Skip to content
This repository has been archived by the owner on May 16, 2020. It is now read-only.

ssh-keygen -D libtpm2-pk11.so returns multiple keys, how to distinguish them? #66

Open
laanwj opened this issue Apr 1, 2018 · 2 comments
Open

ssh-keygen -D libtpm2-pk11.so returns multiple keys, how to distinguish them? #66

laanwj opened this issue Apr 1, 2018 · 2 comments

Comments

@laanwj
Copy link

laanwj commented Apr 1, 2018
edited
Loading

I generated and made persistent a TPM key according to the steps in the wiki.

However, it turns out that this TPM already contains a few different keys these are also listed;

$ tpm2_listpersistent
- { persistent-handle: 0x81000001, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|decrypt }
- { persistent-handle: 0x81000002, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|noda|restricted|sign }
- { persistent-handle: 0x81010001, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|adminwithpolicy|restricted|decrypt }
- { persistent-handle: 0x81010010, key-alg: rsa, hash-alg: sha256, object-attr: fixedtpm|fixedparent|sensitivedataorigin|userwithauth|decrypt|sign }

$ ssh-keygen -D libtpm2-pk11.so
ssh-rsa AAAAB3N...
ssh-rsa AAAAB3N...
ssh-rsa AAAAB3N...
ssh-rsa AAAAB3N...

The keys have no identifiers at the end, so I cannot distinguish them. However only the first of these keys (I assume this is the one I generated for the purpose, 0x81010010) actually works with ssh. The others, if used, give an error at connection time:

C_Sign failed: 5
sign_and_send_pubkey: signing failed: error in libcrypto

Which makes sense, as they have different policies.
@laanwj
Copy link
Author

laanwj commented Apr 2, 2018
edited
Loading

Potential problem from a privacy point of view (esp. if the others contain some platform key): all these keys are offered to the host connected to, when the PKCS#11 library is specified:

debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/.../upstream/security/libtpm2-pk11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/.../upstream/security/libtpm2-pk11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug1: Offering RSA public key: /home/.../upstream/security/libtpm2-pk11.so
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 51
...

@praetp
Copy link

praetp commented Aug 26, 2018

I am also having this 'error in libcrypto' when ssh'ing even though my key has the same attributes as yours... Any clues ?

Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@laanwj @praetp