
Bug#807380: Regression for 'PKCS11Provider libsimple-tpm-pk11.so' - ignoring uninitialised token in slot 0



Control: reassign -1 simple-tpm-pk11

On Tue, Dec 08, 2015 at 09:34:07AM +0100, Didier 'OdyX' Raboud wrote:
> I'm using the following SSH config to use my X220's TPM through
> simple-tpm-pk11:
> 
> > Host test
> > 	PKCS11Provider libsimple-tpm-pk11.so
> 
> Working authentication:
> > OpenSSH_6.9p1 Debian-3, OpenSSL 1.0.2e 3 Dec 2015
> > …
> > debug1: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
> > debug1: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model <model> serial <serial> flags 0x0
> > debug1: have 1 keys
> > …
> 
> Failing authentication:
> > OpenSSH_7.1p1 Debian-1, OpenSSL 1.0.2e 3 Dec 2015
> > …
> > debug1: manufacturerID <simple-tpm-pk11 manufacturer> cryptokiVersion 0.1 libraryDescription <simple-tpm-pk11 library> libraryVersion 0.1
> > debug2: pkcs11_add_provider: ignoring uninitialised token in slot 0
> > no keys
> > …
> 
> I haven't found a configuration stanza in ssh_config(5) that could solve that,
> I'm therefore bound to assume it's a regression in how openssh-client and
> libsimple-tpm-pk11.so interact.

This is because of the fix in
https://bugzilla.mindrot.org/show_bug.cgi?id=2427 - OpenSSH now checks
whether the token is initialised, but simple-tpm-pk11 doesn't set that
flag.  This is essentially the same as
https://github.com/ThomasHabets/simple-tpm-pk11/issues/13.  I think that
cherry-picking this commit would do it, or simply upgrading to
simple-tpm-pk11 0.04:

  https://github.com/ThomasHabets/simple-tpm-pk11/commit/bd8202d0f270e02e89b7df84c7373fbe1ace3e9e

Cheers,

-- 
Colin Watson                                       [cjwatson@debian.org]
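
Added example, not part of the original message and not code from OpenSSH or simple-tpm-pk11: a small C checker that reads ssh debug lines like those quoted in the report and tells whether a client that checks for an initialised token would skip the token. It assumes the flag in question is CKF_TOKEN_INITIALIZED (0x400) from the PKCS#11 specification; the names classify_line, count_skipped and enum verdict are hypothetical, and the second sample log line is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CK_TOKEN_INFO.flags bit from the PKCS#11 specification (assumed to be the one checked). */
#define CKF_TOKEN_INITIALIZED 0x00000400UL

enum verdict { NOT_A_TOKEN_LINE = -1, WOULD_SKIP = 0, WOULD_USE = 1 };

/* Classify one line of ssh debug output (hypothetical helper). */
enum verdict classify_line(const char *line)
{
    if (strstr(line, "ignoring uninitialised token"))   /* client already has the check */
        return WOULD_SKIP;
    if (!strstr(line, "debug1: label <"))                /* not a token description line */
        return NOT_A_TOKEN_LINE;
    const char *p = strstr(line, " flags 0x");
    if (!p)
        return NOT_A_TOKEN_LINE;
    unsigned long flags = strtoul(p + 7, NULL, 16);      /* p + 7 points at "0x..." */
    return (flags & CKF_TOKEN_INITIALIZED) ? WOULD_USE : WOULD_SKIP;
}

/* Count the lines in a multi-line log that indicate a skipped token. */
int count_skipped(const char *log)
{
    int skipped = 0;
    char line[512];
    while (*log) {
        size_t n = strcspn(log, "\n");                   /* length of the current line */
        size_t c = n < sizeof line - 1 ? n : sizeof line - 1;
        memcpy(line, log, c);
        line[c] = '\0';
        if (classify_line(line) == WOULD_SKIP)
            skipped++;
        log += n + (log[n] == '\n');                     /* step past the newline, if any */
    }
    return skipped;
}

/* First line is quoted in the report above; the second line is constructed. */
static const char SAMPLE_LOG[] =
    "debug1: label <Simple-TPM-PK11 token> manufacturerID <manuf id> model <model> serial <serial> flags 0x0\n"
    "debug1: label <constructed token> manufacturerID <x> model <y> serial <z> flags 0x40d\n";

int main(void)
{
    printf("tokens the check would skip: %d\n", count_skipped(SAMPLE_LOG));
    return 0;
}
```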

