Open omniproc opened 5 years ago
Can you see if this thread helps? https://github.com/PowerShell/Win32-OpenSSH/issues/307
You can only use PKCS11 libraries. There is no direct CAPI integration.
@NoMoreFood I'm not sure I understand the implications of that. So, for example with a Yubikey4 and supported SSH keys installed on it (PIV), how would I use that on Windows without using the CAPI interface?
Just download openSC and point to the pkcs11.dll (-I option of ssh command)? Because that's what I did and it doesn't work. I don't know much about the CAPI / PKCS11 architecture on Windows, just like most ppl. that have not written code for it I'd imagine. That's why I think an example / documentation would be a great help for many.
You're on the right track with openSC pkcs11.dll and the -I option. Just make sure you're using the most recent version of this SSH distribution because the PKCS library support wasn't added until just recently.
@NoMoreFood Tried what you said and you're right.
If using the GitHub release it seems to work. However: in my specific case it still fails. I guess that's because I'm using ecdsa-sha2-nistp384 instead of RSA keys. E.g.:

```
# Latest GitHub release
> .\ssh.exe -V
OpenSSH_for_Windows_8.0p1, LibreSSL 2.6.5
> .\ssh.exe example.com -l user -I "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"
Enter PIN for 'XXX':
skipping unsupported key type
failed to fetch key
unknown certificate key type
failed to fetch key
```
Not sure why this happens exactly since PuttyCAC works perfectly. Seems more like an issue on the OpenSC part.
However: especially because of the many different errors ppl. might see, it would make sense to have a "working example" and prerequisites documented.
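The checks below, as an added example that is not from any participant in this thread, are the pre-flight steps a practitioner would run before attempting `ssh -I`: confirm which ssh.exe and version is in use, confirm the PKCS#11 module exists and has the same bitness as ssh.exe (a 64-bit process cannot load a 32-bit DLL, which is a common silent failure), and enumerate the public keys the module exposes with `ssh-keygen -D` so that an ECDSA key can be spotted before the session fails with "skipping unsupported key type". The OpenSC module path is the one quoted in this thread; the PE-header bitness check and the key-type classification are this example's own assumptions, not documented behaviour of Win32-OpenSSH.

```powershell
# Added example, not from the thread: pre-flight checks for Win32-OpenSSH + PKCS#11.
param(
    # Default is the OpenSC path quoted in this issue; adjust for your install.
    [string]$Pkcs11Dll = "C:\Program Files\OpenSC Project\OpenSC\pkcs11\opensc-pkcs11.dll"
)

# Read the IMAGE_FILE_HEADER.Machine field from a PE file (0x8664 = x64, 0x14c = x86).
function Get-PeMachine([string]$Path) {
    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $peOffset = [BitConverter]::ToInt32($bytes, 0x3C)        # e_lfanew
    if ([BitConverter]::ToUInt32($bytes, $peOffset) -ne 0x4550) { throw "$Path is not a PE file" }
    return [BitConverter]::ToUInt16($bytes, $peOffset + 4)   # Machine follows the 'PE\0\0' signature
}

# 1. Which ssh.exe is actually on PATH, and which version (PKCS#11 support landed in the 8.x builds).
$ssh = Get-Command ssh.exe -ErrorAction Stop
Write-Host "ssh.exe : $($ssh.Source)"
Write-Host "version : $((& ssh.exe -V 2>&1) -join '')"

# 2. Module present and same bitness as ssh.exe (assumption: mismatch shows up as a failed load).
if (-not (Test-Path $Pkcs11Dll)) { throw "PKCS#11 module not found: $Pkcs11Dll" }
$sshMachine = Get-PeMachine $ssh.Source
$dllMachine = Get-PeMachine $Pkcs11Dll
if ($sshMachine -ne $dllMachine) {
    Write-Warning ("bitness mismatch: ssh.exe machine=0x{0:x}, module machine=0x{1:x}" -f $sshMachine, $dllMachine)
} else {
    Write-Host ("bitness : ok (machine=0x{0:x})" -f $sshMachine)
}

# 3. Enumerate keys the module exposes. ssh-keygen -D prints one authorized_keys-style
#    line per key; the first word is the key type. This needs no SSH server and no touch.
$lines = & ssh-keygen.exe -D $Pkcs11Dll 2>&1
foreach ($raw in $lines) {
    $line = [string]$raw
    $type = ($line -split ' ')[0]
    switch -Wildcard ($type) {
        'ssh-rsa'      { Write-Host "[ok]   RSA key exposed by module" }
        'ecdsa-sha2-*' { Write-Warning "ECDSA key ($type): reported as 'unsupported key type' by the Windows builds discussed in this issue" }
        'ssh-ed25519'  { Write-Host "[info] Ed25519 key exposed by module" }
        default        { Write-Host "[info] $line" }   # PIN prompts, OpenSC errors, etc.
    }
}
```

Run it from the same shell in which `ssh -I` fails so that `Get-Command ssh.exe` resolves the same binary; if step 3 lists only ECDSA keys and the build is one of the 8.0/8.1 releases named in this thread, the later "permission denied (publickey)" is explained before any PIN is entered.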
@m451 You are correct. It looks like ECC / PKCS11 support was only recently added in the upstream OpenSSH code and, at the very least, config.h will need to be modified to include it in the Windows build (e.g., defining HAVE_EC_KEY_METHOD_NEW). Maybe somebody can look into that.
I added ECC support to CAPI/PKCS to PuTTY CAC quite a while ago. That's an entirely different codebase and it did take me a bit to figure out how to interact properly with the ECDSA PKCS routines. Glad it's working well for you.
Just verified with version OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
and it still doesn't work. The key gets requested, I'm asked for my PIN, but at the stage where normally the YubiKey would ask to be touched (touch policy) nothing happens, resulting in PKCS11 not loading the cert and me getting a permission denied (publickey) returned by the server :-/
However I consider this still a rather uncommon setup. With FIDO / WebAuthn in the pipe I guess that will win in favor of PKCS11.
Were you able to solve your problem finally @omniproc? Because I have the same problem with ECC keys
@CaptAintHere
No, I didn't test since then. I switched to the highest supported RSA key, which works. As of the latest release of OpenSSH FIDO is supported, which you should consider switching to.
In case it helps, I wrote up some instructions (mostly for future me) for both Yubikey PIV+PKCS11 and Yubikey/Hello FIDO ssh auth here: https://gist.github.com/daemonhorn/a6af1b76457b2c10b8058d0a2c919bc3
As far as I glimpsed into the PKCS11 PR, PKCS11 should be supported by now. However I'm unable to actually use it. Currently I'm using PuttyCAC with a Smartcard, so the actual CAPI setup seems to work.
The help of `ssh` says to use `-I pkcs11`, where pkcs11 (probably?) is the path to the pkcs11 dll. I'm not sure if a compliant dll comes with the Windows installation or if additional tools like OpenSC need to be installed. In any case: I so far was unable to use the feature. Could you please document how to use the PKCS11 interface on Windows and provide a working example of how to use it with the CAPI and/or a smartcard?