Re: Hardware device
- Subject: Re: Hardware device
- From: Dennis Gnatowski <dennis@xxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Mon, 5 Dec 2022 20:06:03 +0000
- To: "libssh@xxxxxxxxxx" <libssh@xxxxxxxxxx>
To add; I tried using curl with the URI and get similar results (on Fedora 37/arm64 and CentOS 9 Stream/x86_64):

* Connected to 1.2.3.4 port 22 (#0)
* User: <user><mailto:dgnatowski@xxxxxxxxx>
* Authentication using SSH public key file
Failed to enumerate slots
Failed to enumerate slots
PKCS11_get_private_key returned NULL
* Could not load private key file pkcs11:manufacturer=IBM?module=/usr/lib64/pkcs11/PKCS11_API.so;model=Soft;token=CentOS%20Token
* Closing connection 0
curl: (67) Could not load private key file pkcs11:manufacturer=IBM?module=/usr/lib64/pkcs11/PKCS11_API.so;model=Soft;token=CentOS%20Token

From: Dennis Gnatowski <dennis@xxxxxxxxx>
Date: Monday, December 5, 2022 at 8:38 AM
To: libssh@xxxxxxxxxx <libssh@xxxxxxxxxx>
Subject: Re: Hardware device

I am following the example from https://developers.redhat.com/blog/2020/10/28/smart-cards-support-in-libssh#build_and_use_libssh_with_pkcs__11:

    int rc;
    char priv_uri[1042] = "pkcs11:token=my-token;object=my-object;type=private?pin-value=1234";
    rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, priv_uri);
    assert_int_equal(rc, SSH_OK);
    rc = ssh_userauth_publickey_auto(session, NULL, NULL);

but using:

    char priv_uri[1042] = "pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so";

What I see in TRACE log output is an attempt to authenticate using my local ID (dennis@fedora) instead of the ID/User I'm passing in:

[2022/12/05 08:33:31.286721, 3] ssh_userauth_agent: Public key of dennis@fedora refused by server
[2022/12/05 08:33:31.286728, 3] ssh_userauth_publickey_auto: Trying to authenticate with pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so
[2022/12/05 08:33:31.286731, 2] ssh_userauth_publickey_auto: Authenticating with PKCS #11 URI.
[2022/12/05 08:33:31.286883, 2] pki_get_engine: Engine loaded successfully
[2022/12/05 08:33:31.286889, 2] pki_get_engine: Engine init success
Failed to enumerate slots
PKCS11_load_public_key returned NULL
[2022/12/05 08:33:31.346527, 1] pki_uri_import: Could not load key: error:40800067:pkcs11 engine::invalid parameter
[2022/12/05 08:33:31.346619, 1] ssh_userauth_publickey_auto: Failed to import public key: pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so
User Authentication failed: Failed to import public key: pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so
authenticate_pubkey_auto() failed

I'll add that I do not have PKCS#11 modules defined with/for p11-kit. I would prefer to pass in the provider via the PKCS URI.

-Dennis

From: Jakub Jelen <jjelen@xxxxxxxxxx>
Date: Monday, December 5, 2022 at 6:05 AM
To: libssh@xxxxxxxxxx <libssh@xxxxxxxxxx>
Subject: Re: Hardware device

On 12/3/22 17:46, Dennis Gnatowski wrote:
> I'm trying to use the library with keys stored in a hardware device to
> transfer file(s) via SFTP to a remote server.
>
> I did get things working using the sftp client (Linux) with the "-i
> <pkcs11 uri>" and "-o <PKCS11Provider=>" options.

This is OpenSSH, a completely different implementation from libssh. But the usage should be as close as possible.

> I tried putting the PKCS11 URI in the SSH_OPTIONS_IDENTITY option with
> no success.

What errors did you get? Libssh 0.10.x should already have support for the pkcs11 uris.

> How do I specify or pass-in the PKCS11 Provider to the library?

In Fedora, the libssh is using p11-kit proxy, which groups all the modules registered in p11-kit. Or you can pass the pkcs11 provider path through the pkcs11 uri.

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
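RFC 7512 gives a PKCS#11 URI the shape pkcs11:<path attributes joined by ';'>?<query attributes joined by '&'>, where module-path and pin-value are query attributes and object, manufacturer and token are path attributes. The checker below is an added example, not code from libssh, curl or OpenSSH; it splits a URI into those two attribute groups and reports layout problems, and is run over the two URIs quoted in this thread plus a constructed well-formed one.

```python
# Check the layout of PKCS#11 URIs against RFC 7512 (added example; not libssh code).
import re
from urllib.parse import unquote

UNRESERVED = r"A-Za-z0-9\-._~"
PATH_OK = re.compile(rf"^[{UNRESERVED}:\[\]@!$'()*+,=]*$")      # chars allowed unencoded in path values
QUERY_OK = re.compile(rf"^[{UNRESERVED}:\[\]@!$'()*+,=/?|]*$")  # query values also allow '/', '?' and '|'
PCT = re.compile(r"%[0-9A-Fa-f]{2}")
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

def _attrs(part, sep, allowed, ok_chars, where, problems):
    """Split one URI component into {name: value}, appending any layout problems found."""
    out = {}
    for item in part.split(sep):
        name, eq, value = item.partition("=")
        if not eq or not name:
            problems.append(f"{where}: '{item}' is not name=value")
            continue
        if name not in allowed:
            other = "query" if name in QUERY_ATTRS else "path" if name in PATH_ATTRS else "unknown"
            problems.append(f"{where}: attribute '{name}' not allowed here ({other} attribute)")
        if where == "query" and ";" in value:
            problems.append(f"{where}: ';' inside value of '{name}': path attributes must come before the '?' separator")
        if not ok_chars.match(PCT.sub("", value)):  # judge only the characters left unencoded
            problems.append(f"{where}: value of '{name}' contains characters that must be percent-encoded")
        out[name] = unquote(value)
    return out

def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs, problems); an empty problems list means well-formed."""
    problems = []
    if not uri.startswith("pkcs11:"):
        return {}, {}, ["not a pkcs11: URI"]
    # RFC 7512: pkcs11:<path attrs joined by ';'>[?<query attrs joined by '&'>]
    path_part, has_query, query_part = uri[len("pkcs11:"):].partition("?")
    path = _attrs(path_part, ";", PATH_ATTRS, PATH_OK, "path", problems) if path_part else {}
    query = _attrs(query_part, "&", QUERY_ATTRS, QUERY_OK, "query", problems) if has_query else {}
    return path, query, problems

if __name__ == "__main__":
    for uri in (  # the two URIs quoted in this thread, then a constructed well-formed one
        "pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so",
        "pkcs11:manufacturer=IBM?module=/usr/lib64/pkcs11/PKCS11_API.so;model=Soft;token=CentOS%20Token",
        "pkcs11:manufacturer=IBM;object=SSH-key-acme;type=private?module-path=/usr/lib64/pkcs11/PKCS11_API.so&pin-value=1234",
    ):
        path, query, problems = parse_pkcs11_uri(uri)
        print(uri, "\n  path:", path, "\n  query:", query, "\n  problems:", problems or "none")
```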