
Re: Hardware device


Hi,
I don't know much about Windows, but this looks like the OpenSSL used on Windows has some issue loading the pkcs11 engine. Is the libssh on Windows built with PKCS#11 support as described in the following documentation?

https://gitlab.com/libssh/libssh-mirror/-/blob/master/doc/pkcs11.dox

Regards,
Jakub

On 12/22/22 23:59, dennis@xxxxxxxxx wrote:
I got past the "pkcs11provider" issue - had to add a p11-kit module file for the PKCS11 Provider library.

Now I seem to have an issue with the "libssh" library. The simple code I'm testing with works on Linux (Fedora 37) but does not on Windows (10).

P11-kit recognizes the PKCS#11 library on both systems.

Same 0.10.0 library versions on both.

Is there a difference between the two versions of the library (Linux vs. Windows)?

I'm using the following URI:

    "pkcs11:token=CryptoServer%20Token0;object=SSH-key"

On Linux:

[2022/12/22 17:35:24.218615, 3] ssh_userauth_publickey_auto:  Trying to authenticate with pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:35:24.218625, 2] ssh_userauth_publickey_auto: Authenticating with PKCS #11 URI.
[2022/12/22 17:35:24.219052, 2] pki_get_engine:  Engine loaded successfully
[2022/12/22 17:35:24.219102, 2] pki_get_engine:  Engine init success
[2022/12/22 17:35:24.299894, 3] ssh_key_algorithm_allowed:  Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2022/12/22 17:35:24.299934, 3] ssh_key_algorithm_allowed:  Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2022/12/22 17:35:24.300026, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2022/12/22 17:35:24.300080, 3] packet_send2:  packet: wrote [type=50, len=368, padding_size=11, comp=356, payload=356]
[2022/12/22 17:35:24.300094, 4] ssh_socket_pollcallback:  Poll callback on socket 3 (POLLOUT ), out buffer 0
[2022/12/22 17:35:24.300127, 4] ssh_socket_pollcallback:  sending control flow event
[2022/12/22 17:35:24.300147, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
[2022/12/22 17:35:24.339500, 4] ssh_socket_pollcallback:  Poll callback on socket 3 (POLLIN ), out buffer 0
[2022/12/22 17:35:24.339585, 3] ssh_packet_socket_callback:  packet: read type 60 [len=320,padding=19,comp=300,payload=300]
[2022/12/22 17:35:24.339606, 3] ssh_packet_process:  Dispatching handler for packet type 60
[2022/12/22 17:35:24.339622, 4] ssh_packet_userauth_pk_ok:  Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE
[2022/12/22 17:35:24.339637, 4] ssh_packet_userauth_pk_ok:  Assuming SSH_USERAUTH_PK_OK
Enter PKCS#11 token PIN for CryptoServer Token0:
[2022/12/22 17:35:29.875664, 3] ssh_key_algorithm_allowed:  Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2022/12/22 17:35:29.875699, 3] ssh_key_algorithm_allowed:  Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2022/12/22 17:35:29.875720, 3] ssh_key_algorithm_allowed:  Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-v01@xxxxxxxxxxx,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-v01@xxxxxxxxxxx,ssh-ed25519,ssh-ed25519-cert-v01@xxxxxxxxxxx,rsa-sha2-256,rsa-sha2-256-cert-v01@xxxxxxxxxxx,rsa-sha2-512,rsa-sha2-512-cert-v01@xxxxxxxxxxx>
[2022/12/22 17:35:29.882090, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2022/12/22 17:35:29.882117, 3] packet_send2:  packet: wrote [type=50, len=656, padding_size=19, comp=636, payload=636]
[2022/12/22 17:35:29.882127, 4] ssh_socket_pollcallback:  Poll callback on socket 3 (POLLOUT ), out buffer 0
[2022/12/22 17:35:29.882133, 4] ssh_socket_pollcallback:  sending control flow event
[2022/12/22 17:35:29.882139, 4] ssh_packet_socket_controlflow_callback: sending channel_write_wontblock callback
[2022/12/22 17:35:29.937821, 4] ssh_socket_pollcallback:  Poll callback on socket 3 (POLLIN ), out buffer 0
[2022/12/22 17:35:29.937878, 3] ssh_packet_socket_callback:  packet: read type 52 [len=16,padding=14,comp=1,payload=1]
[2022/12/22 17:35:29.937886, 3] ssh_packet_process:  Dispatching handler for packet type 52
[2022/12/22 17:35:29.937892, 3] ssh_packet_userauth_success: Authentication successful
[2022/12/22 17:35:29.937898, 4] ssh_packet_userauth_success:  Received SSH_USERAUTH_SUCCESS
[2022/12/22 17:35:29.937904, 3] ssh_packet_need_rekey:  rekey: [data_rekey_needed=0, out_blocks=92, in_blocks=34]
[2022/12/22 17:35:29.937912, 2] ssh_userauth_publickey_auto: Successfully authenticated using pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:35:29.937924, 2] channel_open:  Creating a channel 43 with 64000 window and 32768 max packet

On Windows 10:

[2022/12/22 17:49:00.492712, 3] ssh_userauth_publickey_auto:  Trying to authenticate with pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:49:00.507613, 2] ssh_userauth_publickey_auto: Authenticating with PKCS #11 URI.
[2022/12/22 17:49:00.539737, 1] ssh_pki_import_pubkey_file:  Error opening pkcs11:token=CryptoServer%20Token0;object=SSH-key: Invalid argument
[2022/12/22 17:49:00.554692, 1] ssh_pki_import_privkey_file:  Error opening pkcs11:token=CryptoServer%20Token0;object=SSH-key: Invalid argument
[2022/12/22 17:49:00.585873, 3] ssh_userauth_publickey_auto:  Private key pkcs11:token=CryptoServer%20Token0;object=SSH-key doesn't exist.
[2022/12/22 17:49:00.601394, 3] ssh_userauth_publickey_auto:  Trying to authenticate with C:\Users\Dennis/.ssh/id_ed25519
[2022/12/22 17:49:00.632921, 1] ssh_pki_import_pubkey_file:  Error opening C:\Users\Dennis/.ssh/id_ed25519.pub: No such file or directory
[2022/12/22 17:49:00.648312, 1] ssh_pki_import_privkey_file:  Error opening C:\Users\Dennis/.ssh/id_ed25519: No such file or directory
[2022/12/22 17:49:00.679591, 3] ssh_userauth_publickey_auto:  Private key C:\Users\Dennis/.ssh/id_ed25519 doesn't exist.
[2022/12/22 17:49:00.695713, 3] ssh_userauth_publickey_auto:  Trying to authenticate with C:\Users\Dennis/.ssh/id_ecdsa
[2022/12/22 17:49:00.726494, 1] ssh_pki_import_pubkey_file:  Error opening C:\Users\Dennis/.ssh/id_ecdsa.pub: No such file or directory
[2022/12/22 17:49:00.757865, 1] ssh_pki_import_privkey_file:  Error opening C:\Users\Dennis/.ssh/id_ecdsa: No such file or directory
[2022/12/22 17:49:00.773702, 3] ssh_userauth_publickey_auto:  Private key C:\Users\Dennis/.ssh/id_ecdsa doesn't exist.
[2022/12/22 17:49:00.805660, 3] ssh_userauth_publickey_auto:  Trying to authenticate with C:\Users\Dennis/.ssh/id_rsa
[2022/12/22 17:49:00.836304, 1] ssh_pki_import_pubkey_file:  Error opening C:\Users\Dennis/.ssh/id_rsa.pub: No such file or directory
[2022/12/22 17:49:00.851924, 1] ssh_pki_import_privkey_file:  Error opening C:\Users\Dennis/.ssh/id_rsa: No such file or directory
[2022/12/22 17:49:00.883218, 3] ssh_userauth_publickey_auto:  Private key C:\Users\Dennis/.ssh/id_rsa doesn't exist.
[2022/12/22 17:49:00.914533, 2] ssh_userauth_publickey_auto:  Tried every public key, none matched
User Authentication failed:
[2022/12/22 17:49:00.929338, 3] packet_send2:  packet: wrote [type=1, len=32, padding_size=11, comp=20, payload=20]
Error allocating SFTP session

-----Original Message-----
From: Jakub Jelen <jjelen@xxxxxxxxxx>
Sent: Wednesday, December 7, 2022 4:21 AM
To: libssh@xxxxxxxxxx
Subject: Re: Hardware device

On 12/5/22 14:38, Dennis Gnatowski wrote:
> I am following the example from
> (https://developers.redhat.com/blog/2020/10/28/smart-cards-support-in-libssh#build_and_use_libssh_with_pkcs__11)
>
>    int rc;
>
>    char priv_uri[1042] =
>    "pkcs11:token=my-token;object=my-object;type=private?pin-value=1234";
>
>    rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, priv_uri);
>
>    assert_int_equal(rc, SSH_OK);
>
>    rc = ssh_userauth_publickey_auto(session, NULL, NULL);
>
> but using:
>
> char priv_uri[1042] =
> "pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so";

This does not look like a valid URI. There can be only one question mark; the path attributes are separated by semicolons and the query attributes by ampersands, so it should be something like:

pkcs11:object=SSH-key-acme;manufacturer=IBM?pin-value=####&module-path=/usr/lib64/pkcs11/PKCS11_API.so

See the URI syntax in https://datatracker.ietf.org/doc/html/rfc7512

Regards,

--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.


--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
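The URI rules Jakub quotes from RFC 7512 (one "?" at most, path attributes joined by ";", query attributes joined by "&", values percent-encoded) are easy to get wrong in exactly the way the original message did. The following validator is an added example written for this archive page; it is not libssh code and does not reproduce how libssh or p11-kit parse URIs. It implements the attribute tables from RFC 7512 section 2.3 strictly (vendor-specific attributes, which the RFC also permits, are rejected here as an assumption to keep the check simple) and reports which rule a malformed URI breaks. The URIs in its `__main__` block are the two from this thread plus constructed variants; the PIN value `1234` stands in for the redacted `####`.

```python
"""Strict RFC 7512 PKCS#11 URI validator (added example, not libssh's parser)."""
from urllib.parse import unquote

# Attribute names from RFC 7512, section 2.3. Path attributes identify the
# token/object; query attributes say how to load the module or supply a PIN.
PATH_ATTRS = {
    "token", "manufacturer", "serial", "model", "library-manufacturer",
    "library-description", "library-version", "object", "type", "id",
    "slot-description", "slot-manufacturer", "slot-id",
}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}
OBJECT_TYPES = {"public", "private", "cert", "secret-key", "data"}


class Pkcs11UriError(ValueError):
    """Raised when a URI violates the RFC 7512 grammar as checked here."""


def _parse_attrs(part, sep, allowed, other, kind):
    """Split `part` on `sep` into name=value pairs, percent-decoding values.

    `allowed` is the attribute set for this component, `other` the set for the
    opposite component, so a misplaced attribute gets a targeted message.
    """
    attrs = {}
    if part == "":
        return attrs
    for item in part.split(sep):
        name, eq, raw = item.partition("=")
        if not eq or not name:
            raise Pkcs11UriError(f"{kind} component '{item}' is not name=value")
        if name in other:
            other_kind = "query" if kind == "path" else "path"
            raise Pkcs11UriError(
                f"'{name}' is a {other_kind} attribute but appears in the {kind} part"
            )
        if name not in allowed:
            # Assumption for this example: vendor attributes are not accepted.
            raise Pkcs11UriError(f"unknown {kind} attribute '{name}'")
        if name in attrs:
            # RFC 7512: each attribute may appear at most once.
            raise Pkcs11UriError(f"attribute '{name}' given more than once")
        attrs[name] = unquote(raw)
    return attrs


def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}} or raise Pkcs11UriError."""
    if not uri.startswith("pkcs11:"):
        raise Pkcs11UriError("URI must start with 'pkcs11:'")
    rest = uri[len("pkcs11:"):]
    if rest.count("?") > 1:
        raise Pkcs11UriError(
            "only one '?' allowed: path attrs joined by ';', then query attrs joined by '&'"
        )
    path_part, _, query_part = rest.partition("?")
    path = _parse_attrs(path_part, ";", PATH_ATTRS, QUERY_ATTRS, "path")
    query = _parse_attrs(query_part, "&", QUERY_ATTRS, PATH_ATTRS, "query")
    if "type" in path and path["type"] not in OBJECT_TYPES:
        raise Pkcs11UriError(f"bad object type '{path['type']}'")
    return {"path": path, "query": query}


def check_uri(uri):
    """Return (True, parsed) on success or (False, reason) on failure."""
    try:
        return True, parse_pkcs11_uri(uri)
    except Pkcs11UriError as e:
        return False, str(e)


if __name__ == "__main__":
    # Constructed inputs: the two URIs from the thread (PIN placeholder replaced
    # by 1234) and the corrected form from the reply.
    for uri in (
        "pkcs11:token=CryptoServer%20Token0;object=SSH-key",
        "pkcs11:object=SSH-key-acme?pin-value=1234;manufacturer=IBM"
        "?module-path=/usr/lib64/pkcs11/PKCS11_API.so",
        "pkcs11:object=SSH-key-acme;manufacturer=IBM"
        "?pin-value=1234&module-path=/usr/lib64/pkcs11/PKCS11_API.so",
    ):
        print(uri, "->", check_uri(uri))
```

Two things the output makes visible that the log lines above do not: the working Linux URI decodes `token=CryptoServer%20Token0` to the token label with a space, which is why the `%20` is required, and the original broken URI fails on the "one '?'" rule before any attribute is even looked at. Embedding a PIN with `pin-value` puts it into argv, config files and logs; `pin-source` or an interactive prompt (as in the Linux log above) keeps it out of those places.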

