Control: reassign -1 simple-tpm-pk11

On Tue, Dec 08, 2015 at 09:34:07AM +0100, Didier 'OdyX' Raboud wrote:
> I'm using the following SSH config to use my X220's TPM through
> simple-tpm-pk11:
>
> > Host test
> >     PKCS11Provider libsimple-tpm-pk11.so
>
> Working authentication:
> > OpenSSH_6.9p1 Debian-3, OpenSSL 1.0.2e 3 Dec 2015
> > …
> > debug1: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1
> > libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
> > debug1: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model
> > <model> serial <serial> flags 0x0
> > debug1: have 1 keys
> > …
>
> Failing authentication:
> > OpenSSH_7.1p1 Debian-1, OpenSSL 1.0.2e 3 Dec 2015
> > …
> > debug1: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1
> > libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
> > debug2: pkcs11_add_provider: ignoring uninitialised token in slot 0
> > no keys
> > …
>
> I haven't found a configuration stanza in ssh_config(5) that could solve that,
> I'm therefore bound to assume it's a regression in how openssh-client and
> libsimple-tpm-pk11.so interact.

This is because of the fix in
https://bugzilla.mindrot.org/show_bug.cgi?id=2427 - OpenSSH now checks
whether the token is initialised, but simple-tpm-pk11 doesn't set that
flag. This is essentially the same as
https://github.com/ThomasHabets/simple-tpm-pk11/issues/13.

I think that cherry-picking this commit would do it, or simply upgrading
to simple-tpm-pk11 0.04:

  https://github.com/ThomasHabets/simple-tpm-pk11/commit/bd8202d0f270e02e89b7df84c7373fbe1ace3e9e

Cheers,

-- 
Colin Watson [[email protected]]
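
Added example, not part of the original message and not code from OpenSSH or simple-tpm-pk11: a small C checker that reads `ssh -v` token lines such as the one quoted above and counts tokens that an "is the token initialised" check would skip. It assumes the flag in question is the PKCS#11 `CKF_TOKEN_INITIALIZED` bit (0x400); the function names and the second sample token are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CK_TOKEN_INFO.flags bit defined by the PKCS#11 specification. */
#define CKF_TOKEN_INITIALIZED 0x00000400UL

/* Constructed `ssh -v` sample: the first entry is the token line quoted in
 * the report (unwrapped), the last is a made-up token that sets the flag. */
static const char *const SAMPLE[] = {
    "debug1: label <Simple-TPM-PK11 token> manufacturerID <manuf id> "
    "model <model> serial <serial> flags 0x0",
    "debug1: have 1 keys",
    "debug1: label <example> manufacturerID <x> model <m> serial <1> flags 0x40d",
};

/* Extract flags from a "debug1: label <...> ... flags 0x.." line; the last
 * " flags 0x" wins because the label is token-supplied text. 1 on success. */
static int parse_token_flags(const char *line, unsigned long *flags)
{
    const char *p, *last = NULL;
    char *end;
    if (strncmp(line, "debug1: label <", 15) != 0)
        return 0;
    for (p = line; (p = strstr(p, " flags 0x")) != NULL; p++)
        last = p + strlen(" flags ");
    if (last == NULL)
        return 0;
    *flags = strtoul(last, &end, 16);
    return end > last + 2; /* at least one hex digit after "0x" */
}

/* Count token lines the check described above would skip: tokens whose
 * flags lack CKF_TOKEN_INITIALIZED, so none of their keys are offered. */
static int count_skipped(const char *const *lines, size_t n)
{
    unsigned long flags;
    int skipped = 0;
    for (size_t i = 0; i < n; i++)
        if (parse_token_flags(lines[i], &flags) && !(flags & CKF_TOKEN_INITIALIZED))
            skipped++;
    return skipped;
}

int main(void)
{
    printf("ignored tokens: %d\n", count_skipped(SAMPLE, sizeof(SAMPLE) / sizeof(SAMPLE[0])));
    return 0;
}
```

Run against a debug log captured with a client that still accepts the token, this flags providers reporting `flags 0x0` before an upgrade turns them into "no keys".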

