ssh-agent with smart card support


Fabian Henneke

May 8, 2017, 7:42:46 AM
to chromium-hterm
Hi,

I am working on a Chrome app that acts as an ssh-agent for Secure Shell and provides support for private authentication keys on a smart card via the Smart Card Connector app. I have a functional prototype ready and would invest more time into polishing the app if this is something people would find useful. The app so far has been tested with YubiKeys on Chrome OS, but should work with any OpenPGP smart card and on any OS that can run the Smart Card connector app.

Let me know if you would be interested in such an extension and which features you would like it to have.

Fabian

Adam Goodman

May 8, 2017, 8:51:12 AM
to chromium-hterm
Neat!

I've been using keys stored in the YubiKey 4's PIV applet, rather than OpenPGP, via this hack: https://github.com/duosecurity/chromeos-ssh-smartcard-hack - i.e. basically, take an existing chrome.certificateProvider extension (e.g. CACKey) and shove some more code into it.

Where we're talking about YubiKeys specifically, I like the PIV applet better for ssh privkeys than OpenPGP, because it can store up to 24 keys, and can optionally be configured to require "tap-to-sign" (kinda like a hardware implementation of ssh-askpass).

Anyway, while the hack I mentioned above actually works, I've been thinking about trying to compile libykpiv targeting NaCL (and Smart Card Connector's pcsc-lite implementation) and make a less-hacky extension around it, but I've not gotten around to that yet... 

So at a minimum, I'd definitely be interested in hearing how this project goes for you!

- Adam

--
Adam Goodman / Principal Security Architect

Mike Frysinger

May 8, 2017, 10:20:58 AM
to Fabian Henneke, chromium-hterm
sounds neat.  once you've published it, we could document the process in the FAQ.
-mike


Fabian Henneke

Jun 10, 2017, 6:36:34 AM
to Mike Frysinger, chromium-hterm
I have put more work into making the app as easy to use as possible. The source code is now available here: https://github.com/FabianHenneke/smart-ssh. It can be installed directly from the Chrome Web Store: https://chrome.google.com/webstore/detail/secure-shell-openpgp-smar/gdbjpffhcollcplpbjehfhpfcpdoicob. The app will remain "unlisted" there until the next version of the Smart Card Connector app is released with a whitelist including smart-ssh, which will do away with the scary warning message shown on the first run.

I hope that the configuration process is explained well enough in the app. Let me know if there is anything that's still unclear. I'm specifically interested in your opinion on the PIN caching option and the use of notifications.

If there is interest, I could certainly try to add support for the PIV applet to the app, which would also make it usable with ECC keys.

Fabian

Maciej Żenczykowski

Jun 10, 2017, 7:01:24 AM
to Fabian Henneke, Mike Frysinger, chromium-hterm
From a longer perspective point of view...

For something as critical and security sensitive as ssh there's
probably need for some sort of security review on both the code itself
and who/how/when can updates be pushed to the webstore version.

(yes my level of trust for this sort of stuff is very very low, I
often fetch, verify and then upload my own hidden version of chrome
plugins, to not have them change underneath me and magically become
malware, but it's annoying and obviously something I'd prefer to not
have to do...)

It's possible this should be outright merged into secure shell itself?
at some point?


Maciej Żenczykowski, Kernel Networking Developer @ Google

Fabian Henneke

Jun 10, 2017, 7:28:05 AM
to Maciej Żenczykowski, Mike Frysinger, chromium-hterm
I fully agree with Maciej's point here - the only reason why I fully trust smart-ssh is because I have written it myself. I have been trying to keep the complexity of the code low so that one could potentially review it once (to a certain degree of rigor) and then use a snapshot built from the GitHub source from there on. But this is certainly not ideal - integration into Secure Shell itself would be both more convenient and more secure.

As my main motivation behind developing this app has been that I myself need the feature it provides, I would very gladly assist in adding this and similar features (PIV support) to Secure Shell - I just found the ssh-agent approach to be the fastest to get smart cards to work on my Chromebook and provide a "proof of concept" to others that one can iterate on.

As an intermediate step, I could also take my app off the Web Store and let someone more well-established in the Secure Shell community host it.


