SmartCard-HSM EC keys with OpenSSH #803

Closed
RaymiiOrg opened this Issue Jun 18, 2016 · 3 comments

RaymiiOrg commented Jun 18, 2016

I want to use an EC key with OpenSSH. First I generate a key:

pkcs11-tool --module opensc-pkcs11.so --login --pin 648219 --keypairgen --key-type EC:secp256r1 --id 2 --label "SSH Key"

Then I get the pubkey:

pkcs15-tool --read-public-key 2 > eckey.pub
#cat eckey.pub:
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPDJy6vEmcsjUoRovCW8ZNifKUYev
XIEiSORGp1MLXXsY1OcaQohZfMYMZ//z7rVvfOBP6HXciEEo0PxoLoWtKw==
-----END PUBLIC KEY-----

Convert that to OpenSSH format:

ssh-keygen -i -m PKCS8 -f eckey.pub

Output:

ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDwycurxJnLI1KEaLwlvGTYnylGHr1yBIkjkRqdTC117GNTnGkKIWXzGDGf/8+61b3zgT+h13IhBKND8aC6FrSs=

Place that in the authorized_keys file on a modern (Ubuntu 16.04) machine. Try to SSH with the HSM and it fails:

$ ssh -o "PKCS11Provider opensc-pkcs11.so" root@server
C_GetAttributeValue failed: 18
no keys
root@server's password:

The regular way of getting an SSH key also doesn't work with an EC key:

$ pkcs15-tool --verbose --read-ssh-key 2
Using reader with a card: Nitrokey Nitrokey HSM (010000000000000000000000) 00 00
Connecting to card in reader Nitrokey Nitrokey HSM (010000000000000000000000) 00 00...
Using card driver SmartCard-HSM.
Trying to find a PKCS#15 compatible card...
Found SmartCard-HSM!
Reading ssh key with ID '2'

How do I use an EC key with OpenSSH?
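As an added example, not code from the issue and not OpenSC's or OpenSSH's own code: the conversion that `ssh-keygen -i -m PKCS8` performs above, written out in Python with only the standard library so the structure of both formats is visible. It parses the SubjectPublicKeyInfo DER that `pkcs15-tool --read-public-key` emits, checks the algorithm OID, maps the named-curve OID to the OpenSSH curve name and emits the RFC 5656 blob (key type, curve name, raw point). It goes slightly beyond the issue in accepting the three NIST curves that `ssh-keygen -t ecdsa` accepts (256, 384 and 521) and rejecting other curves, compressed points and non-EC keys with a clear error. The sample PEM is the one posted above; the function and constant names are my own.

```python
"""Added example: turn the PEM SubjectPublicKeyInfo that pkcs15-tool emits into
the OpenSSH 'ecdsa-sha2-nistpXXX' line that ssh-keygen -i -m PKCS8 prints, using
only the Python standard library (no OpenSSL, no cryptography package).
Assumption: the key uses a named NIST curve and an uncompressed point, which is
what the SmartCard-HSM and ssh-keygen produce."""
import base64
import struct

# DER value bytes of the curve OIDs -> OpenSSH curve identifier.
# These are the only curves ssh-keygen -t ecdsa accepts.
CURVES = {
    bytes.fromhex("2a8648ce3d030107"): "nistp256",  # 1.2.840.10045.3.1.7  secp256r1
    bytes.fromhex("2b81040022"):       "nistp384",  # 1.3.132.0.34         secp384r1
    bytes.fromhex("2b81040023"):       "nistp521",  # 1.3.132.0.35         secp521r1
}
FIELD_BYTES = {"nistp256": 32, "nistp384": 48, "nistp521": 66}
ID_EC_PUBLIC_KEY = bytes.fromhex("2a8648ce3d0201")  # 1.2.840.10045.2.1


def _der_tlv(buf, pos):
    """Read one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: 0x8N, then N length bytes
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("indefinite or oversized DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER value")
    return tag, value, pos + length


def _ssh_string(data):
    """RFC 4251 'string': 4-byte big-endian length prefix followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def spki_pem_to_openssh(pem, comment=""):
    """Return the authorized_keys line for an EC SubjectPublicKeyInfo PEM."""
    b64 = "".join(ln.strip() for ln in pem.strip().splitlines()
                  if not ln.startswith("-----"))
    der = base64.b64decode(b64)

    tag, spki, _ = _der_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectPublicKeyInfo must be a SEQUENCE")
    tag, alg, pos = _der_tlv(spki, 0)           # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    tag, alg_oid, p = _der_tlv(alg, 0)
    if tag != 0x06 or alg_oid != ID_EC_PUBLIC_KEY:
        raise ValueError("not an id-ecPublicKey key (RSA keys go through ssh-keygen as before)")
    tag, curve_oid, _ = _der_tlv(alg, p)        # namedCurve parameter
    if tag != 0x06:
        raise ValueError("only namedCurve parameters are supported")
    curve = CURVES.get(curve_oid)
    if curve is None:
        raise ValueError("curve OID %s is not one OpenSSH supports" % curve_oid.hex())

    tag, bits, _ = _der_tlv(spki, pos)          # subjectPublicKey BIT STRING
    if tag != 0x03 or not bits or bits[0] != 0:
        raise ValueError("subjectPublicKey must be a BIT STRING with 0 unused bits")
    point = bits[1:]
    if point[:1] != b"\x04" or len(point) != 1 + 2 * FIELD_BYTES[curve]:
        raise ValueError("expected an uncompressed point for " + curve)

    key_type = "ecdsa-sha2-" + curve
    # RFC 5656 wire format: string key_type, string curve name, string Q (raw point).
    blob = _ssh_string(key_type.encode()) + _ssh_string(curve.encode()) + _ssh_string(point)
    line = key_type + " " + base64.b64encode(blob).decode("ascii")
    return line + (" " + comment if comment else "")


# The public key posted in the issue (output of pkcs15-tool --read-public-key 2).
ISSUE_PEM = """-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEPDJy6vEmcsjUoRovCW8ZNifKUYev
XIEiSORGp1MLXXsY1OcaQohZfMYMZ//z7rVvfOBP6HXciEEo0PxoLoWtKw==
-----END PUBLIC KEY-----
"""

if __name__ == "__main__":
    print(spki_pem_to_openssh(ISSUE_PEM, "SSH Key"))
```

Run on the PEM above it prints exactly the `ecdsa-sha2-nistp256 AAAAE2Vj...` line shown after `ssh-keygen -i -m PKCS8`, so it can double as a sanity check of what a PKCS#11 tool hands you before the line goes into authorized_keys. It only solves the public-key side: the private key stays on the token, and whether `ssh -o PKCS11Provider` can then sign with it depends on OpenSSH's PKCS#11 code, which is what the replies below are about. One small practical point on the key-generation command: `pkcs11-tool --login` prompts for the PIN when `--pin` is left off, which keeps it out of the shell history.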

mouse07410 (Contributor) commented Jun 19, 2016

I tried the same with Yubikey NEO provisioned with ECC keys (on P256 curve), and faced the same problem, trying to extract public key in SSH format. Here's the log:
ec-ssh-pubkey.out.txt

Other ways to use SSH to read keys from the EC token also failed:

$ ssh-keygen -D /Library/OpenSC/lib/opensc-pkcs11.so -e
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
C_GetAttributeValue failed: 18
no keys
cannot read public key from pkcs11
$ pkcs15-tool -c
Using reader with a card: Yubico Yubikey NEO OTP+U2F+CCID
X.509 Certificate [Certificate for PIV Authentication]
    Object Flags   : [0x0]
    Authority      : no
    Path           :
    ID             : 01
    Encoded serial : 02 04 566476B2
X.509 Certificate [Certificate for Digital Signature]
    Object Flags   : [0x0]
    Authority      : no
    Path           :
    ID             : 02
    Encoded serial : 02 04 5664770C
X.509 Certificate [Certificate for Key Management]
    Object Flags   : [0x0]
    Authority      : no
    Path           :
    ID             : 03
    Encoded serial : 02 04 574A67C6
X.509 Certificate [Certificate for Card Authentication]
    Object Flags   : [0x0]
    Authority      : no
    Path           :
    ID             : 04
    Encoded serial : 02 04 5664786E
$
Jakuje (Contributor) commented Jun 20, 2016

Unfortunately OpenSSH PKCS#11 interface does not support ECC. There are several patches hanging around openssh bugzilla. Adding this support needs to refactor a lot of code and is probably not a priority for upstream developers. I personally want to have a look into this in next months.

So there is no issue with OpenSC. If you want to use SSH keys on smart card, RSA is your only hope, these days.


frankmorgner (Member) commented Jun 24, 2016

thanks for the clarification


popovec added a commit to popovec/OpenSC that referenced this issue Jan 5, 2018

pkcs15-tool: added support for reading NIST ssh keys
'pkcs15-tool --read-ssh-key' is now able to read NIST ECC keys from card.
Only 256, 384 and 521 field lengths are supported (same as allowed in
ssh-keygen -t ecdsa). Issue #803 is partially fixed by this patch.
Openssh PKCS11 interface patches for ECC are now available, please check
https://bugzilla.mindrot.org/show_bug.cgi?id=2474

frankmorgner added a commit that referenced this issue Jun 21, 2018

pkcs15-tool: added support for reading NIST ssh keys
'pkcs15-tool --read-ssh-key' is now able to read NIST ECC keys from card.
Only 256, 384 and 521 field lengths are supported (same as allowed in
ssh-keygen -t ecdsa). Issue #803 is partially fixed by this patch.
Openssh PKCS11 interface patches for ECC are now available, please check
https://bugzilla.mindrot.org/show_bug.cgi?id=2474