Bug 186469

Summary: pkcs11 / smartcard support for openssh
Product: [Fedora] Fedora
Reporter: Cornelius Kölbel <corny>
Component: openssh
Assignee: Jan F. Chadima <jchadima>
Status: CLOSED WORKSFORME
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium
Version: rawhide
CC: adam, alon.barlev, dcolaiac, degts, evaldo, gvarisco, rrelyea, tmraz, todd.denniston, tuju
Target Milestone: ---
Keywords: FutureFeature, Reopened
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2011-01-26 11:19:35 EST
Attachments (flags: none):
patch to Alon's patch to make it apply to Fedora 7's openssh source rpm
change to Fedora 7's openssh SRPMs spec to make Alon's patch work
patch to Alon's pkcs11-helper's spec file to make it build binary rpms on Fedora 7
A script to put the attached patches together with the SRPMs until a Fedora person does it right.
A script to get the smart card recognized by ssh-agent, to be run from ~/.bashrc or .profile.
naively create an authorized_keys file with ssh-add.

Description Cornelius Kölbel 2006-03-23 14:02:14 EST
Description of problem:
There is a patch by Alon Bar-Lev that enhances openssh with a PKCS#11 interface.
The same patch went into openvpn 2.1beta, enabling openvpn to read certificates
and the private key from a smartcard.
The openssh team refuses to add this patch to the default source tree.
Using this patch you can improve your security by storing your private key not
on the hard disk anymore but on the smartcard.
The openssh package of Fedora should contain this patch, to improve the
usability of smartcards under Linux.
Please contact alon.barlev@gmail.com for the patch.

Version-Release number of selected component (if applicable):
openssh 4.3p1
Comment 1 Tomas Mraz 2006-03-24 02:21:49 EST
We will consider this during FC6 development cycle.
Comment 2 Todd Denniston 2007-06-26 16:25:37 EDT
Created attachment 157950 [details]
patch to Alon's patch to make it apply to Fedora 7's openssh source rpm
Comment 3 Todd Denniston 2007-06-26 16:27:15 EDT
Created attachment 157951 [details]
change to Fedora 7's openssh SRPMs spec to make Alon's patch work
Comment 4 Todd Denniston 2007-06-26 16:28:36 EDT
Created attachment 157952 [details]
patch to Alon's pkcs11-helper's spec file to make it build binary rpms on Fedora 7
Comment 5 Todd Denniston 2007-06-26 16:30:01 EDT
Created attachment 157953 [details]
A script to put the attached patches together with the SRPMs until a Fedora person does it right.
Comment 6 Todd Denniston 2007-06-26 16:33:07 EDT
Created attachment 157954 [details]
A script to get the smart card recognized by ssh-agent, to be run from ~/.bashrc or .profile.

might want to wrap this script with something like:
# Only prompt for the card when the running agent holds no identities yet.
SSH_ADD_RETSTRING=$(ssh-add -l 2>&1)
if echo "$SSH_ADD_RETSTRING" | grep -q "The agent has no identities."
then
  # kick the card info into the agent.
  echo "starting ssh-card-init may take ~20 seconds."
  ssh-card-init
fi
Comment 7 Todd Denniston 2007-06-26 16:36:04 EDT
Created attachment 157955 [details]
naively create an authorized_keys file with ssh-add.
Comment 8 Todd Denniston 2007-06-26 16:42:31 EDT
FC6 has come and gone, yet Alon's patches have not made it into upstream nor
Fedora.

My hope is that by making patches that apply to the SRPMs, someone who knows how
to fix RPMs correctly can get these correctly integrated into the Fedora system now.

Method for use:
put
Buildssh.sh
openssh.spec.patch
openssh-4.5p1pkcs11-0.19.patch.FC7.patch
pkcs11-helper.spec.1.03.patch
in a directory [$HOME/patches/ in the Buildssh.sh script]

run Buildssh.sh to build the binary RPMs.
install the new rpms:
$TOPDIR/RPMS/i386/pkcs11-helper-*
$TOPDIR/RPMS/i386/openssh*

logout (to get a new ssh-agent with the new capabilities)
login
run `ssh-card-init` to let ssh-agent know about your card.
if needed, build authorized_keys with
generate_authorized_keys_naive > /whereSshdLooks/authorized_keys

ssh whereEverThoseKeysLetYouIn

Thanks.
Comment 9 Todd Denniston 2007-06-26 17:16:59 EDT
Bah!
I did not realize that bugzilla pretty much throws away
(does not display to the downloaders) the names of the attached files.

Here is a map.
patch to Alon's patch to make it apply to Fedora 7's openssh source rpm
attachment (id=157950) is openssh-4.5p1pkcs11-0.19.patch.FC7.patch

change to Fedora 7's openssh SRPMs spec to make Alon's patch work
attachment (id=157951) is openssh.spec.patch
patch to Alon's pkcs11-helper's spec file to make it build binary rpms on Fedora 7
attachment (id=157952) is pkcs11-helper.spec.1.03.patch

A script to put the attached patches together with the SRPMs until a Fedora
person does it right.
attachment (id=157953) is Buildssh.sh

A script to get the smart card recognized by ssh-agent, to be run from ~/.bashrc
or .profile.
attachment (id=157954) is ssh-card-init

naively create an authorized_keys file with ssh-add.
attachment (id=157955) is generate_authorized_keys_naive
Comment 10 Alon Bar-Lev 2007-06-27 13:28:22 EDT
Hello,

The following settings in attachment#157952 [details] are required because of coolkey-specific
PKCS#11 incompatibilities.
@@ -44,6 +44,8 @@
 %build
 %configure -q \
 	--disable-rpath \
+	--disable-threading \
+	--disable-slotevent \
 %if %{?with_doc}
 	--enable-doc
 %endif
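Review bot: Both added switches apply to the whole pkcs11-helper build, so `--disable-threading` and `--disable-slotevent` also land in the library used by OpenVPN, gnupg-pkcs11-scd and qca-2, not only in the copy ssh-agent links against, and they only paper over coolkey's fork() handling and its empty manufacturerID/model/serialNumber metadata. Suggest putting the two `--disable-*` lines behind a spec-level conditional that is off by default, or dropping them once coolkey is fixed, and recording in the spec changelog why they exist.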

I do not recommend adding this, as most users will require this when
pkcs11-helper is used by different components (OpenVPN, gnupg-pkcs11-scd,
qca-2).

I have no access to open coolkey bugs and the developers did not open the bugs
themselves. There are two issues with coolkey:
1. Returns empty metadata for manufacturerID, model, serialNumber.
2. Does not handle fork() correctly.

Other than coolkey there are many fully working providers:
https://www.opensc-project.org/pkcs11-helper/wiki/WorkingProviders

Also a note regarding the Red Hat NSS "thing": in order to integrate an
application with a smartcard, you can probably replace the underlying crypto
implementation of all projects. But the fact is that NSS is much too complex,
as it manages its own repository and policies.

The best example is what happened to pam_pkcs11 after a Red Hat developer messed
it up with NSS, leaving a partial implementation in legacy and providing some other
implementation with NSS.

Please don't do this to OpenSSH.

This patch provides a simple and light PKCS#11 integration, as well as adding
support for multiple providers, a token prompt and an X.509 patch.

Thank you.
Comment 11 Tomas Mraz 2007-09-24 15:38:29 EDT
We have experimental PKCS11 support through NSS in rawhide which aligns with the
goal of crypto consolidation of Fedora
(http://fedoraproject.org/wiki/FedoraCryptoConsolidation).

I'm sorry but we will not add another PKCS11 patch without upstream acceptance.
Comment 12 Giuseppe Paterno 2009-02-18 07:58:21 EST
Any update?
Comment 13 Evaldo Gardenali 2009-03-12 00:24:47 EDT
Please enable --with-opensc, which is available upstream without any patches, so we can use our smartcards. I have it working in other distributions and operating systems for a while.
Comment 14 Evaldo Gardenali 2009-10-26 11:27:28 EDT
Why is it closed? I still do not see OpenSSH working with smartcards...

Test Machine Details
Fedora release 11.92 (Rawhide)
openssh-5.2p1-28.fc12.x86_64
opensc-0.11.9-2.fc12.x86_64

Agent in debug-mode
# ssh-agent -d
SSH_AUTH_SOCK=/tmp/ssh-VRNAA11085/agent.11085; export SSH_AUTH_SOCK;
echo Agent pid 11085;
debug1: type 1
debug1: type 11
debug1: XXX shrink: 3 < 4
debug1: type 20
Unknown message 20
debug1: XXX shrink: 3 < 4

Test
# opensc-tool -a
Using reader with a card: Schlumberger E-Gate
3b:95:18:40:ff:62:01:02:01:04
# opensc-tool -n
Using reader with a card: Schlumberger E-Gate
Cryptoflex 32K e-gate
# SSH_AUTH_SOCK=/tmp/ssh-VRNAA11085/agent.11085; export SSH_AUTH_SOCK;
# ssh-add -s 0
Enter passphrase for smartcard: 
SSH_AGENT_FAILURE
Could not add card: 0

Proof of token in working conditions
# pkcs11-tool --login -t --slot 0
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (Private Key) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: openssl error during verification: 0xffffffff (-1)
    RSA-PKCS: openssl error during verification: 0xffffffff (-1)
    SHA1-RSA-PKCS: openssl error during verification: 0xffffffff (-1)
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (Private Key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS:   ERR: C_Verify() returned CKR_GENERAL_ERROR (0x5)
Key unwrap (RSA)
  testing key 0 (Private Key) 
    DES-CBC: OK
    DES-EDE3-CBC: OK
    BF-CBC: OK
    CAST5-CFB: OK
Decryption (RSA)
  testing key 0 (Private Key) 
    RSA-X-509: OK
    RSA-PKCS: OK
Testing card detection
Please press return to continue, x to exit: 
Available slots:
Slot 0           Schlumberger E-Gate
  token label:   Evaldo Gardenali (User PIN)
  token manuf:   OpenSC Project
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  0002DD6900E40000
Slot 1           (empty)
...
Comment 15 Tomas Mraz 2009-10-26 11:43:49 EDT
Use the NSS support to enable ssh and ssh-agent to use your key on the smart card.
As opensc provides a pkcs11 library it is possible to do that without problems. See README.nss for how to use the NSS support.
Comment 16 Evaldo Gardenali 2009-10-26 12:06:07 EDT
Hi

Still no luck, I guess. Can you please point out what I am doing wrong?

Evaldo

[evaldo@goldstein .ssh]$ certutil -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 

[evaldo@goldstein .ssh]$ ls
cert8.db  key3.db  known_hosts  secmod.db

[evaldo@goldstein .ssh]$ modutil -add opensc -libfile /usr/lib64/opensc-pkcs11.so -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Module "opensc" added to database.

[evaldo@goldstein .ssh]$ modutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc
	library name: /usr/lib64/opensc-pkcs11.so
	 slots: 16 slots attached
	status: loaded

	 slot: Schlumberger E-Gate
	token: Evaldo Gardenali (User PIN)

	 slot: Schlumberger E-Gate
	token: 

	 slot: Schlumberger E-Gate
	token: 
......

[evaldo@goldstein ~]$ ssh-add -l
The agent has no identities.

[evaldo@goldstein ~]$ ssh-add -n
Enter passphrase for token Evaldo Gardenali (User PIN): 
Error reading response length from authentication socket.
Could not add key: Evaldo Gardenali (User PIN):Private Key
Enter passphrase for token Evaldo Gardenali (User PIN): 
Error writing to authentication socket.
Could not add key: Evaldo Gardenali (User PIN):Private Key

[evaldo@goldstein ~]$ ssh-add -n -T 'Evaldo Gardenali'
Enter passphrase for token Evaldo Gardenali (User PIN): 
Error reading response length from authentication socket.
Could not add key: Evaldo Gardenali (User PIN):Private Key
Enter passphrase for token Evaldo Gardenali (User PIN): 
Error writing to authentication socket.
Could not add key: Evaldo Gardenali (User PIN):Private Key
Comment 17 Evaldo Gardenali 2009-10-26 12:08:04 EDT
Forgot to mention, but I am able to use the token for mail signing and decryption, as well as client-certificate-login with SeaMonkey (Firefox is in the middle of a fight with radeon X driver and kernel)

And yes, I remembered to log out from all other nss/pkcs11 instances before trying ssh.
Comment 18 Tomas Mraz 2009-10-26 12:19:50 EDT
Yes, comment 16 describes a bug in ssh-add which was fixed in openssh-5.2p1-29. Jan, could you please get this fix into F-12?
Comment 19 Jan F. Chadima 2009-10-27 12:30:35 EDT
The patch is added to the Fedora 12 candidates now.
Comment 20 Evaldo Gardenali 2009-10-28 14:49:14 EDT
Confirmed working on latest rawhide with the following OpenSSH, for my Cryptoflex e-gate 32K card.
openssh-clients-5.2p1-29.fc12.x86_64
openssh-server-5.2p1-29.fc12.x86_64
openssh-5.2p1-29.fc12.x86_64
openssh-askpass-5.2p1-29.fc12.x86_64
Comment 21 Evaldo Gardenali 2009-10-28 15:00:18 EDT
Note: the default SSH_AUTH_SOCK for Fedora points to gnome-keyring, which does not honor .ssh/<nss_files>. Needs investigation to see if it supports PKCS#11 at all.

To use this successfully, I am using:
ssh-agent bash
ssh-add -n
ssh foo@bar
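A login-profile wrapper in the spirit of the one in comment 6, extended with the caveat from comment 21; this is an added example, not one of the attached scripts. It keys its decision on ssh-add's documented exit status (0 identities listed, 1 command failed, 2 agent unreachable) instead of grepping alone, so a socket that is not a usable ssh-agent is reported rather than prompting for the PIN; `classify_agent`, `agent_state` and `maybe_load_card` are names chosen here, and `ssh-add -n` is the Fedora NSS-patched form used in comment 21.

```shell
#!/bin/sh
# Added example (not one of the attached scripts): decide from `ssh-add -l`
# whether the smart card needs to be loaded into the running agent.
# Exit codes follow ssh-add(1): 0 = identities listed, 1 = command failed
# (this is the "The agent has no identities." case), 2 = cannot contact agent.

# classify_agent <exit_code> <output>  -> prints loaded | empty | noagent | error
classify_agent() {
    rc=$1
    out=$2
    case "$rc" in
        0) echo loaded ;;
        2) echo noagent ;;
        *)
            case "$out" in
                *"The agent has no identities."*) echo empty ;;
                *) echo error ;;
            esac
            ;;
    esac
}

# agent_state: run ssh-add -l against $SSH_AUTH_SOCK and classify the result.
# The exit status of a plain assignment is that of its command substitution.
agent_state() {
    out=$(ssh-add -l 2>&1)
    classify_agent "$?" "$out"
}

# maybe_load_card: only touch the card (and prompt for the PIN) when the agent
# is reachable and empty. A socket that answers with garbage, e.g. one that does
# not speak the NSS extension (comment 21's gnome-keyring note), is reported.
maybe_load_card() {
    case "$(agent_state)" in
        loaded)
            return 0 ;;
        empty)
            echo "loading smart card into ssh-agent (may take ~20 seconds)" >&2
            # Fedora NSS-patched ssh-add, as used in comment 21.
            ssh-add -n ;;
        noagent)
            echo "no ssh-agent reachable at SSH_AUTH_SOCK=$SSH_AUTH_SOCK;" \
                 "start one with: ssh-agent bash" >&2
            return 2 ;;
        *)
            echo "unexpected ssh-add response, not loading the card" >&2
            return 1 ;;
    esac
}
```

Call `maybe_load_card` from ~/.bashrc or .profile in place of the bare `ssh-card-init` invocation.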
Comment 22 Juha Tuomala 2010-01-28 14:28:25 EST
(In reply to comment #19)
> The patch is added to fedora 12 candidates now.    

Could we get those into f11 too?