Bug 1736

Summary:

OpenSSH doesn't seem to work with my MuscleCard PKCS#11 library

Product:

Portable OpenSSH

Reporter:

Daniel Benoy <daniel>

Component:

Smartcard

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

CLOSED FIXED

Severity:

normal

CC:

djm, jmpoure, markus

Priority:

Version:

5.4p1

Hardware:

ix86

OS:

Linux

Bug Depends on:

Bug Blocks:

1708

Attachments:

Description	Flags
print out key ID for debugging	none
Debug command output	none
Debug command output 2	none
Debug command output 3	none
don't add attribut 'sign=true' when looking up the private rsa key	none
try to find private key object w/CKA_SIGN first, retry w/o	none
really try to find private key object w/CKA_SIGN first, retry w/o	none

Description Daniel Benoy 2010-03-18 06:16:16 AEDT

Here's what I get when I try to use my MuscleCard PKCS#11 library with SSH:

----------
$ ssh -v -I /usr/local/lib/libmusclepkcs11.so root@jackson
OpenSSH_5.4p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: ssh_set_validator: ignore responder url
debug1: Connecting to jackson [2001:470:1d:160:224:8cff:fe92:3230] port 22.
debug1: Connection established.
debug1: manufacturerID <SCHLUMBERGER> cryptokiVersion 2.11 libraryDescription <SLB PKCS #11 module> libraryVersion 1.0
debug1: label <MuscleCard Applet> manufacturerID <Unknown MFR> model <Unknown Model> serial <1> flags 0x40d
C_GetAttributeValue failed: 18
debug1: have 1 keys
C_GetAttributeValue failed: 18
debug1: have 2 keys
debug1: identity file /home/dbenoy/.ssh/id_rsa type -1
debug1: identity file /home/dbenoy/.ssh/id_rsa-cert type -1
debug1: identity file /home/dbenoy/.ssh/id_dsa type -1
debug1: identity file /home/dbenoy/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'jackson' is known and matches the RSA host key.
debug1: Found key in /home/dbenoy/.ssh/known_hosts:15
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /usr/local/lib/libmusclepkcs11.so
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /usr/local/lib/libmusclepkcs11.so
debug1: Server accepts key: pkalg ssh-rsa blen 151
Enter PIN for 'MuscleCard Applet': 
C_FindObjects failed (0 nfound): 0
ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)
debug1: Trying private key: /home/dbenoy/.ssh/id_rsa
debug1: Trying private key: /home/dbenoy/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password: 
----------

This PKCS#11 module works fine with Evolution, Firefox, and prior versions of SSH which I applied a patch to.

The patch was: http://sites.google.com/site/alonbarlev/openssh-pkcs11  (Although with that patch I had to use it as 'ssh -# /usr/local/lib/libmusclepkcs11.so:0:15' for some reason the :0:15 was important)

Also, my install of OpenSSH works successfully with the OpenSC PKCS#11 library.

So it seems the specific combination of MuscleCard and OpenSSH isn't working, even though they both work with other software.

Comment 1 Daniel Benoy 2010-03-18 06:19:17 AEDT

FYI: I'm using libmusclepkcs11.so from muscleframework version 1.1.7 from here:
https://alioth.debian.org/projects/muscleplugins/

Comment 2 Markus Friedl 2010-03-19 19:05:05 AEDT

what do the following commands print out:

 ssh-keygen -vvvD /usr/local/lib/libmusclepkcs11.so
 pkcs11-tool --module /usr/local/lib/libmusclepkcs11.so -O

do you have the original output from
 ssh -vvv# /usr/local/lib/libmusclepkcs11.so:0:15 xxxxx

Comment 3 Markus Friedl 2010-03-19 20:47:55 AEDT

Created attachment 1812 [details]
print out key ID for debugging

Could you please retry ssh -vI ... with this patch and attach
the new output? thanks!

Comment 4 Daniel Benoy 2010-03-20 00:01:49 AEDT

Created attachment 1813 [details]
Debug command output

Comment 5 Daniel Benoy 2010-03-20 00:02:12 AEDT

(In reply to comment #2)
> what do the following commands print out:
> 
>  ssh-keygen -vvvD /usr/local/lib/libmusclepkcs11.so
>  pkcs11-tool --module /usr/local/lib/libmusclepkcs11.so -O

attached.

> do you have the original output from
>  ssh -vvv# /usr/local/lib/libmusclepkcs11.so:0:15 xxxxx

'fraid not :(

Comment 6 Daniel Benoy 2010-03-20 00:16:28 AEDT

Created attachment 1814 [details]
Debug command output 2

Comment 7 Daniel Benoy 2010-03-20 00:17:47 AEDT

(In reply to comment #3)
> Created an attachment (id=1812) [details]
> print out key ID for debugging
> 
> Could you please retry ssh -vI ... with this patch and attach
> the new output? thanks!

Attached.  I believe this is the line you're looking for:

pkcs11_rsa_private_encrypt/20: 24b1986496cb599e52da591ff46c98cd8dd74418

Comment 8 jmpoure 2010-04-08 23:36:09 AEST

Muscle cards are highly experimental under GNU/Linux. It is recommended to use a traditional PKI card, compatible with OpenSC. This will work out of the box. You can try the FEITIAN PKI card for example, but there are other cards. Avoid Muscle cards.

Comment 9 Daniel Benoy 2010-04-09 00:42:00 AEST

I have an aladdin etoken which I'm using in the meantime until this bug gets fixed.

Comment 10 Markus Friedl 2010-04-09 05:46:32 AEST

could you please try
PKCS11SPY=/usr/local/lib/libmusclepkcs11.so
export PKCS11SPY

and then
% ssh -vvvI /usr/local/lib/pkcs11-spy.so host

pkcs11 spy should be part of opensc

Comment 11 Daniel Benoy 2010-04-09 06:21:06 AEST

Created attachment 1829 [details]
Debug command output 3

Comment 12 Markus Friedl 2010-04-09 17:13:24 AEST

Created attachment 1835 [details]
don't add attribut 'sign=true' when looking up the private rsa key

Could you please try this?

Comment 13 Daniel Benoy 2010-04-09 23:41:41 AEST

It worked! :D

Thanks :)

Comment 14 Markus Friedl 2010-04-13 07:40:49 AEST

Created attachment 1836 [details]
try to find private key object w/CKA_SIGN first, retry w/o

Thanks. Could you please try this, too? this should both
work with the MUSCLE card and the E-Token.

thanks, -m

Comment 15 Markus Friedl 2010-04-13 08:10:32 AEST

Created attachment 1837 [details]
really try to find private key object w/CKA_SIGN first, retry w/o   

this one should work

Comment 16 Daniel Benoy 2010-04-14 03:50:07 AEST

(In reply to comment #15)
> Created an attachment (id=1837) [details]
> really try to find private key object w/CKA_SIGN first, retry w/o   
> 
> this one should work

Yep!  It worked with both my MUSCLE card and my Aladdin eToken Pro 32k via OpenSC.

Comment 17 Damien Miller 2010-04-23 11:04:48 AEST

Markus has committed the fix in attachment #1837 [details]. It will be in OpenSSH 5.6.

Comment 18 Damien Miller 2011-01-24 12:33:48 AEDT

Move resolved bugs to CLOSED after 5.7 release