Bug 2207793

Summary: ssh smart card login fails with error in libcrypto
Product: Red Hat Enterprise Linux 9
Reporter: Scott Poore <spoore>
Component: openssh
Assignee: Dmitry Belyavskiy <dbelyavs>
Status: VERIFIED
QA Contact: Marek Havrila <mhavrila>
Severity: medium
Priority: high
Version: 9.3
CC: atikhono, dbelyavs, jjelen, mhavrila
Target Milestone: rc
Keywords: Regression, Triaged
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: openssh-8.7p1-32.el9
Doc Type: No Doc Update
Story Points: ---
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---

Description Scott Poore 2023-05-16 22:17:53 UTC
Description of problem:

With an IPA client configured for Smart Card authentication, we are seeing issues with SSH:

# ssh -I /usr/lib64/opensc-pkcs11.so -l ipauser1 localhost whoami
sign_and_send_pubkey: signing failed for RSA "pkcs11:?module-path=/usr/lib64/opensc-pkcs11.so": error in libcrypto


Version-Release number of selected component (if applicable):
openssh-server-8.7p1-30.el9.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Configure IPA environment for smart card authentication
2. ssh -I /usr/lib64/opensc-pkcs11.so -l ipauser1 localhost

Actual results:
Fails to prompt for PIN and returns the error seen above.

Expected results:
Prompts for PIN and logs user into remote system.

Additional info:

Comment 3 Scott Poore 2023-05-16 22:23:54 UTC
Forgot to mention the version that worked:

openssh-server-8.7p1-28.el9.x86_64

Comment 4 Jakub Jelen 2023-05-17 07:35:36 UTC
Thanks for the logs. From the pkcs11 spy, it is visible only that the keys are listed correctly, but after that, OpenSSH does not continue to the `C_Login()` for some reason.

So we will need some more debugging inside of OpenSSH to figure out why it fails to sign using the pkcs11-provided key, as it never reaches OpenSC.
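Added triage helper, not part of the bug report or of OpenSSH/OpenSC: it reads a pkcs11-spy trace (the kind Comment 4 refers to), lists the PKCS#11 calls in order and reports whether the client ever reached `C_Login`, so the "keys listed but no login" symptom can be confirmed from the trace rather than by eye. It assumes the trace has one `<seq>: C_Function` line per call, as OpenSC's pkcs11-spy writes to the file named by `PKCS11SPY_OUTPUT`; the sample trace below is constructed.

```shell
#!/bin/sh
# Assumed capture (not run here): route ssh through the spy module, e.g.
#   PKCS11SPY=/usr/lib64/opensc-pkcs11.so PKCS11SPY_OUTPUT=/tmp/spy.log \
#     ssh -I /usr/lib64/pkcs11-spy.so -l ipauser1 localhost whoami

# Print the PKCS#11 function names found in a trace file, in call order.
spy_calls() {
    sed -n 's/^ *[0-9][0-9]*: \(C_[A-Za-z]*\).*/\1/p' "$1"
}

# Classify how far the client got before giving up:
#   login-reached    C_Login was called (PIN prompt path was taken)
#   listed-no-login  objects were enumerated but C_Login never came (this bug)
#   no-objects       the client never searched the token for keys
spy_stage() {
    calls=$(spy_calls "$1")
    case "$calls" in
        *C_Login*)       echo login-reached ;;
        *C_FindObjects*) echo listed-no-login ;;
        *)               echo no-objects ;;
    esac
}

# Last PKCS#11 call in the trace, worth quoting when reporting the failure.
spy_last_call() {
    spy_calls "$1" | tail -n 1
}

# Constructed sample trace matching the symptom in this bug: keys are found
# and inspected, then the module is finalized without any C_Login.
demo_trace=$(mktemp)
printf '%s\n' \
    '0: C_Initialize' 'Returned:  0 CKR_OK' \
    '1: C_GetSlotList' 'Returned:  0 CKR_OK' \
    '2: C_FindObjectsInit' '3: C_FindObjects' \
    '4: C_GetAttributeValue' '5: C_Finalize' > "$demo_trace"
echo "stage: $(spy_stage "$demo_trace"), last call: $(spy_last_call "$demo_trace")"
rm -f "$demo_trace"
```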