Bug 84656 - OpenSSH + OpenCT + smartcard not working on amd64
Status: RESOLVED NEEDINFO
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: AMD64 Linux
Importance: High normal
Assignee: Daniel Ahlberg (RETIRED)
Reported: 2005-03-09 12:29 UTC by Milus János
Modified: 2006-05-03 15:18 UTC
Attachments
messages.bz2: the messages file (messages.bz2, 2.59 KB, application/octet-stream), 2005-03-09 12:34 UTC, Milus János
opensc-debug.log (opensc-debug.log, 30.02 KB, text/plain), 2005-03-14 02:38 UTC, Milus János

Description Milus János 2005-03-09 12:29:35 UTC
I tried to use openssh with an Axalto e-gate USB smart token. On an i386 system it works seamlessly, the only thing you must set is the "smartcard" use flag. On amd64 it doesn't work. I got the following messages when the openct debug level is 9:

# ssh -I 0 X.X.X.X
asn1.c:1015:asn1_decode_entry: decoding of ASN.1 object 'tokenflags' failed: Buffer too small
asn1.c:1015:asn1_decode_entry: decoding of ASN.1 object 'TokenInfo' failed: Buffer too small
pkcs15.c:74:parse_tokeninfo: ASN.1 parsing of EF(TokenInfo) failed: Buffer too small
asn1.c:1015:asn1_decode_entry: decoding of ASN.1 object 'usage' failed: Buffer too small
asn1.c:1015:asn1_decode_entry: decoding of ASN.1 object 'classAttributes' failed: Buffer too small
asn1.c:1015:asn1_decode_entry: decoding of ASN.1 object 'privateRSAKey' failed: Buffer too small
pkcs15-prkey.c:144:sc_pkcs15_decode_prkdf_entry: ASN.1 decoding failed: Buffer too small
pkcs15.c:1214:sc_pkcs15_parse_df: Error decoding DF entry: Buffer too small
pkcs15.c:724:__sc_pkcs15_search_objects: DF parsing failed: Buffer too small
Permission denied (publickey,keyboard-interactive).

The relevant part of /var/log/message is attached.

OpenCT version: 0.5.0
OpenSSH version: 3.9_p1-r1

Reproducible: Always
Steps to Reproduce:
1. set the smartcard use flag
2. emerge openssh (maybe openct too)
3. try to connect to an SSH server which wants x509 authentication

