Understanding of ssh pkcs key provider

classic Classic list List threaded Threaded
16 messages Options
Reply | Threaded
Open this post in threaded view
|

Understanding of ssh pkcs key provider

Matthew Gyurgyik
Hello.

First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know.

I can add keys provided by my smart card to ssh-agent with

$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so

However, if I remove the card from the reader and then reinsert it I have to re-add the keys

$ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so

This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them?

Thank you,
Matthew Gyurgyik

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Douglas E Engert


On 5/19/2016 7:18 PM, Gyurgyik, Matthew S. wrote:

> Hello.
>
> First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know.
>
> I can add keys provided by my smart card to ssh-agent with
>
> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>
> However, if I remove the card from the reader and then reinsert it I have to re-add the keys
>
> $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>
> This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them?
>

You could ask on the OpenSSH list.

I would suspect that the code is simple and only looks for a card when ssh-add is first called and the code does not know how to look for a reinsertion of the card.

To see what it is doing, you could use the OpenSC SPY trace. See ssh-add example in:

https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC



> Thank you,
> Matthew Gyurgyik
>
> ------------------------------------------------------------------------------
> Mobile security can be enabling, not merely restricting. Employees who
> bring their own devices (BYOD) to work are irked by the imposition of MDM
> restrictions. Mobile Device Manager Plus allows you to control only the
> apps on BYO-devices by containerizing them, leaving personal data untouched!
> https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Andreas Kemnade-2
In reply to this post by Matthew Gyurgyik
Hello,

Am Fri, 20 May 2016 00:18:48 +0000
schrieb "Gyurgyik, Matthew S." <[hidden email]>:

> Hello.
>
> First, let me say I’m new to smart cards and I haven’t been able to
> find much documentation on how they work. I’m looking for some
> education, if there is a better place to post this question, please
> let me know.
>
> I can add keys provided by my smart card to ssh-agent with
>
> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>
> However, if I remove the card from the reader and then reinsert it I
> have to re-add the keys
>
> $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>
> This happens on both OS X and RHEL7. I am assuming this expected
> behavior. Can someone explain (or point me to documentation) why it
> is necessary to remove the keys and re-add them?
>
here I simply use
$ cat .ssh/config
Host xxx
        PKCS11Provider /usr/local/lib/opensc-pkcs11.so

xxx is the host I use the private key to connect to.

No commands for card removal/reinsertion  needed.

Regards,
Andreas Kemnade

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Matthew Gyurgyik
In reply to this post by Douglas E Engert
On 16-05-20 07:09:16, Douglas E Engert wrote:

>
>
> On 5/19/2016 7:18 PM, Gyurgyik, Matthew S. wrote:
> > Hello.
> >
> > First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know.
> >
> > I can add keys provided by my smart card to ssh-agent with
> >
> > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
> >
> > However, if I remove the card from the reader and then reinsert it I have to re-add the keys
> >
> > $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
> > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
> >
> > This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them?
> >
>
> You could ask on the OpenSSH list.
>
> I would suspect that the code is simple and only looks for a card when ssh-add is first called and the code does not know how to look for a reinsertion of the card.
>
> To see what it is doing, you could use the OpenSC SPY trace. See ssh-add example in:
>
> https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
>

I tried those instructions but I can't get PKCS11SPY to work.

~ $ PKCS11SPY=/usr/lib64/opensc-pkcs11.so PKCS11SPY_OUTPUT=logfile ssh-add -s /usr/lib64/pkcs11-spy.so
Enter passphrase for PKCS#11:
SSH_AGENT_FAILURE
Could not add card: /usr/lib64/pkcs11-spy.so

However this works just fine

~ $ ssh-add -s /usr/lib64/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib64/opensc-pkcs11.so

I tried on both RHEL and OS X.

Thanks,
Matthew

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Matthew Gyurgyik
In reply to this post by Andreas Kemnade-2
On 16-05-20 14:54:39, Andreas Kemnade wrote:

