
ssh-askpass missing with PKCS11 use #1921

Open
bpfoley45 opened this issue Mar 24, 2022 · 2 comments

Comments

@bpfoley45

"OpenSSH for Windows" version
8.9.1.0

Client OperatingSystem
Windows 10 Enterprise

What is failing
When leveraging certificate based authentication, I am unable to get a prompt when accessing the card. I believe this lies in the fact that there is no ssh-askpass as there is in Linux. In pathnames.h line 124 I see a reference to ssh-askpass with a Linux path, but no matching line for win32.

The certificate authentication works, and agent forwarding is functional but I would like to get a prompt when accessing the card for security purposes. If I use OpenSSH with Pageant and wsl-ssh-pageant (https://github.com/benpye/wsl-ssh-pageant) I can configure it to prompt (yes/no) on card access.

Expected output
Prompt for Smart Card use, either a yes/no prompt or PIN input.

step 1
ssh-add -c -s 'C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll'
Enter passphrase for PKCS#11: ********

step 2
ssh -A host.fqdn -l someuser

step 3
Some sort of dialogue box with focus prompting for card use (yes/no) or a PIN prompt, as ssh-askpass works on Linux.

Actual output
No dialogue box; forwarding of the cert works. I see the private key in the slot being accessed on my YubiKey by it blinking.

@ddrown

ddrown commented Jul 4, 2022

This is related to #1961, the agent does not support SSH2_AGENTC_ADD_ID_CONSTRAINED yet.
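As an added example (not code from this issue or from OpenSSH), the agent-protocol request that `ssh-add -c -s PROVIDER` produces, and the agent-side parse that has to recognise the confirm constraint before any prompt is possible. Message and constraint numbers are those of the OpenSSH agent protocol draft; the provider path is the one from the report and the PIN is a constructed sample. Message 26 is the PKCS#11 counterpart of the ADD_ID_CONSTRAINED request ddrown mentions.

```python
import struct

# Agent protocol numbers (OpenSSH authfd.h / draft-miller-ssh-agent).
SSH_AGENTC_ADD_SMARTCARD_KEY = 20
SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED = 26
SSH_AGENT_CONSTRAIN_LIFETIME = 1   # followed by uint32 seconds
SSH_AGENT_CONSTRAIN_CONFIRM = 2    # no payload: ask before each use


def _string(b: bytes) -> bytes:
    """SSH wire 'string': big-endian uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def build_add_smartcard_key(provider: str, pin: str,
                            confirm: bool = False, lifetime: int = 0) -> bytes:
    """Client side: what ssh-add -s sends; -c / -t switch to the constrained
    variant (26) and append the constraints after the PIN."""
    constraints = b""
    if lifetime:
        constraints += bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if confirm:
        constraints += bytes([SSH_AGENT_CONSTRAIN_CONFIRM])
    msg_type = (SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED if constraints
                else SSH_AGENTC_ADD_SMARTCARD_KEY)
    body = bytes([msg_type]) + _string(provider.encode()) + _string(pin.encode()) + constraints
    return struct.pack(">I", len(body)) + body


def parse_add_smartcard_key(msg: bytes) -> dict:
    """Agent side: decode provider and constraints. An unknown constraint
    must fail the request rather than silently add an unconstrained key."""
    (length,) = struct.unpack(">I", msg[:4])
    body = msg[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated agent message")
    msg_type, pos = body[0], 1
    if msg_type not in (SSH_AGENTC_ADD_SMARTCARD_KEY, SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED):
        raise ValueError(f"not an add-smartcard-key request: {msg_type}")

    def read_string() -> bytes:
        nonlocal pos
        (n,) = struct.unpack(">I", body[pos:pos + 4])
        pos += 4
        if pos + n > len(body):
            raise ValueError("string runs past end of message")
        s, pos = body[pos:pos + n], pos + n
        return s

    provider = read_string().decode()
    read_string()  # PIN: consumed here, deliberately not retained in the result
    confirm, lifetime = False, 0
    while msg_type == SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED and pos < len(body):
        ctype, pos = body[pos], pos + 1
        if ctype == SSH_AGENT_CONSTRAIN_LIFETIME:
            (lifetime,) = struct.unpack(">I", body[pos:pos + 4])
            pos += 4
        elif ctype == SSH_AGENT_CONSTRAIN_CONFIRM:
            confirm = True
        else:
            raise ValueError(f"unsupported constraint type {ctype}")
    return {"provider": provider, "confirm": confirm, "lifetime": lifetime}
```

An agent that only dispatches on message 20 never reaches the constraint loop, which is exactly the gap the reporter observes: the key is added and works, but nothing records that a confirmation was requested.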

@yan4321

yan4321 commented Jul 11, 2022

@bpfoley45, since you're using cert-based auth, where the cert is backed by a private key that is stored in a smartcard, a workaround (until ssh-askpass support is introduced) could be to use a smartcard that has support for touch keys such as a YubiKey (reference). With touch keys, your smartcard will enforce a physical touch before allowing any challenge-response against the key.
From a security standpoint, this is stronger than using a prompt on the client machine since the touch will be enforced by the smartcard's own hardware.
