Hello.

First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education; if there is a better place to post this question, please let me know.

I can add keys provided by my smart card to ssh-agent with

$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so

However, if I remove the card from the reader and then reinsert it I have to re-add the keys

$ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so

This happens on both OS X and RHEL7. I am assuming this is expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them?

Thank you,
Matthew Gyurgyik

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who bring their own devices (BYOD) to work are irked by the imposition of MDM restrictions. Mobile Device Manager Plus allows you to control only the apps on BYO-devices by containerizing them, leaving personal data untouched! https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
On 5/19/2016 7:18 PM, Gyurgyik, Matthew S. wrote:
> Hello.
>
> First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know.
>
> I can add keys provided by my smart card to ssh-agent with
>
> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>
> However, if I remove the card from the reader and then reinsert it I have to re-add the keys
>
> $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>
> This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them?

You could ask on the OpenSSH list.

I would suspect that the code is simple and only looks for a card when ssh-add is first called, and the code does not know how to look for a reinsertion of the card.

To see what it is doing, you could use the OpenSC SPY trace. See the ssh-add example in:

https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC

> Thank you,
> Matthew Gyurgyik

--
Douglas E. Engert <[hidden email]>
In reply to this post by Matthew Gyurgyik
Hello,

On Fri, 20 May 2016 00:18:48 +0000, "Gyurgyik, Matthew S." <[hidden email]> wrote:
> Hello.
>
> First, let me say I’m new to smart cards and I haven’t been able to
> find much documentation on how they work. I’m looking for some
> education, if there is a better place to post this question, please
> let me know.
>
> I can add keys provided by my smart card to ssh-agent with
>
> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>
> However, if I remove the card from the reader and then reinsert it I
> have to re-add the keys
>
> $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>
> This happens on both OS X and RHEL7. I am assuming this expected
> behavior. Can someone explain (or point me to documentation) why it
> is necessary to remove the keys and re-add them?

Here I simply use

$ cat .ssh/config
Host xxx
    PKCS11Provider /usr/local/lib/opensc-pkcs11.so

xxx is the host I use the private key to connect to.

No commands for card removal/reinsertion needed.

Regards,
Andreas Kemnade
In reply to this post by Douglas E Engert
On 16-05-20 07:09:16, Douglas E Engert wrote:
>
> On 5/19/2016 7:18 PM, Gyurgyik, Matthew S. wrote:
>> Hello.
>>
>> First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know.
>>
>> I can add keys provided by my smart card to ssh-agent with
>>
>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>>
>> However, if I remove the card from the reader and then reinsert it I have to re-add the keys
>>
>> $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>>
>> This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them?
>
> You could ask on the OpenSSH list.
>
> I would suspect that the code is simple and only looks for a card when ssh-add is first called and the code does not know how to look for a reinsertion of the card.
>
> To see what it is doing, you could use the OpenSC SPY trace. See ssh-add example in:
>
> https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC

I tried those instructions but I can't get PKCS11SPY to work.

~ $ PKCS11SPY=/usr/lib64/opensc-pkcs11.so PKCS11SPY_OUTPUT=logfile ssh-add -s /usr/lib64/pkcs11-spy.so
Enter passphrase for PKCS#11:
SSH_AGENT_FAILURE
Could not add card: /usr/lib64/pkcs11-spy.so

However this works just fine

~ $ ssh-add -s /usr/lib64/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib64/opensc-pkcs11.so

I tried on both RHEL and OS X.

Thanks,
Matthew
In reply to this post by Andreas Kemnade-2
On 16-05-20 14:54:39, Andreas Kemnade wrote:
> Hello,
>
> On Fri, 20 May 2016 00:18:48 +0000, "Gyurgyik, Matthew S." <[hidden email]> wrote:
>> Hello.
>>
>> First, let me say I’m new to smart cards and I haven’t been able to
>> find much documentation on how they work. I’m looking for some
>> education, if there is a better place to post this question, please
>> let me know.
>>
>> I can add keys provided by my smart card to ssh-agent with
>>
>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>>
>> However, if I remove the card from the reader and then reinsert it I
>> have to re-add the keys
>>
>> $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>>
>> This happens on both OS X and RHEL7. I am assuming this expected
>> behavior. Can someone explain (or point me to documentation) why it
>> is necessary to remove the keys and re-add them?
>
> here I simply use
> $ cat .ssh/config
> Host xxx
>     PKCS11Provider /usr/local/lib/opensc-pkcs11.so
>
> xxx is the host I use the private key to connect to.
>
> No commands for card removal/reinsertion needed.
>
> Regards,
> Andreas Kemnade

Thanks for the suggestion, and that certainly works; however, I have a bastion host which allows access to the rest of the network. I am using SSH agent forwarding to allow authentication to hosts past the bastion host. Is there a clever way to forward the card reader to the bastion host?

Thanks,
Matthew
In reply to this post by Matthew Gyurgyik
The problem may be that ssh-add has access to the environment variables, but it passes the name of the library /usr/lib64/pkcs11-spy.so to the ssh-agent, which then loads the library. pkcs11-spy.so then needs to open the log and load the real PKCS#11 library, so ssh-agent needs access to:

export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log

It could also be that the full path to the logfile is needed, in a writable directory, like /tmp/pkcs11-spy.$$.log to get one log per process.

On 5/20/2016 11:02 AM, Matthew Gyurgyik wrote:
> On 16-05-20 07:09:16, Douglas E Engert wrote:
>>
>> On 5/19/2016 7:18 PM, Gyurgyik, Matthew S. wrote:
>>> Hello.
>>>
>>> First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know.
>>>
>>> I can add keys provided by my smart card to ssh-agent with
>>>
>>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>>>
>>> However, if I remove the card from the reader and then reinsert it I have to re-add the keys
>>>
>>> $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
>>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>>>
>>> This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them?
>>
>> You could ask on the OpenSSH list.
>>
>> I would suspect that the code is simple and only looks for a card when ssh-add is first called and the code does not know how to look for a reinsertion of the card.
>>
>> To see what it is doing, you could use the OpenSC SPY trace. See ssh-add example in:
>>
>> https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
>
> I tried those instructions but I can't get PKCS11SPY to work.
>
> ~ $ PKCS11SPY=/usr/lib64/opensc-pkcs11.so PKCS11SPY_OUTPUT=logfile ssh-add -s /usr/lib64/pkcs11-spy.so
> Enter passphrase for PKCS#11:
> SSH_AGENT_FAILURE
> Could not add card: /usr/lib64/pkcs11-spy.so
>
> However this works just fine
>
> ~ $ ssh-add -s /usr/lib64/opensc-pkcs11.so
> Enter passphrase for PKCS#11:
> Card added: /usr/lib64/opensc-pkcs11.so
>
> I tried on both RHEL and OS X.
>
> Thanks,
> Matthew

--
Douglas E. Engert <[hidden email]>
In reply to this post by Matthew Gyurgyik
On 5/20/2016 11:05 AM, Gyurgyik, Matthew S. wrote:
>
> Is there a clever way to forward the card reader to the bastion host?

The closest thing is the Windows RDC/unix rdesktop that can do pcsc over the RDC session. But RDC is not SSH.

The pcscd on the bastion host might give one user access to another user's card (but would require the PIN).

Forwarding the ssh-agent connection sounds like the way to go, as that is the point of forwarding the ssh-agent.

--
Douglas E. Engert <[hidden email]>
In reply to this post by Douglas E Engert
On 16-05-20 13:46:17, Douglas E Engert wrote:
> The problem maybe ssh_add has access to the environment variables,
> but it passes the name of the library /usr/lib64/pkcs11-spy.so to the ssh-agent that
> then loads the library. pkcs11-spy.so needs to then open the log and load the real PKCS#11 library
> so ssh-agent needs access to:
> export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
> export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log
>
> Could also be full path to the logfile is needed in a directory writable like /tmp/pkcs11-spy.$$.log
> to get one log per process.

Thanks for the pointer. I got pkcs11-spy working by setting those environment variables when launching ssh-agent and running ssh-add, and using a full absolute path for the log.

After removing the card I see the following error when trying to log into SSH. Note I truncated some data just to be safe.

53: C_Sign
2016-05-21 08:23:13.070
Returned: 257 CKR_USER_NOT_LOGGED_IN

Is it up to the application to detect CKR_USER_NOT_LOGGED_IN and take an appropriate action? Is it possible to log in manually after re-insertion?
Looking at https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c, pkcs11_rsa_private_encrypt is where it is failing. None of the PKCS#11 code assumes that a card may be removed. It might be easy to fix if the same card is inserted, but not if a different card is inserted.

Seeing the SPY trace would help a lot. (Note that your PIN may be exposed in the trace.)

Most of the initial information about the card is obtained when ssh-add sends the message to ssh-agent to register a new provider. But it may be some time before that is actually used from pkcs11_rsa_private_encrypt.

In pkcs11_rsa_private_encrypt:

    if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {

is checking whether the user should be logged in based on the last use, i.e. when the provider was first added to ssh-agent. The C_Sign operation also uses si->session, which may not be valid, especially if a different card was inserted.

I don't know if you are willing to make code changes or not, or to push the issue with OpenSSH.

On 5/21/2016 7:30 AM, Matthew Gyurgyik wrote:
> On 16-05-20 13:46:17, Douglas E Engert wrote:
>> The problem maybe ssh_add has access to the environment variables,
>> but it passes the name of the library /usr/lib64/pkcs11-spy.so to the ssh-agent that
>> then loads the library. pkcs11-spy.so needs to then open the log and load the real PKCS#11 library
>> so ssh-agent needs access to:
>> export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
>> export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log
>>
>> Could also be full path to the logfile is needed in a directory writable like /tmp/pkcs11-spy.$$.log
>> to get one log per process.
>
> Thanks for the pointer. I got pkcs11-spy working by setting those
> environment variable when launching ssh-agent and running ssh-add and
> using a full absolute path for the log.
>
> After removing the card I see the following error when trying to log
> into SSH. Note I truncated some data just to be safe.
>
> 53: C_Sign
> 2016-05-21 08:23:13.070
> Returned: 257 CKR_USER_NOT_LOGGED_IN
>
> Is it up the application to detect CKR_USER_NOT_LOGGED_IN and take an
> appropriate action? Is it possible to log into manually after
> re-insertation?

--
Douglas E. Engert <[hidden email]>
Unfortunately I don't think I can provide a full trace. I have confirmed my PIN is exposed; I could sanitize that. However, my cryptographic knowledge is fairly weak and there is a lot of data in the trace that I don't totally understand; I wouldn't feel comfortable sharing that with internal review from a coworker. Are there specific sections I could cherry-pick that may be useful?

I have requested a test card, but I'm skeptical I'll be able to obtain one.

My C knowledge is weak, my cryptographic knowledge is weak, as is my knowledge of smart cards. However, I can apply patches and compile code. As a matter of fact, I just compiled the latest versions of openssh and opensc the other day without any issues. Was there a patch / code change you wanted me to try?

I have no issues with raising the problem with the OpenSSH project. My understanding of the relationship between pcsc, opensc, and openssh is poor, so I'm afraid my technical contribution to this issue will be limited.

I appreciate the time you have taken on this issue so far.

Thank you,
Matthew

On 16-05-21 09:09:47, Douglas E Engert wrote:
> Looking at the https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c
> in pkcs11_rsa_private_encrypt is where it is failing. All of the pkcs#11 code does not assume
> that a card may be removed. It might be easy to fix if the same card is inserted, but not
> if a different card is inserted.
>
> Seeing the SPY trace would help a lot. (note that your PIN may be exposed in the trace).
>
> Most of the initial information about the card is obtained when ssh-add sends the message to ssh-agent
> to register a new provider. But it may be some time before that is actually used from pkcs11_rsa_private_encrypt.
> In pkcs11_rsa_private_encrypt:
> if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
> is checking if the user should be logged_in from the last use of when the provider was first added to ssh_agent.
> The C_Sign operation also uses si->session which may not be valid especially if a different card was inserted.
>
> I don't know if you are willing to make code changes or not, or to push the issue with OpenSSH.
>
> On 5/21/2016 7:30 AM, Matthew Gyurgyik wrote:
>> On 16-05-20 13:46:17, Douglas E Engert wrote:
>>> The problem maybe ssh_add has access to the environment variables,
>>> but it passes the name of the library /usr/lib64/pkcs11-spy.so to the ssh-agent that
>>> then loads the library. pkcs11-spy.so needs to then open the log and load the real PKCS#11 library
>>> so ssh-agent needs access to:
>>> export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
>>> export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log
>>>
>>> Could also be full path to the logfile is needed in a directory writable like /tmp/pkcs11-spy.$$.log
>>> to get one log per process.
>>
>> Thanks for the pointer. I got pkcs11-spy working by setting those
>> environment variable when launching ssh-agent and running ssh-add and
>> using a full absolute path for the log.
>>
>> After removing the card I see the following error when trying to log
>> into SSH. Note I truncated some data just to be safe.
>>
>> 53: C_Sign
>> 2016-05-21 08:23:13.070
>> Returned: 257 CKR_USER_NOT_LOGGED_IN
>>
>> Is it up the application to detect CKR_USER_NOT_LOGGED_IN and take an
>> appropriate action? Is it possible to log into manually after
>> re-insertation?
>
> --
> Douglas E. Engert <[hidden email]>

--
Matthew Gyurgyik
HPC System Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory
Bldg: 5600-D219
Phone: 865.576.7099
In reply to this post by Douglas E Engert
On 05/21/2016 04:09 PM, Douglas E Engert wrote:
> Looking at the https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c
> in pkcs11_rsa_private_encrypt is where it is failing. All of the pkcs#11 code does not assume
> that a card may be removed. It might be easy to fix if the same card is inserted, but not
> if a different card is inserted.
>
> Seeing the SPY trace would help a lot. (note that your PIN may be exposed in the trace).
>
> Most of the initial information about the card is obtained when ssh-add sends the message to ssh-agent
> to register a new provider. But it may be some time before that is actually used from pkcs11_rsa_private_encrypt.
> In pkcs11_rsa_private_encrypt:
> if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
> is checking if the user should be logged_in from the last use of when the provider was first added to ssh_agent.
> The C_Sign operation also uses si->session which may not be valid especially if a different card was inserted.
>
> I don't know if you are willing to make code changes or not, or to push the issue with OpenSSH.

OpenSSH pkcs11 currently does not support EC keys and needs a lot of changes to support them. There are at least two patches hanging around openssh mailing lists and bugzillas adding this support to some extent. I plan to have a look into this in the months or so to get that upstream.

To the actual topic, if you think this is a valid use case (reinsertion of the card), I can pick that up and try to implement a fix. But I would need a bit of help in the case "how to look for a reinsertion of the card" as mentioned in previous mails.

The problem from my point of view is that you have a terminal/keyboard when you add the key (ssh-add; the message adding a card to the agent already contains the PIN), but when you do the signature, you don't have it and you have basically no way to get the PIN from the user (unless you would store it in the ssh-agent, which is generally not a good idea; the message to sign from ssh does not have any field to provide a PIN).

Regards,
--
Jakub Jelen
Security Technologies
Red Hat
On Mon, May 23, 2016 at 1:11 AM, Jakub Jelen <[hidden email]> wrote:
> OpenSSH pkcs11 currently does not support EC keys and needs a lot of
> changes to support them. There are at least two patches hanging around
> openssh mailing lists and bugzillas adding this support to some extent.
> I plan to have a look into this in the months or so to get that upstream.

I'm the author of the one in #2474 (https://bugzilla.mindrot.org/show_bug.cgi?id=2474), tell me if there's something I can do to help. The patch is tested with OpenSC (Yubikey Neo).

Sincerely,
--
Mathias Brossard
In reply to this post by Jakub Jelen
On 5/23/2016 3:11 AM, Jakub Jelen wrote:
> On 05/21/2016 04:09 PM, Douglas E Engert wrote:
>> Looking at the https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c
>> in pkcs11_rsa_private_encrypt is where it is failing. All of the pkcs#11 code does not assume
>> that a card may be removed. It might be easy to fix if the same card is inserted, but not
>> if a different card is inserted.
>>
>> Seeing the SPY trace would help a lot. (note that your PIN may be exposed in the trace).
>>
>> Most of the initial information about the card is obtained when ssh-add sends the message to ssh-agent
>> to register a new provider. But it may be some time before that is actually used from pkcs11_rsa_private_encrypt.
>> In pkcs11_rsa_private_encrypt:
>> if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
>> is checking if the user should be logged_in from the last use of when the provider was first added to ssh_agent.
>> The C_Sign operation also uses si->session which may not be valid especially if a different card was inserted.
>>
>> I don't know if you are willing to make code changes or not, or to push the issue with OpenSSH.
> OpenSSH pkcs11 currently does not support EC keys and needs a lot of
> changes to support them. There are at least two patches hanging around
> openssh mailing lists and bugzillas adding this support to some extent.
> I plan to have a look into this in the months or so to get that upstream.

Yes, EC support is a separate issue which should be addressed.

> To the actual topic, if you think this is a valid use case (reinsertion
> of the card), I can pick that up and try to implement a fix. But I would
> need a bit help in the case "how to look for a reinsertion of the card"
> as mentioned in previous mails.

PKCS#11 can return CKR_DEVICE_REMOVED to indicate the card had been removed. From an OpenSC SPY trace of ssh-agent:

55: C_Sign
2016-05-22 09:14:41.715
[in] hSession = 0x7fe7fb518580
[in] pData[ulDataLen] <REDACTED>
Returned: 50 CKR_DEVICE_REMOVED

The problem is that this card status change is only returned to the calling application when some attempt is made to contact the card. The way the ssh-agent code is written, certificates and keys are found when ssh-add registers the provider, but the key may not be used until a C_Sign is needed, maybe minutes or hours later, and the user may have pulled his card/ID badge out when leaving the workstation, then inserted it upon return.

C_WaitForSlotEvent and C_GetTokenInfo could be used to detect whether the card status has changed before doing the C_Sign.

Many PKCS#11 implementations will invalidate any sessions and release objects when the card is removed. Insertion of the same card will also require C_Login to be done again. Even without removal and insertion, use of the card by other applications could also cause the PIN to be required again.

> The problem from my point of view is that you have a terminal/keyboard
> when you add the key (ssh-add, message adding a card to the agent
> already contains pin), but when you do the signature, you don't have it
> and you have basically no way to get the PIN from the user (unless you
> would store it in the ssh-agent, which is generally not a good idea;
> message to sign from ssh does not have any field to provide PIN).

Caching of the PIN is an option, and OpenSC has optional PIN caching (other PKCS#11 libs may not). But the removal of the card will cause the OpenSC cache, slots, sessions and objects to be cleared. And a different card might be inserted, requiring a different PIN!

The use of a PIN pad reader is another option, especially in a high security environment, and I see ssh-pkcs11.c supports CKF_PROTECTED_AUTHENTICATION_PATH, so the PIN is never in the host but the user has access to the PIN pad reader even from ssh-agent, but has to *look* at the PIN pad reader. But the issue that PKCS#11 slots, sessions and objects need to be reestablished would still need to be addressed.

So would a better way to address this be scripts run from screen unlock, or some user-started background process, to do a new ssh-add -s? I.e. when the user pulls the card, they are most likely going to leave the workstation, or don't want the card being used for some reason.

Smart cards introduce a lot of human factors which are not often considered when writing code.

> Regards,

--
Douglas E. Engert <[hidden email]>
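The two failure paths described in this thread (the stale logged_in check in pkcs11_rsa_private_encrypt quoted earlier, and the C_GetTokenInfo-before-C_Sign recovery suggested above) can be shown side by side against a constructed in-memory token. This is an added example, not OpenSSH or OpenSC code: the CK_* names and numeric values are the PKCS#11 v2.x ones, the *_sim functions and the card_insert/card_remove events are a constructed stand-in for a real library, and sign_naive, sign_with_recovery and scenario are hypothetical helpers.

```c
#include <stdio.h>
#include <string.h>

typedef unsigned long CK_RV;
typedef unsigned long CK_SESSION_HANDLE;
/* Return values as numbered in the PKCS#11 v2.x specification. */
#define CKR_OK                     0x000UL
#define CKR_DEVICE_REMOVED         0x032UL  /* "Returned: 50" in the SPY trace above */
#define CKR_SESSION_HANDLE_INVALID 0x0B3UL
#define CKR_TOKEN_NOT_PRESENT      0x0E0UL
#define CKR_USER_NOT_LOGGED_IN     0x101UL  /* "Returned: 257" in Matthew's trace */

/* Constructed in-memory token standing in for the real PKCS#11 library.
 * Removing the card drops the session and the login, as the thread says OpenSC does. */
static struct {
    char serial[17];     /* empty string: no card in the reader */
    int  session_valid;
    int  logged_in;
} tok;

static void card_insert(const char *serial) { strcpy(tok.serial, serial); }
static void card_remove(void) { tok.serial[0] = '\0'; tok.session_valid = 0; tok.logged_in = 0; }

static CK_RV C_GetTokenInfo_sim(char serial_out[17])
{
    if (tok.serial[0] == '\0') return CKR_TOKEN_NOT_PRESENT;
    strcpy(serial_out, tok.serial);
    return CKR_OK;
}
static CK_RV C_OpenSession_sim(CK_SESSION_HANDLE *h)
{
    if (tok.serial[0] == '\0') return CKR_TOKEN_NOT_PRESENT;
    tok.session_valid = 1;
    *h = 1;
    return CKR_OK;
}
static CK_RV C_Login_sim(CK_SESSION_HANDLE h, const char *pin)
{
    (void)h; (void)pin;  /* the stand-in accepts any PIN; a real card verifies it */
    if (!tok.session_valid) return CKR_SESSION_HANDLE_INVALID;
    tok.logged_in = 1;
    return CKR_OK;
}
static CK_RV C_Sign_sim(CK_SESSION_HANDLE h)
{
    (void)h;
    if (tok.serial[0] == '\0') return CKR_DEVICE_REMOVED;
    if (!tok.session_valid)    return CKR_SESSION_HANDLE_INVALID;
    if (!tok.logged_in)        return CKR_USER_NOT_LOGGED_IN;
    return CKR_OK;
}

/* Agent-side state in the spirit of ssh-pkcs11.c's per-slot info: the session
 * handle and logged_in flag date from when ssh-add registered the provider. */
struct provider_state {
    CK_SESSION_HANDLE session;
    int logged_in;
    char serial[17];          /* serial of the card that was registered */
    const char *cached_pin;   /* NULL unless the agent deliberately caches the PIN */
};

/* The behaviour the thread diagnoses: trust the stale logged_in flag and sign. */
static CK_RV sign_naive(struct provider_state *st)
{
    if (!st->logged_in) {
        if (st->cached_pin == NULL) return CKR_USER_NOT_LOGGED_IN;
        st->logged_in = (C_Login_sim(st->session, st->cached_pin) == CKR_OK);
    }
    return C_Sign_sim(st->session);
}

/* Suggested shape: query the token first, refuse a different card, and rebuild
 * session + login for the same card only when a PIN source exists. */
static CK_RV sign_with_recovery(struct provider_state *st)
{
    char serial[17];
    CK_RV rv = C_GetTokenInfo_sim(serial);
    if (rv != CKR_OK) return rv;                   /* no card: nothing to sign with */
    if (strcmp(serial, st->serial) != 0)
        return CKR_DEVICE_REMOVED;                 /* different card: never use its keys */
    rv = C_Sign_sim(st->session);
    if (rv != CKR_SESSION_HANDLE_INVALID && rv != CKR_USER_NOT_LOGGED_IN) return rv;
    /* Same card was pulled and reinserted: the old session and login are gone. */
    st->logged_in = 0;
    if ((rv = C_OpenSession_sim(&st->session)) != CKR_OK) return rv;
    if (st->cached_pin == NULL) return CKR_USER_NOT_LOGGED_IN; /* agent cannot prompt */
    if ((rv = C_Login_sim(st->session, st->cached_pin)) != CKR_OK) return rv;
    st->logged_in = 1;
    return C_Sign_sim(st->session);
}

/* Scenario from the thread: register the card, pull it, reinsert the same or
 * another card, then sign. Returns the CK_RV the chosen strategy ends with. */
CK_RV scenario(int same_card, int cache_pin, int use_recovery)
{
    struct provider_state st;
    memset(&st, 0, sizeof st);
    memset(&tok, 0, sizeof tok);
    card_insert("CARD-0001");
    C_OpenSession_sim(&st.session);
    C_Login_sim(st.session, "1234");   /* constructed PIN, typed at ssh-add time */
    st.logged_in = 1;
    strcpy(st.serial, "CARD-0001");
    st.cached_pin = cache_pin ? "1234" : NULL;
    card_remove();
    card_insert(same_card ? "CARD-0001" : "CARD-0002");
    return use_recovery ? sign_with_recovery(&st) : sign_naive(&st);
}

int main(void)
{
    printf("naive, same card:            0x%lx\n", scenario(1, 1, 0));
    printf("recovery, same card, PIN:    0x%lx\n", scenario(1, 1, 1));
    printf("recovery, same card, no PIN: 0x%lx\n", scenario(1, 0, 1));
    printf("recovery, other card:        0x%lx\n", scenario(0, 1, 1));
    return 0;
}
```

Without a cached PIN or a PIN pad the recovery path still ends in CKR_USER_NOT_LOGGED_IN, which is why the thread lands on re-running ssh-add -s after reinsertion rather than on a silent retry.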
In reply to this post by Mathias Brossard-2
On 05/23/2016 10:39 AM, Mathias Brossard wrote:
> On Mon, May 23, 2016 at 1:11 AM, Jakub Jelen <[hidden email]> wrote:
>
>> OpenSSH pkcs11 currently does not support EC keys and needs a lot of
>> changes to support them. There are at least two patches hanging around
>> openssh mailing lists and bugzillas adding this support to some
>> extent.
>> I plan to have a look into this in the months or so to get that
>> upstream.
>
> I'm the author of the one in #2474
> (https://bugzilla.mindrot.org/show_bug.cgi?id=2474), tell me if
> there's something I can do to help. The patch is tested with OpenSC
> (Yubikey Neo).

Yes. I tested your patch. Not that there would be something wrong, but I would like to polish it and make it upstream. I started some comments on this bug, but moved to other tasks, so I will not be able to work on this during the next month.

So far I tested with the NIST PIV test cards, and I noticed a lot of "C_GetAttributeValue failed:" messages, which is very annoying. Another consideration was using CKA_SIGN flags to test if the card even allows signatures using this key, but there will probably be more things to resolve.

Kind regards,
--
Jakub Jelen
Security Technologies
Red Hat
On 5/23/2016 9:10 AM, Jakub Jelen wrote:
> On 05/23/2016 10:39 AM, Mathias Brossard wrote:
>> On Mon, May 23, 2016 at 1:11 AM, Jakub Jelen <[hidden email]> wrote:
>>
>>     OpenSSH pkcs11 currently does not support EC keys and needs a lot of
>>     changes to support them. There are at least two patches hanging around
>>     openssh mailing lists and bugzillas adding this support to some
>>     extent.
>>     I plan to have a look into this in the months or so to get that
>>     upstream.
>>
>> I'm the author of the one in #2474
>> (https://bugzilla.mindrot.org/show_bug.cgi?id=2474), tell me if
>> there's something I can do to help. The patch is tested with OpenSC
>> (Yubikey Neo).
> Yes. I tested your patch. Not that there would be something wrong, but I
> would like to polish it and make it upstream. I started some comment on
> this bug, but moved to other tasks so I will not be able to work on this
> during next month.

Keep in mind that OpenSSL-1.1.0 changes the EC structures that were used in 1.0.2. Before 1.1.0, there were ECDSA_METHOD and ECDH_METHOD. With 1.1.0 there is only EC_KEY_METHOD, with multiple routines.

The OpenSC libp11 now has the opensc_engine built in and can run with OpenSSL versions 0.9.8 to 1.1.0.

> So far I tested with the NIST PIV Test cards, and I noticed a lot of
> "C_GetAttributeValue failed:" messages, which is very annoying.

What attributes are failing? RSA and EC keys have different attributes; the code should request the CKA_KEY_TYPE first, then query for attributes based on the key type.

> Another
> consideration was using CKA_SIGN flags to test if the card even allows
> signatures using this key, but there will be probably more things to
> resolve.

That would be valid. With the NIST PIV specs, there are 4 certs/keys defined, and maybe multiple retired key management keys:

  X.509 Certificate for PIV Authentication
  X.509 Certificate for Digital Signature
  X.509 Certificate for Key Management
  X.509 Certificate for Card Authentication
  Retired X.509 Certificates for Key Management

NIST does not define PKCS#11 attributes, but reading the NIST 800-73 usages for these keys, the Key Management private keys, if RSA, are to be used only for decrypt/unwrap; if EC, they can only be used for derive. (But to allow a certificate request to be signed by a Key Management private key, the OpenSC code adds the sign attribute if no cert is already on the card.)

> Kind regards,

--
Douglas E. Engert <[hidden email]>
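A sketch of the two-stage attribute query Douglas describes, written as an added example for this thread rather than taken from OpenSC or OpenSSH: a mock C_GetAttributeValue (mock_get_attr, a hypothetical name) backed by a constructed two-key table stands in for a real token, and the naive RSA-only probe sits beside the key-type-aware one so the failure Jakub saw is reproducible. The CKA_/CKK_/CKR_ values are the real PKCS#11 constants; everything else is constructed.

```c
#include <stddef.h>

/* Real PKCS#11 v2.20 constant values; only the ones this example needs. */
typedef unsigned long CK_ULONG;
enum { CKA_KEY_TYPE = 0x100, CKA_SIGN = 0x108, CKA_MODULUS = 0x120,
       CKA_PUBLIC_EXPONENT = 0x122, CKA_EC_PARAMS = 0x180, CKA_EC_POINT = 0x181,
       CKK_RSA = 0, CKK_EC = 3, CKR_OK = 0, CKR_ATTRIBUTE_TYPE_INVALID = 0x12 };

/* Constructed stand-in for a token: handle 1 is an RSA signing key, handle 2
 * an EC Key Management key that may only derive (NIST 800-73 usage). */
typedef struct { CK_ULONG handle, type, can_sign; } mock_key;
static const mock_key token[] = { {1, CKK_RSA, 1}, {2, CKK_EC, 0} };

/* Mock C_GetAttributeValue: an attribute exists only for its own key type,
 * so asking an EC key for CKA_MODULUS fails just like a real token would. */
static CK_ULONG mock_get_attr(CK_ULONG handle, CK_ULONG attr, CK_ULONG *out) {
    for (size_t i = 0; i < sizeof token / sizeof *token; i++) {
        if (token[i].handle != handle) continue;
        *out = 0;
        if (attr == CKA_KEY_TYPE) { *out = token[i].type; return CKR_OK; }
        if (attr == CKA_SIGN) { *out = token[i].can_sign; return CKR_OK; }
        int rsa_attr = attr == CKA_MODULUS || attr == CKA_PUBLIC_EXPONENT;
        int ec_attr = attr == CKA_EC_PARAMS || attr == CKA_EC_POINT;
        if ((rsa_attr && token[i].type == CKK_RSA) || (ec_attr && token[i].type == CKK_EC))
            return CKR_OK;
        return CKR_ATTRIBUTE_TYPE_INVALID;
    }
    return CKR_ATTRIBUTE_TYPE_INVALID;  /* unknown handle */
}

/* Naive probe: assumes every key is RSA. On the EC key this is the
 * "C_GetAttributeValue failed" case from the thread. */
int naive_probe(CK_ULONG handle) {
    CK_ULONG v;
    return mock_get_attr(handle, CKA_MODULUS, &v) == CKR_OK ? 1 : -1;
}

/* Fetch CKA_KEY_TYPE first, then only that type's attributes, then CKA_SIGN.
 * Returns 1 = offer to ssh-agent, 0 = skip, -1 = an attribute query failed. */
int probe_key(CK_ULONG handle) {
    CK_ULONG type, sign, v;
    if (mock_get_attr(handle, CKA_KEY_TYPE, &type) != CKR_OK) return -1;
    const CK_ULONG rsa[] = { CKA_MODULUS, CKA_PUBLIC_EXPONENT };
    const CK_ULONG ec[] = { CKA_EC_PARAMS, CKA_EC_POINT };
    const CK_ULONG *want = type == CKK_RSA ? rsa : type == CKK_EC ? ec : NULL;
    if (!want) return 0;  /* DSA, DH, ...: not usable by the agent */
    for (int i = 0; i < 2; i++)
        if (mock_get_attr(handle, want[i], &v) != CKR_OK) return -1;
    if (mock_get_attr(handle, CKA_SIGN, &sign) != CKR_OK) return -1;
    return sign ? 1 : 0;  /* derive-only Key Management key: not a signing key */
}
```

With a real module the same shape applies, with mock_get_attr replaced by the function list's C_GetAttributeValue and a CK_ATTRIBUTE template per call.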
On Mon, May 23, 2016 at 12:52 PM, Douglas E Engert <[hidden email]> wrote:
> On 5/23/2016 9:10 AM, Jakub Jelen wrote:

True. I worked on it a little bit, but wasn't sure if updating my patch before OpenSSL 1.1 is out was worth it. Hopefully rc5 will be the last time they change the APIs we need.

> The OpenSC libp11 now has the opensc_engine built in and can run with
> OpenSSL versions 0.9.8 to 1.1.0.

I don't think OpenSSH would accept a patch to make it use libp11: too many changes, and license.

Sincerely,
Mathias Brossard