Opened 8 years ago
Last modified 3 years ago
#52725 new defect
openssh @7.3p1 calls for wrong key type
| Reported by: | mouse07410 (Mouse) | Owned by: | macports-tickets@… |
|---|---|---|---|
| Priority: | Normal | Milestone: | |
| Component: | ports | Version: | 2.3.4 |
| Keywords: | Cc: | cooljeanius (Eric Gallager) | |
| Port: | openssh |
Description
Change History (8)
comment:1 Changed 8 years ago by mouse07410 (Mouse)
comment:2 Changed 8 years ago by ryandesign (Ryan Carsten Schmidt)
| Cc: | nomaintainer@… removed |
|---|---|
| Port: | openssh added; openssl removed |
| Summary: | OpenSSH does not use PKCS11Provider, and calls for wrong key type → openssh @7.3p1 calls for wrong key type |
comment:3 Changed 8 years ago by mouse07410 (Mouse)
Above "as" => "ASK". ssh did not ASK the token for the key type.
Since so far ssh only supports RSA tokens, I might understand not asking for the key type - but then it's rather strange to see it asking for ECDSA_PARAMS.
And since in general (not on PKCS#11 tokens) ssh does support ECC keys - I could understand asking for ECDSA_PARAMS, but then - only after checking the key type, which ssh did not.
So something is broken. Possibly upstream.
comment:5 Changed 8 years ago by raimue (Rainer Müller)
Replying to mouse07410:
Is this port maintained?
As port info openssh shows in the last line, unfortunately there are no volunteers to maintain the openssh port at the moment. Therefore nobody was notified to look into this issue. Your problem is quite specific to the use of the openssh client with an RSA token. I would assume there is only a very small amount of users that have a similar setup, and even fewer that are regularly reading the tickets.
Have you tried this with /usr/bin/ssh? Does it show the same behavior?
As you suggested yourself, this would be a problem where you have a better chance of asking upstream for help. Either at a discussion forum for your RSA smart card, OpenSC or OpenSSH.
comment:6 Changed 8 years ago by mouse07410 (Mouse)
/usr/bin/ssh works correctly in this use case:
$ /opt/local/bin/ssh git@github.com C_GetAttributeValue failed: 18 C_GetAttributeValue failed: 18 C_GetAttributeValue failed: 18 C_GetAttributeValue failed: 18 Enter PIN for 'PIV Card Holder pin (PIV_II)': PTY allocation request failed on channel 0 Hi mouse07410! You've successfully authenticated, but GitHub does not provide shell access. Connection to github.com closed. $ /usr/bin/ssh git@github.com Enter PIN for 'PIV Card Holder pin (PIV_II)': PTY allocation request failed on channel 0 Hi mouse07410! You've successfully authenticated, but GitHub does not provide shell access. Connection to github.com closed. $
It doesn't seem to be an OpenSC-related problem (I discussed it with OpenSC developers), and definitely not a smart card problem - after all, the smart card is never asked by openssh what type its key is.
I will report the problem to OpenSSH dev list, and post here if I hear anything useful.
If there's nobody else who seems to care, should I assume maintenance of this port???
comment:7 Changed 8 years ago by raimue (Rainer Müller)
/usr/bin/ssh is usually older (OpenSSH 7.2 in Sierra) or Apple applied some patches that fix this. They did not yet release their sources to https://opensource.apple.com/, though. But maybe such a patch was already in older releases?
It might also be a regression in OpenSSH 7.3 that MacPorts provides.
You are welcome to maintain the port and provide updates. Just attach a patch if you can work out a solution. The guide has more information on this.
comment:8 Changed 3 years ago by cooljeanius (Eric Gallager)
| Cc: | cooljeanius added |
|---|
The first issue was my fault - I wish I could edit the title to remove the "PKCS11Provider" part.
I am using OpenSSH (the current Macports version) with an RSA smart card. PKCS11 support is provided by OpenSC (the current GitHub master, well-tested and working fine).
The problem is - despite the token being RSA, it tries to ask for ECDSA keys, which of course results in 4 error messages. Since the connection succeeds, one can consider it a nuisance rather than a show-stopper, but it would be far nicer if you could help to get rid of those requests that cause those errors.
Here's what it looks like:
The connection/authentication succeeds - but before that ssh is trying to request ECC parameters from an RSA token, which causes the above errors.
