From: Matthew G. <gyu...@or...> - 2016-05-21 18:03:01
Unfortunately I don't think I can provide a full trace. I have confirmed my PIN is exposed, I could sanitize that. However, my cryptographic knowledge is fairly weak and there is a lot of data in the trace that I don't totally understand - I wouldn't feel comfortable sharing that with internal review from a coworker. Are there specific sections I could cherry-pick that may be useful?

I have requested a test card, but I'm skeptical I'll be able to obtain one.

My C knowledge is weak, my cryptographic knowledge is weak, as is my knowledge on smart cards. However, I can apply patches and compile code. As a matter of fact, I just compiled the latest versions of openssh and opensc the other day without any issues. Was there a patch / code change you wanted me to try?

I have no issues with raising the problem with the OpenSSH project. My understanding of the relationship between pcsc, opensc, and openssh is poor so I'm afraid my technical contribution to this issue will be limited.

I appreciate the time you have taken on this issue so far.

Thank you,
Matthew

On 16-05-21 09:09:47, Douglas E Engert wrote:
> Looking at the https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c
> in pkcs11_rsa_private_encrypt is where it is failing. All of the pkcs#11 code does not assume
> that a card may be removed. It might be easy to fix if the same card is inserted, but not
> if a different card is inserted.
>
> Seeing the SPY trace would help a lot. (note that your PIN may be exposed in the trace).
>
> Most of the initial information about the card is obtained when ssh-add sends the message to ssh-agent
> to register a new provider. But it may be some time before that is actually used from pkcs11_rsa_private_encrypt.
> In pkcs11_rsa_private_encrypt:
>   if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
> is checking if the user should be logged_in from the last use of when the provider was first added to ssh_agent.
> The C_Sign operation also uses si->session which may not be valid especially if a different card was inserted.
>
> I don't know if you are willing to make code changes or not, or to push the issue with OpenSSH.
>
>
> On 5/21/2016 7:30 AM, Matthew Gyurgyik wrote:
> >On 16-05-20 13:46:17, Douglas E Engert wrote:
> >>The problem may be ssh_add has access to the environment variables,
> >>but it passes the name of the library /usr/lib64/pkcs11-spy.so to the ssh-agent that
> >>then loads the library. pkcs11-spy.so needs to then open the log and load the real PKCS#11 library
> >>so ssh-agent needs access to:
> >>export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
> >>export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log
> >>
> >>Could also be full path to the logfile is needed in a directory writable like /tmp/pkcs11-spy.$$.log
> >>to get one log per process.
> >>
> >>
> >
> >Thanks for the pointer. I got pkcs11-spy working by setting those
> >environment variables when launching ssh-agent and running ssh-add and
> >using a full absolute path for the log.
> >
> >After removing the card I see the following error when trying to log
> >into SSH. Note I truncated some data just to be safe.
> >
> >53: C_Sign
> >2016-05-21 08:23:13.070
> >Returned: 257 CKR_USER_NOT_LOGGED_IN
> >
> >Is it up to the application to detect CKR_USER_NOT_LOGGED_IN and take an
> >appropriate action? Is it possible to log in manually after
> >re-insertion?
> >
> >
>
> --
>
>  Douglas E. Engert  <DEE...@gm...>
>
>

--
Matthew Gyurgyik
HPC System Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory
Bldg: 5600-D219
Phone: 865.576.7099
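
Added example, not part of the original thread and not OpenSC or OpenSSH code: one way to cherry-pick a pkcs11-spy trace for sharing is to keep only each call's index, function name, timestamp and return code, and drop every argument line (where the PIN and buffer contents appear). The three line shapes are assumed from the excerpt quoted above; the function names and the sample trace are constructed for illustration.

```python
import re

# Line shapes taken from the three-line excerpt quoted in the message above.
CALL_RE = re.compile(r"^(\d+): (C_\w+)\s*$")
TIME_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+\s*$")
RET_RE = re.compile(r"^Returned:\s+(\d+)\s+(CKR_\w+)\s*$")

def summarize(trace_text):
    """One dict per PKCS#11 call: index, function, time, rv, rv_name.
    Every other line (arguments, buffers, PIN bytes) is discarded."""
    calls, cur = [], None
    for line in trace_text.splitlines():
        m = CALL_RE.match(line)
        if m:
            cur = {"index": int(m.group(1)), "function": m.group(2),
                   "time": None, "rv": None, "rv_name": None}
            calls.append(cur)
            continue
        if cur is None:
            continue  # text before the first call header
        if cur["time"] is None and TIME_RE.match(line):
            cur["time"] = line.strip()
            continue
        m = RET_RE.match(line)
        if m:
            cur["rv"], cur["rv_name"] = int(m.group(1)), m.group(2)
    return calls

def failures(calls):
    """Calls that did not return CKR_OK (0), or that have no return line."""
    return [c for c in calls if c["rv"] != 0]

# Constructed sample trace; only the C_Sign record mirrors the excerpt above.
SAMPLE = """\
51: C_Login
2016-05-21 08:22:40.100
[in] hSession = 0x1
[in] pPin[ulPinLen] 31 32 33 34
Returned: 0 CKR_OK
52: C_SignInit
2016-05-21 08:23:13.050
[in] hSession = 0x1
Returned: 0 CKR_OK
53: C_Sign
2016-05-21 08:23:13.070
Returned: 257 CKR_USER_NOT_LOGGED_IN
"""

if __name__ == "__main__":
    for c in failures(summarize(SAMPLE)):
        print(c["index"], c["function"], c["time"], c["rv"], c["rv_name"])
```

The summary shows the call sequence and where it first fails without carrying any argument data, so it still needs a read-through before sharing but no longer contains the PIN line.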