On 1/14/22 17:02, petrus@xxxxxxxxxxx wrote:
Hello,
I have two hardware tokens (Thales/Safenet eToken 5110cc) that both
contain certificates for various uses. They obviously use the same
driver, libeToken.so (version 10.7.77). I have no issues using one of
them either directly (with -I/PKCS11Provider) with ssh or ssh-agent.
However, I have to keep both tokens connected and I need to add only one
specific certificate to ssh-agent. For test purposes both tokens use the
same pin code, as with every try if the pin code is different, the one
for which it is incorrect will increment the tentative counter on the
token thus ending locking it. If the two pin codes are different the
selection will be based on available certificates with that pin, so that
kinda works until one of the two tokens is locked.
From what I've read, p11-kit seems to be the piece of software that was
missing to glue various middlewares to 'consumer' software like ssh.
So, here are my two certificates:
$ p11tool --list-all-certs
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo
pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar
From what I've read, this syntax should be correct:
$ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo'
Or even
$ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so
pkcs11:serial=1234567890ABCDEF
(I'm using ssh-add through p11-kit-proxy.so for now as I've not been
able to directly use the pkcs11 uri - not sure if that matters).
But the pkcs11 uri does not seem to be used and all certificates end up
being added to ssh-agent:
$ ssh-add -L
ssh-rsa AAAAB3<snip> foo
ssh-rsa AAAAC5<snip> bar
Is this because of the use of p11-kit-proxy, or something else I've
missed? If there is another method than p11-kit to achieve this I'm also
interested!
I implemented support for PKCS#11 URI and it is now in Fedora and RHEL8+
for couple of years. Unfortunately, it was not yet accepted and merged
into the openssh:
https://bugzilla.mindrot.org/show_bug.cgi?id=2817
The patch is a bit outdated so not ready to be merged. The updated one
is in Fedora if you want to try that out:
https://src.fedoraproject.org/rpms/openssh/blob/rawhide/f/openssh-8.0p1-pkcs11-uri.patch
Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
