OpenSSH PKCS#11 interface does not support ECC.

Bug #1665695 reported by Evgeny Khorkin on 2017-02-17
This bug affects 4 people
Affects            Status    Importance  Assigned to  Milestone
portable OpenSSH   Unknown   Unknown
openssh (Ubuntu)             Wishlist    Unassigned

Bug Description

OpenSSH client doesn't support Elliptic Curve keys on a PKCS11 smartcard

ssh-keygen -v -D /usr/lib/libeTPkcs11.so
debug1: manufacturerID <SafeNet, Inc.> cryptokiVersion 2.20 libraryDescription <SafeNet eToken PKCS#11> libraryVersion 9.1
debug1: label <Evgeny Khorkin> manufacturerID <SafeNet, Inc.> model <eToken> serial <> flags 0x60d
C_GetAttributeValue failed: 18
debug1: X509_get_pubkey failed or no rsa
debug1: X509_get_pubkey failed or no rsa
debug1: X509_get_pubkey failed or no rsa
no keys
cannot read public key from pkcs11

pkcs11-tool --module /usr/lib/libeTPkcs11.so -O
...
Public Key Object; EC EC_POINT 256 bits
  EC_POINT: 04410474c5423bd0aa44b7825b3e79cd839e06736b18466b131d0884dbf8d946fbdc7f3297e73b998acf56550c303dc972a4dec51b9a3b746d3fe9fb4a44bd84b080fc
  EC_PARAMS: 06082a8648ce3d030107
  label: TestECCpair
  Usage: encrypt, verify, wrap

There is an upstream bug: https://bugzilla.mindrot.org/show_bug.cgi?id=2474
Suggested patch: https://bugzilla.mindrot.org/attachment.cgi?id=2728

release: Ubuntu 16.04.2 LTS
openssh version: 7.2p2-4ubuntu2.1
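The two attributes pkcs11-tool lists above are all an ECC-aware PKCS#11 consumer needs: EC_PARAMS is a DER OID naming the curve, and EC_POINT is a DER OCTET STRING wrapping an uncompressed SEC1 point. The following added example (not code from the report, from OpenSSH or from pkcs11-tool) decodes both, rejects a point that is not on P-256, and emits the ecdsa-sha2-nistp256 authorized_keys line that an ECC-aware ssh-keygen -D would print; the sample bytes are copied from the output above and the P-256 constants are the NIST ones.

```python
import base64
import struct
# Sample attributes, constructed from the pkcs11-tool output quoted in the report.
EC_PARAMS_DER = bytes.fromhex("06082a8648ce3d030107")
EC_POINT_DER = bytes.fromhex(
    "04410474c5423bd0aa44b7825b3e79cd839e06736b18466b131d0884dbf8d946fbdc7f"
    "3297e73b998acf56550c303dc972a4dec51b9a3b746d3fe9fb4a44bd84b080fc")
# NIST P-256 (y^2 = x^3 - 3x + b mod p), the only curve this sketch knows about.
P256_P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
P256_B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
CURVES = {"1.2.840.10045.3.1.7": ("nistp256", 32, P256_P, P256_B)}

def decode_oid(der):
    """Decode a DER OBJECT IDENTIFIER (tag 0x06) into dotted notation."""
    if der[0] != 0x06 or der[1] != len(der) - 2:
        raise ValueError("EC_PARAMS is not a single DER OID")
    body = der[2:]
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:  # base-128 arcs, high bit set on all but the last byte
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def decode_point(der, coord_len):
    """Unwrap the DER OCTET STRING (tag 0x04) holding an uncompressed SEC1 point."""
    if der[0] != 0x04 or der[1] != len(der) - 2:
        raise ValueError("EC_POINT is not a DER OCTET STRING")
    point = der[2:]
    if point[0] != 0x04 or len(point) != 1 + 2 * coord_len:
        raise ValueError("EC_POINT is not an uncompressed point of the expected size")
    return (point, int.from_bytes(point[1:1 + coord_len], "big"),
            int.from_bytes(point[1 + coord_len:], "big"))

def on_curve(x, y, p, b):  # reject garbage or off-curve coordinates before use
    return 0 <= x < p and 0 <= y < p and (y * y - (x * x * x - 3 * x + b)) % p == 0

def ssh_string(data):  # SSH wire 'string': 4-byte big-endian length + bytes
    return struct.pack(">I", len(data)) + data

def to_openssh_public_key(ec_params, ec_point):  # authorized_keys line for the key
    name, coord_len, p, b = CURVES[decode_oid(ec_params)]
    point, x, y = decode_point(ec_point, coord_len)
    if not on_curve(x, y, p, b):
        raise ValueError("EC_POINT is not on " + name)
    ktype = "ecdsa-sha2-" + name
    blob = ssh_string(ktype.encode()) + ssh_string(name.encode()) + ssh_string(point)
    return ktype + " " + base64.b64encode(blob).decode()
```

Running to_openssh_public_key(EC_PARAMS_DER, EC_POINT_DER) yields the line that could be placed in authorized_keys for the token's TestECCpair key.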

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed
Andy Sayler (andy.sayler) wrote :

Still present in Ubuntu 18.04.1. Updated upstream patch for 7.6p1 at https://bugzilla.mindrot.org/attachment.cgi?id=3107.

Andreas Hasenack (ahasenack) wrote :

I doubt the patch will be added to a linux distribution before it's applied upstream, since it's of a very security sensitive nature.

I linked the upstream bug report to this launchpad ticket, though, so we should get notice when it's closed there.

Changed in openssh (Ubuntu):
importance: Undecided → Wishlist
status: Confirmed → Triaged
Andy Sayler (andy.sayler) wrote :

Unfortunately, this bug has been open upstream for years, with no real indication of if or when it will ever be merged.

I applied the upstream patch to the current SSH releases for both Xenial and Bionic and pushed the updates to a PPA at https://launchpad.net/~andy.sayler/+archive/ubuntu/openssh-pkcs11-ecdsa. Hopefully the PPA will tide people over for now. This is similar to both homebrew and Fedora where the unmerged patch has been applied to the current builds and made available to users.

Hadmut Danisch (hadmut) wrote :

As mentioned in the upstream bug, they plan to add support in openssh 8.0.

But I guess 18.04 won't get the upgrade from openssh 7.x to 8.0.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:8.0p1-2

---------------
openssh (1:8.0p1-2) experimental; urgency=medium

  * Fix interop tests for recent regress changes.

 -- Colin Watson <email address hidden> Fri, 14 Jun 2019 14:32:12 +0100

Changed in openssh (Ubuntu):
status: Triaged → Fix Released