Description of problem:
Cannot export public key with ssh-keygen and TPM 2.0 PKCS11 provider. This problem occurs on Fedora hosts, but works on Ubuntu hosts. BUG 1710832 may be related to this problem.
Initially reported in https://github.com/tpm2-software/tpm2-pkcs11/issues/592

Version-Release number of selected component (if applicable):
[root@7713a3df9acc ~]# rpm -qa openssh
openssh-8.4p1-4.fc33.x86_64

How reproducible:
This is reproducible from a container. The test to execute is the following:

#!/bin/bash
set -euxo pipefail

export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_STORE="/etc/tpm2_pkcs11"
export TPM2_PKCS11_LOG_LEVEL=0

rm ${TPM2_PKCS11_STORE} -fr || true
mkdir -p ${TPM2_PKCS11_STORE} || true

tpm2_clear
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin=sopin --userpin=userpin --label=label
tpm2_ptool config --key tcti --value "device:/dev/tpmrm0" --label=label
tpm2_ptool addkey --algorithm=rsa2048 --label=label --userpin=userpin

ssh-keygen -D ${TPM2_PKCS11_MODULE}

The Dockerfile to create the Fedora host is the following:

FROM fedora:33
RUN dnf install -y \
    tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools \
    gnutls-utils openssl-pkcs11 openssh
WORKDIR /root
ENV TPM2_PKCS11_MODULE="/usr/lib64/pkcs11/libtpm2_pkcs11.so"
COPY ./test.sh /root/test.sh
RUN chmod u+x /root/test.sh
CMD bash

Then, to build and run (in Docker or Podman with podman-docker):

docker build -f Dockerfile.fedora -t fedora-test .
docker run -ti --device /dev/tpmrm0 fedora-test /root/test.sh

Steps to Reproduce:
1. Build the container with the provided Dockerfile
2. Run the container with the provided command line
3. Inspect the output of the test

Actual results:
The output of the test is the following:

+ export TPM2TOOLS_TCTI=device:/dev/tpmrm0
+ TPM2TOOLS_TCTI=device:/dev/tpmrm0
+ export TPM2_PKCS11_TCTI=device:/dev/tpmrm0
+ TPM2_PKCS11_TCTI=device:/dev/tpmrm0
+ export TPM2_PKCS11_STORE=/etc/tpm2_pkcs11
+ TPM2_PKCS11_STORE=/etc/tpm2_pkcs11
+ export TPM2_PKCS11_LOG_LEVEL=0
+ TPM2_PKCS11_LOG_LEVEL=0
+ rm /etc/tpm2_pkcs11 -fr
+ mkdir -p /etc/tpm2_pkcs11
+ tpm2_clear
+ tpm2_ptool init
action: Created
id: 1
+ tpm2_ptool addtoken --pid=1 --sopin=sopin --userpin=userpin --label=label
+ tpm2_ptool config --key tcti --value device:/dev/tpmrm0 --label=label
+ tpm2_ptool addkey --algorithm=rsa2048 --label=label --userpin=userpin
action: add
private:
  CKA_ID: '30613236653662393036666365636532'
public:
  CKA_ID: '30613236653662393036666365636532'
+ ssh-keygen -D /usr/lib64/pkcs11/libtpm2_pkcs11.so
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /run/tpm2-tss/eventlog/ does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /root//.local/share/tpm2-tss/user/keystore does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /var/lib/tpm2-tss/system/keystore/policy does not exist, creating
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:221:Fapi_List_Finish() FAPI not provisioned.
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
invalid attribute length
failed to fetch key
Enter PIN for 'label':
invalid attribute length
failed to fetch key
cannot read public key from pkcs11

Expected results:
If you run the same test in an Ubuntu-based container, the public key is extracted without problems. The logs are below:

+ export TPM2TOOLS_TCTI=device:/dev/tpmrm0
+ TPM2TOOLS_TCTI=device:/dev/tpmrm0
+ export TPM2_PKCS11_TCTI=device:/dev/tpmrm0
+ TPM2_PKCS11_TCTI=device:/dev/tpmrm0
+ export TPM2_PKCS11_STORE=/etc/tpm2_pkcs11
+ TPM2_PKCS11_STORE=/etc/tpm2_pkcs11
+ export TPM2_PKCS11_LOG_LEVEL=0
+ TPM2_PKCS11_LOG_LEVEL=0
+ rm /etc/tpm2_pkcs11 -fr
+ mkdir -p /etc/tpm2_pkcs11
+ tpm2_clear
+ tpm2_ptool init
action: Created
id: 1
+ tpm2_ptool addtoken --pid=1 --sopin=sopin --userpin=userpin --label=label
+ tpm2_ptool config --key tcti --value device:/dev/tpmrm0 --label=label
+ tpm2_ptool addkey --algorithm=rsa2048 --label=label --userpin=userpin
action: add
private:
  CKA_ID: '34323963383933663733633832323862'
public:
  CKA_ID: '34323963383933663733633832323862'
+ ssh-keygen -D /usr/local/lib/libtpm2_pkcs11.so
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /root//.local/share/tpm2-tss/user/keystore does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /usr/local/var/lib/tpm2-tss/system/keystore/policy does not exist, creating
WARNING:fapi:src/tss2-fapi/api/Fapi_List.c:226:Fapi_List_Finish() Profile of path not provisioned: /HS/SRK
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCk4uViXY06BFvjQwGUDI1HUqUK0JWI1U0AQkzBnHJ4ei4THKczbGA9NGARv0Qft1OxPAPjGYrweMVfAHfbWK96smfQ9LqPVN+LeFqKYmMvjKBTG/gQdS/QoGi2fcVf4kCihGU+Df1CmJGCxgzBby5yVMXoKfgEVizAbrEDlnfje+J4Shc0ge1VZiF8WYIDe1xm/dncq0/nfmJT0c+y4apUMXq6Jkd1WP/B9uGU2ojDB9Hgy+u2DcsiwZjKW3mCn6702QmUkkBjd5f+iPwU7x3stEBsfoRjIsH+mthMh6Da2rXEIp7rR+9U2fkDPpvCF6mWmZAbnHE3amFFZSzibich

Additional info:
For reference, the Dockerfile for the Ubuntu container to execute the test is the following, using the same package versions:

FROM ubuntu:20.04
ENV TZ=America/Argentina
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN apt-get update && apt-get -y install git
RUN git clone https://github.com/tpm2-software/tpm2-tss && \
    cd tpm2-tss && \
    git checkout 3.0.1 && \
    apt-get -y install \
        autoconf-archive libcmocka0 libcmocka-dev procps iproute2 \
        build-essential pkg-config gcc libtool automake libssl-dev \
        uthash-dev autoconf doxygen libjson-c-dev libini-config-dev \
        libcurl4-openssl-dev && \
    ./bootstrap && ./configure && make -j4 && make install && \
    export PKG_CONFIG_PATH=/usr/local/lib/pkgconfig/ && \
    ldconfig
RUN git clone https://github.com/tpm2-software/tpm2-tools && \
    cd tpm2-tools && \
    git checkout 4.3.0 && \
    apt-get -y install \
        autoconf automake libtool pkg-config gcc libssl-dev \
        libcurl4-gnutls-dev uuid-dev python-yaml && \
    ./bootstrap && ./configure && make -j4 && make install
RUN git clone https://github.com/tpm2-software/tpm2-pkcs11 && \
    cd tpm2-pkcs11 && \
    git checkout 1.4.0 && \
    apt-get -y install \
        automake make gcc libsqlite3-dev autoconf-archive \
        python3.8 python3-pip libyaml-dev && \
    python3.8 -m pip install pip && \
    ./bootstrap && ./configure && make -j4 && make install && \
    cd tools && \
    python3.8 -m pip install . && \
    python3.8 -m pip install cffi && \
    python3.8 setup.py install
ENV TPM2_PKCS11_MODULE="/usr/local/lib/libtpm2_pkcs11.so"
COPY ./test.sh /root/test.sh
RUN chmod u+x /root/test.sh
WORKDIR /root
Can you try to get more debugging information from ssh-keygen by using verbose mode:

ssh-keygen -vvv -D /usr/lib64/pkcs11/libtpm2_pkcs11.so

It is not exactly clear where the issue comes from. From a fast check of the code, it looks like the key will miss the label, which is not recommended but not invalid. Can you try with the following change:

https://src.fedoraproject.org/rpms/openssh/pull-request/16

It should correctly accept empty labels for keys.
Running ssh-keygen with -vvv:

+ ssh-keygen -vvv -D /usr/lib64/pkcs11/libtpm2_pkcs11.so
debug1: pkcs11_add_provider_by_uri: called, provider_uri = pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /run/tpm2-tss/eventlog/ does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /root//.local/share/tpm2-tss/user/keystore does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /var/lib/tpm2-tss/system/keystore/policy does not exist, creating
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:221:Fapi_List_Finish() FAPI not provisioned.
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
debug1: provider /usr/lib64/pkcs11/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0
debug1: provider pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so slot 0: label <label> manufacturerID <MSFT> model <IoT Software TP> serial <000000000000000> flags 0x40d
invalid attribute length
failed to fetch key
debug3: pkcs11_register_provider_by_uri: Trying to login as there were no keys found
Enter PIN for 'label':
invalid attribute length
failed to fetch key
debug2: pkcs11_register_provider_by_uri: ignoring uninitialised token in provider pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so slot 1
debug1: pkcs11_provider_finalize: 0x55ecca106840 refcount 1 valid 1
debug1: pkcs11_module_unref: 0x55ecca108240 refcount 1
debug1: pkcs11_module_finalize: 0x55ecca108240 refcount 0 valid 1
debug1: pkcs11_provider_unref: 0x55ecca106840 refcount 1
debug1: pkcs11_add_provider_by_uri: provider pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so returned no keys
cannot read public key from pkcs11

And this is the output of the same in the Ubuntu container:

+ ssh-keygen -vvv -D /usr/local/lib/libtpm2_pkcs11.so
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /root//.local/share/tpm2-tss/user/keystore does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /usr/local/var/lib/tpm2-tss/system/keystore/policy does not exist, creating
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:221:Fapi_List_Finish() FAPI not provisioned.
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
debug1: provider /usr/local/lib/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0
debug1: provider /usr/local/lib/libtpm2_pkcs11.so slot 0: label <label> manufacturerID <MSFT> model <IoT Software TP> serial <000000000000000> flags 0x40d
debug1: have 1 keys
debug2: pkcs11_register_provider: ignoring uninitialised token in provider /usr/local/lib/libtpm2_pkcs11.so slot 1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDyTUtBLCWoCCs9PikNQBy+Ie8TOfOILa3+mADG3nydUXr2ClG7syBxxM0Mzr0VlT61RCEJ9CY5qnCuIIRZYQ3wrKevgNpPzq5SSRxTtQgzmUgbX3k0QxPn8J/Gr0Gg1+5O9rZdV4VCZ6NwZ7qrYcCTYVF9PisUZCA1cetyjRK6O4+SJgpdAOevOZijn6t0YjL2hFpgx0ZUyjABgHtpKjhX0vCIQC9f2u4v3839kgCJSjUNF5R7BylZDXAedkuwbaFA/WyMrw2D7aBQMj40FC0vqG4M2oq9HwxbsZjKCnL+Q7ay40ELCoNKx5JQG6rBAO49EdqyhnhgWdJt1YJaI3UB
debug1: pkcs11_k11_free: parent 0x55da32491a00 ptr 0x55da324734d0 idx 1
debug1: pkcs11_provider_unref: 0x55da324438b0 refcount 2
debug1: pkcs11_provider_finalize: 0x55da324438b0 refcount 1 valid 1
debug1: pkcs11_provider_unref: 0x55da324438b0 refcount 1
I am unable to install any of the rpms in https://kojipkgs.fedoraproject.org//work/tasks/87/60210087/ for testing in my fedora:33 container:

[root@38d2beae9488 ~]# rpm -ivh ./openssh-8.4p1-4.fc34.x86_64.rpm
error: Failed dependencies:
	libc.so.6(GLIBC_2.33)(64bit) is needed by openssh-8.4p1-4.fc34.x86_64

Can you generate an rpm for f33 to test?
I am 99% sure that the fix will work, so I pushed it already to rawhide (with a couple of other issues). Here is a Fedora 33 scratch build to test:

https://koji.fedoraproject.org/koji/taskinfo?taskID=60445865

Thanks.
You were 100% right! :)

+ ssh-keygen -vvv -D /usr/lib64/pkcs11/libtpm2_pkcs11.so
debug1: pkcs11_add_provider_by_uri: called, provider_uri = pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /run/tpm2-tss/eventlog/ does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /root//.local/share/tpm2-tss/user/keystore does not exist, creating
WARNING:fapi:src/tss2-fapi/ifapi_io.c:282:ifapi_io_check_create_dir() Directory /var/lib/tpm2-tss/system/keystore/policy does not exist, creating
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:221:Fapi_List_Finish() FAPI not provisioned.
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
debug1: provider /usr/lib64/pkcs11/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0
debug1: provider pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so slot 0: label <label> manufacturerID <MSFT> model <IoT Software TP> serial <000000000000000> flags 0x40d
debug1: have 1 keys
debug2: pkcs11_register_provider_by_uri: ignoring uninitialised token in provider pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so slot 1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCQCtN3iKmfdy7z0ZoKjSOKxut8s5nEPfkFMd/+OpOMe4DFgbDpDiSUrx+/zzEUza9oh56u7ZXm3Z9NqEVAU01BT59mwqehjGEgJbIbFo48gpKNHExdYjYbVMcZVYWEc1rJXmZCb5pYCOsKMDRUiBoz6x6nL+o0Wpe8siqGQ0q90MM2tBhhz3OPZZ0tnudby1gTVU8TccgWh/gNe2SWLO5sBobt3xN8gq02D3DagFGMUFzJ+MKPpszkMoCCQ+pXCfF0AN6WdiI4X5m8SwtC7edCbeMl3zckGeT2Ys9QQqs9dSDXyWPloj9+Q7TKfMF6U22JguanMA3eeZYGRv0V9oqr pkcs11:id=%63%34%36%65%61%61%65%36%66%38%62%39%38%35%31%36;token=label;manufacturer=MSFT?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so
debug1: pkcs11_k11_free: parent 0x564a7c4b0ec0 ptr 0x564a7c4b1000 idx 1
debug1: pkcs11_provider_unref: 0x564a7c455880 refcount 2
debug1: pkcs11_provider_finalize: 0x564a7c455880 refcount 1 valid 1
debug1: pkcs11_module_unref: 0x564a7c457280 refcount 1
debug1: pkcs11_module_finalize: 0x564a7c457280 refcount 0 valid 1
debug1: pkcs11_provider_unref: 0x564a7c455880 refcount 1
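As an added example (not code from this bug report, OpenSSH or tpm2-pkcs11), the following Python parses and rebuilds the RFC 7512 pkcs11: URI that the fixed ssh-keygen prints after the key above, and shows how the CKA_ID that tpm2_ptool printed maps onto the percent-encoded id attribute that ssh accepts as an IdentityFile. The object dict and the `uri_selects` helper are assumptions for illustration, modelling how a URI picks a token object.

```python
# Added example: RFC 7512 PKCS#11 URI handling for a TPM2 PKCS#11 key.
from urllib.parse import quote, unquote_to_bytes

# Constructed sample with the shape of the URI printed by the patched
# ssh-keygen in the report (id bytes taken from that run's output).
SAMPLE_URI = ("pkcs11:id=%63%34%36%65%61%61%65%36%66%38%62%39%38%35%31%36;"
              "token=label;manufacturer=MSFT"
              "?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so")


def _split_attrs(part, sep):
    """Split 'k=v<sep>k=v' into a dict of percent-decoded byte values.
    CKA_ID is binary in PKCS#11, so values are kept as bytes, not str."""
    out = {}
    if not part:
        return out
    for item in part.split(sep):
        key, eq, value = item.partition("=")
        if not eq or not key:
            raise ValueError(f"malformed attribute {item!r}")
        if key in out:  # RFC 7512 forbids repeating an attribute
            raise ValueError(f"duplicate attribute {key!r}")
        out[key] = unquote_to_bytes(value)
    return out


def parse_pkcs11_uri(uri):
    """Return {'path': {...}, 'query': {...}} for a pkcs11: URI.
    Path attributes (id, token, object, ...) select the key; query
    attributes (module-path, ...) tell the client how to load the provider."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path, _, query = uri[len("pkcs11:"):].partition("?")
    return {"path": _split_attrs(path, ";"), "query": _split_attrs(query, "&")}


def ptool_cka_id_to_bytes(hex_id):
    """tpm2_ptool prints CKA_ID as the hex of the raw id bytes; those raw
    bytes are themselves an ASCII hex string, which is what the URI
    carries percent-encoded."""
    return bytes.fromhex(hex_id)


def build_pkcs11_uri(cka_id, token, module_path, manufacturer=None):
    """Build the URI form ssh/ssh-keygen accept as an IdentityFile.
    Every id byte is percent-encoded, as the patched ssh-keygen does."""
    enc_id = "".join(f"%{b:02X}" for b in cka_id)
    path = [f"id={enc_id}", f"token={quote(token, safe='')}"]
    if manufacturer:
        path.append(f"manufacturer={quote(manufacturer, safe='')}")
    return "pkcs11:" + ";".join(path) + "?module-path=" + quote(module_path, safe="/")


def uri_selects(parsed, token_label, obj):
    """Assumed helper: True if the URI's path attributes match a token
    object given as a dict of CKA_* byte values. An object whose CKA_LABEL
    is empty (the case the pre-fix Fedora ssh-keygen rejected with
    'invalid attribute length') still matches when the URI has no
    'object' attribute, which is why the label may legitimately be empty."""
    want = parsed["path"]
    if "token" in want and want["token"] != token_label.encode():
        return False
    if "id" in want and want["id"] != obj.get("CKA_ID", b""):
        return False
    if "object" in want and want["object"] != obj.get("CKA_LABEL", b""):
        return False
    return True


if __name__ == "__main__":
    parsed = parse_pkcs11_uri(SAMPLE_URI)
    print(parsed["path"]["id"], parsed["query"]["module-path"])
    # The CKA_ID from the report's first Fedora run, turned into a URI.
    print(build_pkcs11_uri(ptool_cka_id_to_bytes("30613236653662393036666365636532"),
                           "label", "/usr/lib64/pkcs11/libtpm2_pkcs11.so"))
```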
I am now able to generate the public key, but I still have problems to establish the ssh connection. The problem is that ssh is provided by the openssh-clients package, which depends on openssh-8.4, which overrides the fix (in Fedora 33). When I try to ssh, it complains about the same issue "invalid attribute length - failed to fetch key". Is this a different issue on the openssh-clients package?

[root@fedora-server issue-592]# ssh -vvv -I /usr/lib64/pkcs11/libtpm2_pkcs11.so test.net
OpenSSH_8.4p1, OpenSSL 1.1.1i FIPS 8 Dec 2020
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host fedora-server.mshome.net originally fedora-server.mshome.net
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host fedora-server.mshome.net originally fedora-server.mshome.net
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/root/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/root/.ssh/known_hosts2'
debug2: resolving "fedora-server.mshome.net" port 22
debug2: ssh_connect_direct
debug1: Connecting to fedora-server.mshome.net [172.18.88.118] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type 0
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: identity file 'pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so' from pkcs#11
debug3: pkcs11_uri_parse: Setting PKCS11Provider = /usr/lib64/pkcs11/libtpm2_pkcs11.so from PKCS#11 URI
debug1: pkcs11_add_provider_by_uri: called, provider_uri = pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:221:Fapi_List_Finish() FAPI not provisioned.
ERROR:fapi:src/tss2-fapi/api/Fapi_List.c:81:Fapi_List() ErrorCode (0x00060034) Entities_List
ERROR: Listing FAPI token objects failed.
debug1: provider /usr/lib64/pkcs11/libtpm2_pkcs11.so: manufacturerID <tpm2-software.github.io> cryptokiVersion 2.40 libraryDescription <TPM2.0 Cryptoki> libraryVersion 0.0
debug1: provider pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so slot 0: label <label> manufacturerID <MSFT> model <IoT Software TP> serial <000000000000000> flags 0x40d
invalid attribute length
failed to fetch key
debug3: pkcs11_register_provider_by_uri: Trying to login as there were no keys found
Enter PIN for 'label':
invalid attribute length
failed to fetch key
debug2: pkcs11_register_provider_by_uri: ignoring uninitialised token in provider pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so slot 1
debug1: pkcs11_provider_finalize: 0x557e163b2ca0 refcount 1 valid 1
debug1: pkcs11_module_unref: 0x557e163b40a0 refcount 1
debug1: pkcs11_module_finalize: 0x557e163b40a0 refcount 0 valid 1
debug1: pkcs11_provider_unref: 0x557e163b2ca0 refcount 1
debug1: pkcs11_add_provider_by_uri: provider pkcs11:?module-path=/usr/lib64/pkcs11/libtpm2_pkcs11.so returned no keys
debug1: Local version string SSH-2.0-OpenSSH_8.4
debug1: Remote protocol version 2.0, remote software version OpenSSH_8.4
debug1: match: OpenSSH_8.4 pat OpenSSH* compat 0x04000000
debug2: fd 5 setting O_NONBLOCK
debug1: Authenticating to fedora-server.mshome.net:22 as 'test'
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys from fedora-server.mshome.net
debug3: order_hostkeyalgs: have matching best-preference key type ecdsa-sha2-nistp256-cert-v01, using HostkeyAlgorithms verbatim
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,ext-info-c
debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01,ecdsa-sha2-nistp384-cert-v01,ecdsa-sha2-nistp521-cert-v01,sk-ecdsa-sha2-nistp256-cert-v01,ssh-ed25519-cert-v01,sk-ssh-ed25519-cert-v01,rsa-sha2-512-cert-v01,rsa-sha2-256-cert-v01,ssh-rsa-cert-v01,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256,ssh-ed25519,sk-ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: ciphers ctos: aes256-gcm,chacha20-poly1305,aes256-ctr,aes128-gcm,aes128-ctr
debug2: ciphers stoc: aes256-gcm,chacha20-poly1305,aes256-ctr,aes128-gcm,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm,hmac-sha1-etm,umac-128-etm,hmac-sha2-512-etm,hmac-sha2-256,hmac-sha1,umac-128 om,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm,hmac-sha1-etm,umac-128-etm,hmac-sha2-512-etm,hmac-sha2-256,hmac-sha1,umac-128 om,hmac-sha2-512
debug2: compression ctos: none,zlib,zlib
debug2: compression stoc: none,zlib,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519
debug2: ciphers ctos: aes256-gcm,chacha20-poly1305,aes256-ctr,aes128-gcm,aes128-ctr
debug2: ciphers stoc: aes256-gcm,chacha20-poly1305,aes256-ctr,aes128-gcm,aes128-ctr
debug2: MACs ctos: hmac-sha2-256-etm,hmac-sha1-etm,umac-128-etm,hmac-sha2-512-etm,hmac-sha2-256,hmac-sha1,umac-128 om,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256-etm,hmac-sha1-etm,umac-128-etm,hmac-sha2-512-etm,hmac-sha2-256,hmac-sha1,umac-128 om,hmac-sha2-512
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: aes256-gcm MAC: <implicit> compression: none
debug1: kex: client->server cipher: aes256-gcm MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug1: kex: curve25519-sha256 need=32 dh_need=32
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:Y8m6oz0i/+I06dgal7Kck9e75iQCm3Gkvq/AuLrDaCM
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys from fedora-server.mshome.net
debug3: hostkeys_foreach: reading file "/root/.ssh/known_hosts"
debug3: record_hostkey: found key type ECDSA in file /root/.ssh/known_hosts:3
debug3: load_hostkeys: loaded 1 keys from 172.18.88.118
debug1: Host 'fedora-server.mshome.net' is known and matches the ECDSA host key.
debug1: Found key in /root/.ssh/known_hosts:3
debug3: send packet: type 21
debug2: set_newkeys: mode 1
debug1: rekey out after 4294967296 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug3: receive packet: type 21
debug1: SSH2_MSG_NEWKEYS received
debug2: set_newkeys: mode 0
debug1: rekey in after 4294967296 blocks
debug1: Will attempt key: /root/.ssh/id_rsa RSA SHA256:C2F+ATA4RSiB4gLhaIt7TIfreD5i75/Uv+zOOmxKP88
debug1: Will attempt key: /root/.ssh/id_dsa
debug1: Will attempt key: /root/.ssh/id_ecdsa
debug1: Will attempt key: /root/.ssh/id_ecdsa_sk
debug1: Will attempt key: /root/.ssh/id_ed25519
debug1: Will attempt key: /root/.ssh/id_ed25519_sk
debug1: Will attempt key: /root/.ssh/id_xmss
debug2: pubkey_prepare: done
debug3: send packet: type 5
debug3: receive packet: type 7
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,sk-ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,sk-ecdsa-sha2-nistp256,webauthn-sk-ecdsa-sha2-nistp256>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug3: start over, passed a different list publickey,gssapi-keyex,gssapi-with-mic,password
debug3: preferred gssapi-with-mic,publickey,keyboard-interactive,password
debug3: authmethod_lookup gssapi-with-mic
debug3: remaining preferred: publickey,keyboard-interactive,password
debug3: authmethod_is_enabled gssapi-with-mic
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug1: Unspecified GSS failure. Minor code may provide more information
No Kerberos credentials available (default cache: KCM:)
debug2: we did not send a packet, disable method
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /root/.ssh/id_rsa RSA SHA256:C2F+ATA4RSiB4gLhaIt7TIfreD5i75/Uv+zOOmxKP88
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,password
debug1: Trying private key: /root/.ssh/id_dsa
debug3: no such identity: /root/.ssh/id_dsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa
debug3: no such identity: /root/.ssh/id_ecdsa: No such file or directory
debug1: Trying private key: /root/.ssh/id_ecdsa_sk
debug3: no such identity: /root/.ssh/id_ecdsa_sk: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519
debug3: no such identity: /root/.ssh/id_ed25519: No such file or directory
debug1: Trying private key: /root/.ssh/id_ed25519_sk
debug3: no such identity: /root/.ssh/id_ed25519_sk: No such file or directory
debug1: Trying private key: /root/.ssh/id_xmss
debug3: no such identity: /root/.ssh/id_xmss: No such file or directory
debug2: we did not send a packet, disable method
debug3: authmethod_lookup password
debug3: remaining preferred: ,password
debug3: authmethod_is_enabled password
debug1: Next authentication method: password
test.net's password:
Does the same step work on Ubuntu? There are only three places where this error "invalid attribute length" can show up. Two of them I changed to match upstream behavior (accepting empty labels). The other possibility when it can show up is when the CKA_SUBJECT of the certificate is not found. All the other fields are mandatory to have a working certificate/keys.
My bad! I missed the openssh-clients package in https://kojipkgs.fedoraproject.org//work/tasks/5911/60445911/. I fixed the Dockerfile for Fedora and the test, and now it works! Thank you!

Just to leave this documented, here is the Dockerfile and the test:

FROM fedora:33
RUN dnf install -y \
    tpm2-pkcs11 tpm2-pkcs11-tools tpm2-tools \
    gnutls-utils openssl-pkcs11
WORKDIR /root
ENV TPM2_PKCS11_MODULE="/usr/lib64/pkcs11/libtpm2_pkcs11.so"
RUN curl https://kojipkgs.fedoraproject.org//work/tasks/5911/60445911/openssh-8.4p1-5.fc33.x86_64.rpm --output openssh-8.4p1-5.fc33.x86_64.rpm && \
    rpm -ivh openssh-8.4p1-5.fc33.x86_64.rpm
RUN dnf install -y libedit libfido2
RUN curl https://kojipkgs.fedoraproject.org//work/tasks/5911/60445911/openssh-clients-8.4p1-5.fc33.x86_64.rpm --output openssh-clients-8.4p1-5.fc33.x86_64.rpm && \
    rpm -ivh openssh-clients-8.4p1-5.fc33.x86_64.rpm
RUN dnf install -y bind-utils sshpass
COPY ./test.sh /root/test.sh
RUN chmod u+x /root/test.sh

#!/bin/bash
set -euxo pipefail

export TPM2TOOLS_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_TCTI="device:/dev/tpmrm0"
export TPM2_PKCS11_STORE="/etc/tpm2_pkcs11"
export TPM2_PKCS11_LOG_LEVEL=0

rm ${TPM2_PKCS11_STORE} -fr || true
mkdir -p ${TPM2_PKCS11_STORE} || true

tpm2_clear
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --sopin=sopin --userpin=userpin --label=label
tpm2_ptool config --key tcti --value "device:/dev/tpmrm0" --label=label
tpm2_ptool addkey --algorithm=rsa2048 --label=label --userpin=userpin

SSH_SERVER_HOST='fedora-server.mshome.net'
SSH_SERVER_USER='test'
SSH_SERVER_PASS='*************'

mkdir -p ~/.ssh
# -vvv goes to stderr, so only the public key line lands in id_rsa.pub
ssh-keygen -vvv -D ${TPM2_PKCS11_MODULE} > id_rsa.pub
# Pin the server host key by name and by resolved address before connecting
ssh-keyscan -H ${SSH_SERVER_HOST} > ~/.ssh/known_hosts
ssh-keyscan -H $(host ${SSH_SERVER_HOST} | awk '{ print $4 }') >> ~/.ssh/known_hosts
sshpass -p ${SSH_SERVER_PASS} ssh-copy-id -f -i id_rsa.pub ${SSH_SERVER_USER}@${SSH_SERVER_HOST}
ssh -I ${TPM2_PKCS11_MODULE} ${SSH_SERVER_USER}@${SSH_SERVER_HOST}
Thanks for checking and good to hear it works.
Could you release this for FC33?
Sure. It's on the way.
FEDORA-2021-e025f25ac7 has been submitted as an update to Fedora 33. https://bodhi.fedoraproject.org/updates/FEDORA-2021-e025f25ac7
FEDORA-2021-e025f25ac7 has been pushed to the Fedora 33 testing repository. Soon you'll be able to install the update with the following command: `sudo dnf upgrade --enablerepo=updates-testing --advisory=FEDORA-2021-e025f25ac7` You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2021-e025f25ac7 See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2021-e025f25ac7 has been pushed to the Fedora 33 stable repository. If the problem still persists, please make note of it in this bug report.