> Hello,
>
> Am Fri, 20 May 2016 00:18:48 +0000
> schrieb "Gyurgyik, Matthew S." <[hidden email]>:
>
> > Hello.
> >
> > First, let me say I’m new to smart cards and I haven’t been able to
> > find much documentation on how they work. I’m looking for some
> > education, if there is a better place to post this question, please
> > let me know.
> >
> > I can add keys provided by my smart card to ssh-agent with
> >
> > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
> >
> > However, if I remove the card from the reader and then reinsert it I
> > have to re-add the keys
> >
> > $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
> > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
> >
> > This happens on both OS X and RHEL7. I am assuming this expected
> > behavior. Can someone explain (or point me to documentation) why it
> > is necessary to remove the keys and re-add them?
> >
> here I simply use
> $ cat .ssh/config
> Host xxx
> PKCS11Provider /usr/local/lib/opensc-pkcs11.so
>
> xxx is the host I use the private key to connect to.
>
> No commands for card removal/reinsertion  needed.
>
> Regards,
> Andreas Kemnade
>

Thanks for the suggestion and that certainly works, however I have a
bastion host which allows access to the rest of the network. I am using
SSH Agent Forwarding to allow authentication to hosts past the bastion
host.

Is there a clever way to forward the card reader to the bastion host?

Thanks,
Matthew

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Douglas E Engert
In reply to this post by Matthew Gyurgyik
The problem maybe ssh_add has access to the environment variables,
but it passes the name of the library  /usr/lib64/pkcs11-spy.so to the ssh-agent that
then loads the library.  pkcs11-spy.so needs to then open the log and load the real PKCS#11 library
so ssh-agent needs access to:
export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log

Could also be full path to the logfile is needed in a directory writable like /tmp/pkcs11-spy.$$.log
to get one log per process.


On 5/20/2016 11:02 AM, Matthew Gyurgyik wrote:

> On 16-05-20 07:09:16, Douglas E Engert wrote:
>>
>>
>> On 5/19/2016 7:18 PM, Gyurgyik, Matthew S. wrote:
>>> Hello.
>>>
>>> First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know.
>>>
>>> I can add keys provided by my smart card to ssh-agent with
>>>
>>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>>>
>>> However, if I remove the card from the reader and then reinsert it I have to re-add the keys
>>>
>>> $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
>>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>>>
>>> This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them?
>>>
>>
>> You could ask on the OpenSSH list.
>>
>> I would suspect that the code is simple and only looks for a card when ssh-add is first called and the code does not know how to look for a reinsertion of the card.
>>
>> To see what it is doing, you could use the OpenSC SPY trace. See ssh-add example in:
>>
>> https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
>>
>
> I tried those instructions but I can't get PKCS11SPY to work.
>
> ~ $ PKCS11SPY=/usr/lib64/opensc-pkcs11.so PKCS11SPY_OUTPUT=logfile ssh-add -s /usr/lib64/pkcs11-spy.so
> Enter passphrase for PKCS#11:
> SSH_AGENT_FAILURE
> Could not add card: /usr/lib64/pkcs11-spy.so
>
> However this works just fine
>
> ~ $ ssh-add -s /usr/lib64/opensc-pkcs11.so
> Enter passphrase for PKCS#11:
> Card added: /usr/lib64/opensc-pkcs11.so
>
> I tried on both RHEL and OS X.
>
> Thanks,
> Matthew
> .
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Douglas E Engert
In reply to this post by Matthew Gyurgyik

On 5/20/2016 11:05 AM, Gyurgyik, Matthew S. wrote:

>
> Is there a clever way to forward the card reader to the bastion host?
>

Closest thing is the Windows RDC/unix rdesktop that can do pcsc over the RDC session.
But RDC is not SSH. The pcscd on the bastion host might give one user access to another
user's card. (but would require the PIN.)

Forwarding the the ssh-agent connection sounds like the way to go as that is the point of forwarding
the ssh-agent.

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Matthew Gyurgyik
In reply to this post by Douglas E Engert
On 16-05-20 13:46:17, Douglas E Engert wrote:

> The problem maybe ssh_add has access to the environment variables,
> but it passes the name of the library  /usr/lib64/pkcs11-spy.so to the ssh-agent that
> then loads the library.  pkcs11-spy.so needs to then open the log and load the real PKCS#11 library
> so ssh-agent needs access to:
> export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
> export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log
>
> Could also be full path to the logfile is needed in a directory writable like /tmp/pkcs11-spy.$$.log
> to get one log per process.
>
>

Thanks for the pointer. I got pkcs11-spy working by setting those
environment variable when launching ssh-agent and running ssh-add and
using a full absolute path for the log.

After removing the card I see the following error when trying to log
into SSH. Note I truncated some data just to be safe.

53: C_Sign
2016-05-21 08:23:13.070
Returned:  257 CKR_USER_NOT_LOGGED_IN

Is it up the application to detect CKR_USER_NOT_LOGGED_IN and take an
appropriate action? Is it possible to log into manually after
re-insertation?


