Ssh -I opensc-pkcs11.so

yah · August 19, 2018, 3:48am

Hi,
I’m having some issues with ssh -I, when I use the gemalto smartcard, I can get access to the authentication key.

$ ssh -I opensc-pkcs11.so $HOST
Enter PIN for 'User PIN (OpenPGP card)': 
Welcome to Ubuntu 16.04.5 LTS (GNU/Linux 4.4.0-131-generic i686)

When i use the nitro card, it fails


$ ssh -I opensc-pkcs11.so $HOST
Enter PIN for 'User PIN (OpenPGP card)': 
C_Login failed: 164
sign_and_send_pubkey: signing failed: error in libcrypto
no such identity: /home/yah/.ssh/id_ecdsa: No such file or directory
no such identity: /home/yah/.ssh/id_ed25519: No such file or directory
no such identity: /home/yah/.ssh/id_xmss: No such file or directory

I can see the nitrocard and the authentication subkey

$ gpg --card-status |head
Reader ...........: Nitrokey Nitrokey Pro (00000000000000000000629F) 00 00
Application ID ...: D27600012401030300050000629F0000
Version ..........: 3.3
Manufacturer .....: ZeitControl
Serial number ....: 0000629F

$ cat /tmp/t3
ssh-rsa ..
...
URY/yWYoE2Q/ZjSAWH8yeyjxxNAF/X34VvD5xU+ooalEqBFIp5G0n Authentication key
[yah@kermit ~]$ ssh-keygen -l -f /tmp/t3
2048 SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs Authentication key (RSA)

But when I use ssh -I, it fails

$ ssh -I opensc-pkcs11.so $HOST -vvv
OpenSSH_7.7p1, OpenSSL 1.1.0h  27 Mar 2018
debug1: Reading configuration data xxxxxxxx
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolve_canonicalize: hostname xxxx is address
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to xxxxxx port 22.
debug1: Connection established.
debug1: provider opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.18
debug1: provider opensc-pkcs11.so slot 0: label <User PIN (OpenPGP card)> manufacturerID <ZeitControl> model <PKCS#15 emulate> serial <00050000629f> flags 0x4040d
debug1: have 1 keys
debug1: have 2 keys
debug1: provider opensc-pkcs11.so slot 1: label <User PIN (sig) (OpenPGP card)> manufacturerID <ZeitControl> model <PKCS#15 emulate> serial <00050000629f> flags 0x4040d
debug1: have 3 keys
...
debug1: Authentications that can continue: publickey,password
debug1: Offering public key: RSA SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs opensc-pkcs11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs
debug3: sign_and_send_pubkey: RSA SHA256:+JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs
Enter PIN for 'User PIN (OpenPGP card)': 
C_Login failed: 164
sign_and_send_pubkey: signing failed: error in libcrypto

The client uses the right key, +JSg4gdglSuWX9fQgyIyNlRbgoeKS0C3lVEctMzQ5xs, so there should not be any issues

I’m using archlinux. thanks

yah

nitroalex · August 23, 2018, 9:10am

Hi,

I guess the file in /tmp/t3 is the pubkey you saved on the server as well? How did you create it?

Kind regards
Alex

yah · August 23, 2018, 4:05pm

thanks for your email. so it looks like the workaround is to unplug the key after running a command such as gpg --card-edit

$ gpg --card-status |tail

  created ....: 2018-08-21 20:01:36

Authentication key: 0EC9 C122 2CC2 4A03 8DC1 F523 AD45 43BE D34B A256
created …: 2018-08-21 20:01:36
General key info…: pub rsa2048/842A8F72C48D541F 2018-08-21 yectli huerta (‘this is a test’)

rsa2048/842A8F72C48D541F created: 2018-08-21 expires: 2019-08-21
card-no: 0005 0000629F
rsa2048/AD4543BED34BA256 created: 2018-08-21 expires: 2019-08-21
card-no: 0005 0000629F
rsa2048/E28076DB869623C1 created: 2018-08-21 expires: 2019-08-21
card-no: 0005 0000629F
$ pkcs15-tool --read-ssh-key 3
No smart card readers found.

i then unplug and plug back the card and it works
$ pkcs15-tool --read-ssh-key 3
Using reader with a card: Nitrokey Nitrokey Pro (00000000000000000000629F) 00 00
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC7TsfYDOk2N04mTxoEnMUlqadv+jod/QF3ThpSfWKDRbhERTHyoXqZU2Rdk1y8Cu+xhXLySKYp6ROMVrNefFHS45zwDgWb/FUqfqWMUgmiUCrHmaf/Zkf/KOjFSa1SQplZpt4L/Nj0BUxxEDIUal1z1An0UWkuHwGe+iLyeeqo6wZGs1wTdDlp8skPzpp6ui5vmxwXhhboMRz7hetljAOO5Al9UiVYeRkkbW1ocD/zkOa9zfd8cFFRkiiJoLqCkqz9cR6iYrnImJbtxD9WYBS7aL3XnvpcrfshG+ewsh846GrtWfwjv96SuvYeQtVOKSYPU38yxTkSfXOuES/MYNHv Authentication key

no idea why

nitroalex · August 23, 2018, 4:21pm

Hi,

GnuPG makes exclusive use of the Nitrokey so that no other service can use the Nitrokey afterwards. This is why you got problems after using GnuPG first. Didn’t think about it first, sorry.

Kind regards
Alex

nitroalex · August 23, 2018, 4:22pm

Is there a specific reason you use OpenSC? If you don’t need it for another reason I recommend using gpg-agent as ssh-agent instead. This is hassle-free for me.

yah · August 23, 2018, 4:34pm

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐

nitroalex
August 23

Hi,

GnuPG makes exclusive use of the Nitrokey so that no other service can use the Nitrokey afterwards. This is why you got problems after using GnuPG first. Didn’t think about it first, sorry.

no problem. thanks for the explanation. nice product!

yah