
Filtering certificates from multiple tokens #410

Open
petrus-lt opened this issue Jan 19, 2022 · 2 comments

Comments

@petrus-lt

I have two hardware tokens (Thales/Safenet eToken 5110cc) that both contain certificates for various uses. They obviously use the same driver, libeToken.so (version 10.7.77). I have no issues using one of them either directly (with -I/PKCS11Provider) with ssh or ssh-agent.

However, I have to keep both tokens connected and I need to add only one specific certificate to ssh-agent. For test purposes both tokens use the same pin code, as with every try, if the pin codes are different, the token for which it is incorrect will increment the tentative counter, thus ending up locking it. If the two pin codes are different, the selection will be based on available certificates with that pin, so that kinda works until one of the two tokens is locked.

From what I've read, p11-kit seems to be the piece of software that was missing to glue various middlewares to 'consumer' software like ssh.

So, here are my two certificates:

    $ p11tool --list-all-certs
    pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo
    pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=ABCDEF1234567890;token=bar

From what I've read, this syntax should be correct:

    $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so 'pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto;serial=1234567890ABCDEF;token=foo'

Or even

    $ ssh-add -s /usr/lib/x86_64-linux-gnu/p11-kit-proxy.so pkcs11:serial=1234567890ABCDEF

(I'm using ssh-add through p11-kit-proxy.so for now as I've not been able to directly use the pkcs11 uri - not sure if that matters).

But the pkcs11 uri does not seem to be used and all certificates end up being added to ssh-agent:

    $ ssh-add -L
    ssh-rsa AAAAB3<snip> foo
    ssh-rsa AAAAC5<snip> bar

Is this because of the use of p11-kit-proxy, which doesn't seem to have filtering capabilities (#113)? Or something else I've missed? If there is another method than using p11-kit-proxy, I'm interested too; as said, using the pkcs11 uri directly fails (cannot open shared object file, no such file or directory).
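Added illustration, not part of this issue or of p11-kit's own code: the RFC 7512 attribute-matching rule that the reporter expects `ssh-add -s` to apply, run against the two token URIs printed by `p11tool` above. The token descriptors are constructed from that output; an attribute named in the URI must equal the token's value, and an attribute absent from the URI matches anything, so `pkcs11:serial=1234567890ABCDEF` selects only `foo`.

```python
from urllib.parse import unquote

# Constructed token descriptors, taken from the two URIs p11tool listed above.
TOKENS = [
    {"model": "ID Prime MD", "manufacturer": "Gemalto",
     "serial": "1234567890ABCDEF", "token": "foo"},
    {"model": "ID Prime MD", "manufacturer": "Gemalto",
     "serial": "ABCDEF1234567890", "token": "bar"},
]


def parse_pkcs11_uri(uri: str) -> dict:
    """Parse the path attributes of an RFC 7512 PKCS#11 URI into a dict.

    Query attributes after '?' (e.g. pin-value) are ignored here because
    they never take part in token matching. Values are percent-decoded,
    so 'ID%20Prime%20MD' becomes 'ID Prime MD'.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path = uri[len("pkcs11:"):].split("?", 1)[0]
    attrs = {}
    for part in filter(None, path.split(";")):
        name, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed attribute: {part!r}")
        if name in attrs:
            raise ValueError(f"duplicate attribute: {name}")
        attrs[name] = unquote(value)
    return attrs


def match_tokens(uri: str, tokens=TOKENS) -> list:
    """Return the tokens selected by the URI.

    Every attribute present in the URI must equal the token's attribute;
    attributes the URI does not mention match any value. An attribute the
    token does not carry at all can never match.
    """
    wanted = parse_pkcs11_uri(uri)
    return [t for t in tokens
            if all(t.get(name) == value for name, value in wanted.items())]


if __name__ == "__main__":
    for uri in ("pkcs11:serial=1234567890ABCDEF",
                "pkcs11:model=ID%20Prime%20MD;manufacturer=Gemalto"):
        print(uri, "->", [t["token"] for t in match_tokens(uri)])
```

A provider that honours the URI would hand ssh-agent only the keys of the selected token; adding both tokens' keys, as seen above, means the filter was never applied.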

@winner658
Contributor

I don't quite understand your purpose. Do you want to add the certificate to ssh-agent through pkcs uri?

@petrus-lt
Author

I don't quite understand your purpose. Do you want to add the certificate to ssh-agent through pkcs uri?

Yes. Or any way that can allow me to filter which certificate I want to add.
