[MacPorts] #52725: OpenSSH does not use PKCS11Provider, and calls for wrong key type
MacPorts
noreply at macports.org
Thu Oct 27 23:43:08 CEST 2016
#52725: OpenSSH does not use PKCS11Provider, and calls for wrong key type
-------------------------+--------------------------------
Reporter: mouse07410 | Owner: macports-tickets@…
Type: defect | Status: new
Priority: Normal | Milestone:
Component: ports | Version: 2.3.4
Resolution: | Keywords:
Port: openssl |
-------------------------+--------------------------------
Comment (by mouse07410):
The first issue was my fault - I wish I could edit the title to remove the
"PKCS11Provider" part.
I am using OpenSSH (the current MacPorts version) with an RSA smart card.
PKCS11 support is provided by OpenSC (the current GitHub master,
well-tested and working fine).
The problem is - despite the token being RSA, it tries to ask for ECDSA
keys, which of course results in 4 error messages. Since the connection
succeeds, one can consider it a nuisance rather than a show-stopper, but
it would be far nicer if you could help to get rid of those requests that
cause those errors.
Here's what it looks like:
{{{
$ ssh github.com
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
Enter PIN for 'PIV Card Holder pin (PIV_II)':
PTY allocation request failed on channel 0
Hi mouse07410! You've successfully authenticated, but GitHub does not
provide shell access.
Connection to github.com closed.
$
}}}
The connection/authentication succeeds - but before that ssh is trying to
request ECC parameters from an RSA token, which causes the above errors.
Here's the PKCS11SPY trace:
{{{
Log
This seems relevant. Note that the token is RSA and has nothing
ECC-related in/on it.
$ ssh -I /Library/OpenSC/lib/pkcs11-spy. github.com
pkcs11-spy.dylib pkcs11-spy.la pkcs11-spy.so
$ ssh -I /Library/OpenSC/lib/pkcs11-spy.dylib github.com
*************** OpenSC PKCS#11 spy *****************
Loaded: "/Library/OpenSC/lib/opensc-pkcs11.dylib"
0: C_GetFunctionList
2016-10-24 21:49:02.207
Returned: 0 CKR_OK
1: C_Initialize
2016-10-24 21:49:02.207
[in] pInitArgs = 0x0
Returned: 0 CKR_OK
2: C_GetInfo
2016-10-24 21:49:02.947
[out] pInfo:
cryptokiVersion: 2.20
manufacturerID: 'OpenSC Project '
flags: 0
libraryDescription: 'OpenSC smartcard framework '
libraryVersion: 0.16
Returned: 0 CKR_OK
3: C_GetSlotList
2016-10-24 21:49:02.947
[in] tokenPresent = 0x1
[out] pSlotList:
Count is 1
[out] *pulCount = 0x1
Returned: 0 CKR_OK
4: C_GetSlotList
2016-10-24 21:49:02.949
[in] tokenPresent = 0x1
[out] pSlotList:
Slot 0
[out] *pulCount = 0x1
Returned: 0 CKR_OK
5: C_GetTokenInfo
2016-10-24 21:49:02.950
[in] slotID = 0x0
[out] pInfo:
label: 'PIV Card Holder pin (PIV_II) '
manufacturerID: 'piv_II '
model: 'PKCS#15 emulated'
serialNumber: 'a0fxxxxxxxxxxxxx'
ulMaxSessionCount: 0
ulSessionCount: 0
ulMaxRwSessionCount: 0
ulRwSessionCount: 0
ulMaxPinLen: 8
ulMinPinLen: 4
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 0.0
firmwareVersion: 0.0
time: ' '
flags: 40d
CKF_RNG
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
6: C_OpenSession
2016-10-24 21:49:02.968
[in] slotID = 0x0
[in] flags = 0x6
pApplication=0x0
Notify=0x0
[out] *phSession = 0x7fee5fd09720
Returned: 0 CKR_OK
7: C_FindObjectsInit
2016-10-24 21:49:02.968
[in] hSession = 0x7fee5fd09720
[in] pTemplate[1]:
CKA_CLASS CKO_PUBLIC_KEY
Returned: 0 CKR_OK
8: C_FindObjects
2016-10-24 21:49:02.968
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fee5ff04490 matches
Returned: 0 CKR_OK
9: C_GetAttributeValue
2016-10-24 21:49:02.968
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff04490
[in] pTemplate[3]:
CKA_ID 0000000000000000 / 0
CKA_MODULUS 0000000000000000 / 0
CKA_PUBLIC_EXPONENT 0000000000000000 / 0
[out] pTemplate[3]:
CKA_ID 0000000000000000 / 1
CKA_MODULUS 0000000000000000 / 256
CKA_PUBLIC_EXPONENT 0000000000000000 / xxx
Returned: 0 CKR_OK
10: C_GetAttributeValue
2016-10-24 21:49:02.968
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff04490
[in] pTemplate[3]:
CKA_ID 00007fee5fc25b20 / 1
CKA_MODULUS 00007fee5fc26e30 / 256
CKA_PUBLIC_EXPONENT 00007fee5fc25240 / xxx
[out] pTemplate[3]:
CKA_ID 00007fee5fc25b20 / 1
00000000 01 .
CKA_MODULUS 00007fee5fc26e30 / 256
00000000 9D 78 A2 BF 06 FD 20 19 1B 14 F1 F6 7A BE 1B 01 .x....
.....z...
00000010 B1 9F E7 EF 82 64 D6 E1 3D 7D 94 E9 86 57 82 F7
.....d..=}...W..
. . . . .
000000F0 F2 55 C6 FA 93 8D 2F B1 F8 F8 82 45 98 FF B1 99
.U..../....E....
CKA_PUBLIC_EXPONENT 00007fee5fc25240 / xxx
. . . . .
Returned: 0 CKR_OK
11: C_FindObjects
2016-10-24 21:49:02.969
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fee5ff044f0 matches
Returned: 0 CKR_OK
12: C_GetAttributeValue
2016-10-24 21:49:02.969
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff044f0
[in] pTemplate[3]:
CKA_ID 0000000000000000 / 0
CKA_MODULUS 0000000000000000 / 0
CKA_PUBLIC_EXPONENT 0000000000000000 / 0
[out] pTemplate[3]:
CKA_ID 0000000000000000 / 1
CKA_MODULUS 0000000000000000 / 256
CKA_PUBLIC_EXPONENT 0000000000000000 / xxx
Returned: 0 CKR_OK
13: C_GetAttributeValue
2016-10-24 21:49:02.969
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff044f0
[in] pTemplate[3]:
CKA_ID 00007fee5ff00bd0 / 1
CKA_MODULUS 00007fee5ff07550 / 256
CKA_PUBLIC_EXPONENT 00007fee5ff00be0 / xxx
[out] pTemplate[3]:
CKA_ID 00007fee5ff00bd0 / 1
00000000 02 .
CKA_MODULUS 00007fee5ff07550 / 256
00000000 BF 03 6F 94 56 56 89 D1 91 8B 1D F5 63 7F 8F 5C
..o.VV......c.\
. . . . .
000000F0 52 ED EC EA 97 83 46 D9 0A 34 51 19 60 BD 5E EB
R.....F..4Q.`.^.
CKA_PUBLIC_EXPONENT 00007fee5ff00be0 / xxx
. . . . .
Returned: 0 CKR_OK
14: C_FindObjects
2016-10-24 21:49:02.969
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fee5ff04550 matches
Returned: 0 CKR_OK
. . . . .
[so far everything was CKR_OK]
26: C_GetAttributeValue
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff044f0
[in] pTemplate[3]:
CKA_ID 0000000000000000 / 0
CKA_ECDSA_PARAMS 0000000000000000 / 0
CKA_EC_POINT 0000000000000000 / 0
[out] pTemplate[3]:
CKA_ID 0000000000000000 / 1
CKA_ECDSA_PARAMS 0000000000000000 / -1
CKA_EC_POINT 0000000000000000 / -1
Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue failed: 18
27: C_FindObjects
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fee5ff04550 matches
Returned: 0 CKR_OK
28: C_GetAttributeValue
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff04550
[in] pTemplate[3]:
CKA_ID 0000000000000000 / 0
CKA_ECDSA_PARAMS 0000000000000000 / 0
CKA_EC_POINT 0000000000000000 / 0
[out] pTemplate[3]:
CKA_ID 0000000000000000 / 1
CKA_ECDSA_PARAMS 0000000000000000 / -1
CKA_EC_POINT 0000000000000000 / -1
Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue failed: 18
29: C_FindObjects
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fee5ff045b0 matches
Returned: 0 CKR_OK
30: C_GetAttributeValue
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff045b0
[in] pTemplate[3]:
CKA_ID 0000000000000000 / 0
CKA_ECDSA_PARAMS 0000000000000000 / 0
CKA_EC_POINT 0000000000000000 / 0
[out] pTemplate[3]:
CKA_ID 0000000000000000 / 1
CKA_ECDSA_PARAMS 0000000000000000 / -1
CKA_EC_POINT 0000000000000000 / -1
Returned: 18 CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue failed: 18
[from this point on everything is CKR_OK again]
31: C_FindObjects
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned: 0 CKR_OK
. . . . .
53: C_Sign
2016-10-24 21:49:07.640
[in] hSession = 0x7fee5fd09720
[in] pData[ulDataLen] 00007fee5fd0a900 / 35
00000000 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 07
0!0...+.........
00000010 75 C2 02 90 F3 76 FD 6F AE A6 91 7A 55 CE 26 B5
u....v.o...zU.&.
00000020 35 7D A7 5}.
[out] pSignature[*pulSignatureLen] 00007fee5fd0a800 / 256
00000000 01 DD 20 C2 E5 DD D5 B9 A2 45 74 57 12 BB A5 8F ..
......EtW....
00000010 71 65 82 3F AF 8D B7 D8 68 4B 91 C4 54 51 AD DE
qe.?....hK..TQ..
. . . . .
000000F0 DA 1E 87 89 7F 7C A1 F1 D0 28 57 D3 42 3E 6D D5
....|...(W.B>m.
Returned: 0 CKR_OK
PTY allocation request failed on channel 0
Hi mouse07410! You've successfully authenticated, but GitHub does not
provide shell access.
Connection to github.com closed.
$
}}}
Note that ssh did not at any point ask for the key type (which could help
it figure out whether to ask for ECDSA_PARAMS and EC_POINT or not).
Your help is appreciated!
--
Ticket URL: <https://trac.macports.org/ticket/52725#comment:1>
MacPorts <https://www.macports.org/>
Ports system for OS X
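The trace above shows a PKCS#11 client asking every public-key object for CKA_ECDSA_PARAMS and CKA_EC_POINT without first reading CKA_KEY_TYPE, so an RSA-only token answers each of those requests with CKR_ATTRIBUTE_TYPE_INVALID (18) and ulValueLen set to CK_UNAVAILABLE_INFORMATION (the "-1" in the spy output). The following is an added example, not code from OpenSSH's ssh-pkcs11.c or from OpenSC: it contrasts the blind query with a type-aware one against a constructed in-memory token. The PKCS#11 constant values are copied from the v2.20 specification so the file compiles without pkcs11.h; mock_GetAttributeValue, fetch_ec_blindly, fetch_public_key, the token_object layout and the key material are all constructed for this illustration (the RSA modulus and EC point are truncated placeholders, not real keys).

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PKCS#11 v2.20 constant values, copied so the example builds without pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef struct { CK_ULONG type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CKA_KEY_TYPE        0x100UL
#define CKA_ID              0x102UL
#define CKA_MODULUS         0x120UL
#define CKA_PUBLIC_EXPONENT 0x122UL
#define CKA_EC_PARAMS       0x180UL  /* the spy prints this as CKA_ECDSA_PARAMS */
#define CKA_EC_POINT        0x181UL
#define CKK_RSA             0x0UL
#define CKK_EC              0x3UL
#define CKR_OK                     0x00UL
#define CKR_ATTRIBUTE_TYPE_INVALID 0x12UL   /* decimal 18, the code in the trace */
#define CKR_KEY_TYPE_INCONSISTENT  0x63UL
#define CKR_BUFFER_TOO_SMALL       0x150UL
#define CK_UNAVAILABLE_INFORMATION (~0UL)   /* printed as "-1" by the spy */

/* Constructed in-memory stand-in for a token object: a fixed attribute list. */
typedef struct { CK_ULONG type; const void *value; CK_ULONG len; } attr_t;
typedef struct { const attr_t *attrs; size_t n; } token_object;

static const CK_ULONG kt_rsa = CKK_RSA, kt_ec = CKK_EC;
static const unsigned char id1[] = { 0x01 }, id2[] = { 0x02 };
static const unsigned char rsa_mod[] = { 0x9d, 0x78, 0xa2, 0xbf };      /* constructed, truncated */
static const unsigned char rsa_exp[] = { 0x01, 0x00, 0x01 };            /* 65537 */
static const unsigned char p256_oid[] = { 0x06, 0x08, 0x2a, 0x86, 0x48, 0xce, 0x3d, 0x03, 0x01, 0x07 };
static const unsigned char ec_pt[] = { 0x04, 0x41, 0x04, 0xaa, 0xbb };  /* constructed, truncated */

static const attr_t rsa_attrs[] = {
    { CKA_KEY_TYPE, &kt_rsa, sizeof kt_rsa },   { CKA_ID, id1, sizeof id1 },
    { CKA_MODULUS, rsa_mod, sizeof rsa_mod },   { CKA_PUBLIC_EXPONENT, rsa_exp, sizeof rsa_exp } };
static const attr_t ec_attrs[] = {
    { CKA_KEY_TYPE, &kt_ec, sizeof kt_ec },     { CKA_ID, id2, sizeof id2 },
    { CKA_EC_PARAMS, p256_oid, sizeof p256_oid }, { CKA_EC_POINT, ec_pt, sizeof ec_pt } };
const token_object rsa_object = { rsa_attrs, 4 };
const token_object ec_object  = { ec_attrs, 4 };

/* Mock of C_GetAttributeValue following the v2.20 rules: a NULL pValue asks for the
 * length only; an attribute the object lacks gets ulValueLen = CK_UNAVAILABLE_INFORMATION
 * and the call returns CKR_ATTRIBUTE_TYPE_INVALID, while the remaining entries are still
 * processed. That is exactly what the trace shows for EC attributes on RSA keys. */
static CK_RV mock_GetAttributeValue(const token_object *obj, CK_ATTRIBUTE *tmpl, CK_ULONG count)
{
    CK_RV rv = CKR_OK;
    for (CK_ULONG i = 0; i < count; i++) {
        const attr_t *found = NULL;
        for (size_t j = 0; j < obj->n; j++)
            if (obj->attrs[j].type == tmpl[i].type) { found = &obj->attrs[j]; break; }
        if (found == NULL) { tmpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; rv = CKR_ATTRIBUTE_TYPE_INVALID; continue; }
        if (tmpl[i].pValue == NULL) { tmpl[i].ulValueLen = found->len; continue; }
        if (tmpl[i].ulValueLen < found->len) { tmpl[i].ulValueLen = CK_UNAVAILABLE_INFORMATION; rv = CKR_BUFFER_TOO_SMALL; continue; }
        memcpy(tmpl[i].pValue, found->value, found->len);
        tmpl[i].ulValueLen = found->len;
    }
    return rv;
}

/* The pattern seen in the trace: ask every public-key object for EC attributes
 * without checking its type. On an RSA key this yields error 18. */
CK_RV fetch_ec_blindly(const token_object *obj)
{
    unsigned char id[16], params[64], point[160];
    CK_ATTRIBUTE t[3] = { { CKA_ID, id, sizeof id }, { CKA_EC_PARAMS, params, sizeof params },
                          { CKA_EC_POINT, point, sizeof point } };
    return mock_GetAttributeValue(obj, t, 3);
}

typedef struct {
    CK_ULONG key_type;
    unsigned char modulus[512], exponent[8], ec_params[64], ec_point[160];
    CK_ULONG modulus_len, exponent_len, ec_params_len, ec_point_len;
} pubkey_t;

/* Type-aware client: read CKA_KEY_TYPE first, then only the attributes that key type
 * defines, so a correctly populated token never answers CKR_ATTRIBUTE_TYPE_INVALID. */
CK_RV fetch_public_key(const token_object *obj, pubkey_t *k)
{
    CK_RV rv;
    memset(k, 0, sizeof *k);
    CK_ATTRIBUTE kt = { CKA_KEY_TYPE, &k->key_type, sizeof k->key_type };
    if ((rv = mock_GetAttributeValue(obj, &kt, 1)) != CKR_OK) return rv;

    if (k->key_type == CKK_RSA) {
        CK_ATTRIBUTE t[2] = { { CKA_MODULUS, k->modulus, sizeof k->modulus },
                              { CKA_PUBLIC_EXPONENT, k->exponent, sizeof k->exponent } };
        rv = mock_GetAttributeValue(obj, t, 2);
        k->modulus_len = t[0].ulValueLen; k->exponent_len = t[1].ulValueLen;
    } else if (k->key_type == CKK_EC) {
        CK_ATTRIBUTE t[2] = { { CKA_EC_PARAMS, k->ec_params, sizeof k->ec_params },
                              { CKA_EC_POINT, k->ec_point, sizeof k->ec_point } };
        rv = mock_GetAttributeValue(obj, t, 2);
        k->ec_params_len = t[0].ulValueLen; k->ec_point_len = t[1].ulValueLen;
    } else {
        rv = CKR_KEY_TYPE_INCONSISTENT;  /* unsupported type: skip it rather than probe blindly */
    }
    return rv;
}

int main(void)
{
    pubkey_t k;
    printf("blind EC query on RSA object: rv=%lu\n", fetch_ec_blindly(&rsa_object));
    printf("type-aware query on RSA object: rv=%lu key_type=%lu modulus_len=%lu\n",
           fetch_public_key(&rsa_object, &k), k.key_type, k.modulus_len);
    printf("type-aware query on EC object: rv=%lu key_type=%lu ec_params_len=%lu\n",
           fetch_public_key(&ec_object, &k), k.key_type, k.ec_params_len);
    return 0;
}
```

The design point is that CKA_KEY_TYPE is mandatory on every CKO_PUBLIC_KEY object, so one extra one-attribute query per object is enough to pick the correct template; the blind approach is harmless on a token that happens to hold only EC keys, which is why the spurious errors only surface with RSA-only tokens such as the PIV card in this report.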