I got past the "pkcs11provider" issue - had to add a p11-kit module file for 
the PKCS11 Provider library.

Now I seem to have an issue with the "libssh" library.  The simple code I'm 
testing with works on Linux (Fedora 37) but does not on Windows (10).

P11-kit recognizes the PKCS#11 library on both systems.

Same 0.10.0 library versions on both.

Is there a difference between the two versions of the library (Linux vs. 
Windows)?

I'm using the following URI:

    "pkcs11:token=CryptoServer%20Token0;object=SSH-key"

On Linux:

[2022/12/22 17:35:24.218615, 3] ssh_userauth_publickey_auto:  Trying to authenticate with pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:35:24.218625, 2] ssh_userauth_publickey_auto:  Authenticating with PKCS #11 URI.
[2022/12/22 17:35:24.219052, 2] pki_get_engine:  Engine loaded successfully
[2022/12/22 17:35:24.219102, 2] pki_get_engine:  Engine init success
[2022/12/22 17:35:24.299894, 3] ssh_key_algorithm_allowed:  Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected]>
[2022/12/22 17:35:24.299934, 3] ssh_key_algorithm_allowed:  Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected]>
[2022/12/22 17:35:24.300026, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2022/12/22 17:35:24.300080, 3] packet_send2:  packet: wrote [type=50, len=368, padding_size=11, comp=356, payload=356]
[2022/12/22 17:35:24.300094, 4] ssh_socket_pollcallback:  Poll callback on socket 3 (POLLOUT ), out buffer 0
[2022/12/22 17:35:24.300127, 4] ssh_socket_pollcallback:  sending control flow event
[2022/12/22 17:35:24.300147, 4] ssh_packet_socket_controlflow_callback:  sending channel_write_wontblock callback
[2022/12/22 17:35:24.339500, 4] ssh_socket_pollcallback:  Poll callback on socket 3 (POLLIN ), out buffer 0
[2022/12/22 17:35:24.339585, 3] ssh_packet_socket_callback:  packet: read type 60 [len=320,padding=19,comp=300,payload=300]
[2022/12/22 17:35:24.339606, 3] ssh_packet_process:  Dispatching handler for packet type 60
[2022/12/22 17:35:24.339622, 4] ssh_packet_userauth_pk_ok:  Received SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE
[2022/12/22 17:35:24.339637, 4] ssh_packet_userauth_pk_ok:  Assuming SSH_USERAUTH_PK_OK

Enter PKCS#11 token PIN for CryptoServer Token0:

[2022/12/22 17:35:29.875664, 3] ssh_key_algorithm_allowed:  Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected]>
[2022/12/22 17:35:29.875699, 3] ssh_key_algorithm_allowed:  Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected]>
[2022/12/22 17:35:29.875720, 3] ssh_key_algorithm_allowed:  Checking rsa-sha2-512 with list <ecdsa-sha2-nistp256,[email protected],ecdsa-sha2-nistp384,[email protected],ecdsa-sha2-nistp521,[email protected],ssh-ed25519,[email protected],rsa-sha2-256,[email protected],rsa-sha2-512,[email protected]>
[2022/12/22 17:35:29.882090, 3] ssh_socket_unbuffered_write:  Enabling POLLOUT for socket
[2022/12/22 17:35:29.882117, 3] packet_send2:  packet: wrote [type=50, len=656, padding_size=19, comp=636, payload=636]
[2022/12/22 17:35:29.882127, 4] ssh_socket_pollcallback:  Poll callback on socket 3 (POLLOUT ), out buffer 0
[2022/12/22 17:35:29.882133, 4] ssh_socket_pollcallback:  sending control flow event
[2022/12/22 17:35:29.882139, 4] ssh_packet_socket_controlflow_callback:  sending channel_write_wontblock callback
[2022/12/22 17:35:29.937821, 4] ssh_socket_pollcallback:  Poll callback on socket 3 (POLLIN ), out buffer 0
[2022/12/22 17:35:29.937878, 3] ssh_packet_socket_callback:  packet: read type 52 [len=16,padding=14,comp=1,payload=1]
[2022/12/22 17:35:29.937886, 3] ssh_packet_process:  Dispatching handler for packet type 52
[2022/12/22 17:35:29.937892, 3] ssh_packet_userauth_success:  Authentication successful
[2022/12/22 17:35:29.937898, 4] ssh_packet_userauth_success:  Received SSH_USERAUTH_SUCCESS
[2022/12/22 17:35:29.937904, 3] ssh_packet_need_rekey:  rekey: [data_rekey_needed=0, out_blocks=92, in_blocks=34]
[2022/12/22 17:35:29.937912, 2] ssh_userauth_publickey_auto:  Successfully authenticated using pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:35:29.937924, 2] channel_open:  Creating a channel 43 with 64000 window and 32768 max packet

On Windows 10:

[2022/12/22 17:49:00.492712, 3] ssh_userauth_publickey_auto:  Trying to authenticate with pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:49:00.507613, 2] ssh_userauth_publickey_auto:  Authenticating with PKCS #11 URI.
[2022/12/22 17:49:00.539737, 1] ssh_pki_import_pubkey_file:  Error opening pkcs11:token=CryptoServer%20Token0;object=SSH-key: Invalid argument
[2022/12/22 17:49:00.554692, 1] ssh_pki_import_privkey_file:  Error opening pkcs11:token=CryptoServer%20Token0;object=SSH-key: Invalid argument
[2022/12/22 17:49:00.585873, 3] ssh_userauth_publickey_auto:  Private key pkcs11:token=CryptoServer%20Token0;object=SSH-key doesn't exist.
[2022/12/22 17:49:00.601394, 3] ssh_userauth_publickey_auto:  Trying to authenticate with C:\Users\Dennis/.ssh/id_ed25519
[2022/12/22 17:49:00.632921, 1] ssh_pki_import_pubkey_file:  Error opening C:\Users\Dennis/.ssh/id_ed25519.pub: No such file or directory
[2022/12/22 17:49:00.648312, 1] ssh_pki_import_privkey_file:  Error opening C:\Users\Dennis/.ssh/id_ed25519: No such file or directory
[2022/12/22 17:49:00.679591, 3] ssh_userauth_publickey_auto:  Private key C:\Users\Dennis/.ssh/id_ed25519 doesn't exist.
[2022/12/22 17:49:00.695713, 3] ssh_userauth_publickey_auto:  Trying to authenticate with C:\Users\Dennis/.ssh/id_ecdsa
[2022/12/22 17:49:00.726494, 1] ssh_pki_import_pubkey_file:  Error opening C:\Users\Dennis/.ssh/id_ecdsa.pub: No such file or directory
[2022/12/22 17:49:00.757865, 1] ssh_pki_import_privkey_file:  Error opening C:\Users\Dennis/.ssh/id_ecdsa: No such file or directory
[2022/12/22 17:49:00.773702, 3] ssh_userauth_publickey_auto:  Private key C:\Users\Dennis/.ssh/id_ecdsa doesn't exist.
[2022/12/22 17:49:00.805660, 3] ssh_userauth_publickey_auto:  Trying to authenticate with C:\Users\Dennis/.ssh/id_rsa
[2022/12/22 17:49:00.836304, 1] ssh_pki_import_pubkey_file:  Error opening C:\Users\Dennis/.ssh/id_rsa.pub: No such file or directory
[2022/12/22 17:49:00.851924, 1] ssh_pki_import_privkey_file:  Error opening C:\Users\Dennis/.ssh/id_rsa: No such file or directory
[2022/12/22 17:49:00.883218, 3] ssh_userauth_publickey_auto:  Private key C:\Users\Dennis/.ssh/id_rsa doesn't exist.
[2022/12/22 17:49:00.914533, 2] ssh_userauth_publickey_auto:  Tried every public key, none matched
User Authentication failed:
[2022/12/22 17:49:00.929338, 3] packet_send2:  packet: wrote [type=1, len=32, padding_size=11, comp=20, payload=20]
Error allocating SFTP session

-----Original Message-----
From: Jakub Jelen <[email protected]> 
Sent: Wednesday, December 7, 2022 4:21 AM
To: [email protected]
Subject: Re: Hardware device

On 12/5/22 14:38, Dennis Gnatowski wrote:

> I am following the example from
> (https://developers.redhat.com/blog/2020/10/28/smart-cards-support-in-libssh#build_and_use_libssh_with_pkcs__11)
>
>    int rc;
>
>    char priv_uri[1042] =
>    "pkcs11:token=my-token;object=my-object;type=private?pin-value=1234";
>
>    rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, priv_uri);
>
>    assert_int_equal(rc, SSH_OK);
>
>    rc = ssh_userauth_publickey_auto(session, NULL, NULL);
>
> but using:
>
>    char priv_uri[1042] =
>    "pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so";

This does not look like a valid URI. There can be only one question mark, path 
is separated by semicolons and query parts are separated by ampersands so it 
should be something like:

pkcs11:object=SSH-key-acme;manufacturer=IBM?pin-value=####&module-path=/usr/lib64/pkcs11/PKCS11_API.so

see the URI syntax in <https://datatracker.ietf.org/doc/html/rfc7512>

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
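As an added illustration of the RFC 7512 structure rules Jakub describes (this is not code from the thread or from libssh), a small Python checker that splits a pkcs11: URI into its path and query attributes and rejects the malformed form quoted above. It assumes only the standard library; the attribute names are the ones RFC 7512 registers.

```python
"""Structural check of a PKCS#11 URI per RFC 7512 (added illustration, not libssh code).
Shape: pkcs11:<path-attr>;<path-attr>...?<query-attr>&<query-attr>...
At most one '?'; ';' separates path attributes, '&' separates query attributes."""
from urllib.parse import unquote

# Attribute names RFC 7512 registers; vendor extensions must start with "x-".
PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
              "library-version", "library-description", "object", "type", "id",
              "slot-manufacturer", "slot-description", "slot-id"}
QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}


def parse_pkcs11_uri(uri: str) -> dict:
    """Return {"path": {...}, "query": {...}} with percent-decoded values,
    or raise ValueError naming the first structural problem found."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("missing 'pkcs11:' scheme")
    body = uri[len("pkcs11:"):]
    if body.count("?") > 1:
        raise ValueError("more than one '?': only one query component is allowed")
    path, _, query = body.partition("?")
    parsed = {"path": {}, "query": {}}
    for part, text, sep, allowed in (("path", path, ";", PATH_ATTRS),
                                     ("query", query, "&", QUERY_ATTRS)):
        for item in filter(None, text.split(sep)):
            name, eq, value = item.partition("=")
            if not eq:
                raise ValueError(f"'{item}' is not a name=value attribute")
            if name not in allowed and not name.startswith("x-"):
                raise ValueError(f"'{name}' is not a valid {part} attribute")
            if part == "query" and ";" in value:
                # A literal ';' inside a query value must be percent-encoded as %3B.
                raise ValueError(f"raw ';' in query value of '{name}'")
            if name in parsed[part]:
                raise ValueError(f"duplicate attribute '{name}'")
            parsed[part][name] = unquote(value)
    return parsed


def is_valid_pkcs11_uri(uri: str) -> bool:
    """True if the URI passes the structural check above."""
    try:
        parse_pkcs11_uri(uri)
        return True
    except ValueError:
        return False
```

Run against the two URIs from this thread, the working one decodes its token to "CryptoServer Token0" (the name in the PIN prompt of the Linux log), while the one Jakub corrected is rejected for its second '?'.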
