Bug 3141

Summary:

ssh ignores IdentitiesOnly for PKCS11Provider

Product:

Portable OpenSSH

Reporter:

keil

Component:

ssh

Assignee:

Damien Miller <djm>

Status:

CLOSED FIXED

Severity:

enhancement

CC:

ahmedsayeed1982, djm, dtucker, ivan.2019.ifv

Priority:

Version:

8.1p1

Hardware:

Other

OS:

Linux

Bug Depends on:

Bug Blocks:

3117

Attachments:

Description	Flags
check PKCS#11 keys against non-PKCS#11 keys only	dtucker: ok+

Description keil 2020-03-28 01:23:13 AEDT

I'm using SSH with a token storing my keys. Trying to limit the tried indentities with IdentitiesOnly and IdentityFiles works as long as I'm using the ssg-agent. But if I instead configure the token with PKCS11Provider, ssh ignores IdentitiesOnly and tries all identities present on the token.

My config includes

Host *
IdentitiesOnly yes
IdentityFile ~/.ssh/token.pub
PKCS11Provider /usr/lib/libeTPkcs11.so

There are no host specific entries for any of these.

If I now try to ssh to any system, the output of ssh -vvv shows that it loads the provider and counts the keys. Later it prints

debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:... token
debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:... token
debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:... token

for all identities on the token. The hashes are distinct, so it's not printing the same multiple times.

Doing the same with adding the provider to ssh-agent and removing the PKCS11Provider key, shows only one key as attempted.

I may be way off here, but the code in sshconnect2:pubkey_prepare around line 1592 seems to iterate the files list limiting itself to external keys. For each external key it iterates the files list again using the same filter. As it finds the same key again it compares the two and thus adds it to the preferred list. Running this in gdb shows the two keys id and id2 pointing to the same address when adding the key to the preferred list. It looks like it might be iterating the external keys and trying to find a matching IdentityFile to apply the IdentitiesOnly filter but fails to do so. But as I said, that might be a misinterpretation and not related.

Comment 1 Damien Miller 2020-04-03 16:15:55 AEDT

Created attachment 3372 [details]
check PKCS#11 keys against non-PKCS#11 keys only

I think you analysis is correct. Can you please try this patch?

Comment 2 keil 2020-04-03 19:08:32 AEDT

Yes, that does it. Only the keys present as IdentityFiles are now attempted.

Comment 3 Damien Miller 2020-04-17 13:40:11 AEST

That fix has been committed and will be included in the OpenSSH 8.3 release - thanks!

Comment 4 Damien Miller 2021-04-23 15:10:43 AEST

closing resolved bugs as of 8.6p1 release

Comment 5 Ahmed Sayeed 2021-10-14 01:40:47 AEDT

[spam removed]