Yubico Forum https://forum.yubico.com/
[SOLVED] Ubuntu SSH won't offer PIV key when connecting https://forum.yubico.com/viewtopic.php?f=26&t=2092
Author: hiviah [ Mon Nov 16, 2015 2:22 pm ]
Post subject: [SOLVED] Ubuntu SSH won't offer PIV key when connecting
I've encountered a strange bug when using SSH in Ubuntu 14.04: it won't offer the PIV key to the server even though it sees it. From ssh -v -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so host:

Code:
    OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
    debug1: Reading configuration data /home/XXXXXXX
    debug1: /home/XXXXXXX line 138: Applying options for host
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Hostname has changed; re-reading configuration
    debug1: Reading configuration data /home/XXXXX
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 19: Applying options for *
    debug1: Connecting to XXXXXXX [XXXXXXXX] port NNNN.
    debug1: Connection established.
    debug1: manufacturerID <OpenSC (www.opensc-project.org)> cryptokiVersion 2.20 libraryDescription <Smart card PKCS#11 API> libraryVersion 0.0
    debug1: label <PIV_II (PIV Card Holder pin)> manufacturerID <piv_II> model <PKCS#15 emulate> serial <00000000> flags 0x40d
    debug1: have 1 keys
    debug1: pkcs11_provider_unref: 0x7f0c65728510 refcount 2
    debug1: identity file /home/XXXXXXX type 1
    debug1: identity file /home/XXXXXXX type -1
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2.3
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
    debug1: match: OpenSSH_5.3 pat OpenSSH_5* compat 0x0c000000
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Server host key: RSA 2e:47:2d:9b:da:a6:eb:b3:7c:dd:89:32:7e:9f:14:18
    debug1: checking without port identifier
    debug1: Host 'XXXXXXXX' is known and matches the RSA host key.
    debug1: Found key in /home/XXXXXX
    debug1: found matching key w/out port
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Offering RSA public key: /home/XXXXXX
    debug1: Server accepts key: pkalg ssh-rsa blen 277
    debug1: Authentication succeeded (publickey).

The token is clearly recognized, and it sees there is one key present; nevertheless the server doesn't get it offered. I've also tried adding the PKCS#11 library via ssh-add, but to no avail. Another smartcard (Feitian ePass 2003) worked with the same ssh and PKCS#11 library. The PIV token works on another machine with Scientific Linux 6.7. I can't figure out what makes the difference.
Author: hiviah [ Wed Nov 18, 2015 2:14 pm ]
Post subject: Re: [QUESTION] Ubuntu SSH won't offer PIV key when connectin
So this is definitely an issue with Ubuntu's SSH. SSH+PIV works on Fedora 23 and Scientific Linux 6.7, and also works on Ubuntu when I compile SSH from source - I tried the latest OpenSSH 7.1p1 and it works. It seems that it's a regression in OpenSSH 6.6; using the vanilla version also does not work. Version 6.9 works again. However, it seems that you need to replace ssh-agent with the corresponding version to make PIN caching by ssh-agent work.
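As an added example that is not part of the thread: a small POSIX shell diagnostic for the symptom in the first post, which reads a saved `ssh -v -I <provider>` transcript and reports the OpenSSH version, whether the PKCS#11 provider loaded any keys, and whether one of them was actually offered to the server. It assumes the provider path from the post; the transcript and the verdict labels are constructed, and the check relies on OpenSSH naming a PKCS#11 identity by its provider path in the "Offering ... public key:" debug line.

```sh
#!/bin/sh
# Added diagnostic (not from the thread): read a saved transcript of
#   ssh -v -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so host
# and decide whether the PKCS#11 provider loaded keys and whether one was offered.
# Constructed sample transcript, abridged from the symptom in the first post (paths invented).
SAMPLE_LOG='OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: manufacturerID <OpenSC (www.opensc-project.org)> cryptokiVersion 2.20 libraryDescription <Smart card PKCS#11 API> libraryVersion 0.0
debug1: label <PIV_II (PIV Card Holder pin)> manufacturerID <piv_II> model <PKCS#15 emulate> serial <00000000> flags 0x40d
debug1: have 1 keys
debug1: identity file /home/user/.ssh/id_rsa type 1
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 277
debug1: Authentication succeeded (publickey).'
PROVIDER=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

# ssh_version LOG -> "major.minor" from the banner line, e.g. 6.6
ssh_version() {
    printf '%s\n' "$1" | sed -n '1s/^OpenSSH_\([0-9]*\.[0-9]*\).*/\1/p'
}

# provider_key_count LOG -> N from "debug1: have N keys", 0 when the provider never loaded
provider_key_count() {
    n=$(printf '%s\n' "$1" | sed -n 's/^debug1: have \([0-9]*\) keys$/\1/p' | head -n 1)
    echo "${n:-0}"
}

# offered_from_provider LOG PROVIDER -> number of "Offering ... public key:" lines naming the
# provider path (ssh labels a PKCS#11 identity with its provider path rather than a key file)
offered_from_provider() {
    printf '%s\n' "$1" | grep -c "^debug1: Offering .* public key: $2\$" || true
}

# diagnose LOG PROVIDER -> NO_PROVIDER_KEYS | PROVIDER_KEY_OFFERED | PROVIDER_KEY_NOT_OFFERED
diagnose() {
    keys=$(provider_key_count "$1")
    offered=$(offered_from_provider "$1" "$2")
    if [ "$keys" -eq 0 ]; then echo NO_PROVIDER_KEYS
    elif [ "$offered" -gt 0 ]; then echo PROVIDER_KEY_OFFERED
    else echo PROVIDER_KEY_NOT_OFFERED
    fi
}

# On the constructed transcript: the token is seen (1 key) but never offered, the symptom
# the second post traces to OpenSSH 6.6. Replace SAMPLE_LOG with `ssh -v -I "$PROVIDER" host 2>&1`.
printf 'OpenSSH %s: %s\n' "$(ssh_version "$SAMPLE_LOG")" "$(diagnose "$SAMPLE_LOG" "$PROVIDER")"
```

A transcript from a working build (the post reports 6.9 and 7.1p1) should yield PROVIDER_KEY_OFFERED; NO_PROVIDER_KEYS points at the provider or card rather than at ssh.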