Bug 3234

Summary: SSH does not read pkcs11-based private key.
Product: Portable OpenSSH Reporter: Inferno_geek <mishaad051>
Component: SmartcardAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WORKSFORME    
Severity: normal CC: djm, jjelen, mishaad051
Priority: P5    
Version: 8.4p1   
Hardware: amd64   
OS: Linux   

Description Inferno_geek 2020-11-20 07:20:49 AEDT 
When I try to connect to a server via ssh, which has the public key authentication enabled, my key is rejected and I am asked to use another authentication method.
System SSH version:                                                
OpenSSH_8.4p1, OpenSSL 1.1.1h  22 Sep 2020


ssh some-user@some-server -vvv -I ~/pkcs11-libs/librtpkcs11ecp.so:
https://termbin.com/ehn7
Token is detected and works for other purposes.
pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T

Available slots:
Slot 0 (0x0): Aktiv Rutoken ECP 00 00
  token label        : token1
  token manufacturer : Aktiv Co.
  token model        : Rutoken ECP
  token flags        : login required, rng, SO PIN to be changed, token initialized, PIN initialized, user PIN to be changed
  hardware version   : 20.5
  firmware version   : 23.2
  serial num         : 3b7558b7
  pin min/max        : 6/32

Whereas, using OpenSSH v8.2p1 allowed me to connect with key written in token: 
/home/some-user/ssh8.2/bin/ssh some-user@some-server -I /usr/lib/librtpkcs11ecp.so -vvv
https://termbin.com/7uy3
Comment 1 Damien Miller 2020-11-20 10:18:46 AEDT 
Does "ssh-keygen -D /path/pkcs11.so" show the keys?
Comment 2 Jakub Jelen 2020-11-20 20:35:04 AEDT 
The log says it has different amount of keys in OpenSSH 8.4. Can you get the list of objects with the following command?

pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
Comment 3 Inferno_geek 2020-11-20 21:45:10 AEDT 
(In reply to Damien Miller from comment #1)
> Does "ssh-keygen -D /path/pkcs11.so" show the keys?

~/ssh8-2/bin/ssh-keygen -D ~/pkcs11-libs/librtpkcs11ecp.so | nc termbin.com 9999
https://termbin.com/g3fo

ssh-keygen -D ~/pkcs11-libs/librtpkcs11ecp.so | nc termbin.com 9999             
https://termbin.com/9avs
Comment 4 Inferno_geek 2020-11-20 21:45:59 AEDT 
(In reply to Jakub Jelen from comment #2)
> The log says it has different amount of keys in OpenSSH 8.4. Can you
> get the list of objects with the following command?
> 
> pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O

pkcs11-tool --module ~/pkcs11-libs/librtpkcs11ecp.so -O 2>&1 | nc termbin.com 9999
https://termbin.com/pvsa
Comment 5 Damien Miller 2020-11-23 10:06:50 AEDT 
Are you using IdentitiesOnly in your ~/.ssh/config? In fixing bug #3141, ssh will no longer attempt all PKCS#11 keys when this option is active.
Comment 6 Inferno_geek 2020-11-23 10:15:07 AEDT 
(In reply to Damien Miller from comment #5)
> Are you using IdentitiesOnly in your ~/.ssh/config? In fixing bug
> #3141, ssh will no longer attempt all PKCS#11 keys when this option
> is active.

I removed the line and I was able to connect via key on token. Thank you.
Comment 7 Damien Miller 2021-03-04 09:52:17 AEDT 
close bugs that were resolved in OpenSSH 8.5 release cycle