Actual Results:  
see the detailed description

Expected Results:  
Get a prompt in the target machine

 # emerge info
Portage 2.0.51.19 (default-linux/amd64/2005.0, gcc-3.4.3-20050110,
glibc-2.3.4.20050125-r0, 2.6.11-gentoo-r2 x86_64)
=================================================================
System uname: 2.6.11-gentoo-r2 x86_64 AMD Athlon(tm) 64 Processor 3500+
Gentoo Base System version 1.6.9
Python:              dev-lang/python-2.3.5 [2.3.5 (#1, Feb 25 2005, 15:22:41)]
ccache version 2.4 [enabled]
dev-lang/python:     2.3.5
sys-devel/autoconf:  2.59-r6, 2.13
sys-devel/automake:  1.5, 1.7.9-r1, 1.6.3, 1.4_p6, 1.8.5-r3, 1.9.5
sys-devel/binutils:  2.15.92.0.2-r5
sys-devel/libtool:   1.5.10-r5
virtual/os-headers:  2.6.10
ACCEPT_KEYWORDS="amd64 ~amd64"
AUTOCLEAN="yes"
CFLAGS="-O2 -march=athlon64 -fomit-frame-pointer -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/lib/X11/xkb /usr/lib/mozilla/defaults/pref /usr/share/config
/var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-O2 -march=athlon64 -fomit-frame-pointer -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks fixpackages sandbox severe
strict userpriv usersandbox"
GENTOO_MIRRORS="http://gd.tuwien.ac.at/opsys/linux/gentoo/
http://gentoo.inode.at/ http://mirror.switch.ch/mirror/gentoo/
http://mirrors.sec.informatik.tu-darmstadt.de/gentoo/
http://ftp.uni-erlangen.de/pub/mirrors/gentoo"
LANG="hu_HU.UTF-8"
LC_ALL="hu_HU.UTF-8"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="amd64 GAPING_SECURITY_HOLE S3TC X X509 Xaw3d aac acpi acpi4linux alsa
apache2 artworkextra bash-completion bdf beepmp bitmap-fonts bmp bzlib calendar
cap caps cddb cdinstall cdparanoia cdr chroot crypt css ctype curl dba dbx
devmap dga dio divx4linux dmx droproot dts dvd dvdr dvdread edl eds encode
erandom esd ethereal evo exif extensions fam ffmpeg fftw flac font-server
fortran ftp gb gd gif gimp gimpprint gmail gnome gnomedb gphoto2 gpm graphviz gs
gstreamer gtk gtkhtml howl idea image imagekits imagemagick imlib imlib2 intl
ipv6 jabber java jce jp2 jpeg libgda live lzo lzw lzw-tiff mad matroska mbox
md5sum mime mimencode mjpeg mng mozsvg mozxmlterm mp3 mpi mplayer mythtv ncurses
network nls nntp no_wxgtk1 nocd nptl nvidia offensive ofx oggvorbis openal
opengl pam pcre pda pdf perl png posix ppds python readline sdl silc smartcard
smime sndfile sockets sox ssl svg sysvipc szip tcpd tga theora threads tiff
transcode truetype truetype-fonts type1 type1-fonts usb userlocales uudeview v4l
v4l2 vhosts videos vim vim-pager vim-with-x wmf xanim xface xim xml2 xosd xpm
xrandr xv xvid xvmc yv12 zlib zvbi linguas_hu"
Unset:  ASFLAGS, CBUILD, CTARGET, LDFLAGS, PORTDIR_OVERLAY
Comment 1 Milus János 2005-03-09 12:34:55 UTC
Created attachment 53031
messages.bz2: the messages file
Comment 2 SpanKY gentoo-dev 2005-03-13 02:21:18 UTC
Andreas: care to take a peek?
Comment 3 Andreas Jellinghaus 2005-03-14 02:16:35 UTC
I already know an amd64 problem with the pam module,
it looks like the same issue. Sorry, I don't have
time right now to look into the issue, but will link
this bug in the upstream bug system (new!). Andreas
Comment 4 Andreas Jellinghaus 2005-03-14 02:20:16 UTC
most likely an opensc issue.
which version of opensc are you using?
also could you edit opensc.conf and set
debug to 6, set the opensc-debug log file,
and attach it here? thanks!
Comment 5 Milus János 2005-03-14 02:38:23 UTC
Created attachment 53402
opensc-debug.log
Comment 6 Milus János 2005-03-14 02:39:11 UTC
opensc: 0.9.4
openct: 0.5.0
openssh: 3.9_p1-r1
Comment 7 Andreas Jellinghaus 2005-03-14 04:56:06 UTC
oops, on debian pure64 ssh with opensc and openct works fine.
So this could be a gentoo issue. please update to openct 0.6.2
(to make sure it's not a bug already fixed), and then post all
details on the compiler, configure options, etc.
Comment 8 SpanKY gentoo-dev 2005-03-14 07:23:10 UTC
andreas: is openct-0.6.x and opensc-0.9.x ready for general consumption yet? in other words do you mind if i move these versions into unstable?
Comment 9 Andreas Jellinghaus 2005-03-14 08:26:46 UTC
yes, everything is stable now, but there are still a few issues with opensc.
openct 0.6.4rc1 with solaris fixes only maybe this evening, opensc 0.9.6rc1
planned for this week.
Comment 10 Milus János 2005-03-15 01:23:47 UTC
Upgrading to openct 0.6.2 (and openssh 4.0_p1) doesn't help. The symptoms are the same, I got exactly the following on my terminal:

# ssh -I 0 X.X.X.X (X.X.X.X is the server IP address of course)
asn1.c:1015:asn1_decode_entry: decoding of ASN.1 object 'tokenflags' failed: Buffer too small
asn1.c:1015:asn1_decode_entry: decoding of ASN.1 object 'TokenInfo' failed: Buffer too small
pkcs15.c:74:parse_tokeninfo: ASN.1 parsing of EF(TokenInfo) failed: Buffer too small
asn1.c:1015:asn1_decode_entry: decoding of ASN.1 object 'usage' failed: Buffer too small
asn1.c:1015:asn1_decode_entry: decoding of ASN.1 object 'classAttributes' failed: Buffer too small
asn1.c:1015:asn1_decode_entry: decoding of ASN.1 object 'privateRSAKey' failed: Buffer too small
pkcs15-prkey.c:144:sc_pkcs15_decode_prkdf_entry: ASN.1 decoding failed: Buffer too small
pkcs15.c:1214:sc_pkcs15_parse_df: Error decoding DF entry: Buffer too small
pkcs15.c:724:__sc_pkcs15_search_objects: DF parsing failed: Buffer too small
Permission denied (publickey,keyboard-interactive).

The error messages (except the last line) are red. I changed only one thing in the default settings: I raised the debug level in openct and opensc.

# gcc --version
gcc (GCC) 3.4.3-20050110 (Gentoo Linux 3.4.3.20050110, ssp-3.4.3.20050110-0, pie-8.7.7)

USE flags and CFLAGS are in the emerge info I already sent.
Comment 11 SpanKY gentoo-dev 2005-03-22 22:12:32 UTC
and just for sanity's sake, emerge opensc / openct with CFLAGS="-pipe" doesn't 'fix' this?
Comment 12 Milus János 2005-03-23 10:42:15 UTC
The CFLAGS='-pipe' doesn't help. The result is the same.
Comment 13 SpanKY gentoo-dev 2005-09-13 20:07:05 UTC
in the spirit of being lazy, how about openssh-4.2_p1 and openct-0.6.6?
Comment 14 Andreas Jellinghaus 2005-09-16 01:23:08 UTC
also please compile with gcc 3.*, so we are sure it is not a gcc 4/opensc bug 
(we seem to have one). 
Comment 15 Jakub Moc (RETIRED) gentoo-dev 2006-05-03 15:18:47 UTC
Well, some user response needed. Try w/ up-to-date versions of the involved apps.