
Comments (13)

z4yx commented on August 29, 2024
  • On the machine where the YubiKey is present, start ssh-agent with ssh-agent -d.
  • Set the environment variables as ssh-agent prints them.
  • Then add a PKCS#11 plugin as per the YubiKey user guide: ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
  • Now ssh to a remote machine and try sudo with pam_rssh.

ssh-agent should give messages like:

debug1: new_socket: type = SOCKET
debug2: fd 3 setting O_NONBLOCK
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 20
debug2: process_add_smartcard_key: entering
debug1: process_add_smartcard_key: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
debug1: pkcs11_start_helper: starting /usr/local/libexec/ssh-pkcs11-helper -vvv
debug1: process_add
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.19
debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <XXX> manufacturerID <piv_II> model <PKCS#15 emulate> serial <XXX> flags 0x40d
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: ECDSA SHA256:XXXXXXXXXXXX
debug1: have 1 keys
debug2: pkcs11_fetch_certs: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: ECDSA SHA256:XXXXXXXXXXXX
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55e773eb1e00 ptr 0x55e773f134e0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" refcount 2
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
debug1: process_sign
debug1: check ECDSA /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so CARD AUTH pubkey
debug1: pkcs11_check_obj_bool_attrib: provider "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so" slot 0 object 94452570984256: attrib 514 = 0
debug1: pkcs11_k11_free: parent 0x55e773eb1e00 ptr (nil) idx 1

from pam_rssh.

MaxwellDPS commented on August 29, 2024

Hmm, any ideas where to start? I'm running macOS with the brew version of OpenSSH. I don't see any other errors; I can have someone else with a Mac test tonight to see if this is unique. I'll update in a bit!

macOS: 13.4
SSH version:

OpenSSH_9.3p1, OpenSSL 1.1.1t  7 Feb 2023


z4yx commented on August 29, 2024

It seems that ssh-agent reported an error but doesn't give any detailed info. You may run ssh-agent with the -d option, then check if there is any useful information on that error.


MaxwellDPS commented on August 29, 2024

Hey @z4yx, I am having some issues on macOS getting ssh-agent to load the key when the agent is spawned with -d.

On the remote side, running with -d also gives no output.

Do you mind providing an example of how I should spawn the agent?

Thanks!


z4yx commented on August 29, 2024

Sorry, I didn't realize you are using ssh-agent with FIDO2. The steps I gave are for PIV.

Just ignore the "pkcs plugin" step.


MaxwellDPS commented on August 29, 2024

Hey @z4yx, thanks! Apologies for the delayed response... Looking at this, I think it's due to the interactive (touch) requirement set on the key.

Logs:

new_socket: type = CONNECTION
fd 4 is O_NONBLOCK
process_message: socket 1 (fd=4) type 27
process_extension: entering
process_ext_session_bind: entering
process_ext_session_bind: recorded ECDSA-CERT SHA256:vTYVqGtIPBZGO/R9uoeRo2N0TNVStFTQQ6jhb6WF82Y (slot 0 of 16)
process_message: socket 1 (fd=4) type 11
process_request_identities: entering
identity_permitted: entering: key ED25519-SK comment "", 1 socket bindings, 0 constraints
identity_permitted: entering: key ECDSA-CERT comment "", 1 socket bindings, 0 constraints
process_request_identities: replying with 2 allowed of 2 available keys
process_message: socket 1 (fd=4) type 13
process_sign_request2: entering
Confirm user presence for key ED25519-SK SHA256:uSJyeEuJ1TxI5uThrmBBhVe245aa05jn9UNR11j6kTk
start_helper: started pid=4018
ssh_msg_send: type 5
ssh_msg_recv entering
start_helper: starting /opt/homebrew/Cellar/openssh/9.3p1/libexec/ssh-sk-helper
process_sign: ready to sign with key ED25519-SK, provider internal: msg len 32, compat 0x0
sshsk_sign: provider "internal", key ED25519-SK, flags 0x25
sk_probe: 1 device(s) detected
sk_probe: selecting sk by touch
check_sk_options: option uv is unknown
ssh_sk_sign: check_sk_options uv
sshsk_sign: sk_sign failed with code -3
ssh-sk-helper: Signing failed: incorrect passphrase supplied to decrypt private key
main: reply len 8
ssh_msg_send: type 5
client_converse: helper returned error -43
reap_helper: pid=4018
process_sign_request2: sshkey_sign: incorrect passphrase supplied to decrypt private key
start_helper: started pid=4019
ssh_msg_send: type 5
ssh_msg_recv entering
start_helper: starting /opt/homebrew/Cellar/openssh/9.3p1/libexec/ssh-sk-helper
process_sign: ready to sign with key ED25519-SK, provider internal: msg len 32, compat 0x0
sshsk_sign: provider "internal", key ED25519-SK, flags 0x25
sk_probe: 1 device(s) detected
sk_probe: selecting sk by touch
check_sk_options: option uv is unknown
ssh_sk_sign: check_sk_options uv
sshsk_sign: sk_sign failed with code -3
ssh-sk-helper: Signing failed: incorrect passphrase supplied to decrypt private key
main: reply len 8
ssh_msg_send: type 5
client_converse: helper returned error -43
reap_helper: pid=4019
process_sign_request2: sshkey_sign: incorrect passphrase supplied to decrypt private key
process_sign_request2: sshkey_sign: incorrect passphrase supplied to decrypt private key
process_sign_request2: good signature


z4yx commented on August 29, 2024

Have you tested normal ssh login with this resident key? Or ssh with forwarded ssh-agent?
From this log, it seems like Yubikey refused to sign because of PIN or touch. Did you set the PIN of FIDO2?


MaxwellDPS commented on August 29, 2024

Yep! So ssh auth is good, and the PIN is set. I added a touch requirement to the resident key; it seems it's not waiting for that on sudo. Instead of a pause for the key to flash for touch, it just fails immediately.


z4yx commented on August 29, 2024

After reading the code, I found that ssh-agent fails to get the PIN from the user at this line:

https://github.com/openssh/openssh-portable/blob/2709809fd616a0991dc18e3a58dea10fb383c3f0/ssh-agent.c#L837

Then it calls sshkey_sign with pin=NULL. The log line 'sshsk_sign: provider "internal", key ED25519-SK, flags 0x25' confirms this. If the PIN is not NULL, it should print "with-pin" at the end.

https://github.com/openssh/openssh-portable/blob/2709809fd616a0991dc18e3a58dea10fb383c3f0/ssh-agent.c#L824

https://github.com/openssh/openssh-portable/blob/2709809fd616a0991dc18e3a58dea10fb383c3f0/ssh-sk.c#L646-L648

So I guess there is something wrong in your OS that prevents ssh-agent from showing the passphrase dialog.


z4yx commented on August 29, 2024

I don't have macOS to reproduce the problem. If you could build ssh-agent yourself, you may add some prints in the read_passphrase and find out which branch returns the empty string or NULL.
https://github.com/openssh/openssh-portable/blob/2709809fd616a0991dc18e3a58dea10fb383c3f0/readpass.c#L123


z4yx commented on August 29, 2024

@MaxwellDPS I've figured out that the key factor is an environment variable named SSH_ASKPASS. Set it to the path of the ssh-askpass program, which shows a passphrase input dialog. Then ssh-agent can work well with resident keys.

ssh-askpass can be installed with package managers on Linux distributions, but I don't know how to get it on macOS. Maybe this project can help: https://github.com/theseal/ssh-askpass


z4yx commented on August 29, 2024

Here is the log of a successful authentication:

debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug3: identity_permitted: entering: key ED25519-SK comment "", 0 socket bindings, 0 constraints
debug3: identity_permitted: entering: key ED25519-SK comment "", 0 socket bindings, 0 constraints
debug2: process_request_identities: replying with 2 allowed of 2 available keys
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
Confirm user presence for key ED25519-SK SHA256:2gKjOHfcuEzllcLfv+v2Fu8YgoAj9ym3aGBmYmjD0CE
debug3: start_helper: started pid=33040
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper 
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 32, compat 0x0
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x25
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: check_sk_options: option uv is unknown
debug1: ssh_sk_sign: check_sk_options uv
debug1: sshsk_sign: sk_sign failed with code -3
debug1: ssh-sk-helper: Signing failed: incorrect passphrase supplied to decrypt private key
debug1: main: reply len 8
debug3: ssh_msg_send: type 5
debug1: client_converse: helper returned error -43
debug3: reap_helper: pid=33040
debug1: process_sign_request2: sshkey_sign: incorrect passphrase supplied to decrypt private key
debug3: start_helper: started pid=33049
debug3: ssh_msg_send: type 5
debug3: ssh_msg_recv entering
debug1: start_helper: starting /usr/local/libexec/ssh-sk-helper 
debug1: process_sign: ready to sign with key ED25519-SK, provider internal: msg len 32, compat 0x0
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x25 with-pin
debug1: sk_probe: 1 device(s) detected
debug1: sk_probe: selecting sk by touch
debug1: main: reply len 111
debug3: ssh_msg_send: type 5
debug3: reap_helper: pid=33049
debug1: process_sign_request2: good signature

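The diagnosis z4yx gives above (a "flags 0x25" line without "with-pin" followed by "sk_sign failed with code -3" means ssh-agent passed pin=NULL, while the retry that prints "with-pin" and "good signature" is the working path) can be applied mechanically to any ssh-agent -d capture. The following Python triage script is an added example, not code from pam_rssh or OpenSSH; its two sample logs are constructed excerpts of the failing and successful logs quoted in this thread.

```python
import re

# Constructed excerpts of the two ssh-agent -d logs quoted in this thread: the
# attempt made with pin=NULL, and the retry after SSH_ASKPASS supplied a PIN.
FAILING_LOG = """\
debug1: process_sign_request2: entering
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x25
debug1: sk_probe: selecting sk by touch
debug1: sshsk_sign: sk_sign failed with code -3
debug1: client_converse: helper returned error -43
debug1: process_sign_request2: sshkey_sign: incorrect passphrase supplied to decrypt private key
"""
SUCCESS_LOG = FAILING_LOG + """\
debug1: sshsk_sign: provider "internal", key ED25519-SK, flags 0x25 with-pin
debug1: sk_probe: selecting sk by touch
debug1: main: reply len 111
debug1: process_sign_request2: good signature
"""

# "with-pin" is appended only when ssh-agent passed a non-NULL PIN to sshkey_sign.
SIGN_RE = re.compile(r'sshsk_sign: provider "[^"]+", key (?P<key>\S+), '
                     r'flags (?P<flags>0x[0-9a-fA-F]+)(?P<pin> with-pin)?')
FAIL_RE = re.compile(r"sk_sign failed with code (?P<code>-?\d+)")

def sign_attempts(log):
    """Return one dict per sshsk_sign attempt: key, with_pin, outcome."""
    attempts, current = [], None
    for line in log.splitlines():
        line = re.sub(r"^debug\d: ", "", line)  # drop the -d verbosity prefix
        if m := SIGN_RE.search(line):
            current = {"key": m["key"], "with_pin": bool(m["pin"]), "outcome": "pending"}
            attempts.append(current)
        elif current and (m := FAIL_RE.search(line)):
            current["outcome"] = f"failed ({m['code']})"  # -3: PIN required (sk-api.h)
        elif current and "process_sign_request2: good signature" in line:
            current["outcome"] = "signed"
    return attempts

def diagnose(log):
    """Map the last attempt to the hint a defender wants: ok, PIN missing, or other."""
    attempts = sign_attempts(log)
    if not attempts:
        return "no sk signing attempt found"
    last = attempts[-1]
    if last["outcome"] == "signed":
        return "ok: signature produced" + (" with PIN" if last["with_pin"] else "")
    if not last["with_pin"] and last["outcome"] == "failed (-3)":
        return "pin not supplied to sk_sign: ssh-agent could not prompt; set SSH_ASKPASS"
    return f"signing failed: {last['outcome']}"

if __name__ == "__main__":
    for name, log in (("failing", FAILING_LOG), ("success", SUCCESS_LOG)):
        print(name, "->", diagnose(log))
```

Feed it the full capture from ssh-agent -d (the debugN: prefixes are stripped, so the prefix-less log MaxwellDPS posted works too); a last attempt that fails with -3 and no "with-pin" points at the askpass setup rather than the key or the touch policy.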

MaxwellDPS commented on August 29, 2024

@z4yx Thank you for all the work you put in to get this resolved! Was able to get that working with ssh-askpass! Seems the plist is broken for 13.4, but I'll get that sorted!

