kryptco / kr

DEPRECATED A dev tool for SSH auth + Git commit/tag signing using a key stored in Krypton.
https://krypt.co/developers/

Since macOS 10.15.4 I'm asked for PIN on every action #301

Closed n1ko-w1ll closed 4 years ago

n1ko-w1ll commented 4 years ago

Hi,

tonight my MacBook was installing macOS 10.15.4 and since then I'm asked "Enter PIN for 'Kryptonite iOS':" on every action that involves my SSH key. As a workaround I had to uncomment the Kryptonite-relevant lines in my SSH config.

Is this something you can fix or is the issue macOS related?

agrinman commented 4 years ago

Where are you asked to enter a pin? I haven't seen this before...

n1ko-w1ll commented 4 years ago

As I wrote, on every action that involves SSH. For me it was git pull in the Terminal app or in my IDE (IntelliJ).

agrinman commented 4 years ago

Can you share the output of ssh -vvv me.krypt.co?

n1ko-w1ll commented 4 years ago

Here we go:

⇒  ssh -vvv me.krypt.co
OpenSSH_8.1p1, LibreSSL 2.7.3
debug1: Reading configuration data /Users/niko/.ssh/config
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug1: /Users/niko/.ssh/config line 36: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 47: Applying options for *
debug1: Executing proxy command: exec /usr/local/bin/krssh me.krypt.co 22
Enter PIN for 'Kryptonite iOS':
debug1: pkcs11_provider_unref: 0x7f8c17104540 refcount 1
debug1: pkcs11_add_provider: provider /usr/local/lib/kr-pkcs11.so returned no keys
debug1: identity file /Users/niko/.ssh/id_krypton type 0
debug1: identity file /Users/niko/.ssh/id_krypton-cert type -1
debug1: identity file /Users/niko/.ssh/id_ed25519 type -1
debug1: identity file /Users/niko/.ssh/id_ed25519-cert type -1
debug1: identity file /Users/niko/.ssh/id_rsa type 0
debug1: identity file /Users/niko/.ssh/id_rsa-cert type -1
debug1: identity file /Users/niko/.ssh/id_ecdsa type -1
debug1: identity file /Users/niko/.ssh/id_ecdsa-cert type -1
debug1: identity file /Users/niko/.ssh/id_dsa type -1
debug1: identity file /Users/niko/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: Remote protocol version 2.0, remote software version Go
debug1: no match: Go
debug2: fd 5 setting O_NONBLOCK
debug2: fd 4 setting O_NONBLOCK
debug1: Authenticating to me.krypt.co:22 as 'niko'
debug3: hostkeys_foreach: reading file "/Users/niko/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/niko/.ssh/known_hosts:21
debug3: load_hostkeys: loaded 1 keys from me.krypt.co
debug3: order_hostkeyalgs: prefer hostkeyalgs: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug3: send packet: type 20
debug1: SSH2_MSG_KEXINIT sent
debug3: receive packet: type 20
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: rsa-sha2-512-cert-v01@openssh.com,rsa-sha2-256-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug2: ciphers ctos: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128
debug2: ciphers stoc: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,arcfour256,arcfour128
debug2: MACs ctos: hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: MACs stoc: hmac-sha2-256,hmac-sha1,hmac-sha1-96
debug2: compression ctos: none
debug2: compression stoc: none
debug2: languages ctos:
debug2: languages stoc:
debug2: first_kex_follows 0
debug2: reserved 0
debug1: kex: algorithm: curve25519-sha256@libssh.org
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha2-256 compression: none
debug3: send packet: type 30
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug3: receive packet: type 31
debug1: Server host key: ssh-rsa SHA256:ph+SSJkpL7S2bcP6x8kmQNHL3TxFWfIc8+w8cvudCtE
debug3: hostkeys_foreach: reading file "/Users/niko/.ssh/known_hosts"
debug3: record_hostkey: found key type RSA in file /Users/niko/.ssh/known_hosts:21
debug3: load_hostkeys: loaded 1 keys from me.krypt.co
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that a host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
SHA256:ph+SSJkpL7S2bcP6x8kmQNHL3TxFWfIc8+w8cvudCtE.
Please contact your system administrator.
Add correct host key in /Users/niko/.ssh/known_hosts to get rid of this message.
Offending RSA key in /Users/niko/.ssh/known_hosts:21
RSA host key for me.krypt.co has changed and you have requested strict checking.
Host key verification failed.

agrinman commented 4 years ago

Thanks. Can you share your ~/.ssh/config file? (Krypton relevant lines only)

n1ko-w1ll commented 4 years ago

Sure:

# Added by Krypton
Host *
    PKCS11Provider /usr/local/lib/kr-pkcs11.so
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
    IdentityFile ~/.ssh/id_ed25519
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_ecdsa
    IdentityFile ~/.ssh/id_dsa

agrinman commented 4 years ago

Yep, try removing that first PKCS11 line and giving it another go
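
As an added example (not code from the kr project or from this thread), a small Python check that parses an ssh_config the way OpenSSH applies Host blocks, reports which PKCS11Provider line would take effect for a given host, and produces the config with that line removed, which is the fix agrinman suggests. The sample config is constructed from the stanza n1ko-w1ll posted; Match blocks are parsed but never applied, which is a simplification.

```python
import re

# Constructed sample modelled on the "Host *" stanza the reporter posted (Krypton added it).
SAMPLE_CONFIG = """\
# Added by Krypton
Host *
    PKCS11Provider /usr/local/lib/kr-pkcs11.so
    ProxyCommand /usr/local/bin/krssh %h %p
    IdentityFile ~/.ssh/id_krypton
"""

def parse_blocks(text):
    """Split ssh_config text into (Host patterns, [(line, key, value)]) blocks.
    Directives before any Host line form an implicit "Host *"; Match blocks get no patterns."""
    blocks = [(["*"], [])]
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # ssh treats only whole-line '#' as a comment
            continue
        key, value = re.match(r"([^\s=]+)\s*=?\s*(.*)", line).groups()
        if key.lower() in ("host", "match"):    # Match criteria are not evaluated here
            blocks.append((value.split() if key.lower() == "host" else [], []))
        else:
            blocks[-1][1].append((no, key, value))
    return blocks

def host_matches(hostname, patterns):
    """OpenSSH Host semantics: '*'/'?' wildcards, case-insensitive, a matching '!pat' vetoes."""
    def hit(pat):
        rx = re.escape(pat).replace(r"\*", ".*").replace(r"\?", ".")
        return re.fullmatch(rx, hostname, re.IGNORECASE) is not None
    if any(hit(p[1:]) for p in patterns if p.startswith("!")):
        return False
    return any(hit(p) for p in patterns if not p.startswith("!"))

def effective_pkcs11(text, hostname):
    """(value, line, Host patterns) of the PKCS11Provider ssh would use for hostname, else None.
    ssh keeps the first value obtained for a keyword, so the earliest matching block wins."""
    for patterns, directives in parse_blocks(text):
        if host_matches(hostname, patterns):
            for no, key, value in directives:
                if key.lower() == "pkcs11provider":
                    return value, no, patterns
    return None

def strip_pkcs11(text):
    """The fix from the thread: drop every PKCS11Provider line and keep everything else."""
    return "".join(l for l in text.splitlines(keepends=True)
                   if not re.match(r"\s*pkcs11provider\b", l, re.IGNORECASE))
```

On a real machine, `ssh -G me.krypt.co | grep -i pkcs11provider` prints the value OpenSSH itself resolves after evaluating Host and Match blocks, which is the quickest way to confirm the stale line is gone.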

n1ko-w1ll commented 4 years ago

Thanks a lot, it works again 🙇 Was that my mistake or some old configuration option added by Krypton?

agrinman commented 4 years ago

Old config, not sure why the kr update didn’t remove it...

n1ko-w1ll commented 4 years ago

Alright, thanks for your help!