Mike Frysinger

Jun 10, 2017, 6:31:21 PM
to Fabian Henneke, Maciej Żenczykowski, chromium-hterm
i'm not against Secure Shell integrating things when it makes sense.  the reason we have the --ssh-agent option in the first place is so people can explore and develop and test whatever they want w/out having to come back to us to "bless" it.  so in that regard, i think our current model is working perfectly -- Fabian was able to get everything working w/out having to go through us.  especially since i don't have any hardware or experience in this area, so i wouldn't be able to contribute much.

all that said, now that we have a working code base to look at, we can evaluate what makes sense to merge into Secure Shell itself.  the basic ssh-agent idea is something we already want to do: https://crbug.com/712699.  so let me see if i can break down the app a bit.

code in general:
- looks like it builds heavily upon Promises and ES6 features.  np there, i love this style, and nassh is already using it in places.
- namespacing would need adapting a bit for nassh, but doesn't look like a big deal as it's already using standard (function() { ... })() isolation.

3rd party libraries:
- chrome-promise: an interesting library, but doesn't look like it's actually used ?  code left over from earlier versions ?
- openpgp: library for working with PGP.  ignoring the generic util funcs (which i think we mostly have in nassh already), it's used in one place for "openpgp.crypto.pkcs1.emsa.encode" which i don't think we want to try and re-implement.  project looks reasonable/legit though, so shouldn't be a problem to utilize this.
- Google smart card library (GSC): library for working with Google's smart card app; makes sense

smart-ssh code:
- agent.js: handles ssh-agent protocol (which we'd probably want to try to factor out somewhat like we've done with the sftp code), and an actual ssh-agent implementation that takes care of communicating identities.
- app.{html,js}: a helper interface for people for getting fingerprints and telling them how to use it.
- pinCache.js: a local cache for PINs so the user doesn't have to re-enter it every time.  not sure we'd offer this initially.
- pinDialog.{html,js}: the UI for getting PINs from the user.
- smartCard.js: glue layer between agent.js and GSC.

i've been meaning to pick up some yubikeys anyways for my own testing.  if that's the only thing i'd need to validate this stack, that'd be great.

so how about this straw man proposal:
- nassh_agent.js: set up the nassh.Agent object that nassh will instantiate
- nassh_agent_message.js: hold all the basic message parsing defined in the spec, similar to nassh_sftp_packet.js
- nassh_agent_message_types.js: hold all the constants/util funcs in the spec, similar to nassh_sftp_packet_types.js
- nassh_agent_backend_xxx.js: each backend will go in a sep file.
- nassh_agent_backend_imported.js: local keys that have been imported into Secure Shell (https://crbug.com/712699)
- nassh_agent_backend_gsc.js: connecting with GSC
- nassh_agent_backend_passthru.js: for passing through to other apps (i.e. what we have today with --ssh-agent and nassh.Stream.SSHAgentRelay)
- nassh_agent_backend_native.js: for connecting with native agents (https://crbug.com/211948)
- when processing a request, nassh.Agent will take care of walking its backends so it provides a single face to the connection
- we can figure out the UI later, so for now, we can just re-use the --ssh-agent option.  it can be specified more than once, or we can do a comma list, but it'll use keywords to connect the backends.  e.g. something like --ssh-agent=gsc will tell it to use the gsc backend.

so the common logic you have in agent.js would split across nassh_agent.js and nassh_agent_message*.js.  the smartCard.js would move to nassh_agent_backend_gsc.js.
wdyt ?

if you are interested, it would be good to get some stuff out of the way first.  Secure Shell (as a Google project) requires CLAs.  how do you feel about signing that ?  you can find more info here:

we should start a section in the README.md file listing authors and significant contributions.  certainly your work would fall under this.
-mike



Fabian Henneke

Jun 11, 2017, 5:51:34 AM
to Mike Frysinger, chromium-hterm
I like your proposal and would be willing to carry it out. I just signed the CLA and created an account on Gerrit. For starters, I would probably focus on the parts other than nassh_agent_backend_imported.js and nassh_agent_backend_native.js, as I don't have much experience with native messaging or the secure storage of sensitive data in RAM. I will try to refactor the code in a way that makes it easy to add PIV & ECC support later.

Regarding libraries: Thanks for spotting that chrome-promise is indeed no longer needed. 
Everything I use openpgp.js for apart from simple array helper functions is a way to calculate SHA-1 hashes. Is this perhaps already done elsewhere in libapps? If not, then there are also more lightweight libraries for this specific purpose.
My point of contact for the GSC library so far has been Maksim Ivanov (emaxx@). He would have to whitelist the release version of the Secure Shell app for GSC access at some point - and ideally also review the code.

