Foxboron / ssh-tpm-agent

:computer: :key: ssh-agent for TPMs
MIT License

`error in libcrypto` if loaded key is replaced #56

Open dcousens opened 3 months ago

dcousens commented 3 months ago

When testing, I used ssh-tpm-keygen to replace an existing test.tpm that had already been loaded by my running ssh-tpm-agent:

$ ssh-tpm-agent -d
time=2024-07-13T00:54:01.989+10:00 level=INFO msg="Warning: ssh-tpm-agent is meant to run as a background daemon."
time=2024-07-13T00:54:01.989+10:00 level=INFO msg="Running multiple instances is likely to lead to conflicts."
time=2024-07-13T00:54:01.989+10:00 level=INFO msg="Consider using a systemd service."
time=2024-07-13T00:54:01.989+10:00 level=INFO msg="Listening on socket" path=/run/user/1000/ssh-tpm-agent.sock
time=2024-07-13T00:54:01.989+10:00 level=DEBUG msg="called loadkeys"
time=2024-07-13T00:54:01.989+10:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/daniel/.ssh/config
...
time=2024-07-13T00:54:01.990+10:00 level=DEBUG msg="added TPM key" name=/home/daniel/.ssh/test.tpm
...

Then, without restarting ssh-tpm-agent and with ssh-tpm-keygen having replaced test.tpm, running ssh ... shows the following error:

Load key "/home/daniel/.ssh/test.pub": error in libcrypto

The follow-up output for this interaction from ssh-tpm-agent -d is relatively minimal, with no indicative error:

time=2024-07-13T01:01:51.682+10:00 level=DEBUG msg="called extensions"
time=2024-07-13T01:01:51.682+10:00 level=DEBUG msg="called list"

Restarting ssh-tpm-agent resolves the problem.

Foxboron commented 3 months ago

Yep, this sounds like a bug :) Thanks!

Foxboron commented 3 months ago

I suspect this fixes your issue, but I haven't tested yet.

https://github.com/Foxboron/ssh-tpm-agent/commit/800e6c9232551995287c2d9ffc5c020d90c85bfb

dcousens commented 3 months ago

Doesn't appear to be resolved

# ssh-tpm-keygen -f test
#   and added test.pub to authorized keys

$ git rev-parse HEAD
54a466a8eec3b48b374e05908dfa11b112392c30

$ ./bin/ssh-tpm-agent -d
time=2024-07-14T10:16:44.485+10:00 level=INFO msg="Warning: ssh-tpm-agent is meant to run as a background daemon."
time=2024-07-14T10:16:44.485+10:00 level=INFO msg="Running multiple instances is likely to lead to conflicts."
time=2024-07-14T10:16:44.485+10:00 level=INFO msg="Consider using a systemd service."
time=2024-07-14T10:16:44.486+10:00 level=INFO msg="Listening on socket" path=/run/user/1000/ssh-tpm-agent.sock
time=2024-07-14T10:16:44.486+10:00 level=DEBUG msg="called loadkeys"
time=2024-07-14T10:16:44.486+10:00 level=DEBUG msg="skipping key: does not have .tpm suffix" name=/home/daniel/.ssh/config
# ...
time=2024-07-14T10:16:44.486+10:00 level=DEBUG msg="added TPM key" name=/home/daniel/.ssh/test.tpm
# ...

# ssh OK
time=2024-07-14T10:16:54.783+10:00 level=DEBUG msg="called extensions"
time=2024-07-14T10:16:54.784+10:00 level=DEBUG msg="called list"
time=2024-07-14T10:16:55.091+10:00 level=DEBUG msg="called signwithflags"

# ssh-tpm-keygen -f test
#   and added test.pub to authorized keys

# ssh ERROR
#   Load key "/home/daniel/.ssh/test.pub": error in libcrypto
time=2024-07-14T10:17:37.177+10:00 level=DEBUG msg="called extensions"
time=2024-07-14T10:17:37.177+10:00 level=DEBUG msg="called list"

PS: thank you for fixing f8a5360393a33c7b162cb323ad09ced5a9d0738f :yellow_heart:

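The sequence in both reproductions above (keygen, agent loads the key, keygen again over the same name without restarting the agent) comes down to the agent holding key material that no longer matches the test.pub on disk. The program below is an added example, not code from ssh-tpm-agent or its author, and it does not claim to explain the libcrypto error: it shows a check an agent-side cache could run before answering a list or sign request, comparing the OpenSSH SHA256 fingerprint of the key it actually holds against the fingerprint of the .pub file it was loaded from. The `LoadedKey` type, the `Stale` method and `Reproduce` are assumptions made for this example; software ed25519 keys stand in for the TPM-backed key so it runs offline, and the .pub line format, wire-blob framing and fingerprint encoding are the real OpenSSH ones.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"fmt"
	"os"
	"path/filepath"
	"strings"
)

// ed25519WireBlob encodes an ed25519 public key in the SSH wire format
// (RFC 4253 string framing): string("ssh-ed25519") || string(pubkey).
func ed25519WireBlob(pub ed25519.PublicKey) []byte {
	var b bytes.Buffer
	for _, field := range [][]byte{[]byte("ssh-ed25519"), []byte(pub)} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(field)))
		b.Write(n[:])
		b.Write(field)
	}
	return b.Bytes()
}

// Fingerprint returns the OpenSSH-style SHA256 fingerprint of a public key
// wire blob: "SHA256:" followed by the unpadded base64 of the SHA-256 digest.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return "SHA256:" + base64.RawStdEncoding.EncodeToString(sum[:])
}

// WritePub writes a one-line OpenSSH public key file ("ssh-ed25519 <blob> comment"),
// the same format ssh-keygen and ssh-tpm-keygen emit as <name>.pub.
func WritePub(path string, pub ed25519.PublicKey, comment string) error {
	line := "ssh-ed25519 " + base64.StdEncoding.EncodeToString(ed25519WireBlob(pub)) + " " + comment + "\n"
	return os.WriteFile(path, []byte(line), 0o644)
}

// ReadPubFingerprint parses a .pub file and returns the fingerprint of the key it names.
func ReadPubFingerprint(path string) (string, error) {
	data, err := os.ReadFile(path)
	if err != nil {
		return "", err
	}
	fields := strings.Fields(string(data))
	if len(fields) < 2 || fields[0] != "ssh-ed25519" {
		return "", fmt.Errorf("%s: not an ssh-ed25519 public key line", path)
	}
	blob, err := base64.StdEncoding.DecodeString(fields[1])
	if err != nil {
		return "", fmt.Errorf("%s: bad base64 in key blob: %w", path, err)
	}
	return Fingerprint(blob), nil
}

// LoadedKey is a hypothetical agent-side cache entry (an assumption for this example,
// not ssh-tpm-agent's own type): the .pub path the key was loaded from and the
// fingerprint of the key material the agent is actually holding.
type LoadedKey struct {
	PubPath     string
	Fingerprint string
}

// Stale reports whether the .pub on disk no longer matches the loaded key,
// i.e. the key files were regenerated underneath a running agent.
func (k LoadedKey) Stale() (bool, error) {
	onDisk, err := ReadPubFingerprint(k.PubPath)
	if err != nil {
		return false, err
	}
	return onDisk != k.Fingerprint, nil
}

// newKeyPub generates a software key (stand-in for the TPM key) and writes its .pub.
func newKeyPub(pubPath, comment string) (ed25519.PublicKey, error) {
	pub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return pub, WritePub(pubPath, pub, comment)
}

// Reproduce plays the issue's sequence in a temp dir and returns the staleness
// check result before and after the second keygen.
func Reproduce() (staleBefore, staleAfter bool, err error) {
	dir, err := os.MkdirTemp("", "stale-key-demo")
	if err != nil {
		return false, false, err
	}
	defer os.RemoveAll(dir)
	pubPath := filepath.Join(dir, "test.pub")

	pub1, err := newKeyPub(pubPath, "first") // "ssh-tpm-keygen -f test"
	if err != nil {
		return false, false, err
	}
	// Agent starts and loads the key, remembering the fingerprint of what it holds.
	loaded := LoadedKey{PubPath: pubPath, Fingerprint: Fingerprint(ed25519WireBlob(pub1))}
	if staleBefore, err = loaded.Stale(); err != nil {
		return false, false, err
	}
	if _, err = newKeyPub(pubPath, "second"); err != nil { // keygen again, agent still running
		return false, false, err
	}
	staleAfter, err = loaded.Stale()
	return staleBefore, staleAfter, err
}
```

`Reproduce` returns `false` for the freshly loaded key and `true` once test.pub has been rewritten; an agent that ran this check on each list request could log a clear "key file changed since load" message instead of the silent `called list` seen in the debug output, or drop and reload the entry, which is what restarting the agent achieves by hand.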
Foxboron commented 3 months ago

Can't reproduce with the details you have given so far.

dcousens commented 3 months ago

Interesting! I'll try and automate a reproduction when I can