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Douglas E Engert
Looking at the https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c
in pkcs11_rsa_private_encrypt is where it is failing. All of the pkcs#11 code does not assume
that a card may be removed. It might be easy to fix if the same card is inserted, but not
if a different card is inserted.

Seeing the SPY trace would help a lot. (note that your PIN may be exposed in the trace).

Most of the initial information about the card is obtained when ssh-add sends the message to ssh-agent
to register a new provider. But it may be some time before that is actually used from pkcs11_rsa_private_encrypt.
In pkcs11_rsa_private_encrypt:
  if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
is checking if the user should be logged_in from the last use of when the provider was first added to ssh_agent.
The C_Sign operation also uses si->session which may not be valid especially if a different card was inserted.

I don't know if you are willing to make code changes or not, or to push the issue with OpenSSH.


On 5/21/2016 7:30 AM, Matthew Gyurgyik wrote:

> On 16-05-20 13:46:17, Douglas E Engert wrote:
>> The problem maybe ssh_add has access to the environment variables,
>> but it passes the name of the library  /usr/lib64/pkcs11-spy.so to the ssh-agent that
>> then loads the library.  pkcs11-spy.so needs to then open the log and load the real PKCS#11 library
>> so ssh-agent needs access to:
>> export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
>> export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log
>>
>> Could also be full path to the logfile is needed in a directory writable like /tmp/pkcs11-spy.$$.log
>> to get one log per process.
>>
>>
>
> Thanks for the pointer. I got pkcs11-spy working by setting those
> environment variable when launching ssh-agent and running ssh-add and
> using a full absolute path for the log.
>
> After removing the card I see the following error when trying to log
> into SSH. Note I truncated some data just to be safe.
>
> 53: C_Sign
> 2016-05-21 08:23:13.070
> Returned:  257 CKR_USER_NOT_LOGGED_IN
>
> Is it up the application to detect CKR_USER_NOT_LOGGED_IN and take an
> appropriate action? Is it possible to log into manually after
> re-insertation?
>
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Matthew Gyurgyik
Unfortunately I don't think I can provide a full trace. I have confirmed
my PIN is exposed, I could sanitize that. However, my cryptographic
knowledge is fairly weak and there is a lot of data in the trace that I
don't totally understand - I wouldn't feel comfortable sharing that with
internal review from a coworker. Are there specific sections I could
cherry-pick that may be useful?

I have requested a test card, but I'm skeptical I'll be able to obtain
one.

My C knowledge is weak, my cryptographic knowledge is weak, as is my
knowledge on smart cards. However, I can apply patches and compile code.
As a matter of fact, I just compiled the latest versions of  openssh and
opensc the other day without any issues.

Was there patch / code change you wanted me to try? I have no issues
with raising the problem with the OpenSSH project. My understanding of
the relationship between pcsc, opensc, and openssh is poor so I'm afraid
my technical contribution to this issue will be limited.

I appreciate the time you have taken on this issue so far.

Thank you,
Matthew

On 16-05-21 09:09:47, Douglas E Engert wrote:

> Looking at the https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c
> in pkcs11_rsa_private_encrypt is where it is failing. All of the pkcs#11 code does not assume
> that a card may be removed. It might be easy to fix if the same card is inserted, but not
> if a different card is inserted.
>
> Seeing the SPY trace would help a lot. (note that your PIN may be exposed in the trace).
>
> Most of the initial information about the card is obtained when ssh-add sends the message to ssh-agent
> to register a new provider. But it may be some time before that is actually used from pkcs11_rsa_private_encrypt.
> In pkcs11_rsa_private_encrypt:
>  if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
> is checking if the user should be logged_in from the last use of when the provider was first added to ssh_agent.
> The C_Sign operation also uses si->session which may not be valid especially if a different card was inserted.
>
> I don't know if you are willing to make code changes or not, or to push the issue with OpenSSH.
>
>
> On 5/21/2016 7:30 AM, Matthew Gyurgyik wrote:
> >On 16-05-20 13:46:17, Douglas E Engert wrote:
> >>The problem maybe ssh_add has access to the environment variables,
> >>but it passes the name of the library  /usr/lib64/pkcs11-spy.so to the ssh-agent that
> >>then loads the library.  pkcs11-spy.so needs to then open the log and load the real PKCS#11 library
> >>so ssh-agent needs access to:
> >>export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
> >>export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log
> >>
> >>Could also be full path to the logfile is needed in a directory writable like /tmp/pkcs11-spy.$$.log
> >>to get one log per process.
> >>
> >>
> >
> >Thanks for the pointer. I got pkcs11-spy working by setting those
> >environment variable when launching ssh-agent and running ssh-add and
> >using a full absolute path for the log.
> >
> >After removing the card I see the following error when trying to log
> >into SSH. Note I truncated some data just to be safe.
> >
> >53: C_Sign
> >2016-05-21 08:23:13.070
> >Returned:  257 CKR_USER_NOT_LOGGED_IN
> >
> >Is it up the application to detect CKR_USER_NOT_LOGGED_IN and take an
> >appropriate action? Is it possible to log into manually after
> >re-insertation?
> >
> >
>
> --
>
>  Douglas E. Engert  <[hidden email]>
>
>

