Feature #16909

Smartcard support for SSH client

Added by florian.uekermann 2019-07-24 13:56:52. Updated 2019-08-09 09:33:32.

Status:
New
Priority:
Normal
Assignee:
Category:
Target version:
Start date:
Due date:
% Done:

0%

Feature Branch:
Type of work:
Code
Blueprint:

Starter:
Affected tool:
Additional Software Packages
Deliverable for:

Description

Two small changes would enable smart card users to use their smartcard for ssh auth.

1. Installing the opensc package.
This would allow using ssh -I /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so xy@ and similar commands.

2. Add PKCS11Provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so to /etc/ssh/ssh_config
This allows using ssh xy@ or git clone/pull/push.

As an alternative to step 2, users can add the line to their ~/.ssh/config. But that obviously requires awareness and persistence to be convenient.
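The two steps above, turned into a small POSIX sh helper. This is an added example, not code from the ticket or from Tails: it derives the OpenSC module path from the Debian multiarch triplet (step 1), adds the PKCS11Provider directive to an ssh_config file exactly once without overriding a different directive that is already there (step 2), lists the keys the token exposes via ssh-keygen -D so the setup can be checked, and recognises the stderr notice ssh prints when PKCS11Provider is set but no token is inserted. The default triplet x86_64-linux-gnu and the throwaway file used in the demo are assumptions of this example; the caller chooses whether the target is ~/.ssh/config or /etc/ssh/ssh_config.

```shell
#!/bin/sh
# Added example for the two-step setup above; not code from the Tails ticket.
# Assumption: Debian-style multiarch paths, default triplet x86_64-linux-gnu.
# The caller passes the ssh_config to edit (~/.ssh/config or /etc/ssh/ssh_config).

# Step 1: locate the OpenSC PKCS#11 module shipped by the opensc package.
# Argument: optional multiarch triplet. Prints the module path.
opensc_provider_path() {
    triplet="${1:-x86_64-linux-gnu}"
    printf '/usr/lib/%s/pkcs11/opensc-pkcs11.so\n' "$triplet"
}

# Step 2: make sure "PKCS11Provider <module>" is present in an ssh_config file.
# Arguments: config file, module path.
# Returns 0 when the file ends up with the wanted directive (added now, or
# already there), 1 when a different PKCS11Provider directive already exists;
# that one is reported on stderr and left untouched rather than overridden.
ensure_pkcs11_provider() {
    config="$1"
    provider="$2"
    if [ ! -e "$config" ]; then
        (umask 077 && : > "$config")    # a new ~/.ssh/config must stay private
    fi
    # ssh_config keywords are case-insensitive, hence grep -i.
    existing=$(grep -i '^[[:space:]]*PKCS11Provider[[:space:]]' "$config" | head -n 1)
    case "$existing" in
        '')
            printf 'PKCS11Provider %s\n' "$provider" >> "$config"
            return 0 ;;
        *"$provider"*)
            return 0 ;;
        *)
            printf 'conflicting directive in %s: %s\n' "$config" "$existing" >&2
            return 1 ;;
    esac
}

# Number of PKCS11Provider directives in a file (0 when none); used to verify
# that re-running ensure_pkcs11_provider never duplicates the line.
count_pkcs11_directives() {
    grep -ic '^[[:space:]]*PKCS11Provider[[:space:]]' "$1" || true
}

# Check that the module loads and the token is seen: ssh-keygen -D asks the
# PKCS#11 module for its public keys, which are exactly what ssh will offer.
list_token_keys() {
    ssh-keygen -D "$1"
}

# With PKCS11Provider set and no token inserted, ssh writes one extra line to
# stderr while gathering identities. Recognise it so a wrapper can drop it
# while still surfacing real errors.
is_no_token_notice() {
    case "$1" in
        "pkcs11_initialize_provider: provider "*" returned no slots") return 0 ;;
        *) return 1 ;;
    esac
}

# Stand-alone demo on a throwaway file, so this runs without a token or ssh.
demo_cfg=$(mktemp)
module=$(opensc_provider_path)
ensure_pkcs11_provider "$demo_cfg" "$module"
ensure_pkcs11_provider "$demo_cfg" "$module"    # second run adds nothing
printf '%s now holds %s PKCS11Provider line(s):\n' "$demo_cfg" "$(count_pkcs11_directives "$demo_cfg")"
cat "$demo_cfg"
rm -f "$demo_cfg"
```

For the per-user variant from the description call `ensure_pkcs11_provider "$HOME/.ssh/config" "$(opensc_provider_path)"`; for the system-wide variant run the same against /etc/ssh/ssh_config as root. `list_token_keys "$(opensc_provider_path)"` then shows the keys ssh will offer with the token inserted. Putting the directive inside a `Host` block instead of at top level limits the token to those hosts, which avoids offering it to every server you connect to.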


History

#1 Updated by intrigeri 2019-08-04 08:02:01

Hi @florian.uekermann!

> Two small changes would enable smart card users to use their smartcard for ssh auth.

Just curious: what exact smartcard hardware do you have in mind?

> 1. Installing the opensc package.

These days, we tend not to include software in Tails when it’ll only be useful for a tiny subset of our users. Instead, we recommend using:

I believe opensc fits very well in this category.

> 2. Add PKCS11Provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so to /etc/ssh/ssh_config
> As an alternative to step 2, users can add the line to their ~/.ssh/config. But that obviously requires awareness and persistence to be convenient.

Right. Given we’re talking about advanced users here, I’m not too worried.

#2 Updated by florian.uekermann 2019-08-04 13:31:05

Hi @intrigeri

> Just curious: what exact smartcard hardware do you have in mind?
This should work with the most common smartcards. I have tested this using an OpenPGP card, but Yubikey, Gnuk and others will work as well.

> These days, we tend not to include software in Tails when it’ll only be useful for a tiny subset of our users.
Understandable. I think smartcards are particularly interesting to the users of Tails. This includes some less advanced users, since smartcards are the only way I am aware of that reliably protect the key in some scenarios (remote code-execution, rubber-hose, key logger…).
See Feature #5931 for an effort to make the same smartcards work with gpg; this would extend that support to ssh and other software that uses opensc for pkcs11.

#3 Updated by intrigeri 2019-08-06 12:57:01

  • Subject changed from smartcard support to Smartcard support for SSH client
  • Type of work changed from Sysadmin to Code

#4 Updated by intrigeri 2019-08-06 13:15:24

Hi!

>> Just curious: what exact smartcard hardware do you have in mind?
> This should work with the most common smartcards. I have tested this using an OpenPGP card, but Yubikey, Gnuk and others will work as well.

Thank you.

> I think smartcards are particularly interesting to the users of Tails. This includes some less advanced users, since smartcards are the only way I am aware of that reliably protect the key in some scenarios (remote code-execution, rubber-hose, key logger…).

Hardware tokens (aka. smartcards) indeed improve protection of the secret key material in such scenarios. One aspect that is too often overlooked, however, is that in the very same scenarios, most hardware tokens do not protect against usage of the key. In some attack scenarios, the adversary really wants the secret key material; but in other attack scenarios, being able to use the key is sufficient. I’m of course not saying that hardware tokens are useless. I just want us to be clear wrt. what problems they address and what problems they do not address, before we decide something here.

@florian.uekermann, implementation-wise, we use GNOME Keyring as our SSH agent:

  • Does it play nicely with the config you’ve recommended?
  • https://blog.josefsson.org/2019/06/21/openpgp-smartcard-under-gnome-on-debian-10-buster/ suggests that it does not play nicely with hardware tokens for SSH (that blog post recommends disabling GNOME Keyring’s SSH agent support and using GnuPG’s SSH agent functionality instead). But perhaps that’s only a problem when one wants to use an OpenPGP subkey for SSH authentication, or something?

#5 Updated by florian.uekermann 2019-08-06 14:14:34

@intrigeri
The blog post you mention describes a different setup, where the gpg-agent is configured to assume the role of an ssh agent.
I have used that approach in the past, but it is cumbersome to configure, fragile and did indeed require blacklisting the gnome keyring. I think these issues are not exclusive to smartcards, but a general problem with gnome keyring and the gpg-agent as ssh-agent.
Using opensc does not involve gpg.

I use this setup on several machines and distributions, and have not had any problems. I will confirm that the gnome agent is actually used on tails, when I am back home. That would be nice for convenience, to avoid repeatedly entering the PIN.

For completeness, a side effect of adding the PKCS11Provider option to the ssh config: if no smartcard is connected, ssh logs one more line to stderr when it attempts pubkey auth and is looking for keypairs:

pkcs11_initialize_provider: provider /usr/lib64/pkcs11/opensc-pkcs11.so returned no slots


The message is harmless and does not interfere with using file based key pairs or other authentication methods.

#6 Updated by florian.uekermann 2019-08-07 15:21:13

I checked. The behavior of ssh & ssh-add with and without the changes above is the same. The agent works fine for key files in both cases. Unfortunately ssh-add will fail when adding a smartcard key, but I couldn’t produce a regression.

Note: To my surprise, the ssh key decryption password prompt for key files is shown in the terminal (I expected a gui popup) in all cases.

#7 Updated by intrigeri 2019-08-09 09:33:32

> I checked. The behavior of ssh & ssh-add with and without the changes above is the same. The agent works fine for key files in both cases.

Nice!

> Unfortunately ssh-add will fail when adding a smartcard key

https://wikitech.wikimedia.org/wiki/Yubikey-SSH suggests that you’ve seen something like this:

SSH_AGENT_FAILURE
Could not add card: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

That article suggests it’s expected, as GNOME Keyring’s SSH agent did not support smartcards: https://bugzilla.gnome.org/show_bug.cgi?id=535373 and https://github.com/GNOME/gnome-keyring/blob/06422ea18cebfd6d4d554d01445eafb3d140d6b8/daemon/ssh-agent/gkd-ssh-agent-ops.c#L1415.

https://bugzilla.gnome.org/show_bug.cgi?id=775981 suggests that might be fixed in GNOME Keyring 3.28, so @florian.uekermann: please retry in Tails 4.0~beta1 :)

> Note: To my surprise, the ssh key decryption password prompt for key files is shown in the terminal (I expected a gui popup) in all cases.

I suspect that if ssh-add worked correctly, it would use the configured SSH agent (GNOME Keyring) to get the PIN, and the prompt would be graphical. But since ssh-add fails due to the aforementioned limitation in GNOME Keyring, PKCS11Provider can’t use the agent and asks the PIN itself.