Bug 3141 - ssh ignores IdentitiesOnly for PKCS11Provider
Summary: ssh ignores IdentitiesOnly for PKCS11Provider
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 8.1p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Damien Miller
URL:
Keywords:
Depends on:
Blocks: V_8_3
Reported: 2020-03-28 01:23 AEDT by keil
Modified: 2021-10-14 01:40 AEDT

See Also:


Attachments
check PKCS#11 keys against non-PKCS#11 keys only (445 bytes, patch)
2020-04-03 16:15 AEDT, Damien Miller
dtucker: ok+

Description keil 2020-03-28 01:23:13 AEDT
I'm using SSH with a token storing my keys. Trying to limit the tried identities with IdentitiesOnly and IdentityFiles works as long as I'm using the ssh-agent. But if I instead configure the token with PKCS11Provider, ssh ignores IdentitiesOnly and tries all identities present on the token.

My config includes

Host *
IdentitiesOnly yes
IdentityFile ~/.ssh/token.pub
PKCS11Provider /usr/lib/libeTPkcs11.so

There are no host specific entries for any of these.

If I now try to ssh to any system, the output of ssh -vvv shows that it loads the provider and counts the keys. Later it prints

debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:... token
debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:... token
debug1: Will attempt key: /usr/lib64/libeTPkcs11.so RSA SHA256:... token

for all identities on the token. The hashes are distinct, so it's not printing the same multiple times.

Doing the same with adding the provider to ssh-agent and removing the PKCS11Provider key, shows only one key as attempted.

I may be way off here, but the code in sshconnect2:pubkey_prepare around line 1592 seems to iterate the files list limiting itself to external keys. For each external key it iterates the files list again using the same filter. As it finds the same key again it compares the two and thus adds it to the preferred list. Running this in gdb shows the two keys id and id2 pointing to the same address when adding the key to the preferred list. It looks like it might be iterating the external keys and trying to find a matching IdentityFile to apply the IdentitiesOnly filter but fails to do so. But as I said, that might be a misinterpretation and not related.
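The matching loop described in the report, modelled as an added example. This is not OpenSSH's own code (sshconnect2.c keeps the candidates in TAILQ lists and compares keys with sshkey_equal()); here the list is a plain array, key equality is a comparison of constructed fingerprint strings, and an `ext` flag stands in for SSHKEY_FLAG_EXT, the flag OpenSSH sets on keys enumerated from a PKCS#11 provider. The scenario is the reporter's: one IdentityFile (~/.ssh/token.pub, a public key without the flag) plus three keys found on the token. The 8.1p1 filter skips non-external keys on the inner loop, so every token key finds itself and is kept; the fixed filter (compare PKCS#11 keys against non-PKCS#11 keys only) keeps just the key that has an IdentityFile entry.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Reduced model of an identity candidate (assumption: OpenSSH's struct
 * identity carries more fields; only these two matter for the loop). */
struct ident {
    const char *fp;  /* constructed fingerprint; stands in for sshkey_equal() */
    bool ext;        /* true = key enumerated from the PKCS#11 provider */
};

/* Which keys the inner (comparison) loop may match against. */
enum filter {
    COMPARE_TO_EXT_KEYS,     /* 8.1p1 behaviour: a token key matches itself */
    COMPARE_TO_NON_EXT_KEYS  /* fixed behaviour: only IdentityFile keys match */
};

/* Count the PKCS#11 keys that would be attempted.  A matched key is moved
 * to the preferred list; an unmatched key is dropped under IdentitiesOnly
 * and otherwise left in the files list.  Both surviving cases get tried. */
static int count_attempted_pkcs11(const struct ident *ids, int n,
                                  enum filter f, bool identities_only)
{
    int attempted = 0;
    for (int i = 0; i < n; i++) {
        if (!ids[i].ext)
            continue;                 /* only PKCS#11 keys are examined */
        bool found = false;
        for (int j = 0; j < n; j++) {
            if (f == COMPARE_TO_EXT_KEYS && !ids[j].ext)
                continue;             /* buggy: ids[i] is compared with itself */
            if (f == COMPARE_TO_NON_EXT_KEYS && ids[j].ext)
                continue;             /* fixed: only IdentityFile keys can match */
            if (strcmp(ids[i].fp, ids[j].fp) == 0) {
                found = true;
                break;
            }
        }
        if (found || !identities_only)
            attempted++;
    }
    return attempted;
}

/* Constructed candidate list: the IdentityFile entry first, then the
 * three keys the provider reports; the first token key is the same key
 * as ~/.ssh/token.pub. */
#define NIDS 4
static const struct ident sample[NIDS] = {
    { "SHA256:aaaa", false },   /* ~/.ssh/token.pub */
    { "SHA256:aaaa", true  },   /* same key, from the PKCS#11 provider */
    { "SHA256:bbbb", true  },
    { "SHA256:cccc", true  },
};

int buggy_count(void)
{
    return count_attempted_pkcs11(sample, NIDS, COMPARE_TO_EXT_KEYS, true);
}

int fixed_count(void)
{
    return count_attempted_pkcs11(sample, NIDS, COMPARE_TO_NON_EXT_KEYS, true);
}

int no_identities_only_count(void)
{
    return count_attempted_pkcs11(sample, NIDS, COMPARE_TO_NON_EXT_KEYS, false);
}

int main(void)
{
    printf("IdentitiesOnly yes, 8.1p1 filter: %d token keys attempted\n",
           buggy_count());
    printf("IdentitiesOnly yes, fixed filter:  %d token key attempted\n",
           fixed_count());
    printf("IdentitiesOnly no:                 %d token keys attempted\n",
           no_identities_only_count());
    return 0;
}
```

With the old filter the inner loop can never fail, which is why IdentitiesOnly had no effect on provider keys; with the new filter an unlisted token key finds no IdentityFile twin and is discarded, while IdentitiesOnly no still offers every key on the token.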
Comment 1 Damien Miller 2020-04-03 16:15:55 AEDT
Created attachment 3372
check PKCS#11 keys against non-PKCS#11 keys only

I think your analysis is correct. Can you please try this patch?
Comment 2 keil 2020-04-03 19:08:32 AEDT
Yes, that does it. Only the keys present as IdentityFiles are now attempted.
Comment 3 Damien Miller 2020-04-17 13:40:11 AEST
That fix has been committed and will be included in the OpenSSH 8.3 release - thanks!
Comment 4 Damien Miller 2021-04-23 15:10:43 AEST
closing resolved bugs as of 8.6p1 release