Here's what I get when I try to use my MuscleCard PKCS#11 library with SSH:

----------
$ ssh -v -I /usr/local/lib/libmusclepkcs11.so root@jackson
OpenSSH_5.4p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: ssh_set_validator: ignore responder url
debug1: Connecting to jackson [2001:470:1d:160:224:8cff:fe92:3230] port 22.
debug1: Connection established.
debug1: manufacturerID <SCHLUMBERGER> cryptokiVersion 2.11 libraryDescription <SLB PKCS #11 module> libraryVersion 1.0
debug1: label <MuscleCard Applet> manufacturerID <Unknown MFR> model <Unknown Model> serial <1> flags 0x40d
C_GetAttributeValue failed: 18
debug1: have 1 keys
C_GetAttributeValue failed: 18
debug1: have 2 keys
debug1: identity file /home/dbenoy/.ssh/id_rsa type -1
debug1: identity file /home/dbenoy/.ssh/id_rsa-cert type -1
debug1: identity file /home/dbenoy/.ssh/id_dsa type -1
debug1: identity file /home/dbenoy/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'jackson' is known and matches the RSA host key.
debug1: Found key in /home/dbenoy/.ssh/known_hosts:15
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /usr/local/lib/libmusclepkcs11.so
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Offering public key: /usr/local/lib/libmusclepkcs11.so
debug1: Server accepts key: pkalg ssh-rsa blen 151
Enter PIN for 'MuscleCard Applet':
C_FindObjects failed (0 nfound): 0
ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)
debug1: Trying private key: /home/dbenoy/.ssh/id_rsa
debug1: Trying private key: /home/dbenoy/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
----------

This PKCS#11 module works fine with Evolution, Firefox, and prior versions of SSH to which I applied a patch. The patch was: http://sites.google.com/site/alonbarlev/openssh-pkcs11 (Although with that patch I had to use it as 'ssh -# /usr/local/lib/libmusclepkcs11.so:0:15'; for some reason the :0:15 was important.) Also, my install of OpenSSH works successfully with the OpenSC PKCS#11 library. So it seems the specific combination of MuscleCard and OpenSSH isn't working, even though they both work with other software.
FYI: I'm using libmusclepkcs11.so from muscleframework version 1.1.7 from here: https://alioth.debian.org/projects/muscleplugins/
What do the following commands print out?

ssh-keygen -vvvD /usr/local/lib/libmusclepkcs11.so
pkcs11-tool --module /usr/local/lib/libmusclepkcs11.so -O

Do you have the original output from

ssh -vvv# /usr/local/lib/libmusclepkcs11.so:0:15 xxxxx
Created attachment 1812: print out key ID for debugging

Could you please retry ssh -vI ... with this patch and attach the new output? Thanks!
Created attachment 1813: Debug command output
(In reply to comment #2)
> what do the following commands print out:
>
> ssh-keygen -vvvD /usr/local/lib/libmusclepkcs11.so
> pkcs11-tool --module /usr/local/lib/libmusclepkcs11.so -O

Attached.

> do you have the original output from
> ssh -vvv# /usr/local/lib/libmusclepkcs11.so:0:15 xxxxx

'Fraid not :(
Created attachment 1814: Debug command output 2
(In reply to comment #3)
> Created an attachment (id=1812)
> print out key ID for debugging
>
> Could you please retry ssh -vI ... with this patch and attach
> the new output? thanks!

Attached. I believe this is the line you're looking for:

pkcs11_rsa_private_encrypt/20: 24b1986496cb599e52da591ff46c98cd8dd74418
Muscle cards are highly experimental under GNU/Linux. It is recommended to use a traditional PKI card, compatible with OpenSC. This will work out of the box. You can try the FEITIAN PKI card for example, but there are other cards. Avoid Muscle cards.
I have an aladdin etoken which I'm using in the meantime until this bug gets fixed.
Could you please try

PKCS11SPY=/usr/local/lib/libmusclepkcs11.so
export PKCS11SPY

and then

% ssh -vvvI /usr/local/lib/pkcs11-spy.so host

pkcs11-spy should be part of OpenSC.
Created attachment 1829: Debug command output 3
Created attachment 1835: don't add attribute 'sign=true' when looking up the private RSA key

Could you please try this?
It worked! :D Thanks :)
Created attachment 1836: try to find private key object w/CKA_SIGN first, retry w/o

Thanks. Could you please try this, too? This should work with both the MUSCLE card and the eToken.

Thanks,
-m
Created attachment 1837: really try to find private key object w/CKA_SIGN first, retry w/o

This one should work.
(In reply to comment #15)
> Created an attachment (id=1837)
> really try to find private key object w/CKA_SIGN first, retry w/o
>
> this one should work

Yep! It worked with both my MUSCLE card and my Aladdin eToken Pro 32k via OpenSC.
Markus has committed the fix in attachment #1837. It will be in OpenSSH 5.6.
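The lookup strategy that attachment 1837 settles on (search for a private key with the wanted CKA_ID and CKA_SIGN=TRUE; if the module reports zero objects, search again without CKA_SIGN) is easy to get wrong in either direction, so here is an added worked example of it. This is not OpenSSH's, OpenSC's or the MUSCLE project's code. It does not call a real PKCS#11 module; instead it simulates C_FindObjects over two constructed in-memory tokens: a MUSCLE-like object that does not expose CKA_SIGN at all (which is why the strict template in the original log returned "0 nfound"), and an eToken-like pair of keys sharing one CKA_ID where only one is a signing key. The type and constant names mirror pkcs11.h but are defined locally here as an assumption so the block compiles offline; the key IDs are made up.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Attribute/class constants; the values are those of the PKCS#11 v2.x spec. */
#define CKA_CLASS       0x0000UL
#define CKA_ID          0x0102UL
#define CKA_SIGN        0x0108UL
#define CKO_PRIVATE_KEY 0x0003UL

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;

/* Search-template entry, shaped like CK_ATTRIBUTE in pkcs11.h (local copy). */
typedef struct {
    CK_ULONG    type;
    const void *pValue;
    CK_ULONG    ulValueLen;
} CK_ATTRIBUTE;

/* Constructed stand-in for one object on a token. sign_present == false models a
 * module (the MUSCLE one in this bug) that does not expose CKA_SIGN at all. */
typedef struct {
    CK_ULONG    cls;
    const char *id;         /* CKA_ID bytes */
    CK_ULONG    id_len;
    bool        sign_present;
    CK_BBOOL    sign;
} TokenObject;

/* Result of a private-key lookup: object index (or -1) and whether the
 * CKA_SIGN-less fallback search was needed to find it. */
typedef struct {
    int  index;
    bool retried;
} Lookup;

static bool attr_matches(const TokenObject *o, const CK_ATTRIBUTE *a)
{
    switch (a->type) {
    case CKA_CLASS:
        return a->ulValueLen == sizeof(CK_ULONG) &&
               *(const CK_ULONG *)a->pValue == o->cls;
    case CKA_ID:
        return a->ulValueLen == o->id_len &&
               memcmp(a->pValue, o->id, o->id_len) == 0;
    case CKA_SIGN:
        /* An attribute the object does not carry can never match the template. */
        return o->sign_present && a->ulValueLen == sizeof(CK_BBOOL) &&
               *(const CK_BBOOL *)a->pValue == o->sign;
    default:
        return false;
    }
}

/* Simulated C_FindObjectsInit/C_FindObjects: index of the first object that
 * matches every template attribute, or -1 when nfound would be 0. */
static int find_object(const TokenObject *objs, size_t n,
                       const CK_ATTRIBUTE *tmpl, size_t ntmpl)
{
    for (size_t i = 0; i < n; i++) {
        bool ok = true;
        for (size_t j = 0; j < ntmpl && ok; j++)
            ok = attr_matches(&objs[i], &tmpl[j]);
        if (ok)
            return (int)i;
    }
    return -1;
}

/* The committed strategy: prefer a key that advertises CKA_SIGN=TRUE, and only
 * if the module yields nothing drop CKA_SIGN from the template and retry. */
Lookup find_private_key(const TokenObject *objs, size_t n,
                        const char *id, size_t id_len)
{
    CK_ULONG cls = CKO_PRIVATE_KEY;
    CK_BBOOL yes = 1;
    CK_ATTRIBUTE tmpl[3] = {
        { CKA_CLASS, &cls, sizeof(cls) },
        { CKA_ID,    id,   id_len },
        { CKA_SIGN,  &yes, sizeof(yes) },
    };
    Lookup r = { find_object(objs, n, tmpl, 3), false };
    if (r.index < 0) {
        r.retried = true;
        r.index = find_object(objs, n, tmpl, 2); /* same template minus CKA_SIGN */
    }
    return r;
}

/* Constructed tokens, not real card dumps. The MUSCLE stand-in omits CKA_SIGN;
 * the eToken stand-in lists a decrypt-only key before the signing key, both
 * under the same CKA_ID, so a CKA_SIGN-less search alone would pick the wrong one. */
static const TokenObject muscle_token[] = {
    { CKO_PRIVATE_KEY, "\x24\xb1\x98\x64", 4, false, 0 },
};
static const TokenObject etoken[] = {
    { CKO_PRIVATE_KEY, "\x01", 1, true, 0 },  /* CKA_SIGN=FALSE (decrypt only) */
    { CKO_PRIVATE_KEY, "\x01", 1, true, 1 },  /* CKA_SIGN=TRUE  (the one to use) */
};

Lookup lookup_muscle(void)  { return find_private_key(muscle_token, 1, "\x24\xb1\x98\x64", 4); }
Lookup lookup_etoken(void)  { return find_private_key(etoken, 2, "\x01", 1); }
Lookup lookup_missing(void) { return find_private_key(etoken, 2, "\x02", 1); }

int main(void)
{
    Lookup m = lookup_muscle(), e = lookup_etoken(), x = lookup_missing();
    printf("MUSCLE: index %d, retried without CKA_SIGN: %s\n", m.index, m.retried ? "yes" : "no");
    printf("eToken: index %d, retried without CKA_SIGN: %s\n", e.index, e.retried ? "yes" : "no");
    printf("unknown ID: index %d\n", x.index);
    return 0;
}
```

The MUSCLE case only succeeds because of the second search, and the eToken case only picks the signing key because of the first; attachment 1835, which dropped CKA_SIGN outright, would have handled the MUSCLE card but not a token that keeps a decrypt-only key under the same ID.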
Move resolved bugs to CLOSED after 5.7 release