Hi,
I don't know much about Windows, but this looks like the OpenSSL used on
Windows has some issue loading the pkcs11 engine. Is the libssh on
Windows built with the pkcs11 support as described in the following
documentation?
https://gitlab.com/libssh/libssh-mirror/-/blob/master/doc/pkcs11.dox
Regards,
Jakub
On 12/22/22 23:59, den...@ntropy.io wrote:
I got past the "pkcs11provider" issue - had to add a p11-kit module file
for the PKCS11 Provider library.
Now I seem to have an issue with the "libssh" library. The simple code
I'm testing with works on Linux (Fedora 37) but does not on Windows (10).
P11-kit recognizes the PKCS#11 library on both systems.
Same 0.10.0 library versions on both.
Is there a difference between the two versions of the library (Linux vs.
Windows)?
I'm using the following URI
"pkcs11:token=CryptoServer%20Token0;object=SSH-key"
On Linux:
[2022/12/22 17:35:24.218615, 3] ssh_userauth_publickey_auto: Trying to
authenticate with pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:35:24.218625, 2] ssh_userauth_publickey_auto:
Authenticating with PKCS #11 URI.
[2022/12/22 17:35:24.219052, 2] pki_get_engine: Engine loaded successfully
[2022/12/22 17:35:24.219102, 2] pki_get_engine: Engine init success
[2022/12/22 17:35:24.299894, 3] ssh_key_algorithm_allowed: Checking
rsa-sha2-512 with list
<ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,ssh-ed25519-cert-...@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com>
[2022/12/22 17:35:24.299934, 3] ssh_key_algorithm_allowed: Checking
rsa-sha2-512 with list
<ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,ssh-ed25519-cert-...@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com>
[2022/12/22 17:35:24.300026, 3] ssh_socket_unbuffered_write: Enabling
POLLOUT for socket
[2022/12/22 17:35:24.300080, 3] packet_send2: packet: wrote [type=50,
len=368, padding_size=11, comp=356, payload=356]
[2022/12/22 17:35:24.300094, 4] ssh_socket_pollcallback: Poll callback
on socket 3 (POLLOUT ), out buffer 0
[2022/12/22 17:35:24.300127, 4] ssh_socket_pollcallback: sending
control flow event
[2022/12/22 17:35:24.300147, 4] ssh_packet_socket_controlflow_callback:
sending channel_write_wontblock callback
[2022/12/22 17:35:24.339500, 4] ssh_socket_pollcallback: Poll callback
on socket 3 (POLLIN ), out buffer 0
[2022/12/22 17:35:24.339585, 3] ssh_packet_socket_callback: packet:
read type 60 [len=320,padding=19,comp=300,payload=300]
[2022/12/22 17:35:24.339606, 3] ssh_packet_process: Dispatching handler
for packet type 60
[2022/12/22 17:35:24.339622, 4] ssh_packet_userauth_pk_ok: Received
SSH_USERAUTH_PK_OK/INFO_REQUEST/GSSAPI_RESPONSE
[2022/12/22 17:35:24.339637, 4] ssh_packet_userauth_pk_ok: Assuming
SSH_USERAUTH_PK_OK
Enter PKCS#11 token PIN for CryptoServer Token0:
[2022/12/22 17:35:29.875664, 3] ssh_key_algorithm_allowed: Checking
rsa-sha2-512 with list
<ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,ssh-ed25519-cert-...@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com>
[2022/12/22 17:35:29.875699, 3] ssh_key_algorithm_allowed: Checking
rsa-sha2-512 with list
<ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,ssh-ed25519-cert-...@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com>
[2022/12/22 17:35:29.875720, 3] ssh_key_algorithm_allowed: Checking
rsa-sha2-512 with list
<ecdsa-sha2-nistp256,ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-ed25519,ssh-ed25519-cert-...@openssh.com,rsa-sha2-256,rsa-sha2-256-cert-...@openssh.com,rsa-sha2-512,rsa-sha2-512-cert-...@openssh.com>
[2022/12/22 17:35:29.882090, 3] ssh_socket_unbuffered_write: Enabling
POLLOUT for socket
[2022/12/22 17:35:29.882117, 3] packet_send2: packet: wrote [type=50,
len=656, padding_size=19, comp=636, payload=636]
[2022/12/22 17:35:29.882127, 4] ssh_socket_pollcallback: Poll callback
on socket 3 (POLLOUT ), out buffer 0
[2022/12/22 17:35:29.882133, 4] ssh_socket_pollcallback: sending
control flow event
[2022/12/22 17:35:29.882139, 4] ssh_packet_socket_controlflow_callback:
sending channel_write_wontblock callback
[2022/12/22 17:35:29.937821, 4] ssh_socket_pollcallback: Poll callback
on socket 3 (POLLIN ), out buffer 0
[2022/12/22 17:35:29.937878, 3] ssh_packet_socket_callback: packet:
read type 52 [len=16,padding=14,comp=1,payload=1]
[2022/12/22 17:35:29.937886, 3] ssh_packet_process: Dispatching handler
for packet type 52
[2022/12/22 17:35:29.937892, 3] ssh_packet_userauth_success:
Authentication successful
[2022/12/22 17:35:29.937898, 4] ssh_packet_userauth_success: Received
SSH_USERAUTH_SUCCESS
[2022/12/22 17:35:29.937904, 3] ssh_packet_need_rekey: rekey:
[data_rekey_needed=0, out_blocks=92, in_blocks=34]
[2022/12/22 17:35:29.937912, 2] ssh_userauth_publickey_auto:
Successfully authenticated using
pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:35:29.937924, 2] channel_open: Creating a channel 43
with 64000 window and 32768 max packet
On Windows 10:
[2022/12/22 17:49:00.492712, 3] ssh_userauth_publickey_auto: Trying to
authenticate with pkcs11:token=CryptoServer%20Token0;object=SSH-key
[2022/12/22 17:49:00.507613, 2] ssh_userauth_publickey_auto:
Authenticating with PKCS #11 URI.
[2022/12/22 17:49:00.539737, 1] ssh_pki_import_pubkey_file: Error
opening pkcs11:token=CryptoServer%20Token0;object=SSH-key: Invalid argument
[2022/12/22 17:49:00.554692, 1] ssh_pki_import_privkey_file: Error
opening pkcs11:token=CryptoServer%20Token0;object=SSH-key: Invalid argument
[2022/12/22 17:49:00.585873, 3] ssh_userauth_publickey_auto: Private
key pkcs11:token=CryptoServer%20Token0;object=SSH-key doesn't exist.
[2022/12/22 17:49:00.601394, 3] ssh_userauth_publickey_auto: Trying to
authenticate with C:\Users\Dennis/.ssh/id_ed25519
[2022/12/22 17:49:00.632921, 1] ssh_pki_import_pubkey_file: Error
opening C:\Users\Dennis/.ssh/id_ed25519.pub: No such file or directory
[2022/12/22 17:49:00.648312, 1] ssh_pki_import_privkey_file: Error
opening C:\Users\Dennis/.ssh/id_ed25519: No such file or directory
[2022/12/22 17:49:00.679591, 3] ssh_userauth_publickey_auto: Private
key C:\Users\Dennis/.ssh/id_ed25519 doesn't exist.
[2022/12/22 17:49:00.695713, 3] ssh_userauth_publickey_auto: Trying to
authenticate with C:\Users\Dennis/.ssh/id_ecdsa
[2022/12/22 17:49:00.726494, 1] ssh_pki_import_pubkey_file: Error
opening C:\Users\Dennis/.ssh/id_ecdsa.pub: No such file or directory
[2022/12/22 17:49:00.757865, 1] ssh_pki_import_privkey_file: Error
opening C:\Users\Dennis/.ssh/id_ecdsa: No such file or directory
[2022/12/22 17:49:00.773702, 3] ssh_userauth_publickey_auto: Private
key C:\Users\Dennis/.ssh/id_ecdsa doesn't exist.
[2022/12/22 17:49:00.805660, 3] ssh_userauth_publickey_auto: Trying to
authenticate with C:\Users\Dennis/.ssh/id_rsa
[2022/12/22 17:49:00.836304, 1] ssh_pki_import_pubkey_file: Error
opening C:\Users\Dennis/.ssh/id_rsa.pub: No such file or directory
[2022/12/22 17:49:00.851924, 1] ssh_pki_import_privkey_file: Error
opening C:\Users\Dennis/.ssh/id_rsa: No such file or directory
[2022/12/22 17:49:00.883218, 3] ssh_userauth_publickey_auto: Private
key C:\Users\Dennis/.ssh/id_rsa doesn't exist.
[2022/12/22 17:49:00.914533, 2] ssh_userauth_publickey_auto: Tried
every public key, none matched
User Authentication failed:
[2022/12/22 17:49:00.929338, 3] packet_send2: packet: wrote [type=1,
len=32, padding_size=11, comp=20, payload=20]
Error allocating SFTP session
-----Original Message-----
From: Jakub Jelen <jje...@redhat.com>
Sent: Wednesday, December 7, 2022 4:21 AM
To: libssh@libssh.org
Subject: Re: Hardware device
On 12/5/22 14:38, Dennis Gnatowski wrote:
> I am following the example from
> (https://developers.redhat.com/blog/2020/10/28/smart-cards-support-in-libssh#build_and_use_libssh_with_pkcs__11)
>
> int rc;
>
> char priv_uri[1042] =
> "pkcs11:token=my-token;object=my-object;type=private?pin-value=1234";
>
> rc = ssh_options_set(session, SSH_OPTIONS_IDENTITY, priv_uri);
>
> assert_int_equal(rc, SSH_OK);
>
> rc = ssh_userauth_publickey_auto(session, NULL, NULL);
>
> but using:
>
> char priv_uri[1042] =
> "pkcs11:object=SSH-key-acme?pin-value=####;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so";
This does not look like a valid URI. There can be only one question
mark, path is separated by semicolons and query parts are separated by
ampersands so it should be something like:
pkcs11:object=SSH-key-acme;manufacturer=IBM?pin-value=####&module-path=/usr/lib64/pkcs11/PKCS11_API.so
see the URI syntax in https://datatracker.ietf.org/doc/html/rfc7512
Regards,
--
Jakub Jelen
Crypto Team, Security Engineering
Red Hat, Inc.
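As an added illustration of the URI rules given in the December 7 reply (this is example code written for this page, not libssh, libp11 or engine_pkcs11 code): a small RFC 7512 splitter that applies the generic URI rule that the first `?` starts the query, takes `;`-separated `name=value` attributes before it and `&`-separated attributes after it, and percent-decodes values (so `CryptoServer%20Token0` from the log becomes `CryptoServer Token0`). Fed the malformed URI from the thread, it does not reject it outright; instead everything after the first `?` is swallowed into a single `pin-value` query attribute, so `manufacturer` and `module-path` are never seen by the caller, which is why the corrected form with one `?` and `&` between query items is needed. The inputs are constructed; the masked `####` PIN is replaced by the placeholder `1234`, and `MAX_ATTRS` and the buffer sizes are arbitrary limits chosen for the example. The Windows log above, where the URI is handed to `ssh_pki_import_pubkey_file` as if it were a file path, suggests the string never reached a URI parser at all, which is the build question raised at the top of the thread.

```c
/* Added example, not libssh code: a minimal RFC 7512 PKCS#11 URI splitter.
 * Scheme "pkcs11:", path attributes separated by ';', optional '?' followed
 * by query attributes separated by '&', values percent-decoded in place. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_ATTRS 16          /* arbitrary limit for this example */

struct attr { char name[32]; char value[256]; };

struct pkcs11_uri {
    struct attr path[MAX_ATTRS];  int npath;
    struct attr query[MAX_ATTRS]; int nquery;
};

/* Decode %XX escapes in place; returns 0 on a truncated or non-hex escape. */
static int pct_decode(char *s)
{
    char *out = s;
    for (; *s; s++) {
        if (*s == '%') {
            if (!isxdigit((unsigned char)s[1]) || !isxdigit((unsigned char)s[2]))
                return 0;
            char hex[3] = { s[1], s[2], '\0' };
            *out++ = (char)strtol(hex, NULL, 16);
            s += 2;
        } else {
            *out++ = *s;
        }
    }
    *out = '\0';
    return 1;
}

/* Split "name=value" items separated by sep; returns the count or -1. */
static int parse_attrs(const char *s, char sep, struct attr *attrs)
{
    int n = 0;
    if (*s == '\0') return 0;                     /* empty component is allowed */
    while (n < MAX_ATTRS) {
        const char *end = strchr(s, sep);
        size_t len = end ? (size_t)(end - s) : strlen(s);
        const char *eq = memchr(s, '=', len);
        if (eq == NULL || eq == s) return -1;     /* no '=' or empty name */
        size_t nlen = (size_t)(eq - s), vlen = len - nlen - 1;
        if (nlen >= sizeof attrs[n].name || vlen >= sizeof attrs[n].value) return -1;
        memcpy(attrs[n].name, s, nlen);       attrs[n].name[nlen] = '\0';
        memcpy(attrs[n].value, eq + 1, vlen); attrs[n].value[vlen] = '\0';
        if (!pct_decode(attrs[n].value)) return -1;
        n++;
        if (end == NULL) return n;
        s = end + 1;                              /* a trailing sep yields -1 next round */
    }
    return -1;
}

/* Returns 1 and fills *out if uri is a well-formed PKCS#11 URI, else 0. */
int pkcs11_uri_parse(const char *uri, struct pkcs11_uri *out)
{
    memset(out, 0, sizeof *out);
    if (strncmp(uri, "pkcs11:", 7) != 0) return 0;
    const char *rest = uri + 7;
    const char *q = strchr(rest, '?');            /* first '?' starts the query */
    char path[512];
    size_t plen = q ? (size_t)(q - rest) : strlen(rest);
    if (plen >= sizeof path) return 0;
    memcpy(path, rest, plen); path[plen] = '\0';
    out->npath = parse_attrs(path, ';', out->path);
    if (out->npath < 0) return 0;
    if (q) {
        out->nquery = parse_attrs(q + 1, '&', out->query);
        if (out->nquery < 0) return 0;
    }
    return 1;
}

/* Look up an attribute (path first, then query) by name; NULL if absent. */
const char *pkcs11_uri_get(const struct pkcs11_uri *u, const char *name)
{
    for (int i = 0; i < u->npath; i++)
        if (strcmp(u->path[i].name, name) == 0) return u->path[i].value;
    for (int i = 0; i < u->nquery; i++)
        if (strcmp(u->query[i].name, name) == 0) return u->query[i].value;
    return NULL;
}

int main(void)
{
    /* Constructed inputs: the malformed URI from the thread, the corrected
     * form, and the token URI from the log. "1234" is a placeholder PIN. */
    const char *uris[] = {
        "pkcs11:object=SSH-key-acme?pin-value=1234;manufacturer=IBM?module-path=/usr/lib64/pkcs11/PKCS11_API.so",
        "pkcs11:object=SSH-key-acme;manufacturer=IBM?pin-value=1234&module-path=/usr/lib64/pkcs11/PKCS11_API.so",
        "pkcs11:token=CryptoServer%20Token0;object=SSH-key",
    };
    for (size_t i = 0; i < sizeof uris / sizeof uris[0]; i++) {
        struct pkcs11_uri u;
        if (!pkcs11_uri_parse(uris[i], &u)) { printf("invalid: %s\n", uris[i]); continue; }
        const char *mp = pkcs11_uri_get(&u, "module-path");
        printf("%d path attr(s), %d query attr(s), module-path=%s\n",
               u.npath, u.nquery, mp ? mp : "(missing)");
    }
    return 0;
}
```

Run stand-alone, the first (malformed) URI reports one query attribute and a missing `module-path`, the corrected URI reports two path and two query attributes with the module path present, and the log's token URI decodes to `CryptoServer Token0`.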