ssh-add: Skip PKCS11 pin prompt with TEE identity #318

Open: varder wants to merge 1 commit into master
@varder varder commented May 11, 2022

TEE Identity-based authentication provides functionality to
log in without a pin but using a User or Group identity.
The feature is valuable for embedded devices where there is no
user interaction.

With the TEE Identity authentication, the pin should be empty.

The use case is:
CKTEEC_LOGIN_TYPE=user ssh-add -s /usr/lib/libckteec.so.0

For TEE Identity-based auth, the pin should be provided as an
empty string. But in the current implementation, if a pin
is empty the message structure will not be populated with
the pin (see sshbuf_put_string). As a result, the error:
"pin required". As a solution, add a new line character.

The details about the TEE Identity-based authentication:
OP-TEE/optee_os#4222

Signed-off-by: Valerii Chubar <valerii_chubar@epam.com>

Contributor

djmdjm commented May 27, 2022

A couple of comments - I think it would be better to control this using a command-line flag than an environment variable. There are at least other cases where users are likely to want to use PKCS#11-hosted keys without providing a PIN at ssh-add time:

  1. Devices that don't require a PIN at all (though I don't know whether/how PKCS#11 supports these generally)
  2. Devices that implement CKF_PROTECTED_AUTHENTICATION_PATH (e.g. ones that do not require a PIN or have on-device PIN entry)
  3. Deferring PIN entry to time of key use, with the user being prompted via ssh-askpass. We've done something similar recently for FIDO keys in 39d17e1 and IMO it makes sense to do the same for PKCS#11 keys.

So I think we could add a flag to ssh-add that suppresses the PIN prompt when adding PKCS#11 keys. However, this isn't likely to be enough to make TEE keys work, since the ssh-pkcs11.c code still requires a PIN for all devices that don't set the CKF_PROTECTED_AUTHENTICATION_PATH flag.

I think the correct solution is for the TEE PKCS#11 provider to set this flag; the specification seems to indicate that it is the correct way to implement keys that don't require PIN authentication.
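
The PIN handling that the token flags discussed in this thread imply, as an added example that is not code from this pull request or from OpenSSH. The flag values are the ones defined in the PKCS#11 specification; `decide_pin_action`, the `pin_action` enum and the sample tokens are hypothetical names and constructed data, and the `CKF_LOGIN_REQUIRED` check goes slightly beyond what the thread mentions.

```c
#include <stdio.h>

/* CK_TOKEN_INFO.flags bits, values as defined in the PKCS#11 specification. */
#define CKF_LOGIN_REQUIRED                0x00000004UL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL

/* Hypothetical names for this example, not OpenSSH identifiers. */
enum pin_action {
    PIN_NO_LOGIN,       /* token needs no login: do not call C_Login */
    PIN_LOGIN_NULL,     /* protected path: C_Login with pPin = NULL_PTR, no prompt */
    PIN_LOGIN_WITH_PIN, /* ordinary token: C_Login with the supplied PIN */
    PIN_MISSING         /* ordinary token and no PIN: refuse, "pin required" */
};

/* Decide PIN handling from the token's advertised flags and the PIN the
 * caller holds (NULL or "" both count as "no PIN"). */
enum pin_action decide_pin_action(unsigned long token_flags, const char *pin)
{
    if (!(token_flags & CKF_LOGIN_REQUIRED))
        return PIN_NO_LOGIN;
    if (token_flags & CKF_PROTECTED_AUTHENTICATION_PATH)
        return PIN_LOGIN_NULL;      /* any supplied PIN is ignored */
    if (pin == NULL || pin[0] == '\0')
        return PIN_MISSING;
    return PIN_LOGIN_WITH_PIN;
}

int main(void)
{
    /* Constructed sample tokens, not real device data. */
    static const struct { const char *label; unsigned long flags; const char *pin; } t[] = {
        { "no login required",         0UL, NULL },
        { "protected path, empty PIN", CKF_LOGIN_REQUIRED | CKF_PROTECTED_AUTHENTICATION_PATH, "" },
        { "PIN token, empty PIN",      CKF_LOGIN_REQUIRED, "" },
        { "PIN token, PIN supplied",   CKF_LOGIN_REQUIRED, "1234" },
    };
    static const char *const names[] = {
        "skip login", "login with NULL pin", "login with PIN", "error: pin required"
    };
    for (size_t i = 0; i < sizeof(t) / sizeof(t[0]); i++)
        printf("%-28s -> %s\n", t[i].label, names[decide_pin_action(t[i].flags, t[i].pin)]);
    return 0;
}
```

A provider that advertises the protected-path flag lets the caller skip the prompt from the token's own metadata, so no empty-string or newline sentinel has to travel in the PIN field.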