--
Matthew Gyurgyik
HPC System Administrator
National Center for Computational Sciences
Oak Ridge National Laboratory
Bldg: 5600-D219 Phone: 865.576.7099

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Jakub Jelen
In reply to this post by Douglas E Engert
On 05/21/2016 04:09 PM, Douglas E Engert wrote:

> Looking at the https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c
> in pkcs11_rsa_private_encrypt is where it is failing. All of the pkcs#11 code does not assume
> that a card may be removed. It might be easy to fix if the same card is inserted, but not
> if a different card is inserted.
>
> Seeing the SPY trace would help a lot. (note that your PIN may be exposed in the trace).
>
> Most of the initial information about the card is obtained when ssh-add sends the message to ssh-agent
> to register a new provider. But it may be some time before that is actually used from pkcs11_rsa_private_encrypt.
> In pkcs11_rsa_private_encrypt:
>    if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
> is checking if the user should be logged_in from the last use of when the provider was first added to ssh_agent.
> The C_Sign operation also uses si->session which may not be valid especially if a different card was inserted.
>
> I don't know if you are willing to make code changes or not, or to push the issue with OpenSSH.
OpenSSH pkcs11 currently does not support EC keys and needs a lot of
changes to support them. There are at least two patches hanging around
openssh mailing lists and bugzillas adding this support to some extent.
I plan to have a look into this in the months or so to get that upstream.

To the actual topic, if you think this is a valid use case (reinsertion
of the card), I can pick that up and try to implement a fix. But I would
need a bit help in the case "how to look for a reinsertion of the card"
as mentioned in previous mails.

The problem from my point of view is that you have a terminal/keyboard
when you add the key (ssh-add, message adding a card to the agent
already contains pin), but when you do the signature, you don't have it
and you have basically no way to get the PIN from the user (unless you
would store it in the ssh-agent, which is generally not a good idea;
message to sign from ssh does not have any field to provide PIN).

Regards,

--
Jakub Jelen
Security Technologies
Red Hat


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Mathias Brossard-2
On Mon, May 23, 2016 at 1:11 AM, Jakub Jelen <[hidden email]> wrote:
OpenSSH pkcs11 currently does not support EC keys and needs a lot of
changes to support them. There are at least two patches hanging around
openssh mailing lists and bugzillas adding this support to some extent.
I plan to have a look into this in the months or so to get that upstream.

I'm the author of the one in #2474 (https://bugzilla.mindrot.org/show_bug.cgi?id=2474), tell me if there's something I can do to help. The patch is tested with OpenSC (Yubikey Neo).

Sincerely,
--
Mathias Brossard
 

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Douglas E Engert
In reply to this post by Jakub Jelen


On 5/23/2016 3:11 AM, Jakub Jelen wrote:

> On 05/21/2016 04:09 PM, Douglas E Engert wrote:
>> Looking at the https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c
>> in pkcs11_rsa_private_encrypt is where it is failing. All of the pkcs#11 code does not assume
>> that a card may be removed. It might be easy to fix if the same card is inserted, but not
>> if a different card is inserted.
>>
>> Seeing the SPY trace would help a lot. (note that your PIN may be exposed in the trace).
>>
>> Most of the initial information about the card is obtained when ssh-add sends the message to ssh-agent
>> to register a new provider. But it may be some time before that is actually used from pkcs11_rsa_private_encrypt.
>> In pkcs11_rsa_private_encrypt:
>>    if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
>> is checking if the user should be logged_in from the last use of when the provider was first added to ssh_agent.
>> The C_Sign operation also uses si->session which may not be valid especially if a different card was inserted.
>>
>> I don't know if you are willing to make code changes or not, or to push the issue with OpenSSH.


