $(P11OBJS) $(SKOBJS)
> >
> > -SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS)
> > +SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS)
> >
> >  SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)
>
> After applying the patch:
>
> $ git diff
> diff --git a/Makefile.in b/Makefile.in
> index 760fbaa5b..ba17a79f0 100644
> --- a/Makefile.in
> +++ b/Makefile.in
> @@ -158,7 +158,7 @@ SSHADD_OBJS= ssh-add.o $(P11OBJS) $(SKOBJS)
>
>  SSHAGENT_OBJS= ssh-agent.o $(P11OBJS) $(SKOBJS)
>
> -SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o $(P11OBJS) $(SKOBJS)
> +SSHKEYGEN_OBJS= ssh-keygen.o sshsig.o ssh-pkcs11.o $(SKOBJS)
>
>  SSHKEYSIGN_OBJS=ssh-keysign.o readconf.o uidswap.o $(P11OBJS) $(SKOBJS)
>
> And running
>
> $ ./configure --prefix $(pwd)/V_10_1_P1 --with-ssl-dir=/opt/homebrew/opt/openssl@3
> make install
>
> I no longer get the "pin required" message, and the attestation public key is output, as well as my ed25519 key.
> However, it is followed by a segmentation fault:

Yes, this is the crash I mentioned. The fix was committed as 0118c30aca and will be in OpenSSH 10.2, which is about to be released.