[Bug 2530] New: Client does not differentiate between more keys on Smart card, signs always with first one
bugzilla-daemon at bugzilla.mindrot.org
Fri Jan 22 23:01:29 AEDT 2016
https://bugzilla.mindrot.org/show_bug.cgi?id=2530
Bug ID: 2530
Summary: Client does not differentiate between more keys on Smart card, signs always with first one
Product: Portable OpenSSH
Version: 7.1p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: Smartcard
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Based on the report in our bugzilla [1] (though on an older version and with a different use case), I can reproduce the same behaviour with two different key pairs on a smartcard (opencryptoki softtoken), when only the second is accepted.

This is caused by the fact that, when the public key is read from the card, its CKA_ID is not stored alongside the public key, and ssh later does not know which key to use for signing (it uses the first one implicitly, since it is the first result of the search).

So far, the key is identified by its pkcs11 provider library [2] and by the flag SSHKEY_FLAG_EXT [3], which is obviously not enough (see the self-explanatory comment /* XXX */ [2]).

Fortunately, a similar question was asked before by different people, and there is RFC 7512 [4] describing the PKCS#11 URI scheme, which quite suits these needs. It can grow into an ugly monstrosity, but for our case it should be enough to note the id (CKA_ID) in the scheme.

Integration of this idea into openssh would require some changes, which are too complex to do as a patch for bugzilla without discussion. If you feel this would be useful, I would like to hear upstream acknowledgement.
[1] https://bugzilla.redhat.com/show_bug.cgi?id=1280422
[2] https://github.com/openssh/openssh-portable/blob/master/ssh.c#L1994
[3] https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c#L541
[4] https://tools.ietf.org/html/rfc7512
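The CKA_ID-based selection the report proposes, as an added example (not OpenSSH code and not the reporter's): a small parser for RFC 7512 pkcs11: URIs and a key lookup that matches on the id attribute instead of taking the first search result. The key table, labels and URIs are constructed sample data.

```python
"""Added example: select a PKCS#11 key by CKA_ID from an RFC 7512 URI.

Illustrates the bug report's proposal: instead of signing with the first
key the provider returns, match the key whose CKA_ID equals the 'id'
attribute of a pkcs11: URI. The key table and URIs are constructed data.
"""
from urllib.parse import unquote_to_bytes


def parse_pkcs11_uri(uri):
    """Return the path attributes of a pkcs11: URI as a dict of bytes.

    RFC 7512 path attributes are ';'-separated name=value pairs whose
    values are percent-encoded; 'id' is raw binary (CKA_ID), so every
    value is kept as bytes. Query attributes (after '?') are ignored.
    """
    scheme, sep, rest = uri.partition(":")
    if scheme != "pkcs11" or not sep:
        raise ValueError("not a pkcs11: URI")
    attrs = {}
    for part in rest.split("?", 1)[0].split(";"):
        if not part:
            continue
        name, eq, value = part.partition("=")
        if not eq or name in attrs:  # missing '=' or duplicate attribute
            raise ValueError("malformed attribute: %r" % part)
        attrs[name] = unquote_to_bytes(value)
    return attrs


def select_key(keys, uri):
    """Pick the key (dict with 'cka_id' and 'label') that the URI names.

    Without an 'id' attribute the choice is only defined when the token
    holds a single key; otherwise report ambiguity instead of silently
    returning the first search result (the behaviour the report describes).
    """
    attrs = parse_pkcs11_uri(uri)
    if "id" not in attrs:
        if len(keys) == 1:
            return keys[0]
        raise LookupError("no id in URI and token holds %d keys" % len(keys))
    matches = [k for k in keys if k["cka_id"] == attrs["id"]]
    if len(matches) != 1:
        raise LookupError("found %d keys with that CKA_ID" % len(matches))
    return matches[0]


# Constructed sample token holding two key pairs, as in the report.
TOKEN_KEYS = [{"cka_id": b"\x01", "label": "first"},
              {"cka_id": b"\x02", "label": "second"}]
```

With `pkcs11:token=softtoken;id=%02` the lookup returns the second key, which the first-result behaviour in the report never reaches.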