buptczq / WinCryptSSHAgent

Using a Yubikey for SSH Authentication on Windows Seamlessly
Apache License 2.0

The smart card cannot perform the requested operation or the operation requires a different smart card #65

Open dniasoff opened 2 years ago

dniasoff commented 2 years ago

This is probably similar to https://github.com/buptczq/WinCryptSSHAgent/issues/12

But when I try to login, I typically have to click ok on a few popups containing the above message before WinCryptSSHAgent will present the correct key.

I keep deleting the invalid certs from my user certificate store but they magically reappear???


dniasoff commented 2 years ago

Incredible software by the way. I have struggled over the years with windows, ssh-agent and wsl and this is the first solution that JUST WORKS!!!!

DKhalil commented 2 years ago

Yeah, I have the same issue here (and the same compliments as @dniasoff )

GottZ commented 2 years ago

do you also get this when executing certutil.exe -scinfo? I do.

Judging from your screenshot you are on windows 11 as well as me.


dniasoff commented 2 years ago

Sorry for the delay in responding.

I am trying to reproduce the issue but so far I haven't been able to.

Not using SSH much right now. Beforehand this issue bothered me 10 times a day.

On Fri, 21 Jan 2022 at 19:14, Jan-Stefan Janetzky @.***> wrote:

do you also get this when executing certutil.exe -scinfo?


dniasoff commented 2 years ago

For some reason, the issue hasn't happened the last couple of days

But this is what I see when I run the above command

The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@

=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Microsoft Base Smart Card Crypto Provider: Missing stored keyset

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = c5cebbe6-d351-5d07-1043-66af425fc105
Serial Number: 69cf2c183e230992349829ee7ecf97106f8403b9
Issuer: @._desktop
 NotBefore: 07/11/2021 15:00
 NotAfter: 20/10/2023 15:00
Subject: @._desktop
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): cea5b5882977a03c3e44a86ff420b1edac59c118

Performing  public key matching test...
Public key matching test succeeded
  Key Container = c5cebbe6-d351-5d07-1043-66af425fc105
  Provider = Microsoft Smart Card Key Storage Provider
  ProviderType = 0
  Flags = 1
    0x1 (1)
  KeySpec = 0 -- XCN_AT_NONE
Private key verifies
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(ECC:CNG) test skipped

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x20
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: @._desktop
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: @._desktop
  Serial: 69cf2c183e230992349829ee7ecf97106f8403b9
  Cert: cea5b5882977a03c3e44a86ff420b1edac59c118
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Exclude leaf cert:
  Chain: da39a3ee5e6b4b0d3255bfef95601890afd80709
Full chain:
  Chain: cea5b5882977a03c3e44a86ff420b1edac59c118
  Issuer: @._desktop
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: @._desktop
  Serial: 69cf2c183e230992349829ee7ecf97106f8403b9
  Cert: cea5b5882977a03c3e44a86ff420b1edac59c118
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
Verifies against UNTRUSTED root
Displayed  cert for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

Thanks

Daniel


dniasoff commented 2 years ago

This is my output from the above command

C:\Users\daniel>certutil.exe -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Yubico YubiKey OTP+FIDO+CCID 0
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
---   Card: YubiKey Smart Card
---    ATR:
        3b fd 13 00 00 81 31 fe  15 80 73 c0 21 c0 57 59   ;.....1...s.!.WY
        75 62 69 4b 65 79 40                               ubiKey@

=======================================================
Analyzing card in reader: Yubico YubiKey OTP+FIDO+CCID 0
Microsoft Base Smart Card Crypto Provider: Missing stored keyset

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Yubico YubiKey OTP+FIDO+CCID 0
---   Card: YubiKey Smart Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = XXXXXXXXXXXXXXXXXXXXX
Serial Number: XXXXXXXXXXXXXXXXXXXXX
Issuer:  XXXXXXXXXXXXXXXXXXXXX
 NotBefore: 07/11/2021 15:00
 NotAfter: 20/10/2023 15:00
Subject: XXXXXXXXXXXXXXXXXXXXX
Signature matches Public Key
Root Certificate: Subject matches Issuer
Cert Hash(sha1): XXXXXXXXXXXXXXXXXXXXX

Performing  public key matching test...
Public key matching test succeeded
  Key Container = XXXXXXXXXXXXXXXXXXXXX
  Provider = Microsoft Smart Card Key Storage Provider
  ProviderType = 0
  Flags = 1
    0x1 (1)
  KeySpec = 0 -- XCN_AT_NONE
Private key verifies
Microsoft Smart Card Key Storage Provider: KeySpec=0
AES256+RSAES_OAEP(ECC:CNG) test skipped

Performing cert chain verification...
CertGetCertificateChain(dwErrorStatus) = 0x20
Chain on smart card is invalid
dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

CertContext[0][0]: dwInfoStatus=10c dwErrorStatus=20
  Issuer: XXXXXXXXXXXXXXXXXXXXX
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: XXXXXXXXXXXXXXXXXXXXX
  Serial: XXXXXXXXXXXXXXXXXXXXX
  Cert: XXXXXXXXXXXXXXXXXXXXX
  Element.dwInfoStatus = CERT_TRUST_HAS_NAME_MATCH_ISSUER (0x4)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_IS_UNTRUSTED_ROOT (0x20)

Exclude leaf cert:
  Chain: XXXXXXXXXXXXXXXXXXXXX
Full chain:
  Chain: XXXXXXXXXXXXXXXXXXXXX
  Issuer: XXXXXXXXXXXXXXXXXXXXX
  NotBefore: 07/11/2021 15:00
  NotAfter: 20/10/2023 15:00
  Subject: XXXXXXXXXXXXXXXXXXXXX
  Serial: XXXXXXXXXXXXXXXXXXXXX
  Cert: XXXXXXXXXXXXXXXXXXXXX
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487 CERT_E_UNTRUSTEDROOT)
------------------------------------
Verifies against UNTRUSTED root
Displayed  cert for reader: Yubico YubiKey OTP+FIDO+CCID 0

--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

And I am getting the issue a lot now. The command pops up a prompt to view the certificate like below, and that's when I get the error: CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET) CertUtil: Keyset does not exist

dniasoff commented 2 years ago

Getting it every time I use it and would love a fix pleeeeeease

This is what I see on certinfo: [screenshot]

GottZ commented 2 years ago

Yep. Annoying. I've moved to using a normal cert with a classic passphrase until this issue is resolved. My YubiKey works fine on Linux using this method.

dniasoff commented 2 years ago

@buptczq Any chance you can address this? It is getting to be a real pain. Perhaps some way of selecting the card to present to Windows instead of allowing it to see all certs/cards? I would really appreciate it, and it would improve my efficiency and quality of life dramatically.

Happy to help in any way I can, but I don't write in Go currently.

michaelfm commented 2 years ago

I have the same issue and would also appreciate a creative solution. Would unloading certain keys be an option? WinSCP won't connect with more than one certificate available. Unfortunately it checks the incorrect ones first and stops connecting.

dniasoff commented 2 years ago

I have found a workaround for my problem. Certificates are created when you RDP into a machine so that you can use a smart card over RDP remotely, and when you disconnect, the certificate remains in the user's Personal store, which confuses WinCrypt. Removing that certificate manually prevents the pop-up.

Also, Windows Hello for Business supports smart-card enumeration, which also confuses WinCrypt. Disabling Windows Hello smart-card enumeration should resolve this:

Computer Configuration/Administrative Templates/Windows Components/Windows Hello for Business.

I found that in one case that wasn't enough and I also had to remove the specific cert from the user's Personal store (later on the cert disappeared, so it might just take time).
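The manual step in the workaround above (finding the stray certificate in the user's Personal store and removing it) can be made repeatable with a small PowerShell script. The following is an added example for this thread; it is not part of WinCryptSSHAgent and was not posted by anyone in the issue. It lists every certificate in Cert:\CurrentUser\My so the stray one can be told apart from the YubiKey PIV certificate, and it deletes only thumbprints passed explicitly on the command line. The default value of -KeepSubjectPattern ('CN=YubiKey') is an assumption; set it to something that matches your own PIV certificate's subject so that certificate is never selected for removal.

```powershell
# Added example, not the project's code. Triage and clean-up of the current
# user's Personal certificate store, which is where the RDP-created stray
# certificate from the workaround above ends up.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Assumption: a regex that matches the subject of the PIV certificate you
    # actually use for SSH. Anything matching it is never removed.
    [string]$KeepSubjectPattern = 'CN=YubiKey',
    # Thumbprints you have decided to delete after reviewing the listing.
    [string[]]$RemoveThumbprint = @()
)

function Get-PersonalStoreSummary {
    # One row per certificate: enough to tell the real PIV cert from a stray one.
    # The certutil dump earlier in the thread showed a self-signed cert, so that
    # property is surfaced explicitly.
    Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
        [pscustomobject]@{
            Thumbprint    = $_.Thumbprint
            Subject       = $_.Subject
            Issuer        = $_.Issuer
            NotAfter      = $_.NotAfter
            SelfSigned    = ($_.Subject -eq $_.Issuer)
            HasPrivateKey = $_.HasPrivateKey
            Keep          = ($_.Subject -match $KeepSubjectPattern)
        }
    }
}

# 1. Show what is in the store so the stray certificate can be identified.
Get-PersonalStoreSummary | Sort-Object Keep -Descending | Format-Table -AutoSize

# 2. Remove only the thumbprints named on the command line, never a "Keep" one.
#    Run with -WhatIf first; Remove-Item honours it via SupportsShouldProcess.
#    The private key container is deliberately left alone (no -DeleteKey): for a
#    smart-card KSP key the container only references the card, and for an RDP
#    redirection cert the key is not needed once the certificate is gone.
foreach ($tp in $RemoveThumbprint) {
    $cert = Get-ChildItem -Path Cert:\CurrentUser\My | Where-Object { $_.Thumbprint -eq $tp }
    if (-not $cert) {
        Write-Warning "No certificate with thumbprint $tp in CurrentUser\My"
        continue
    }
    if ($cert.Subject -match $KeepSubjectPattern) {
        Write-Warning "Refusing to remove $tp because its subject matches the keep pattern"
        continue
    }
    if ($PSCmdlet.ShouldProcess($cert.Subject, "Remove certificate $tp")) {
        Remove-Item -Path $cert.PSPath
    }
}
```

Run it once with no arguments to get the listing, then again as `.\Clean-PersonalStore.ps1 -RemoveThumbprint <thumbprint> -WhatIf` (script name assumed) to see what would be deleted before dropping `-WhatIf`. Because the thread reports the stray certificate reappearing after each RDP session, re-running the listing after a disconnect is the quickest way to confirm whether it has come back.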