RE: Hardware device
- Subject: RE: Hardware device
- From: dennis@xxxxxxxxx
- Reply-to: libssh@xxxxxxxxxx
- Date: Thu, 22 Dec 2022 17:59:27 -0500
- To: <libssh@xxxxxxxxxx>
I got past the "pkcs11provider" issue; I had to add a p11-kit module file for the PKCS11 Provider library.
Now I seem to have an issue with the "libssh" library. The simple code I'm testing with works on Linux (Fedora 37) but does not on Windows (10).
P11-kit recognizes the PKCS#11 library on both systems.
Same 0.10.0 library versions on both.
Is there a difference between the two versions of the library (Linux vs. Windows)?
I'm using the following URI:
"pkcs11:token=CryptoServer%20Token0;object=SSH-key"
On Linux:
[2022/12/22 17:35:24.218615, 3] ssh_userauth_publickey_auto: Trying to authenticate with pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:35:24.218625, 2] ssh_userauth_publickey_auto: Authenticating with PKCS #11 URI.
[2022/12/22 17:35:24.219052, 2] pki_get_engine: Engine loaded successfully
[2022/12/22 17:35:24.219102, 2] pki_get_engine: Engine init success
[2022/12/22 17:35:24.299894, 3] ssh_key_algorithm_allowed: Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2022/12/22 17:35:24.299934, 3] ssh_key_algorithm_allowed: Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2022/12/22 17:35:24.300026, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2022/12/22 17:35:24.300080, 3] packet_send2: packet: wrote [type=50, len=368, padding_size=11, comp=356, payload=356]
[2022/12/22 17:35:24.300094, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
[2022/12/22 17:35:24.300127, 4] ssh_socket_pollcallback: sending control flow event
[2022/12/22 17:35:24.300147, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
[2022/12/22 17:35:24.339500, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
[2022/12/22 17:35:24.339585, 3] ssh_packet_socket_callback: packet: read type 60 [len=320,padding=19,comp=300,payload=300]
[2022/12/22 17:35:24.339606, 3] ssh_packet_process: Dispatching handler for packet type 60
[2022/12/22 17:35:24.339622, 4] ssh_packet_userauth_pk_ok: Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE
[2022/12/22 17:35:24.339637, 4] ssh_packet_userauth_pk_ok: Assuming SSH_USERAUTH_PK_OK
Enter PKCS#11 token PIN for CryptoServer Token0:
[2022/12/22 17:35:29.875664, 3] ssh_key_algorithm_allowed: Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2022/12/22 17:35:29.875699, 3] ssh_key_algorithm_allowed: Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2022/12/22 17:35:29.875720, 3] ssh_key_algorithm_allowed: Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2022/12/22 17:35:29.882090, 3] ssh_socket_unbuffered_write: Enabling POLLOUT for socket
[2022/12/22 17:35:29.882117, 3] packet_send2: packet: wrote [type=50, len=656, padding_size=19, comp=636, payload=636]
[2022/12/22 17:35:29.882127, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLOUT ), out buffer 0
[2022/12/22 17:35:29.882133, 4] ssh_socket_pollcallback: sending control flow event
[2022/12/22 17:35:29.882139, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
[2022/12/22 17:35:29.937821, 4] ssh_socket_pollcallback: Poll callback on socket 3 (POLLIN ), out buffer 0
[2022/12/22 17:35:29.937878, 3] ssh_packet_socket_callback: packet: read type 52 [len=16,padding=14,comp=1,payload=1]
[2022/12/22 17:35:29.937886, 3] ssh_packet_process: Dispatching handler for packet type 52
[2022/12/22 17:35:29.937892, 3] ssh_packet_userauth_success: Authentication successful
[2022/12/22 17:35:29.937898, 4] ssh_packet_userauth_success: Received SSH_USERAUTH_SUCCESS
[2022/12/22 17:35:29.937904, 3] ssh_packet_need_rekey: rekey: [data_rekey_needed=0, out_blocks=92, in_blocks=34]
[2022/12/22 17:35:29.937912, 2] ssh_userauth_publickey_auto: Successfully authenticated using pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:35:29.937924, 2] channel_open: Creating a channel 43 with 64000 window and 32768 max packet
On Windows 10:
[2022/12/22 17:49:00.492712, 3] ssh_userauth_publickey_auto: Trying to authenticate with pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:49:00.507613, 2] ssh_userauth_publickey_auto: Authenticating with PKCS #11 URI.
[2022/12/22 17:49:00.539737, 1] ssh_pki_import_pubkey_file: Error opening pkcs11:token=CryptoServer%20Token0;object=SSH-key: Invalid argument
[2022/12/22 17:49:00.554692, 1] ssh_pki_import_privkey_file: Error opening pkcs11:token=CryptoServer%20Token0;object=SSH-key: Invalid argument
[2022/12/22 17:49:00.585873, 3] ssh_userauth_publickey_auto: Private key pkcs11:token=CryptoServer%20Token0;object=SSH-key doesn't exist.
[2022/12/22 17:49:00.601394, 3] ssh_userauth_publickey_auto: Trying to authenticate with C:\Users\Dennis/.ssh/id_ed25519
[2022/12/22 17:49:00.632921, 1] ssh_pki_import_pubkey_file: Error opening C:\Users\Dennis/.ssh/id_ed25519.pub: No such file or directory
[2022/12/22 17:49:00.648312, 1] ssh_pki_import_privkey_file: Error opening C:\Users\Dennis/.ssh/id_ed25519: No such file or directory
[2022/12/22 17:49:00.679591, 3] ssh_userauth_publickey_auto: Private key C:\Users\Dennis/.ssh/id_ed25519 doesn't exist.
[2022/12/22 17:49:00.695713, 3] ssh_userauth_publickey_auto: Trying to authenticate with C:\Users\Dennis/.ssh/id_ecdsa
[2022/12/22 17:49:00.726494, 1] ssh_pki_import_pubkey_file: Error opening C:\Users\Dennis/.ssh/id_ecdsa.pub: No such file or directory
[2022/12/22 17:49:00.757865, 1] ssh_pki_import_privkey_file: Error opening C:\Users\Dennis/.ssh/id_ecdsa: No such file or directory
[2022/12/22 17:49:00.773702, 3] ssh_userauth_publickey_auto: Private key C:\Users\Dennis/.ssh/id_ecdsa doesn't exist.
[2022/12/22 17:49:00.805660, 3] ssh_userauth_publickey_auto: Trying to authenticate with C:\Users\Dennis/.ssh/id_rsa
[2022/12/22 17:49:00.836304, 1] ssh_pki_import_pubkey_file: Error opening C:\Users\Dennis/.ssh/id_rsa.pub: No such file or directory
[2022/12/22 17:49:00.851924, 1] ssh_pki_import_privkey_file: Error opening C:\Users\Dennis/.ssh/id_rsa: No such file or directory
[2022/12/22 17:49:00.883218, 3] ssh_userauth_publickey_auto: Private key C:\Users\Dennis/.ssh/id_rsa doesn't exist.
[2022/12/22 17:49:00.914533, 2] ssh_userauth_publickey_auto: Tried every public key, none matched
User Authentication failed:
[2022/12/22 17:49:00.929338, 3] packet_send2: packet: wrote [type=1, len=32, padding_size=11, comp=20, payload=20]
Error allocating SFTP session
-----Original Message-----
From: Jakub Jelen <jjelen@xxxxxxxxxx>
Sent: Wednesday, December 7, 2022 4:21 AM
To: libssh@xxxxxxxxxx
Subject: Re: Hardware device
On 12/5/22 14:38, Dennis Gnatowski wrote:
> I am following the example from
> https://developers.redhat.com/blog/2020/10/28/smart-cards-support-in-libssh#build_and_use_libssh_with_pkcs__11
>
> int rc;
>
> char priv_uri[1042] =
> "pkcs11:token=my-token;object=my-object;type=private?pin-value=1234";
>
> rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, priv_uri);
>
> assert_int_equal(rc, SSH_OK);
>
> rc = ssh_userauth_publickey_auto(session, NULL, NULL);
>
> but using:
>
> char priv_uri[1042] =
> "pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so";
This does not look like a valid URI. There can be only one question mark, the path attributes are separated by semicolons and the query parts are separated by ampersands, so it should be something like:
pkcs11:object=SSH-key-acme;manufacturer=IBM?pin-value=####&module-path=/usr/lib64/pkcs11/PKCS11_API.so
See the URI syntax in https://datatracker.ietf.org/doc/html/rfc7512
Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
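The structural rule Jakub applies above (one "?" between path and query, ";" between path attributes, "&" between query attributes, percent-encoded values) as a small checker, written for this thread and not part of libssh or p11-kit; attribute names are classified as in RFC 7512 section 2.3, and a standard name placed in the wrong component is rejected, which is an assumption of this example rather than something libssh itself reports.

```python
# Added example (not libssh code): structural check of pkcs11: URIs per RFC 7512.
from urllib.parse import unquote

# Standard attribute names from RFC 7512, by the component they belong to.
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-description", "library-version", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def _parse_attrs(component, sep, misplaced, where):
    """Split one component on `sep` into a dict; reject bad or misplaced names.

    Unknown names are kept (RFC 7512 allows vendor attributes); duplicates and
    standard names that belong to the other component are errors here."""
    attrs = {}
    if not component:
        return attrs
    for item in component.split(sep):
        name, eq, value = item.partition("=")
        if not eq or not name:
            raise ValueError(f"{where}: '{item}' is not name=value")
        if name in misplaced:
            raise ValueError(f"{where}: '{name}' belongs in the other component")
        if name in attrs:
            raise ValueError(f"{where}: '{name}' given more than once")
        attrs[name] = unquote(value)  # e.g. CryptoServer%20Token0 -> CryptoServer Token0
    return attrs


def parse_pkcs11_uri(uri):
    """Return (path, query) dicts for a well-formed pkcs11: URI, else raise ValueError."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("scheme must be 'pkcs11:'")
    rest = uri[len("pkcs11:"):]
    if rest.count("?") > 1:
        raise ValueError("only one '?' may separate the path from the query")
    path_part, _, query_part = rest.partition("?")
    path = _parse_attrs(path_part, ";", QUERY_ATTRS, "path")
    query = _parse_attrs(query_part, "&", PATH_ATTRS, "query")
    return path, query


def is_valid_pkcs11_uri(uri):
    """True when parse_pkcs11_uri accepts the URI, False otherwise."""
    try:
        parse_pkcs11_uri(uri)
        return True
    except ValueError:
        return False
```

Run against the three URIs in this thread, the Windows/Linux one and Jakub's corrected form are accepted, while the form with two question marks is rejected before any token lookup happens.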