Here's the PKCS11SPY trace:
Log This seems relevant. Note that the token is RSA and has nothing ECC-related in/on it. $ ssh -I /Library/OpenSC/lib/pkcs11-spy. github.com pkcs11-spy.dylib pkcs11-spy.la pkcs11-spy.so $ ssh -I /Library/OpenSC/lib/pkcs11-spy.dylib github.com *************** OpenSC PKCS#11 spy ***************** Loaded: "/Library/OpenSC/lib/opensc-pkcs11.dylib" 0: C_GetFunctionList 2016-10-24 21:49:02.207 Returned: 0 CKR_OK 1: C_Initialize 2016-10-24 21:49:02.207 [in] pInitArgs = 0x0 Returned: 0 CKR_OK 2: C_GetInfo 2016-10-24 21:49:02.947 [out] pInfo: cryptokiVersion: 2.20 manufacturerID: 'OpenSC Project ' flags: 0 libraryDescription: 'OpenSC smartcard framework ' libraryVersion: 0.16 Returned: 0 CKR_OK 3: C_GetSlotList 2016-10-24 21:49:02.947 [in] tokenPresent = 0x1 [out] pSlotList: Count is 1 [out] *pulCount = 0x1 Returned: 0 CKR_OK 4: C_GetSlotList 2016-10-24 21:49:02.949 [in] tokenPresent = 0x1 [out] pSlotList: Slot 0 [out] *pulCount = 0x1 Returned: 0 CKR_OK 5: C_GetTokenInfo 2016-10-24 21:49:02.950 [in] slotID = 0x0 [out] pInfo: label: 'PIV Card Holder pin (PIV_II) ' manufacturerID: 'piv_II ' model: 'PKCS#15 emulated' serialNumber: 'a0fxxxxxxxxxxxxx' ulMaxSessionCount: 0 ulSessionCount: 0 ulMaxRwSessionCount: 0 ulRwSessionCount: 0 ulMaxPinLen: 8 ulMinPinLen: 4 ulTotalPublicMemory: -1 ulFreePublicMemory: -1 ulTotalPrivateMemory: -1 ulFreePrivateMemory: -1 hardwareVersion: 0.0 firmwareVersion: 0.0 time: ' ' flags: 40d CKF_RNG CKF_LOGIN_REQUIRED CKF_USER_PIN_INITIALIZED CKF_TOKEN_INITIALIZED Returned: 0 CKR_OK 6: C_OpenSession 2016-10-24 21:49:02.968 [in] slotID = 0x0 [in] flags = 0x6 pApplication=0x0 Notify=0x0 [out] *phSession = 0x7fee5fd09720 Returned: 0 CKR_OK 7: C_FindObjectsInit 2016-10-24 21:49:02.968 [in] hSession = 0x7fee5fd09720 [in] pTemplate[1]: CKA_CLASS CKO_PUBLIC_KEY Returned: 0 CKR_OK 8: C_FindObjects 2016-10-24 21:49:02.968 [in] hSession = 0x7fee5fd09720 [in] ulMaxObjectCount = 0x1 [out] ulObjectCount = 0x1 Object 0x7fee5ff04490 matches Returned: 0 CKR_OK 9: C_GetAttributeValue 2016-10-24 21:49:02.968 [in] hSession = 0x7fee5fd09720 [in] hObject = 0x7fee5ff04490 [in] pTemplate[3]: CKA_ID 0000000000000000 / 0 CKA_MODULUS 0000000000000000 / 0 CKA_PUBLIC_EXPONENT 0000000000000000 / 0 [out] pTemplate[3]: CKA_ID 0000000000000000 / 1 CKA_MODULUS 0000000000000000 / 256 CKA_PUBLIC_EXPONENT 0000000000000000 / xxx Returned: 0 CKR_OK 10: C_GetAttributeValue 2016-10-24 21:49:02.968 [in] hSession = 0x7fee5fd09720 [in] hObject = 0x7fee5ff04490 [in] pTemplate[3]: CKA_ID 00007fee5fc25b20 / 1 CKA_MODULUS 00007fee5fc26e30 / 256 CKA_PUBLIC_EXPONENT 00007fee5fc25240 / xxx [out] pTemplate[3]: CKA_ID 00007fee5fc25b20 / 1 00000000 01 . CKA_MODULUS 00007fee5fc26e30 / 256 00000000 9D 78 A2 BF 06 FD 20 19 1B 14 F1 F6 7A BE 1B 01 .x.... .....z... 00000010 B1 9F E7 EF 82 64 D6 E1 3D 7D 94 E9 86 57 82 F7 .....d..=}...W.. . . . . . 000000F0 F2 55 C6 FA 93 8D 2F B1 F8 F8 82 45 98 FF B1 99 .U..../....E.... CKA_PUBLIC_EXPONENT 00007fee5fc25240 / xxx . . . . . Returned: 0 CKR_OK 11: C_FindObjects 2016-10-24 21:49:02.969 [in] hSession = 0x7fee5fd09720 [in] ulMaxObjectCount = 0x1 [out] ulObjectCount = 0x1 Object 0x7fee5ff044f0 matches Returned: 0 CKR_OK 12: C_GetAttributeValue 2016-10-24 21:49:02.969 [in] hSession = 0x7fee5fd09720 [in] hObject = 0x7fee5ff044f0 [in] pTemplate[3]: CKA_ID 0000000000000000 / 0 CKA_MODULUS 0000000000000000 / 0 CKA_PUBLIC_EXPONENT 0000000000000000 / 0 [out] pTemplate[3]: CKA_ID 0000000000000000 / 1 CKA_MODULUS 0000000000000000 / 256 CKA_PUBLIC_EXPONENT 0000000000000000 / xxx Returned: 0 CKR_OK 13: C_GetAttributeValue 2016-10-24 21:49:02.969 [in] hSession = 0x7fee5fd09720 [in] hObject = 0x7fee5ff044f0 [in] pTemplate[3]: CKA_ID 00007fee5ff00bd0 / 1 CKA_MODULUS 00007fee5ff07550 / 256 CKA_PUBLIC_EXPONENT 00007fee5ff00be0 / xxx [out] pTemplate[3]: CKA_ID 00007fee5ff00bd0 / 1 00000000 02 . CKA_MODULUS 00007fee5ff07550 / 256 00000000 BF 03 6F 94 56 56 89 D1 91 8B 1D F5 63 7F 8F 5C ..o.VV......c.