Opened 8 years ago
Last modified 3 years ago
#52725 new defect
openssh @7.3p1 calls for wrong key type
Reported by: | mouse07410 (Mouse) | Owned by: | macports-tickets@… |
---|---|---|---|
Priority: | Normal | Milestone: | |
Component: | ports | Version: | 2.3.4 |
Keywords: | Cc: | cooljeanius (Eric Gallager) | |
Port: | openssh |
Description
Change History (8)
comment:1 Changed 8 years ago by mouse07410 (Mouse)
comment:2 Changed 8 years ago by ryandesign (Ryan Carsten Schmidt)
Cc: | nomaintainer@… removed |
---|---|
Port: | openssh added; openssl removed |
Summary: | OpenSSH does not use PKCS11Provider, and calls for wrong key type → openssh @7.3p1 calls for wrong key type |
comment:3 Changed 8 years ago by mouse07410 (Mouse)
Above "as" => "ASK". ssh did not ASK the token for the key type.
Since so far ssh only supports RSA tokens, I might understand not asking for the key type - but then it's rather strange to see it asking for ECDSA_PARAMS.
And since in general (not on PKCS#11 tokens) ssh does support ECC keys - I could understand asking for ECDSA_PARAMS, but then - only after checking the key type, which ssh did not.
So something is broken. Possibly upstream.
comment:5 Changed 8 years ago by raimue (Rainer Müller)
Replying to mouse07410:
Is this port maintained?
As port info openssh
shows in the last line, unfortunately there are no volunteers to maintain the openssh port at the moment. Therefore nobody was notified to look into this issue. Your problem is quite specific to the use of the openssh client with an RSA token. I would assume there is only a very small amount of users that have a similar setup, and even fewer that are regularly reading the tickets.
Have you tried this with /usr/bin/ssh
? Does it show the same behavior?
As you suggested yourself, this would be a problem where you have a better chance of asking upstream for help. Either at a discussion forum for your RSA smart card, OpenSC or OpenSSH.
comment:6 Changed 8 years ago by mouse07410 (Mouse)
/usr/bin/ssh works correctly in this use case:
$ /opt/local/bin/ssh git@github.com C_GetAttributeValue failed: 18 C_GetAttributeValue failed: 18 C_GetAttributeValue failed: 18 C_GetAttributeValue failed: 18 Enter PIN for 'PIV Card Holder pin (PIV_II)': PTY allocation request failed on channel 0 Hi mouse07410! You've successfully authenticated, but GitHub does not provide shell access. Connection to github.com closed. $ /usr/bin/ssh git@github.com Enter PIN for 'PIV Card Holder pin (PIV_II)': PTY allocation request failed on channel 0 Hi mouse07410! You've successfully authenticated, but GitHub does not provide shell access. Connection to github.com closed. $
It doesn't seem to be an OpenSC-related problem (I discussed it with OpenSC developers), and definitely not a smart card problem - after all, the smart card is never asked by openssh what type its key is.
I will report the problem to OpenSSH dev list, and post here if I hear anything useful.
If there's nobody else who seems to care, should I assume maintenance of this port???
comment:7 Changed 8 years ago by raimue (Rainer Müller)
/usr/bin/ssh
is usually older (OpenSSH 7.2 in Sierra) or Apple applied some patches that fix this. They did not yet release their sources to https://opensource.apple.com/, though. But maybe such a patch was already in older releases?
It might also be a regression in OpenSSH 7.3 that MacPorts provides.
You are welcome to maintain the port and provide updates. Just attach a patch if you can work out a solution. The guide has more information on this.
comment:8 Changed 3 years ago by cooljeanius (Eric Gallager)
Cc: | cooljeanius added |
---|
The first issue was my fault - I wish I could edit the title to remove the "PKCS11Provider" part.
I am using OpenSSH (the current Macports version) with an RSA smart card. PKCS11 support is provided by OpenSC (the current GitHub master, well-tested and working fine).
The problem is - despite the token being RSA, it tries to ask for ECDSA keys, which of course results in 4 error messages. Since the connection succeeds, one can consider it a nuisance rather than a show-stopper, but it would be far nicer if you could help to get rid of those requests that cause those errors.
Here's what it looks like:
The connection/authentication succeeds - but before that ssh is trying to request ECC parameters from an RSA token, which causes the above errors.
Here's the PKCS11SPY trace:
Note that ssh did not at any point as for the key type (which could help it figure out whether to ask for ECDSA_PARAMS and EC_POINT or not.
Your help is appreciated!