[Bug 1736] New: OpenSSH doesn't seem to work with my MuscleCard PKCS#11 library

bugzilla-daemon at bugzilla.mindrot.org
Thu Mar 18 06:16:17 EST 2010


https://bugzilla.mindrot.org/show_bug.cgi?id=1736

           Summary: OpenSSH doesn't seem to work with my MuscleCard
                    PKCS#11 library
           Product: Portable OpenSSH
           Version: 5.4p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Smartcard
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: daniel at benoy.name


Here's what I get when I try to use my MuscleCard PKCS#11 library with
SSH:

----------
$ ssh -v -I /usr/local/lib/libmusclepkcs11.so root@jackson
OpenSSH_5.4p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: ssh_set_validator: ignore responder url
debug1: Connecting to jackson [2001:470:1d:160:224:8cff:fe92:3230] port
22.
debug1: Connection established.
debug1: manufacturerID <SCHLUMBERGER> cryptokiVersion 2.11
libraryDescription <SLB PKCS #11 module> libraryVersion 1.0
debug1: label <MuscleCard Applet> manufacturerID <Unknown MFR> model
<Unknown Model> serial <1> flags 0x40d
C_GetAttributeValue failed: 18
debug1: have 1 keys
C_GetAttributeValue failed: 18
debug1: have 2 keys
debug1: identity file /home/dbenoy/.ssh/id_rsa type -1
debug1: identity file /home/dbenoy/.ssh/id_rsa-cert type -1
debug1: identity file /home/dbenoy/.ssh/id_dsa type -1
debug1: identity file /home/dbenoy/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'jackson' is known and matches the RSA host key.
debug1: Found key in /home/dbenoy/.ssh/known_hosts:15
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue:
publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: /usr/local/lib/libmusclepkcs11.so
debug1: Authentications that can continue:
publickey,keyboard-interactive
debug1: Offering public key: /usr/local/lib/libmusclepkcs11.so
debug1: Server accepts key: pkalg ssh-rsa blen 151
Enter PIN for 'MuscleCard Applet': 
C_FindObjects failed (0 nfound): 0
ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)
debug1: Trying private key: /home/dbenoy/.ssh/id_rsa
debug1: Trying private key: /home/dbenoy/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password: 
----------

This PKCS#11 module works fine with Evolution, Firefox, and prior
versions of SSH which I applied a patch to.

The patch was: http://sites.google.com/site/alonbarlev/openssh-pkcs11
(Although with that patch I had to use it as 'ssh -#
/usr/local/lib/libmusclepkcs11.so:0:15'; for some reason the :0:15 was
important.)

Also, my install of OpenSSH works successfully with the OpenSC PKCS#11
library.

So it seems the specific combination of MuscleCard and OpenSSH isn't
working, even though they both work with other software.
