playing with smartcard: rsa key upload?

Danny De Cock godot at ulyssis.org
Thu Oct 31 00:19:39 EST 2002


hi,

my subscription to this list is still in progress, i.e., could you
include my email address when replying to this email.

I am using the opensc-cvs-snapshot of october 29th, in combination with
openssh 3.5p1 on a woody debian machine with pcsclite-1.1.2, and have been
trying to get a gemplus gpk16000 smartcard working with openssh.

the problem I am faced with is a segmentation fault of a command such as
`ssh -I 0 server`

the commands I have been using are these:

pkcs15-init -dddddd -E -C
pkcs15-init -dddddd -P -a 45 -i 45
pkcs15-init -dddddd -S privkey.pem -a 45 -i 45
pkcs15-init -dddddd -X cert.pem
ssh -I 0 192.168.1.2 -v

the log file /var/log/auth.log of the other machine indicates this after
the ssh-client has failed:
Oct 30 13:00:13 g sshd[24750]: Did not receive identification string from 192.168.1.11

fyi: the led of the smartcard reader starts to blink just before the
segmentation fault.

does any of you have any idea how to solve this problem?

many thanks, danny.

---------------------------

the first four of these commands have accomplished their tasks
successfully:

<output of pkcs15-tool --list-pins  -c -k>
Connecting to card in reader Towitoko Chipdrive Reader 0 0...
Using card driver: Gemplus GPK driver
Trying to find a PKCS#15 compatible card...
Found OpenSC Card!
Card has 1 certificate(s).

X.509 Certificate [Certificate]
        Flags    : 2
        Authority: no
        Path     : 3F0050159000
        ID       : 45

Card has 1 private key(s).

Private RSA Key [Private Key]
        Com. Flags  : 1D
        Usage       : [0x4], sign
        Access Flags: [0x0]
        ModLength   : 1024
        Key ref     : 0
        Native      : yes
        Path        : 3F0050150006
        Auth ID     : 45
        ID          : 45

Card has 2 PIN code(s).

PIN [Security Officer PIN]
        Com. Flags: 0x3
        Auth ID   : FF
        Flags     : [0xB2], local, initialized, needs-padding, soPin
        Length    : 6..8
        Pad char  : 0x00
        Reference : 8
        Type      : 1
        Path      : 3F005015

PIN []
        Com. Flags: 0x3
        Auth ID   : 45
        Flags     : [0x32], local, initialized, needs-padding
        Length    : 4..8
        Pad char  : 0x00
        Reference : 12
        Type      : 1
        Path      : 3F005015

but the fifth command fails badly:
<output>
ssh -I 0 192.168.1.2 -v
OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: Connecting to lien [192.168.1.2] port 22.
debug1: Connection established.
debug1: sc_get_keys called: id = 0
debug1: sc_read_pubkey() with cert id 45
Segmentation fault
</output>

> On Thu, 17 Oct 2002, Andreas Hasenack wrote:
>
> > Is there a tool to upload an openssh rsa key to a smart card so that I
> > can use it with ssh -I later on? Should I just upload it as a regular
> > file? Any pointers to some documentation explaining how to do this with
> > openssh?
>
> The current SC related code in openssh is a bit absurd anyway.
> I'm currently rewriting the code into some more generic,
> like pkcs#11 support. After this you can use opensc-pkcs11.so
> to upload your keys.
>
> Hopefully Theo and the rest of OpenSSH guys are willing to
> ditch the current code base, ugly sectok and less ugly opensc
> support entirely.
>
> -Antti
>
> _______________________________________________
> openssh-unix-dev at mindrot.org mailing list
> http://www.mindrot.org/mailman/listinfo/openssh-unix-dev





