Mailing List Archive

IdentitiesOnly and PKCS
Is it just me - or does, since version 3.0.7, IdentitiesOnly no longer include PKCS#11 keys?

With IdentitiesOnly set to yes - I see them getting picked up:

debug2: pkcs11_fetch_keys: provider /Library/OpenSC/lib/onepin-opensc-pkcs11.so slot 0: RSA SHA256:etcetc
debug1: have 2 keys

but not being offered. With IdentitiesOnly set to no (or without; the default) - they get offered.

Is that intentional? Or what is the thinking behind this?

With kind regards,

Dw
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: IdentitiesOnly and PKCS
I use private keys in a smartcard (OpenPGP in my case, via
gpg-agent(1)'s SSH socket).

If you pass IdentityFile=/path/to/public-key, it will use it when
IdentitiesOnly=yes. In short, IdentitiesOnly=yes instructs ssh(1) to
*only* use the IdentityFile given to it explicitly. When the private key
is not on disk, you have to give it the *public* key instead to
accomplish this.

If it did in the past automatically fetch keys from an agent without you
having to give one to an IdentityFile, that seems like a bug, and it
being fixed probably explains the "regression" you're seeing.
Re: IdentitiesOnly and PKCS
On Tue, 30 Nov 2021, Dirk-Willem van Gulik wrote:

> Is it just me - or does, since version 3.0.7, IdentitiesOnly no longer include PKCS#11 keys?
>
> With IdentitiesOnly set to yes - I see them getting picked up:
>
> debug2: pkcs11_fetch_keys: provider /Library/OpenSC/lib/onepin-opensc-pkcs11.so slot 0: RSA SHA256:etcetc
> debug1: have 2 keys
>
> but not being offered. With IdentitiesOnly set to no (or without; the default) - they get offered.
>
> Is that intentional? Or what is the thinking behind this?

Yes, intentional. This changed in OpenSSH 6.2, almost 9 years ago :)

> commit cb6b68b209d8868a94a30b1a634beb1a65cb5265
> Author: Damien Miller <djm@mindrot.org>
> Date: Mon Dec 3 09:49:52 2012 +1100
>
> - djm@cvs.openbsd.org 2012/12/02 20:26:11
> [ssh_config.5 sshconnect2.c]
> Make IdentitiesOnly apply to keys obtained from a PKCS11Provider.
> This allows control of which keys are offered from tokens using
> IdentityFile. ok markus@

The behaviour changed to fix a bug: IdentitiesOnly was not being applied
to PKCS#11 hosted keys, making it impossible to control which ones were
being offered to a server.

Since the change, you are able to filter PKCS#11 keys using IdentityFile
directives. To do this, you need to specify the public key rather than
the private. The same thing works for keys held in ssh-agent.

-d
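The procedure both replies describe (export the token's public keys, then name them with IdentityFile under IdentitiesOnly=yes so only those keys are offered), as an added worked example that is not part of the thread. The provider path, host name and output directory are assumptions for illustration; `ssh-keygen -D` and `ssh -G` are the real OpenSSH options for downloading a PKCS#11 library's public keys and printing the effective client configuration.

```shell
#!/bin/sh
# Added example (not from the thread): restrict which PKCS#11-hosted keys
# ssh(1) offers by pairing IdentitiesOnly=yes with IdentityFile entries that
# point at the *public* halves of the keys you want offered.
# All paths and host names here are illustrative assumptions.

# Step 1: export the token's public keys, one file per key.
# Requires the real provider library; ssh-keygen -D prints one public key
# per line, which awk splits into token-1.pub, token-2.pub, ...
export_token_pubkeys() {
    provider="$1"; outdir="$2"
    mkdir -p "$outdir"
    ssh-keygen -D "$provider" | awk -v d="$outdir" '{ print > (d "/token-" NR ".pub") }'
}

# Step 2: emit an ssh_config fragment that offers only the listed public keys.
# $1 = host pattern, $2 = provider library, remaining args = .pub files to offer.
# Keys on the token that are not listed are fetched but never offered, which
# is exactly the behaviour the thread discusses.
write_token_config() {
    host="$1"; provider="$2"; shift 2
    printf 'Host %s\n' "$host"
    printf '    PKCS11Provider %s\n' "$provider"
    printf '    IdentitiesOnly yes\n'
    for pub in "$@"; do
        printf '    IdentityFile %s\n' "$pub"
    done
}

# Step 3 (check): show which identities ssh will actually use for a host.
# ssh -G resolves the configuration without connecting to anything.
show_effective_identities() {
    ssh -G "$1" | grep -i '^identityfile '
}

# Typical use (commented out so the functions can be sourced without a token):
#   export_token_pubkeys /Library/OpenSC/lib/onepin-opensc-pkcs11.so ~/.ssh/token
#   write_token_config bastion.example.com \
#       /Library/OpenSC/lib/onepin-opensc-pkcs11.so ~/.ssh/token/token-1.pub \
#       >> ~/.ssh/config
#   show_effective_identities bastion.example.com
```

Because IdentitiesOnly applies to agent-held keys as well, the same fragment works when the token is reached through ssh-agent instead of PKCS11Provider: drop the PKCS11Provider line and keep the IdentityFile entries pointing at the public keys.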