Yubico Forum https://forum.yubico.com/
yubico-piv-tool, ECCP256 and ssh https://forum.yubico.com/viewtopic.php?f=26&t=1657
Author: evansguy [ Fri Dec 12, 2014 10:58 am ]
Post subject: yubico-piv-tool, ECCP256 and ssh
Hello, I've got my yubikey neo working with an RSA public/private key and ssh. However, I can't get it to work with the elliptic curve algorithm ECCP256. The steps that I've done:

Code:
yubico-piv-tool -s 9a -a generate -A ECCP256 -o public-ecc.pem
yubico-piv-tool -a verify-pin -P 123456 -a selfsign-certificate -s 9a -S "/CN=Guy Evans ECC key/" -i public-ecc.pem -o ecc-cert.pem
yubico-piv-tool -a import-certificate -s 9a -i ecc-cert.pem

Which all seem to run ok, however, when I run

Code:
ssh-keygen -D /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

I get the error C_GetAttributeValue failed: 18. I can use ssh-keygen to convert the public-ecc.pem file directly and copy that to authorized_keys. However, when I attempt to login with ssh -I /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so I get the same error. pkcs15-tool --list-public-keys shows the key. pkcs15-tool --read-public-key comes back with a "not implemented" error (but also does the same for an RSA key). pkcs15-tool --read-certificate correctly outputs the certificate that was imported.

Cheers
Guy
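The workaround mentioned above, converting public-ecc.pem straight into an authorized_keys line, is shown here as an added example that is not part of the thread or of yubico-piv-tool: it parses the P-256 SubjectPublicKeyInfo that `yubico-piv-tool -a generate -A ECCP256` writes, checks that the point actually lies on the curve, and emits the RFC 5656 `ecdsa-sha2-nistp256` wire format. The embedded sample key is constructed (it uses the P-256 base point so that it is a valid curve point); a real slot 9a key would differ.

```python
import base64
import struct

# Constructed sample: a P-256 SubjectPublicKeyInfo is a fixed 26-byte DER prefix
# (SEQUENCE, ecPublicKey OID, prime256v1 OID, BIT STRING header) followed by the
# 65-byte uncompressed point. The point used here is the P-256 base point G,
# chosen only so the sample is a valid curve point; a real key would differ.
P256_SPKI_PREFIX = bytes.fromhex(
    "3059301306072a8648ce3d020106082a8648ce3d030107034200")
SAMPLE_POINT = bytes.fromhex(
    "04" "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296"
         "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5")
SAMPLE_PEM = ("-----BEGIN PUBLIC KEY-----\n"
              + base64.encodebytes(P256_SPKI_PREFIX + SAMPLE_POINT).decode()
              + "-----END PUBLIC KEY-----\n")

# Curve parameters for the on-curve check: y^2 = x^3 - 3x + b (mod p)
P256_P = 2**256 - 2**224 + 2**192 + 2**96 - 1
P256_B = 0x5AC635D8AA3A93E7B3EBBD55769886BC651D06B0CC53B0F63BCE3C3E27D2604B


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def point_on_p256(point: bytes) -> bool:
    """Accept only an uncompressed (0x04) point that satisfies the curve equation."""
    if len(point) != 65 or point[0] != 0x04:
        return False
    x = int.from_bytes(point[1:33], "big")
    y = int.from_bytes(point[33:], "big")
    return (y * y - (x ** 3 - 3 * x + P256_B)) % P256_P == 0


def pem_to_authorized_key(pem: str, comment: str = "yubikey-piv-9a") -> str:
    """Turn an ECCP256 SubjectPublicKeyInfo PEM into an ecdsa-sha2-nistp256 line."""
    body = "".join(l for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(body)
    if not der.startswith(P256_SPKI_PREFIX) or len(der) != len(P256_SPKI_PREFIX) + 65:
        raise ValueError("not a P-256 SubjectPublicKeyInfo")
    point = der[len(P256_SPKI_PREFIX):]
    if not point_on_p256(point):
        raise ValueError("public point is not on P-256")
    # RFC 5656 public key blob: string "ecdsa-sha2-nistp256", string "nistp256", string Q
    blob = ssh_string(b"ecdsa-sha2-nistp256") + ssh_string(b"nistp256") + ssh_string(point)
    return "ecdsa-sha2-nistp256 %s %s" % (base64.b64encode(blob).decode(), comment)


if __name__ == "__main__":
    print(pem_to_authorized_key(SAMPLE_PEM))
```

The resulting line is what the server side needs; the client side still depends on the PKCS#11 provider exposing the key, which is the part the rest of this thread is about.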
Author: Tom2 [ Fri Dec 12, 2014 4:08 pm ]
Post subject: Re: yubico-piv-tool, ECCP256 and ssh
Hello, This may not be a complete answer, but the pkcs11 module doesn't support ECC. Could you double check?
Author: evansguy [ Fri Dec 12, 2014 7:17 pm ]
Post subject: Re: yubico-piv-tool, ECCP256 and ssh
How do I do that?
Author: evansguy [ Sun Dec 14, 2014 9:43 pm ]
Post subject: Re: yubico-piv-tool, ECCP256 and ssh
Ok, I've done some more experimenting. It seems that things are ok at the PKCS11 level as the following works:

Code:
pkcs11-tool --module /lib64/opensc-pkcs11.so --sign --slot 1 --id 02 -m ECDSA --input-file wombat --output-file wombat-signed

The problem looks like it's with openssh. The man page for ssh_config mentions that the PKCS11Provider reads RSA keys (no mention of ECC) and a quick scan of the source code at https://github.com/openssh/openssh-port ... h-pkcs11.c seems to confirm this.

Cheers
Guy
Author: zviratko [ Fri Mar 13, 2015 3:33 pm ]
Post subject: Re: yubico-piv-tool, ECCP256 and ssh
Hi, have you found out a solution to this? I'd love to use ECC keys, but without PKCS11 support it will not work. I looked around for the possibility of adding the support but couldn't find anything (and I'm not a developer).