When I try to connect via ssh to a server which has public key authentication enabled, my key is rejected and I am asked to use another authentication method.
System SSH version: OpenSSH_8.4p1, OpenSSL 1.1.1h 22 Sep 2020
ssh some-user@some-server -vvv -I ~/pkcs11-libs/librtpkcs11ecp.so:
https://termbin.com/ehn7
The token is detected and works for other purposes.
pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -T
Available slots:
Slot 0 (0x0): Aktiv Rutoken ECP 00 00
  token label        : token1
  token manufacturer : Aktiv Co.
  token model        : Rutoken ECP
  token flags        : login required, rng, SO PIN to be changed, token initialized, PIN initialized, user PIN to be changed
  hardware version   : 20.5
  firmware version   : 23.2
  serial num         : 3b7558b7
  pin min/max        : 6/32
Whereas using OpenSSH v8.2p1 allowed me to connect with the key written to the token:
/home/some-user/ssh8.2/bin/ssh some-user@some-server -I /usr/lib/librtpkcs11ecp.so -vvv
https://termbin.com/7uy3
Does "ssh-keygen -D /path/pkcs11.so" show the keys?
The log says it has a different number of keys in OpenSSH 8.4. Can you get the list of objects with the following command?
pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
(In reply to Damien Miller from comment #1)
> Does "ssh-keygen -D /path/pkcs11.so" show the keys?
~/ssh8-2/bin/ssh-keygen -D ~/pkcs11-libs/librtpkcs11ecp.so | nc termbin.com 9999
https://termbin.com/g3fo
ssh-keygen -D ~/pkcs11-libs/librtpkcs11ecp.so | nc termbin.com 9999
https://termbin.com/9avs
(In reply to Jakub Jelen from comment #2)
> The log says it has different amount of keys in OpenSSH 8.4. Can you
> get the list of objects with the following command?
>
> pkcs11-tool --module /usr/lib/librtpkcs11ecp.so -O
pkcs11-tool --module ~/pkcs11-libs/librtpkcs11ecp.so -O 2>&1 | nc termbin.com 9999
https://termbin.com/pvsa
Are you using IdentitiesOnly in your ~/.ssh/config? In fixing bug #3141, ssh will no longer attempt all PKCS#11 keys when this option is active.
(In reply to Damien Miller from comment #5)
> Are you using IdentitiesOnly in your ~/.ssh/config? In fixing bug
> #3141, ssh will no longer attempt all PKCS#11 keys when this option
> is active.
I removed the line and I was able to connect via key on token. Thank you.
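A check for the combination identified in comment #5, added here as an example and not part of the original thread or of OpenSSH: it reads the effective client configuration as printed by `ssh -G <host>` and reports when IdentitiesOnly is active while a PKCS#11 provider is configured. The function names and the sample inputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report): detect the option combination
# that caused this report. Feed it the output of `ssh -G <host>`, e.g.
#   ssh -G some-server | check_pkcs11_identitiesonly
# Assumption: `ssh -G` prints lowercase "keyword value" lines, including
# identitiesonly, pkcs11provider (when set) and identityfile.
# Exit status: 1 if IdentitiesOnly is active with a PKCS#11 provider, else 0.
check_pkcs11_identitiesonly() {
    awk '
        # Return everything after the keyword, so paths with spaces survive.
        function val(line) { sub(/^[^ ]+ +/, "", line); return line }
        $1 == "identitiesonly" { only = $2 }
        $1 == "pkcs11provider" { provider = val($0) }
        $1 == "identityfile"   { files = files "\n  " val($0) }
        END {
            if (only == "yes" && provider != "") {
                print "conflict: identitiesonly=yes, pkcs11provider=" provider
                print "configured identity files:" (files == "" ? " (none)" : files)
                exit 1
            }
            print "ok: identitiesonly does not restrict a PKCS#11 provider here"
        }'
}

# Constructed sample inputs (hypothetical, not taken from the termbin logs).
sample_conflict() {
    printf '%s\n' 'hostname some-server' 'user some-user' \
        'identitiesonly yes' \
        'pkcs11provider /usr/lib/librtpkcs11ecp.so' \
        'identityfile ~/.ssh/id_rsa'
}
sample_ok() {
    printf '%s\n' 'hostname some-server' 'user some-user' \
        'identitiesonly no' \
        'pkcs11provider /usr/lib/librtpkcs11ecp.so'
}
```

Passing the same `-I` option to `ssh -G` that is used for the real connection lets the check see a provider given on the command line.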
close bugs that were resolved in OpenSSH 8.5 release cycle