-
Notifications
You must be signed in to change notification settings - Fork 1.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Show key labels for PKCS#11 keys instead of library name #138
Conversation
Currently, ssh-agent uses the name of the PKCS#11 library as the key comment returned by ssh-add -l. This is a problem when you have a single smartcard that stores multiple private keys. This patch makes ssh-agent ask the PKCS#11 driver for the key label and uses that instead.
Uses the same PKCS#11 label interface exposed by the previous commit.
Suggest you go upstream with this patch. |
I don't think we want to add another member to sshkey for this. ssh-agent has a per-key comment field that just gets filled with the PKCS11 provider path at the moment. IMO that would be better to use. |
I considered that. (And, fwiw, the comment field is in fact where this eventually goes - see ssh-agent.c:616 in the change list.) The issue is how the label gets from the PKCS#11 library to ssh-agent, since the comment field is in a struct defined locally to ssh-agent.c. The call path is as follows: ssh-agent.c:process_add_smartcard_key(SocketEntry *) If we don't want to modify the sshkey struct, then the labels will have to exist in an array parallel to ***keysp. This means modifying the function signature of the four functions above to add a char ***labelsp parameter along with fixing every reference to those functions to add the extra NULL. And since pkcs11_fetch_keys() is only one of the functions that pkcs11_register_provider calls to assist with populating the ***keysp array, every other function - which I think is only pkcs11_fetch_certs() at present, though that might change - will also become responsible for maintaining and extending the ***labelsp array to stay parallel with ***keysp. It's certainly doable, and I actually started down that path before I discovered how many complications it would entail, and I judged that it would be less invasive, with fewer chances for regression, just to modify the sshkey struct. And, since sshkey has been modified to add new members in the past, most recently to add the private key shield functionality in post-8.0, I figured that maintaining strict ABI compatibility wasn't high on the priority list. That said, I'm not involved with the project, so I can't speak to what the priorities are. If you want, I'll rewrite this PR to do this without touching struct sshkey, but I wanted to let you know what would be involved there. |
I have similar patch including support for the PKCS#11 URIs which also improves the naming in the comments. More updated version is available in Fedora and in my github branch. Feel free to try and test it. |
@Jakuje I finally had a chance to test your branch - looks like we're working on slightly different problems here. The PKCS#11 URI support looks fantastic, but pkcs11: uris aren't a whole lot better for readability than simple file pathnames. Case in point, see what happens if you let @djmdjm Can I get some feedback on this? I'm certainly willing to make changes here but I'm curious how you'd address the issues I mentioned above. |
Thank you for the comment. This really depends on how your cards are enrolled and whether it has sensible labels (you can not always bet on that). The same way as library paths can work for someone with single key on the card and labels work for you, there might be others with different setup, where this would not be enough. Even though the PKCS#11 URIs are not that "nice", they are always unique so whenever you need to distinguish two keys on the card, it is trivial (unlike with just the paths to pkcs11 library, which is always the same). I agree here with @djmdjm that this should not go to the Whether the PKCS#11 URIS will ever get to upstream, I don't know. I already pushed for other PKCS#11 related fixes and features that are finally in and make the pkcs11 support usable, but this one is bigger and changes significantly more code paths, but I use it for few years in Fedora without issues. |
Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on openssh/openssh-portable#138 by Danielle Church
Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on openssh/openssh-portable#138 by Danielle Church feedback and ok markus@
Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on #138 by Danielle Church feedback and ok markus@ OpenBSD-Commit-ID: cae1fda10d9e10971dea29520916e27cfec7ca35
I just committed in 89a8d45 a version of this patch reworked as per my comment above, but also to use the X.509 subject as the key label for keys extracted from x.509 certificates on PKCS#11 tokens. |
Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on openssh/openssh-portable#138 by Danielle Church
Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on openssh/openssh-portable#138 by Danielle Church feedback and ok markus@
Extract the key label or X.509 subject string when PKCS#11 keys are retrieved from the token and plumb this through to places where it may be used as a comment. based on openssh/openssh-portable#138 by Danielle Church feedback and ok markus@
This is useful e.g. for Yubikeys, which can have many RSA keys defined. It extends the sshkey struct to add a *label member, which is filled by pkcs11_add_provider, and ssh-agent and ssh-keygen use that field.