Newer versions of OpenSSH expose the PKCS#11 key labels / subjects as
comments. This means we can no longer rely on the provider path to
recognize smartcard-originated keys. Without recognizing those, our
smartcard recovery logic is broken. Unfortunately there is no direct way
to do this with the OpenSSH ssh-agent.
With this patch we will track the smartcard keys loaded by us
(fingerprint as key) to know when we need to kick the recovery logic in.
This has been tested with SoftHSM 2.6.1 and OpenSC 0.19 + Nitrokey HSM with OpenSSH 8.9p1.
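Added illustration (not gnome-keyring code): the old provider-path check against `ssh-add -l` output versus a fingerprint set of the keys we loaded ourselves. The listing lines, provider path and fingerprints are constructed.

```python
import re
from typing import Dict, Iterable, Set

# Constructed `ssh-add -l` output for the same smartcard key. Older OpenSSH
# reports the PKCS#11 provider path as the comment; newer OpenSSH reports the
# PKCS#11 key label instead. Fingerprints are made up for this example.
PROVIDER = "/usr/lib/opensc-pkcs11.so"
CARD_FP = "SHA256:CARDKEYconstructed0000000000000000000000000"
FILE_FP = "SHA256:FILEKEYconstructed0000000000000000000000000"
OLD_LISTING = [
    f"3072 {CARD_FP} {PROVIDER} (RSA)",
    f"256 {FILE_FP} alice@laptop (ED25519)",
]
NEW_LISTING = [
    f"3072 {CARD_FP} PIV AUTH key (RSA)",
    f"256 {FILE_FP} alice@laptop (ED25519)",
]

_LINE = re.compile(r"^(\d+) (\S+) (.*) \((\S+)\)$")


def parse_listing(lines: Iterable[str]) -> Dict[str, str]:
    """Map fingerprint -> comment for each `ssh-add -l` style line."""
    keys: Dict[str, str] = {}
    for line in lines:
        m = _LINE.match(line)
        if m:
            keys[m.group(2)] = m.group(3)
    return keys


def smartcard_keys_by_comment(lines: Iterable[str], provider: str) -> Set[str]:
    """Old approach: treat a key as smartcard-originated if its comment is the provider path."""
    return {fp for fp, comment in parse_listing(lines).items() if comment == provider}


class SmartcardKeyTracker:
    """New approach: remember the fingerprints of the keys we loaded from the card."""

    def __init__(self) -> None:
        self._loaded: Set[str] = set()

    def record_loaded(self, fingerprint: str) -> None:
        self._loaded.add(fingerprint)

    def record_removed(self, fingerprint: str) -> None:
        self._loaded.discard(fingerprint)

    def needs_recovery(self, fingerprint: str) -> bool:
        """True when the key in question is one we loaded from the smartcard."""
        return fingerprint in self._loaded
```

With the new-style listing the comment check finds no smartcard key at all, while the tracker still identifies the card key by fingerprint.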
OpenSSH ssh-agent pkcs11 change related to this: https://github.com/openssh/openssh-portable/commit/89a8d4525e8edd9958ed3df60cf683551142eae0