> OpenSSH pkcs11 currently does not support EC keys and needs a lot of
> changes to support them. There are at least two patches hanging around
> openssh mailing lists and bugzillas adding this support to some extent.
> I plan to have a look into this in the months or so to get that upstream.

Yes, EC support is a separate issue which should be addressed.

>
> To the actual topic, if you think this is a valid use case (reinsertion
> of the card), I can pick that up and try to implement a fix. But I would
> need a bit help in the case "how to look for a reinsertion of the card"
> as mentioned in previous mails.


PKCS#11 can return CKR_DEVICE_REMOVED to indicate the card had been removed. From an opensc SPY trace
of ssh_agent:

55: C_Sign
2016-05-22 09:14:41.715
[in] hSession = 0x7fe7fb518580
[in] pData[ulDataLen] <REDACTED>
Returned:  50 CKR_DEVICE_REMOVED

Problem is this card status change is only returned to calling application when some attempt is made
to contact the card.  The way the ssh-agent code is written, where certificates and keys are found
when ssh-add registers the provider, but the key may not be used until a C_Sign is needed may be
minutes or hours later, and the user may have pulled his card/ID badge out when leaving the workstation
then inserted it upon return.
C_WaitForSlotEvent and C_getTokenInfo could be used to detect if the card status has changed before
doing the C_Sign.

Many PKCS#11 implementations will invalidate any sessions and release objects when the card is removed.

Insertion of the same card will also require C_Login to be done again. Even without removal and insertion
use of the card by other applications could also cause the PIN to be required again.

>
> The problem from my point of view is that you have a terminal/keyboard
> when you add the key (ssh-add, message adding a card to the agent
> already contains pin), but when you do the signature, you don't have it
> and you have basically no way to get the PIN from the user (unless you
> would store it in the ssh-agent, which is generally not a good idea;
> message to sign from ssh does not have any field to provide PIN).

Caching of the PIN is an option and OpenSC has optional pin caching.(Other PKCS#11 libs may not) But the removal of the card
will cause the opensc cache, slots, sessions and objects to be cleared. And a different card might be inserted requiring a different PIN!

The use of a PIN PAD reader is another option especially in a high security environment, and I see ssh-pkcs11.c supports
CKF_PROTECTED_AUTHENTICATION_PATH, so PIN is never in the host but user has access to pin pad reader even from ssh-agent but has to *look* at the pin pad reader.

But the issue of PKCS#11 slots, sessions and objects need to be reestablished would still need to be addressed.

So would a better way to address this would be scripts run from screen unlock or some user
started background process to do a new ssh-add -s?
i.e. when user pulls the card, they are most likely going to leave workstation, or don't want
the card being used for some reason.

Smart cards introduce a lot of human factors which are not often considered when writing code.



>
> Regards,
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Jakub Jelen
In reply to this post by Mathias Brossard-2
On 05/23/2016 10:39 AM, Mathias Brossard wrote:

> On Mon, May 23, 2016 at 1:11 AM, Jakub Jelen <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     OpenSSH pkcs11 currently does not support EC keys and needs a lot of
>     changes to support them. There are at least two patches hanging around
>     openssh mailing lists and bugzillas adding this support to some
>     extent.
>     I plan to have a look into this in the months or so to get that
>     upstream.
>
>
> I'm the author of the one in #2474
> (https://bugzilla.mindrot.org/show_bug.cgi?id=2474), tell me if
> there's something I can do to help. The patch is tested with OpenSC
> (Yubikey Neo).
Yes. I tested your patch. Not that there would be something wrong, but I
would like to polish it and make it upstream. I started some comment on
this bug, but moved to other tasks so I will not be able to work on this
during next month.

So far I tested with the NIST PIV Test cars, and I noticed a lot of
"C_GetAttributeValue failed:" messages, which is very annoying. Another
consideration was using CKA_SIGN flags to test if the card even allows
signatures using this key, but there will be probably more things to
resolve.