\ . . . . . 000000F0 52 ED EC EA 97 83 46 D9 0A 34 51 19 60 BD 5E EB R.....F..4Q.`.^. CKA_PUBLIC_EXPONENT 00007fee5ff00be0 / xxx . . . . . Returned: 0 CKR_OK 14: C_FindObjects 2016-10-24 21:49:02.969 [in] hSession = 0x7fee5fd09720 [in] ulMaxObjectCount = 0x1 [out] ulObjectCount = 0x1 Object 0x7fee5ff04550 matches Returned: 0 CKR_OK . . . . . [so far everything was CKR_OK] 26: C_GetAttributeValue 2016-10-24 21:49:02.971 [in] hSession = 0x7fee5fd09720 [in] hObject = 0x7fee5ff044f0 [in] pTemplate[3]: CKA_ID 0000000000000000 / 0 CKA_ECDSA_PARAMS 0000000000000000 / 0 CKA_EC_POINT 0000000000000000 / 0 [out] pTemplate[3]: CKA_ID 0000000000000000 / 1 CKA_ECDSA_PARAMS 0000000000000000 / -1 CKA_EC_POINT 0000000000000000 / -1 Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID C_GetAttributeValue failed: 18 27: C_FindObjects 2016-10-24 21:49:02.971 [in] hSession = 0x7fee5fd09720 [in] ulMaxObjectCount = 0x1 [out] ulObjectCount = 0x1 Object 0x7fee5ff04550 matches Returned: 0 CKR_OK 28: C_GetAttributeValue 2016-10-24 21:49:02.971 [in] hSession = 0x7fee5fd09720 [in] hObject = 0x7fee5ff04550 [in] pTemplate[3]: CKA_ID 0000000000000000 / 0 CKA_ECDSA_PARAMS 0000000000000000 / 0 CKA_EC_POINT 0000000000000000 / 0 [out] pTemplate[3]: CKA_ID 0000000000000000 / 1 CKA_ECDSA_PARAMS 0000000000000000 / -1 CKA_EC_POINT 0000000000000000 / -1 Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID C_GetAttributeValue failed: 18 29: C_FindObjects 2016-10-24 21:49:02.971 [in] hSession = 0x7fee5fd09720 [in] ulMaxObjectCount = 0x1 [out] ulObjectCount = 0x1 Object 0x7fee5ff045b0 matches Returned: 0 CKR_OK 30: C_GetAttributeValue 2016-10-24 21:49:02.971 [in] hSession = 0x7fee5fd09720 [in] hObject = 0x7fee5ff045b0 [in] pTemplate[3]: CKA_ID 0000000000000000 / 0 CKA_ECDSA_PARAMS 0000000000000000 / 0 CKA_EC_POINT 0000000000000000 / 0 [out] pTemplate[3]: CKA_ID 0000000000000000 / 1 CKA_ECDSA_PARAMS 0000000000000000 / -1 CKA_EC_POINT 0000000000000000 / -1 Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID C_GetAttributeValue failed: 18 [from this point on everything is CKR_OK again] 31: C_FindObjects 2016-10-24 21:49:02.971 [in] hSession = 0x7fee5fd09720 [in] ulMaxObjectCount = 0x1 [out] ulObjectCount = 0x0 Returned: 0 CKR_OK . . . . . 53: C_Sign 2016-10-24 21:49:07.640 [in] hSession = 0x7fee5fd09720 [in] pData[ulDataLen] 00007fee5fd0a900 / 35 00000000 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 07 0!0...+......... 00000010 75 C2 02 90 F3 76 FD 6F AE A6 91 7A 55 CE 26 B5 u....v.o...zU.&. 00000020 35 7D A7 5}. [out] pSignature[*pulSignatureLen] 00007fee5fd0a800 / 256 00000000 01 DD 20 C2 E5 DD D5 B9 A2 45 74 57 12 BB A5 8F .. ......EtW.... 00000010 71 65 82 3F AF 8D B7 D8 68 4B 91 C4 54 51 AD DE qe.?....hK..TQ.. . . . . . 000000F0 DA 1E 87 89 7F 7C A1 F1 D0 28 57 D3 42 3E 6D D5 ....|...(W.B>m. Returned: 0 CKR_OK PTY allocation request failed on channel 0 Hi mouse07410! You've successfully authenticated, but GitHub does not provide shell access. Connection to github.com closed. $Note that ssh did not at any point as for the key type (which could help it figure out whether to ask for ECDSA_PARAMS and EC_POINT or not.
Your help is appreciated!