
Re: Hardware device


To add: I tried using curl with the URI and get similar results (on Fedora 37/arm64 and CentOS 9 Stream/x86_64):

* Connected to 1.2.3.4 port 22 (#0)
* User: <user>
* Authentication using SSH public key file
Failed to enumerate slots
Failed to enumerate slots
PKCS11_get_private_key returned NULL
* Could not load private key file pkcs11:manufacturer=IBM?module=/usr/lib64/pkcs11/PKCS11_API.so;model=Soft;token=CentOS%20Token
* Closing connection 0
curl: (67) Could not load private key file pkcs11:manufacturer=IBM?module=/usr/lib64/pkcs11/PKCS11_API.so;model=Soft;token=CentOS%20Token

From: Dennis Gnatowski <dennis@xxxxxxxxx>
Date: Monday, December 5, 2022 at 8:38 AM
To: libssh@xxxxxxxxxx <libssh@xxxxxxxxxx>
Subject: Re: Hardware device
I am following the example from (https://developers.redhat.com/blog/2020/10/28/smart-cards-support-in-libssh#build_and_use_libssh_with_pkcs__11)

  int rc;
  /* identity given as a PKCS #11 URI instead of a key file path */
  char priv_uri[1042] = "pkcs11:token=my-token;object=my-object;type=private?pin-value=1234";

  rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, priv_uri);
  assert_int_equal(rc, SSH_OK);

  /* NULL username/passphrase: the user comes from the session, the PIN from the URI */
  rc = ssh_userauth_publickey_auto(session, NULL, NULL);

but using:
char priv_uri[1042] = "pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so";

What I see in TRACE log output is an attempt to authenticate using my local ID (dennis@fedora) instead of the ID/User I’m passing in:

[2022/12/05 08:33:31.286721, 3] ssh_userauth_agent:  Public key of dennis@fedora refused by server
[2022/12/05 08:33:31.286728, 3] ssh_userauth_publickey_auto:  Trying to authenticate with pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so
[2022/12/05 08:33:31.286731, 2] ssh_userauth_publickey_auto:  Authenticating with PKCS #11 URI.
[2022/12/05 08:33:31.286883, 2] pki_get_engine:  Engine loaded successfully
[2022/12/05 08:33:31.286889, 2] pki_get_engine:  Engine init success
Failed to enumerate slots
PKCS11_load_public_key returned NULL
[2022/12/05 08:33:31.346527, 1] pki_uri_import:  Could not load key: error:40800067:pkcs11 engine::invalid parameter
[2022/12/05 08:33:31.346619, 1] ssh_userauth_publickey_auto:  Failed to import public key: pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so
User Authentication failed: Failed to import public key: pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so
authenticate_pubkey_auto() failed

I’ll add that I do not have PKCS#11 modules defined with/for p11-kit.  I would prefer to pass in the provider via the PKCS URI.

-Dennis
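Before looking at the module itself, one thing worth checking is whether the URI follows the RFC 7512 layout: path attributes (token, manufacturer, object, type, ...) are joined by ';' before the single '?', query attributes (pin-value, pin-source, module-path, module-name) are joined by '&' after it. The checker below is an added example written for this thread; it is not code from libssh, OpenSSH, p11-kit or the Red Hat blog post. It runs over the two URIs posted above (with the poster's "####" PIN redaction kept as-is) and over an assumed corrected layout of the same attributes, which is my reconstruction rather than something the thread confirms works against this IBM module.

```python
"""Check a PKCS #11 URI against the RFC 7512 grammar.

Added example for this thread, not code from libssh, OpenSSH or p11-kit.
The sample URIs are the ones posted in the thread; CORRECTED_URI is an
assumed re-layout of the same attributes.
"""
from urllib.parse import quote, unquote

# Attribute names from RFC 7512 section 2.3; vendor attributes start with "x-".
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-manufacturer", "slot-description", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def _split(component, delim, where, problems):
    """Split 'name=value<delim>name=value' into percent-decoded (name, value) pairs."""
    attrs = []
    for item in component.split(delim) if component else []:
        name, eq, value = item.partition("=")
        if not eq or not name:
            problems.append(f"{where}: '{item}' is not name=value")
            continue
        if where == "query" and ";" in value:
            # Query attributes are joined by '&'; a raw ';' means the rest of
            # the string has been swallowed into this value (';' must be %3B).
            problems.append(f"query: raw ';' inside value of '{name}' "
                            "(query attributes are separated by '&')")
        attrs.append((name, unquote(value)))
    return attrs


def check_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs, problems) for a pkcs11: URI."""
    problems = []
    if not uri.startswith("pkcs11:"):
        return [], [], ["scheme is not 'pkcs11:'"]
    # The first '?' separates path attributes (';'-joined) from query
    # attributes ('&'-joined); a later '?' may legally appear in query values.
    path_part, has_query, query_part = uri[len("pkcs11:"):].partition("?")
    path_attrs = _split(path_part, ";", "path", problems)
    query_attrs = _split(query_part, "&", "query", problems) if has_query else []
    for name, _ in path_attrs:
        if name in QUERY_ATTRS:
            problems.append(f"path: '{name}' belongs after '?'")
        elif name not in PATH_ATTRS and not name.startswith("x-"):
            problems.append(f"path: unknown attribute '{name}'")
    for name, _ in query_attrs:
        if name in PATH_ATTRS:
            problems.append(f"query: '{name}' belongs before '?'")
        elif name not in QUERY_ATTRS and not name.startswith("x-"):
            problems.append(f"query: unknown attribute '{name}' "
                            "(expected module-path, module-name, pin-value or pin-source)")
    return path_attrs, query_attrs, problems


def build_pkcs11_uri(path_attrs, query_attrs):
    """Assemble a well-formed URI, percent-encoding each value."""
    path = ";".join(f"{k}={quote(v, safe='')}" for k, v in path_attrs)
    query = "&".join(f"{k}={quote(v, safe='/')}" for k, v in query_attrs)
    return f"pkcs11:{path}" + (f"?{query}" if query else "")


# URIs as posted in the thread (PIN redacted by the poster).
THREAD_LIBSSH_URI = ("pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM"
                     "?module-path=/usr/lib64/pkcs11/PKCS11_API.so")
THREAD_CURL_URI = ("pkcs11:manufacturer=IBM?module=/usr/lib64/pkcs11/PKCS11_API.so"
                   ";model=Soft;token=CentOS%20Token")

# Assumed corrected layout: every path attribute before the single '?',
# module-path and pin-value after it, joined by '&'.
CORRECTED_URI = build_pkcs11_uri(
    [("object", "SSH-key-acme"), ("manufacturer", "IBM")],
    [("module-path", "/usr/lib64/pkcs11/PKCS11_API.so"), ("pin-value", "####")],
)

if __name__ == "__main__":
    for label, uri in [("libssh", THREAD_LIBSSH_URI), ("curl", THREAD_CURL_URI),
                       ("corrected", CORRECTED_URI)]:
        _, _, problems = check_pkcs11_uri(uri)
        print(f"{label}: {uri}")
        for p in problems:
            print(f"  - {p}")
        if not problems:
            print("  ok")
```

The checker reports a raw ';' inside the pin-value value of the first URI (everything from ';manufacturer=' onward is parsed as part of the PIN) and an unknown query attribute 'module' in the curl URI. Whether the IBM module then enumerates slots with the corrected layout is a separate question that only a run against the module can answer; the check only rules out the URI grammar as the cause.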

From: Jakub Jelen <jjelen@xxxxxxxxxx>
Date: Monday, December 5, 2022 at 6:05 AM
To: libssh@xxxxxxxxxx <libssh@xxxxxxxxxx>
Subject: Re: Hardware device
On 12/3/22 17:46, Dennis Gnatowski wrote:
> I’m trying to use the library with keys stored in a hardware device to
> transfer file(s) via SFTP to a remote server.
>
> I did get things working using the sftp client (Linux) with the “-i
> <pkcs11 uri>” and “-o <PKCS11Provider=>” options.

This is OpenSSH, a completely different implementation from libssh. But
the usage should be as close as possible.

> I tried putting the PKCS11 URI in the SSH_OPTIONS_IDENTITY option with
> no success.

What errors did you get? Libssh 0.10.x should already have support for the
pkcs11 uris.

> How do I specify or pass-in the PKCS11 Provider to the library?

In Fedora, libssh is using the p11-kit proxy, which groups all the modules
registered in p11-kit. Or you can pass the pkcs11 provider path through
the pkcs11 uri.

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.