Kind regards,

--
Jakub Jelen
Security Technologies
Red Hat


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Douglas E Engert


On 5/23/2016 9:10 AM, Jakub Jelen wrote:

> On 05/23/2016 10:39 AM, Mathias Brossard wrote:
>> On Mon, May 23, 2016 at 1:11 AM, Jakub Jelen <[hidden email]
>> <mailto:[hidden email]>> wrote:
>>
>>     OpenSSH pkcs11 currently does not support EC keys and needs a lot of
>>     changes to support them. There are at least two patches hanging around
>>     openssh mailing lists and bugzillas adding this support to some
>>     extent.
>>     I plan to have a look into this in the months or so to get that
>>     upstream.
>>
>>
>> I'm the author of the one in #2474
>> (https://bugzilla.mindrot.org/show_bug.cgi?id=2474), tell me if
>> there's something I can do to help. The patch is tested with OpenSC
>> (Yubikey Neo).
> Yes. I tested your patch. Not that there would be something wrong, but I
> would like to polish it and make it upstream. I started some comment on
> this bug, but moved to other tasks so I will not be able to work on this
> during next month.

Keep in mind that OpenSSL-1.1.0 changes the EC structures that were used in 1.0.2.
in before 1.1.0, there were ECDSA_METHOD and ECDH_METHOD. With 1.1.0
there is only  EC_KEY_METHOD with with multiple routines.

The OpenSC libp11 now has the opensc_engine built in and can run with
OpenSSL versions 0.9.8 to 1.1.0.

>
> So far I tested with the NIST PIV Test cars, and I noticed a lot of
> "C_GetAttributeValue failed:" messages, which is very annoying.

What attributes are failing? RSA and EC keys have different attributes,
the code should request the CKA_KEY_TYPE first then query for attributes
based on the key type.

> Another
> consideration was using CKA_SIGN flags to test if the card even allows
> signatures using this key, but there will be probably more things to
> resolve.

That would be valid. With the NIST PIV specs, there are 4 cert/key defined,
and maybe multiple retired key management keys.
X.509 Certificate for PIV Authentication
X.509 Certificate for Digital Signature
X.509 Certificate for Key Management
X.509 Certificate for Card Authentication
Retired X.509 Certificates for Key Management

NIST does not define PKCS#11 attributes, but reading the NIST 800-73 usages
for these keys, the key Management private keys if RSA are to be used only for decrypt/unwrap
if EC they can only be used for derive. (But to allow a certificate request to be signed
by a key Management private key, the OpenSC code add the sign attribute if no cert is already
on the card.)

>
> Kind regards,
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Understanding of ssh pkcs key provider

Mathias Brossard-2
On Mon, May 23, 2016 at 12:52 PM, Douglas E Engert <[hidden email]> wrote:
On 5/23/2016 9:10 AM, Jakub Jelen wrote:
> On 05/23/2016 10:39 AM, Mathias Brossard wrote:
>> On Mon, May 23, 2016 at 1:11 AM, Jakub Jelen <[hidden email]
>> <mailto:[hidden email]>> wrote:
>>
>>     OpenSSH pkcs11 currently does not support EC keys and needs a lot of
>>     changes to support them. There are at least two patches hanging around
>>     openssh mailing lists and bugzillas adding this support to some
>>     extent.
>>     I plan to have a look into this in the months or so to get that
>>     upstream.
>>
>>
>> I'm the author of the one in #2474
>> (https://bugzilla.mindrot.org/show_bug.cgi?id=2474), tell me if
>> there's something I can do to help. The patch is tested with OpenSC
>> (Yubikey Neo).
> Yes. I tested your patch. Not that there would be something wrong, but I
> would like to polish it and make it upstream. I started some comment on
> this bug, but moved to other tasks so I will not be able to work on this
> during next month.

Keep in mind that OpenSSL-1.1.0 changes the EC structures that were used in 1.0.2.
in before 1.1.0, there were ECDSA_METHOD and ECDH_METHOD. With 1.1.0
there is only  EC_KEY_METHOD with with multiple routines.

True. I worked on it a little bit, but wasn't sure if updating my patch before OpenSSL 1.1 is out was worth it. Hopefully with rc5 will be the last time they change the APIs we need.

The OpenSC libp11 now has the opensc_engine built in and can run with
OpenSSL versions 0.9.8 to 1.1.0.

I don't think OpenSSH would accept a patch to make it use libp11: too much changes and license.

Sincerely,
--
Mathias Brossard

------------------------------------------------------------------------------
Mobile security can be enabling, not merely restricting. Employees who
bring their own devices (BYOD) to work are irked by the imposition of MDM
restrictions. Mobile Device Manager Plus allows you to control only the
apps on BYO-devices by containerizing them, leaving personal data untouched!
https://ad.doubleclick.net/ddm/clk/304595813;131938128;j
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel