Opened 4 years ago

Last modified 4 years ago

#52725 new defect

openssh @7.3p1 calls for wrong key type

Reported by: mouse07410 (Mouse) Owned by: macports-tickets@…
Priority: Normal Milestone:
Component: ports Version: 2.3.4
Keywords: Cc:
Port: openssh

Description


Change History (7)

comment:1 Changed 4 years ago by mouse07410 (Mouse)

The first issue was my fault - I wish I could edit the title to remove the "PKCS11Provider" part.

I am using OpenSSH (the current Macports version) with an RSA smart card. PKCS11 support is provided by OpenSC (the current GitHub master, well-tested and working fine).

The problem is - despite the token being RSA, it tries to ask for ECDSA keys, which of course results in 4 error messages. Since the connection succeeds, one can consider it a nuisance rather than a show-stopper, but it would be far nicer if you could help to get rid of those requests that cause those errors.

Here's what it looks like:

$ ssh github.com
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
Enter PIN for 'PIV Card Holder pin (PIV_II)': 
PTY allocation request failed on channel 0
Hi mouse07410! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
$ 

The connection/authentication succeeds - but before that ssh is trying to request ECC parameters from an RSA token, which causes the above errors.

Here's the PKCS11SPY trace:

This seems relevant. Note that the token is RSA and has nothing ECC-related in/on it.

$ ssh -I /Library/OpenSC/lib/pkcs11-spy. github.com
pkcs11-spy.dylib  pkcs11-spy.la     pkcs11-spy.so     
$ ssh -I /Library/OpenSC/lib/pkcs11-spy.dylib github.com


*************** OpenSC PKCS#11 spy *****************
Loaded: "/Library/OpenSC/lib/opensc-pkcs11.dylib"

0: C_GetFunctionList
2016-10-24 21:49:02.207
Returned:  0 CKR_OK

1: C_Initialize
2016-10-24 21:49:02.207
[in] pInitArgs = 0x0
Returned:  0 CKR_OK

2: C_GetInfo
2016-10-24 21:49:02.947
[out] pInfo: 
      cryptokiVersion:         2.20
      manufacturerID:         'OpenSC Project                  '
      flags:                   0
      libraryDescription:     'OpenSC smartcard framework      '
      libraryVersion:          0.16
Returned:  0 CKR_OK

3: C_GetSlotList
2016-10-24 21:49:02.947
[in] tokenPresent = 0x1
[out] pSlotList: 
Count is 1
[out] *pulCount = 0x1
Returned:  0 CKR_OK

4: C_GetSlotList
2016-10-24 21:49:02.949
[in] tokenPresent = 0x1
[out] pSlotList: 
Slot 0
[out] *pulCount = 0x1
Returned:  0 CKR_OK

5: C_GetTokenInfo
2016-10-24 21:49:02.950
[in] slotID = 0x0
[out] pInfo: 
      label:                  'PIV Card Holder pin (PIV_II)    '
      manufacturerID:         'piv_II                          '
      model:                  'PKCS#15 emulated'
      serialNumber:           'a0fxxxxxxxxxxxxx'
      ulMaxSessionCount:       0
      ulSessionCount:          0
      ulMaxRwSessionCount:     0
      ulRwSessionCount:        0
      ulMaxPinLen:             8
      ulMinPinLen:             4
      ulTotalPublicMemory:     -1
      ulFreePublicMemory:      -1
      ulTotalPrivateMemory:    -1
      ulFreePrivateMemory:     -1
      hardwareVersion:         0.0
      firmwareVersion:         0.0
      time:                   '                '
      flags:                   40d
        CKF_RNG                          
        CKF_LOGIN_REQUIRED               
        CKF_USER_PIN_INITIALIZED         
        CKF_TOKEN_INITIALIZED            
Returned:  0 CKR_OK

6: C_OpenSession
2016-10-24 21:49:02.968
[in] slotID = 0x0
[in] flags = 0x6
pApplication=0x0
Notify=0x0
[out] *phSession = 0x7fee5fd09720
Returned:  0 CKR_OK

7: C_FindObjectsInit
2016-10-24 21:49:02.968
[in] hSession = 0x7fee5fd09720
[in] pTemplate[1]: 
    CKA_CLASS             CKO_PUBLIC_KEY       
Returned:  0 CKR_OK

8: C_FindObjects
2016-10-24 21:49:02.968
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fee5ff04490 matches
Returned:  0 CKR_OK

9: C_GetAttributeValue
2016-10-24 21:49:02.968
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff04490
[in] pTemplate[3]: 
    CKA_ID                0000000000000000 / 0
    CKA_MODULUS           0000000000000000 / 0
    CKA_PUBLIC_EXPONENT   0000000000000000 / 0
[out] pTemplate[3]: 
    CKA_ID                0000000000000000 / 1
    CKA_MODULUS           0000000000000000 / 256
    CKA_PUBLIC_EXPONENT   0000000000000000 / xxx
Returned:  0 CKR_OK

10: C_GetAttributeValue
2016-10-24 21:49:02.968
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff04490
[in] pTemplate[3]: 
    CKA_ID                00007fee5fc25b20 / 1
    CKA_MODULUS           00007fee5fc26e30 / 256
    CKA_PUBLIC_EXPONENT   00007fee5fc25240 / xxx
[out] pTemplate[3]: 
    CKA_ID                00007fee5fc25b20 / 1
    00000000  01                                               .               
    CKA_MODULUS           00007fee5fc26e30 / 256
    00000000  9D 78 A2 BF 06 FD 20 19 1B 14 F1 F6 7A BE 1B 01  .x.... .....z...
    00000010  B1 9F E7 EF 82 64 D6 E1 3D 7D 94 E9 86 57 82 F7  .....d..=}...W..
    . . . . .
    000000F0  F2 55 C6 FA 93 8D 2F B1 F8 F8 82 45 98 FF B1 99  .U..../....E....
    CKA_PUBLIC_EXPONENT   00007fee5fc25240 / xxx
    . . . . .            
Returned:  0 CKR_OK

11: C_FindObjects
2016-10-24 21:49:02.969
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fee5ff044f0 matches
Returned:  0 CKR_OK

12: C_GetAttributeValue
2016-10-24 21:49:02.969
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff044f0
[in] pTemplate[3]: 
    CKA_ID                0000000000000000 / 0
    CKA_MODULUS           0000000000000000 / 0
    CKA_PUBLIC_EXPONENT   0000000000000000 / 0
[out] pTemplate[3]: 
    CKA_ID                0000000000000000 / 1
    CKA_MODULUS           0000000000000000 / 256
    CKA_PUBLIC_EXPONENT   0000000000000000 / xxx
Returned:  0 CKR_OK

13: C_GetAttributeValue
2016-10-24 21:49:02.969
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff044f0
[in] pTemplate[3]: 
    CKA_ID                00007fee5ff00bd0 / 1
    CKA_MODULUS           00007fee5ff07550 / 256
    CKA_PUBLIC_EXPONENT   00007fee5ff00be0 / xxx
[out] pTemplate[3]: 
    CKA_ID                00007fee5ff00bd0 / 1
    00000000  02                                               .               
    CKA_MODULUS           00007fee5ff07550 / 256
    00000000  BF 03 6F 94 56 56 89 D1 91 8B 1D F5 63 7F 8F 5C  ..o.VV......c.\
    . . . . .
    000000F0  52 ED EC EA 97 83 46 D9 0A 34 51 19 60 BD 5E EB  R.....F..4Q.`.^.
    CKA_PUBLIC_EXPONENT   00007fee5ff00be0 / xxx
    . . . . .             
Returned:  0 CKR_OK

14: C_FindObjects
2016-10-24 21:49:02.969
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fee5ff04550 matches
Returned:  0 CKR_OK
. . . . .

   [so far everything was CKR_OK]

26: C_GetAttributeValue
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff044f0
[in] pTemplate[3]: 
    CKA_ID                0000000000000000 / 0
    CKA_ECDSA_PARAMS      0000000000000000 / 0
    CKA_EC_POINT          0000000000000000 / 0
[out] pTemplate[3]: 
    CKA_ID                0000000000000000 / 1
    CKA_ECDSA_PARAMS      0000000000000000 / -1
    CKA_EC_POINT          0000000000000000 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue failed: 18

27: C_FindObjects
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fee5ff04550 matches
Returned:  0 CKR_OK

28: C_GetAttributeValue
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff04550
[in] pTemplate[3]: 
    CKA_ID                0000000000000000 / 0
    CKA_ECDSA_PARAMS      0000000000000000 / 0
    CKA_EC_POINT          0000000000000000 / 0
[out] pTemplate[3]: 
    CKA_ID                0000000000000000 / 1
    CKA_ECDSA_PARAMS      0000000000000000 / -1
    CKA_EC_POINT          0000000000000000 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue failed: 18

29: C_FindObjects
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x7fee5ff045b0 matches
Returned:  0 CKR_OK

30: C_GetAttributeValue
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] hObject = 0x7fee5ff045b0
[in] pTemplate[3]: 
    CKA_ID                0000000000000000 / 0
    CKA_ECDSA_PARAMS      0000000000000000 / 0
    CKA_EC_POINT          0000000000000000 / 0
[out] pTemplate[3]: 
    CKA_ID                0000000000000000 / 1
    CKA_ECDSA_PARAMS      0000000000000000 / -1
    CKA_EC_POINT          0000000000000000 / -1
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
C_GetAttributeValue failed: 18

[from this point on everything is CKR_OK again]

31: C_FindObjects
2016-10-24 21:49:02.971
[in] hSession = 0x7fee5fd09720
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x0
Returned:  0 CKR_OK
. . . . .
53: C_Sign
2016-10-24 21:49:07.640
[in] hSession = 0x7fee5fd09720
[in] pData[ulDataLen] 00007fee5fd0a900 / 35
    00000000  30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 07  0!0...+.........
    00000010  75 C2 02 90 F3 76 FD 6F AE A6 91 7A 55 CE 26 B5  u....v.o...zU.&.
    00000020  35 7D A7                                         5}.             
[out] pSignature[*pulSignatureLen] 00007fee5fd0a800 / 256
    00000000  01 DD 20 C2 E5 DD D5 B9 A2 45 74 57 12 BB A5 8F  .. ......EtW....
    00000010  71 65 82 3F AF 8D B7 D8 68 4B 91 C4 54 51 AD DE  qe.?....hK..TQ..
     . . . . .
    000000F0  DA 1E 87 89 7F 7C A1 F1 D0 28 57 D3 42 3E 6D D5  ....|...(W.B>m.
Returned:  0 CKR_OK
PTY allocation request failed on channel 0
Hi mouse07410! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
$

Note that ssh did not at any point as for the key type (which could help it figure out whether to ask for ECDSA_PARAMS and EC_POINT or not).

Your help is appreciated!

comment:2 Changed 4 years ago by ryandesign (Ryan Schmidt)

Cc: nomaintainer@… removed
Port: openssh added; openssl removed
Summary: OpenSSH does not use PKCS11Provider, and calls for wrong key type → openssh @7.3p1 calls for wrong key type

comment:3 Changed 4 years ago by mouse07410 (Mouse)

Above "as" => "ASK". ssh did not ASK the token for the key type.

Since so far ssh only supports RSA tokens, I might understand not asking for the key type - but then it's rather strange to see it asking for ECDSA_PARAMS.

And since in general (not on PKCS#11 tokens) ssh does support ECC keys - I could understand asking for ECDSA_PARAMS, but then - only after checking the key type, which ssh did not.

So something is broken. Possibly upstream.
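
A small triage script for traces like the one above (an added example, not part of this ticket or of OpenSSH/OpenSC): it parses pkcs11-spy output, infers each object's key type from the attributes the token actually returned (CKA_MODULUS means RSA, CKA_EC_POINT means EC), and flags later C_GetAttributeValue calls that ask that object for attributes of the other key type. The embedded trace is a constructed excerpt modelled on calls 10 and 26 in this ticket; handles and values are shortened.

```python
import re
# Constructed excerpt modelled on the pkcs11-spy trace in this ticket (values elided).
SAMPLE_TRACE = """\
10: C_GetAttributeValue
[in] hObject = 0x7fee5ff044f0
[in] pTemplate[2]:
    CKA_MODULUS           00007fee5ff07550 / 256
    CKA_PUBLIC_EXPONENT   00007fee5ff00be0 / 3
Returned:  0 CKR_OK
26: C_GetAttributeValue
[in] hObject = 0x7fee5ff044f0
[in] pTemplate[2]:
    CKA_ECDSA_PARAMS      0000000000000000 / 0
    CKA_EC_POINT          0000000000000000 / 0
Returned:  18 CKR_ATTRIBUTE_TYPE_INVALID
"""

RSA_ATTRS = {"CKA_MODULUS", "CKA_PUBLIC_EXPONENT"}
EC_ATTRS = {"CKA_ECDSA_PARAMS", "CKA_EC_PARAMS", "CKA_EC_POINT"}

def parse_calls(trace):
    """One dict per C_GetAttributeValue call: seq, object handle, [in] attrs, return code."""
    calls, cur, in_tmpl = [], {"attrs": []}, False  # scratch record swallows preamble lines
    for line in trace.splitlines():
        m = re.match(r"^(\d+): (C_\w+)", line)
        if m:
            cur = {"seq": int(m.group(1)), "func": m.group(2), "obj": None, "attrs": [], "rc": None}
            calls.append(cur)
        elif line.startswith("[in] hObject"):
            cur["obj"] = line.split("=")[1].strip()
        elif line.startswith("Returned:"):
            cur["rc"], in_tmpl = line.split()[-1], False
        elif line.startswith("[in] pTemplate") or line.startswith("[out]"):
            in_tmpl = line.startswith("[in]")  # only the [in] template shows what ssh asked for
        elif in_tmpl and line.strip().startswith("CKA_"):
            cur["attrs"].append(line.split()[0])
    return [c for c in calls if c["func"] == "C_GetAttributeValue"]

def find_type_mismatches(trace):
    """Flag requests for attributes that belong to a different key type than the token returned."""
    calls, key_type = parse_calls(trace), {}
    for c in calls:
        if c["rc"] == "CKR_OK" and set(c["attrs"]) & (RSA_ATTRS | EC_ATTRS):
            key_type[c["obj"]] = "RSA" if set(c["attrs"]) & RSA_ATTRS else "EC"
    bad = []
    for c in calls:
        kt, wanted = key_type.get(c["obj"]), set(c["attrs"])
        if (kt == "RSA" and wanted & EC_ATTRS) or (kt == "EC" and wanted & RSA_ATTRS):
            bad.append((c["seq"], c["obj"], kt, sorted(wanted & (RSA_ATTRS | EC_ATTRS)), c["rc"]))
    return bad
```

Run it over a full `ssh -I pkcs11-spy.dylib` trace to get one line per offending call; a client that queried CKA_KEY_TYPE before choosing its attribute template would produce no hits.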

comment:4 Changed 4 years ago by mouse07410 (Mouse)

Is this port maintained?

comment:5 in reply to: 4 Changed 4 years ago by raimue (Rainer Müller)

Replying to mouse07410:

Is this port maintained?

As port info openssh shows in the last line, unfortunately there are no volunteers to maintain the openssh port at the moment. Therefore nobody was notified to look into this issue. Your problem is quite specific to the use of the openssh client with an RSA token. I would assume there is only a very small number of users that have a similar setup, and even fewer that are regularly reading the tickets.

Have you tried this with /usr/bin/ssh? Does it show the same behavior?

As you suggested yourself, this would be a problem where you have a better chance of asking upstream for help. Either at a discussion forum for your RSA smart card, OpenSC or OpenSSH.

comment:6 Changed 4 years ago by mouse07410 (Mouse)

/usr/bin/ssh works correctly in this use case:

$ /opt/local/bin/ssh git@github.com
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
Enter PIN for 'PIV Card Holder pin (PIV_II)': 
PTY allocation request failed on channel 0
Hi mouse07410! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.

$ /usr/bin/ssh git@github.com
Enter PIN for 'PIV Card Holder pin (PIV_II)': 
PTY allocation request failed on channel 0
Hi mouse07410! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
$ 

It doesn't seem to be an OpenSC-related problem (I discussed it with OpenSC developers), and definitely not a smart card problem - after all, the smart card is never asked by openssh what type its key is.

I will report the problem to OpenSSH dev list, and post here if I hear anything useful.

If there's nobody else who seems to care, should I assume maintenance of this port???

comment:7 Changed 4 years ago by raimue (Rainer Müller)

/usr/bin/ssh is usually older (OpenSSH 7.2 in Sierra) or Apple applied some patches that fix this. They did not yet release their sources to https://opensource.apple.com/, though. But maybe such a patch was already in older releases?

It might also be a regression in OpenSSH 7.3 that MacPorts provides.

You are welcome to maintain the port and provide updates. Just attach a patch if you can work out a solution. The guide has more information on this.
