
ssh-agent pkcs11 uri to select certificate
Hello,


I have two hardware tokens (Thales/Safenet eToken 5110cc) that both
contain certificates for various uses. They obviously use the same
driver, libeToken.so (version 10.7.77). I have no issues using one of
them either directly (with -I/PKCS11Provider) with ssh or ssh-agent.

However, I have to keep both tokens connected and I need to add only one
specific certificate to ssh-agent. For test purposes both tokens use the
same pin code, as with every try, if the pin codes are different, the one
for which it is incorrect will increment the tentative counter on the
token, thus ending up locking it. If the two pin codes are different the
selection will be based on available certificates with that pin, so that
kinda works until one of the two tokens is locked.

From what I've read, p11-kit seems to be the piece of software that was
missing to glue various middlewares to 'consumer' software like ssh.

So, here are my two certificates:

$ p11tool --list-all-certs

pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo

pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar

From what I've read, this syntax should be correct:

$ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo'

Or even

$ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so pkcs11:serial=1234567890ABCDEF

(I'm using ssh-add through p11-kit-proxy.so for now as I've not been
able to directly use the pkcs11 uri - not sure if that matters).

But the pkcs11 uri does not seem to be used and all certificates end up
being added to ssh-agent:

$ ssh-add -L
ssh-rsa AAAAB3<snip> foo
ssh-rsa AAAAC5<snip> bar

Is this because of the use of p11-kit-proxy, or something else I've
missed? If there is another method than p11-kit to achieve this I'm also
interested!

thanks,
pierre
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
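The question above turns on what a PKCS#11 URI (RFC 7512) is supposed to select: a filter URI matches a token when every attribute it carries equals the token's, and attributes it omits act as wildcards, so `pkcs11:serial=1234567890ABCDEF` should pick exactly the `foo` token. The following is an added example, not code from the thread, OpenSSH or p11-kit: it parses the two token URIs printed by `p11tool` (copied from the post as constructed sample data) and refuses a filter that is ambiguous or matches nothing, which is a useful pre-flight check before handing a URI to ssh-add, since a filter that is too broad ends up adding every token and, as the poster notes, risks PIN retries against the wrong one.

```python
"""Match an RFC 7512 PKCS#11 URI against token URIs before using it with ssh-add.
Added example for the thread above; not part of OpenSSH, p11-kit or the poster's setup."""
from urllib.parse import unquote

# Constructed sample: the two token URIs from the poster's `p11tool --list-all-certs` output.
TOKEN_URIS = [
    "pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo",
    "pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar",
]


def parse_pkcs11_uri(uri: str) -> dict:
    """Return the path attributes of a pkcs11: URI as a dict (the ?query part is ignored).
    Percent-encoded octets such as %20 are decoded as RFC 7512 requires."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11 URI: %r" % uri)
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError("attribute without value: %r" % part)
        if name in attrs:
            raise ValueError("duplicate attribute: %r" % name)  # RFC 7512 forbids repeats
        attrs[name] = unquote(value)
    return attrs


def uri_matches(filter_uri: str, token_uri: str) -> bool:
    """RFC 7512 matching: each attribute in the filter must be present in the token URI
    with the same value; attributes the filter omits match anything."""
    want = parse_pkcs11_uri(filter_uri)
    have = parse_pkcs11_uri(token_uri)
    return all(have.get(name) == value for name, value in want.items())


def select_token(filter_uri: str, token_uris=TOKEN_URIS) -> str:
    """Return the single token URI the filter selects. Raise LookupError when the
    filter matches several tokens (all of them would be added) or none at all."""
    hits = [t for t in token_uris if uri_matches(filter_uri, t)]
    if len(hits) != 1:
        raise LookupError("%r matches %d tokens, expected exactly 1" % (filter_uri, len(hits)))
    return hits[0]


if __name__ == "__main__":
    print(select_token("pkcs11:serial=1234567890ABCDEF"))   # the 'foo' token only
    print(parse_pkcs11_uri(TOKEN_URIS[1])["model"])         # ID Prime MD
```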
Re: ssh-agent pkcs11 uri to select certificate
On 1/14/22 17:02, petrus@gozmail.bzh wrote:
> Hello,
>
>
> I have two hardware tokens (Thales/Safenet eToken 5110cc) that both
> contain certificates for various uses. They obviously use the same
> driver, libeToken.so (version 10.7.77). I have no issues using one of
> them either directly (with -I/PKCS11Provider) with ssh or ssh-agent.
>
> However, I have to keep both tokens connected and I need to add only one
> specific certificate to ssh-agent. For test purposes both tokens use the
> same pin code, as with every try if the pin code is different, the one
> for which it is incorrect will increment the tentative counter on the
> token thus ending locking it. If the two pin codes are different the
> selection will be based on available certificates with that pin, so that
> kinda works until one of the two tokens is locked.
>
> From what I've read, p11-kit seems to be the piece of software that was
> missing to glue various middlewares to 'consumer' software like ssh.
>
> So, here are my two certificates:
>
>     $ p11tool --list-all-certs
> pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo
>
> pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar
>
>
> From what I've read, this syntax should be correct:
>
>     $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
> 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo'
>
>
> Or even
>
>     $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
> pkcs11:serial=1234567890ABCDEF
>
> (I'm using ssh-add through p11-kit-proxy.so for now as I've not been
> able to directly use the pkcs11 uri - not sure if that matters).
>
> But the pkcs11 uri does not seem to be used and all certificates end up
> being added to ssh-agent:
>
>     $ ssh-add -L
>     ssh-rsa AAAAB3<snip> foo
>     ssh-rsa AAAAC5<snip> bar
>
> Is this because of the use of p11-kit-proxy, or something else I've
> missed? If there is another method than p11-kit to achieve this I'm also
> interested!

I implemented support for PKCS#11 URI and it has been in Fedora and RHEL8+
for a couple of years. Unfortunately, it has not yet been accepted and merged
into openssh:

https://bugzilla.mindrot.org/show_bug.cgi?id=2817

The patch is a bit outdated so not ready to be merged. The updated one
is in Fedora if you want to try that out:

https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-pkcs11-uri.patch

Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.

Re: ssh-agent pkcs11 uri to select certificate
Hello Jakub,

On 2022-01-24 16:39, Jakub Jelen wrote:
>
> I implemented support for PKCS#11 URI and it has been in Fedora and
> RHEL8+ for a couple of years. Unfortunately, it has not yet been accepted and
> merged into openssh:
>
> https://bugzilla.mindrot.org/show_bug.cgi?id=2817

This is great, but it is indeed unfortunate that this is not upstream. I see that
the bugzilla entry is still open; hasn't this been merged because of a
lack of maintainer time relative to interest, or are there any issues
preventing this from happening?

> The patch is a bit outdated so not ready to be merged. The updated one
> is in Fedora if you want to try that out:
>
> https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-pkcs11-uri.patch

Many thanks!
I'll try this patch and see how I can fix this until this is committed
upstream.

Regards,
pierre