Bug 186469 - pkcs11 / smartcard support for openssh
Summary: pkcs11 / smartcard support for openssh
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jan F. Chadima
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2006-03-23 19:02 UTC by Cornelius Kölbel
Modified: 2011-01-26 21:53 UTC (History)
CC: 10 users

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-01-26 16:19:35 UTC
Type: ---
Embargoed:


Attachments
patch to Alon's patch to make it apply to Fedora 7's openssh source rpm (736 bytes, patch), uploaded 2007-06-26 20:25 UTC by Todd Denniston
change to Fedora 7's openssh SRPMs spec to make Alon's patch work (3.07 KB, patch), uploaded 2007-06-26 20:27 UTC by Todd Denniston
patch to Alon's pkcs11-helper's spec file to make it build binary rpms on Fedora 7 (469 bytes, patch), uploaded 2007-06-26 20:28 UTC by Todd Denniston
A script to put the attached patches together with the SRPMs until a Fedora person does it right. (3.99 KB, text/plain), uploaded 2007-06-26 20:30 UTC by Todd Denniston
A script to get the smart card recognized by ssh-agent, to be run from ~/.bashrc or .profile. (980 bytes, text/plain), uploaded 2007-06-26 20:33 UTC by Todd Denniston
naively create an authorized_keys file with ssh-add. (973 bytes, text/plain), uploaded 2007-06-26 20:36 UTC by Todd Denniston

Description Cornelius Kölbel 2006-03-23 19:02:14 UTC
Description of problem:
there is a patch by alon bar-lev that enhances openssh with a pkcs11 interface.
The same patch went into openvpn 2.1beta enabling openvpn to read certificates
and the private key from a smartcard.
The openssh team refuses to add this patch to the default source tree. 
Using this patch you can improve your security by storing your private key not
on the harddisk anymore but on the smartcard.
The openssh-package of fedore should contain this patch, to improve the
usability of smartcards under linux
Please contact alon.barlev for the patch.

Version-Release number of selected component (if applicable):
openssh 4.3p1

Comment 1 Tomas Mraz 2006-03-24 07:21:49 UTC
We will consider this during FC6 development cycle.


Comment 2 Todd Denniston 2007-06-26 20:25:37 UTC
Created attachment 157950 [details]
patch to Alon's patch to make it apply to Fedora 7's openssh source rpm

Comment 3 Todd Denniston 2007-06-26 20:27:15 UTC
Created attachment 157951 [details]
change to Fedora 7's openssh SRPMs spec to make Alon's patch work

Comment 4 Todd Denniston 2007-06-26 20:28:36 UTC
Created attachment 157952 [details]
patch to Alon's pkcs11-helper's spec file to make it build binary rpms on Fedora 7

Comment 5 Todd Denniston 2007-06-26 20:30:01 UTC
Created attachment 157953 [details]
A script to put the attached patches together with the SRPMs until a Fedora person does it right.

Comment 6 Todd Denniston 2007-06-26 20:33:07 UTC
Created attachment 157954 [details]
A script to get the smart card recognized by ssh-agent, to be run from ~/.bashrc or .profile.

might want to wrap this script with something like:
if ssh-add -l 2>&1 | grep -q "The agent has no identities."
then
  # kick the card info into the agent.
  echo "starting ssh-card-init may take ~20 seconds."
  ssh-card-init
fi
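The wrapper above keys on the text of ssh-add's message. The following is an added example (it is not Todd Denniston's attached script) that makes the same decision from the exit status of `ssh-add -l` instead, which does not depend on the locale or on how the output is quoted: OpenSSH's `ssh-add -l` exits 0 when it listed identities, 1 when the agent has no identities, and 2 when it could not connect to an agent. The default init command, `ssh-card-init`, is the attachment from this thread; the optional command arguments to `agent_state` exist so the function can be exercised without a running agent.

```shell
#!/bin/sh
# Added example for this thread, not Todd Denniston's attached script:
# decide whether the card needs loading into ssh-agent from the exit
# status of `ssh-add -l` rather than by grepping its message text.
# ssh-add -l exit status: 0 = identities listed, 1 = agent has no
# identities, 2 = could not connect to the agent.

# agent_state [cmd...]: run the listing command (default: ssh-add -l)
# and print one word: loaded, empty, unreachable or unknown.
agent_state() {
    [ $# -gt 0 ] || set -- ssh-add -l
    rc=0
    "$@" >/dev/null 2>&1 || rc=$?
    case $rc in
        0) echo loaded ;;
        1) echo empty ;;
        2) echo unreachable ;;
        *) echo unknown ;;
    esac
}

# maybe_init_card [init-cmd]: load the card only when the agent is empty.
# The default init command is the thread's ssh-card-init attachment; any
# script that runs the right ssh-add for your token can be passed instead.
maybe_init_card() {
    init_cmd=${1:-ssh-card-init}
    case $(agent_state) in
        loaded)
            return 0 ;;
        empty)
            echo "starting $init_cmd, may take ~20 seconds" >&2
            "$init_cmd" ;;
        unreachable)
            # nothing to load into: no agent behind SSH_AUTH_SOCK
            echo "no ssh-agent reachable (SSH_AUTH_SOCK=${SSH_AUTH_SOCK:-unset})" >&2
            return 2 ;;
        *)
            echo "unexpected ssh-add exit status" >&2
            return 1 ;;
    esac
}
```

Call `maybe_init_card` from ~/.bashrc in place of the grep test; the `unreachable` branch keeps a login shell from hanging on a card prompt when no agent was started at all.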

Comment 7 Todd Denniston 2007-06-26 20:36:04 UTC
Created attachment 157955 [details]
naively create an authorized_keys file with ssh-add.

Comment 8 Todd Denniston 2007-06-26 20:42:31 UTC
FC6 has come and gone, yet Alon's patches have not made it into the upstream nor
Fedora.

My hope is that by making patches that apply to the SRPMs, someone who knows how
to fix RPMs correctly can get these correctly integrated into the Fedora system now.

Method for use:
put
Buildssh.sh
openssh.spec.patch
openssh-4.5p1pkcs11-0.19.patch.FC7.patch
pkcs11-helper.spec.1.03.patch
in a directory [$HOME/patches/ in the Buildssh.sh script]

run Buildssh.sh to build the binary RPMs.
install the new rpms
$TOPDIR/RPMS/i386/pkcs11-helper-*
$TOPDIR/RPMS/i386/openssh*

logout (to get a new ssh-agent with the new capabilities)
login
run `ssh-card-init` to let ssh-agent know about your card.
if needed build authorized_keys with 
generate_authorized_keys_naive > /whereSshdLooks/authorized_keys

ssh whereEverThoseKeysLetYouIn


Thanks.

Comment 9 Todd Denniston 2007-06-26 21:16:59 UTC
Bah!
did not realize that bugzilla pretty much throws away 
(does not display to the downloaders) the names of the attached files.

here is a map.
patch to Alon's patch to make it apply to Fedora 7's openssh source rpm
attachment (id=157950) is openssh-4.5p1pkcs11-0.19.patch.FC7.patch

change to Fedora 7's openssh SRPMs spec to make Alon's patch work
attachment (id=157951) is openssh.spec.patch
patch to Alon's pkcs11-helper's spec file to make it build binary rpms on Fedora 7
attachment (id=157952) is pkcs11-helper.spec.1.03.patch

A script to put the attached patches together with the SRPMs until a Fedora
person does it right.   	
attachment (id=157953) is Buildssh.sh

A script to get the smart card recognized by ssh-agent, to be run from ~/.bashrc
or .profile.
attachment (id=157954) is ssh-card-init

naively create an authorized_keys file with ssh-add.
attachment (id=157955) is generate_authorized_keys_naive


Comment 10 Alon Bar-Lev 2007-06-27 17:28:22 UTC
Hello,

The following settings in attachment 157952 are required because of coolkey-specific
PKCS#11 incompatibilities.
@@ -44,6 +44,8 @@
 %build
 %configure -q \
 	--disable-rpath \
+	--disable-threading \
+	--disable-slotevent \
 %if %{?with_doc}
 	--enable-doc
 %endif
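Review bot: `--disable-threading` and `--disable-slotevent` are added unconditionally to the `%configure` call, so they switch those features off for every consumer of the resulting pkcs11-helper package, not only for coolkey users. Since the spec already gates options with a conditional (`%if %{?with_doc}` / `--enable-doc`), suggest wrapping the two new lines in a build conditional of the same form, e.g. `%if %{?with_coolkey_workaround}`, so the default build keeps threading and slot events and only a deliberately flagged build carries the workaround.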

I do not recommend adding this as most users will require this when 
pkcs11-helper is used by different components (OpenVPN, gnupg-pkcs11-scd, 
qca-2)

I have no access to open coolkey bugs and developers did not open the bugs for
themselves. There are two issues with coolkey:
1. Return empty metadata for manufacturerID, model, serialNumber.
2. Does not handle fork() correctly.

Other than coolkey there are many fully working providers
https://www.opensc-project.org/pkcs11-helper/wiki/WorkingProviders

Also a note regarding the Redhat NSS "thing" -- in order to integrate an
application with a smartcard, you can probably replace the underlying crypto
implementation of all projects. But the fact is that NSS is much too complex,
as it manages its own repository and policies.

The best example is what happened to pam_pkcs11 after a Red Hat developer messed
it up with NSS, leaving a partial implementation in legacy and providing some other
implementation with NSS.

Please don't do this to OpenSSH.

This patch provides a simple and light PKCS#11 integration, as well as adding
support for multiple providers, token prompt and an X.509 patch.

Thank you.

Comment 11 Tomas Mraz 2007-09-24 19:38:29 UTC
We have experimental PKCS11 support through NSS in rawhide which aligns with the
goal of crypto consolidation of Fedora
(http://fedoraproject.org/wiki/FedoraCryptoConsolidation).

I'm sorry but we will not add another PKCS11 patch without upstream acceptance.


Comment 12 Giuseppe Paterno 2009-02-18 12:58:21 UTC
Any update?

Comment 13 Evaldo Gardenali 2009-03-12 04:24:47 UTC
Please enable --with-opensc, which is available upstream without any patches, so we can use our smartcards. I have it working in other distributions and operating systems for a while.

Comment 14 Evaldo Gardenali 2009-10-26 15:27:28 UTC
Why is it closed? I still do not see OpenSSH working with smartcards...

Test Machine Details
Fedora release 11.92 (Rawhide)
openssh-5.2p1-28.fc12.x86_64
opensc-0.11.9-2.fc12.x86_64

Agent in debug-mode
# ssh-agent -d
SSH_AUTH_SOCK=/tmp/ssh-VRNAA11085/agent.11085; export SSH_AUTH_SOCK;
echo Agent pid 11085;
debug1: type 1
debug1: type 11
debug1: XXX shrink: 3 < 4
debug1: type 20
Unknown message 20
debug1: XXX shrink: 3 < 4

Test
# opensc-tool -a
Using reader with a card: Schlumberger E-Gate
3b:95:18:40:ff:62:01:02:01:04
# opensc-tool -n
Using reader with a card: Schlumberger E-Gate
Cryptoflex 32K e-gate
# SSH_AUTH_SOCK=/tmp/ssh-VRNAA11085/agent.11085; export SSH_AUTH_SOCK;
# ssh-add -s 0
Enter passphrase for smartcard: 
SSH_AGENT_FAILURE
Could not add card: 0

Proof of token in working conditions
# pkcs11-tool --login -t --slot 0
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (Private Key) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: openssl error during verification: 0xffffffff (-1)
    RSA-PKCS: openssl error during verification: 0xffffffff (-1)
    SHA1-RSA-PKCS: openssl error during verification: 0xffffffff (-1)
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (Private Key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS:   ERR: C_Verify() returned CKR_GENERAL_ERROR (0x5)
Key unwrap (RSA)
  testing key 0 (Private Key) 
    DES-CBC: OK
    DES-EDE3-CBC: OK
    BF-CBC: OK
    CAST5-CFB: OK
Decryption (RSA)
  testing key 0 (Private Key) 
    RSA-X-509: OK
    RSA-PKCS: OK
Testing card detection
Please press return to continue, x to exit: 
Available slots:
Slot 0           Schlumberger E-Gate
  token label:   Evaldo Gardenali (User PIN)
  token manuf:   OpenSC Project
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  0002DD6900E40000
Slot 1           (empty)
...

Comment 15 Tomas Mraz 2009-10-26 15:43:49 UTC
Use the NSS support to enable ssh and ssh-agent to use your key on the smart card.
As opensc provides a pkcs11 library it is possible to do that without problems. See README.nss for how to use the NSS support.

Comment 16 Evaldo Gardenali 2009-10-26 16:06:07 UTC
Hi

Still no luck, I guess. Can you please point me what I am doing wrong?

Evaldo

[evaldo@goldstein .ssh]$ certutil -N -d .
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.

Enter new password: 
Re-enter password: 

[evaldo@goldstein .ssh]$ ls
cert8.db  key3.db  known_hosts  secmod.db

[evaldo@goldstein .ssh]$ modutil -add opensc -libfile /usr/lib64/opensc-pkcs11.so -dbdir .

WARNING: Performing this operation while the browser is running could cause
corruption of your security databases. If the browser is currently running,
you should exit browser before continuing this operation. Type 
'q <enter>' to abort, or <enter> to continue: 

Module "opensc" added to database.

[evaldo@goldstein .ssh]$ modutil -list -dbdir .

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
	 slots: 2 slots attached
	status: loaded

	 slot: NSS Internal Cryptographic Services
	token: NSS Generic Crypto Services

	 slot: NSS User Private Key and Certificate Services
	token: NSS Certificate DB

  2. opensc
	library name: /usr/lib64/opensc-pkcs11.so
	 slots: 16 slots attached
	status: loaded

	 slot: Schlumberger E-Gate
	token: Evaldo Gardenali (User PIN)

	 slot: Schlumberger E-Gate
	token: 

	 slot: Schlumberger E-Gate
	token: 
......

[evaldo@goldstein ~]$ ssh-add -l
The agent has no identities.

[evaldo@goldstein ~]$ ssh-add -n
Enter passphrase for token Evaldo Gardenali (User PIN): 
Error reading response length from authentication socket.
Could not add key: Evaldo Gardenali (User PIN):Private Key
Enter passphrase for token Evaldo Gardenali (User PIN): 
Error writing to authentication socket.
Could not add key: Evaldo Gardenali (User PIN):Private Key

[evaldo@goldstein ~]$ ssh-add -n -T 'Evaldo Gardenali'
Enter passphrase for token Evaldo Gardenali (User PIN): 
Error reading response length from authentication socket.
Could not add key: Evaldo Gardenali (User PIN):Private Key
Enter passphrase for token Evaldo Gardenali (User PIN): 
Error writing to authentication socket.
Could not add key: Evaldo Gardenali (User PIN):Private Key

Comment 17 Evaldo Gardenali 2009-10-26 16:08:04 UTC
Forgot to mention, but I am able to use the token for mail signing and decryption, as well as client-certificate-login with SeaMonkey (Firefox is in the middle of a fight with radeon X driver and kernel)

And yes, I remembered to log out from all other nss/pkcs11 instances before trying ssh.

Comment 18 Tomas Mraz 2009-10-26 16:19:50 UTC
Yes, comment 16 describes a bug in ssh-add which was fixed in openssh-5.2p1-29. Jan, could you please get this fix into F-12?

Comment 19 Jan F. Chadima 2009-10-27 16:30:35 UTC
The patch is added to fedora 12 candidates now.

Comment 20 Evaldo Gardenali 2009-10-28 18:49:14 UTC
Confirmed working on latest rawhide with the following OpenSSH, for my Cryptoflex e-gate 32K card.
openssh-clients-5.2p1-29.fc12.x86_64
openssh-server-5.2p1-29.fc12.x86_64
openssh-5.2p1-29.fc12.x86_64
openssh-askpass-5.2p1-29.fc12.x86_64

Comment 21 Evaldo Gardenali 2009-10-28 19:00:18 UTC
Note: the default SSH_AUTH_SOCK for Fedora points to gnome-keyring, which does not honor .ssh/<nss_files>. Needs investigation to see if it supports pkcs#11 at all.

To use this successfully, I am using:
ssh-agent bash
ssh-add -n
ssh foo@bar
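The NSS-side setup from comment 16 and the dedicated-agent recipe from comment 21, put together as an added example (not code from this thread or from the openssh package). It assumes the NSS database lives in ~/.ssh as in the thread, the opensc module path /usr/lib64/opensc-pkcs11.so shown above (override with OPENSC_LIB on other architectures), modutil's -force option to skip its interactive "browser running" prompt, and Fedora's NSS-patched `ssh-add -n`. The `modutil -list` output it parses to confirm a token is actually attached is a constructed sample in the format posted in comment 16.

```shell
#!/bin/sh
# Added example, not from the thread or the openssh package: create the NSS
# db in ~/.ssh once, register opensc once, check that modutil sees a token
# behind it, then run ssh under a fresh ssh-agent (comment 21) instead of
# the gnome-keyring socket the session inherits.

NSSDB=${NSSDB:-$HOME/.ssh}                              # as in comment 16
OPENSC_LIB=${OPENSC_LIB:-/usr/lib64/opensc-pkcs11.so}   # path from the thread

# setup_nss_for_ssh: idempotent version of the certutil/modutil steps.
setup_nss_for_ssh() {
    [ -f "$NSSDB/secmod.db" ] || certutil -N -d "$NSSDB" || return 1
    if ! modutil -list -dbdir "$NSSDB" | grep -qF "library name: $OPENSC_LIB"; then
        # -force: no "browser running" prompt, so this works from a script
        modutil -force -add opensc -libfile "$OPENSC_LIB" -dbdir "$NSSDB" || return 1
    fi
}

# module_tokens MODULE: read `modutil -list` output on stdin and print the
# non-empty token labels attached to MODULE (empty slots print "token: ").
module_tokens() {
    awk -v mod="$1" '
        /^ *[0-9]+\. /  { cur = $0; sub(/^ *[0-9]+\. /, "", cur) }
        cur == mod && /^[ \t]*token:/ {
            label = $0; sub(/^[ \t]*token:[ \t]*/, "", label)
            if (label != "") print label
        }'
}

# token_present MODULE: succeed only if at least one token label is attached,
# which is the state comment 16 shows before ssh-add -n can work at all.
token_present() {
    [ -n "$(modutil -list -dbdir "$NSSDB" | module_tokens "$1")" ]
}

# ssh_with_token [ssh args...]: comment 21's recipe in one function; the
# dedicated agent is killed again when the shell exits.
ssh_with_token() {
    setup_nss_for_ssh || return 1
    token_present opensc || { echo "no token behind $OPENSC_LIB" >&2; return 1; }
    eval "$(ssh-agent -s)" >/dev/null || return 2
    trap 'ssh-agent -k >/dev/null' EXIT
    ssh-add -n || return 1          # Fedora NSS patch: load keys via NSS/PKCS#11
    ssh "$@"
}

# Constructed sample of `modutil -list` output, in the format from comment 16
# (real output indents with tabs; the parser accepts tabs or spaces).
SAMPLE_MODUTIL='  1. NSS Internal PKCS #11 Module
         slots: 2 slots attached
        status: loaded

         slot: NSS Internal Cryptographic Services
        token: NSS Generic Crypto Services

  2. opensc
        library name: /usr/lib64/opensc-pkcs11.so
         slots: 16 slots attached
        status: loaded

         slot: Schlumberger E-Gate
        token: Evaldo Gardenali (User PIN)

         slot: Schlumberger E-Gate
        token: '

# sample_tokens MODULE: run the parser over the constructed sample.
sample_tokens() {
    printf '%s\n' "$SAMPLE_MODUTIL" | module_tokens "$1"
}
```

Source the file and call `ssh_with_token foo@bar`; `sample_tokens opensc` shows what the parser extracts from the constructed listing (one label, the empty slots are skipped).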

Comment 22 Juha Tuomala 2010-01-28 19:28:25 UTC
(In reply to comment #19)
> The patch is added to fedora 12 candidates now.    

Could we get those into f11 too?