The only thing needed for testing this is a Yubikey 4/NEO with an authentication subkey in the OpenPGP applet. At least in theory that should cover all smart cards based on https://www.g10code.com/docs/openpgp-card-2.1.pdf, but if we are serious about testing this, we should at some point also try it out with the original OpenPGP card and/or Nitrokeys (which I don't have access to).

Side remark: I just tried out -A agent forwarding and it works quite well.

Fabian



Fabian Henneke

Jun 11, 2017, 3:51:56 PM
to Mike Frysinger, chromium-hterm
I have been thinking more about the inner workings of the various backends. Does the following line up with what you have in mind?

*_imported.js: Support only SSH_AGENTC_REQUEST_IDENTITIES (returning the public key for every imported key pair) + SSH_AGENTC_SIGN_REQUEST. At a later point, one could also add support for e.g. SSH_AGENTC_ADD_IDENTITY, which has for example been requested here: https://bugs.chromium.org/p/chromium/issues/detail?id=211948#c16.
This isn't easy to get right as we would have to run the private key operations (RSA/ECC sign) ourselves, which would probably require openpgp.js and a very thorough security review.

*_gsc.js: Support only SSH_AGENTC_REQUEST_IDENTITIES (fetches all public keys from all applets of all attached smart cards) + SSH_AGENTC_SIGN_REQUEST. In particular no explicit SSH_AGENTC_ADD_SMARTCARD_KEY is required, which would anyways only make sense if we were to store the PIN.

*_passthru.js: Agent requests are not parsed, just packaged into JSON messages as is done by nassh.Stream.SSHAgentRelay.

*_native.js: No modifications to the raw requests, only relay them to a native host (as done here https://chrome.google.com/webstore/detail/auth-agent-relay/agdkhmepgogobnegblljaadmbnlgajdh).

If we support multiple backends at the same time, the implementation of *_agent.js gets tricky: Do we treat SSH_AGENTC_REQUEST_IDENTITIES specially and pool the responses from all enabled backends? How do we handle SSH_AGENTC_ADD_IDENTITY and similar requests?

While reading through the nassh code, I came across this peculiar line: https://chromium.googlesource.com/apps/libapps/+/HEAD/nassh/js/nassh_command_instance.js#679
Here, it is implicitly assumed that the user of an external ssh-agent wants their agent forwarded (and this really happens for me with empty SSH arguments). From my point of view agent forwarding is always a sensitive operation and should require explicit user consent, even though most of the time the agent will be used specifically for this purpose. I would prefer to see this line removed.

Fabian

Mike Frysinger

Jun 12, 2017, 2:55:36 AM
to Fabian Henneke, chromium-hterm
to be clear, i don't expect you to implement everything :).  i was trying to lay out a path that'd accommodate our existing work and existing requests.  if you want to only do the gsc backend, that's OK.

wrt utility functions, you can keep using openpgp as you are.  there's some code in the sftp modules that do wire encoding/decoding, but we'd need to refactor them a bit before they'd be usable here.  if you wanted to bite that off too, i wouldn't say no, but we can figure that out later too.

with the backends, i was thinking we'd define an interface that they'd implement rather than having every backend be responsible for the ssh-agent protocol.  that way the question of enumerating identities and such is a lot easier -- we'd query all the backends, merge the results, and then take care of encoding once.

for things like adding identities, i would consider adding another backend like "ephemeral" where it would hold the stuff in memory, but as soon as the session finishes, it'd be destroyed and thrown away.  maybe in the future we could offer more flexibility/UI here to let the user choose what to do, but we don't need to worry about any of that.  even for now, you could just return an error when an add identity request comes in and not support it at all.

with agent forwarding, i agree that we should change that -A default.  it's been there since the first commit (https://chromium-review.googlesource.com/229073).  it's intended for --config=google setups only, so we should be able to rework the code along those lines.

i bought some yubikey 4 neo's.
-mike


Fabian


> To view this discussion on the web visit
> https://groups.google.com/a/chromium.org/d/msgid/chromium-hterm/CALM30jywHoR1yUs7gp6S%3DFKj0vu9Riq_4N0ekxFrmuprYs4m6Q%40mail.gmail.com.

Maciej Żenczykowski, Kernel Networking Developer @ Google

--
You received this message because you are subscribed to a topic in the Google Groups "chromium-hterm" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/chromium-hterm/lY6w_S5YvkM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to chromium-hterm+unsubscribe@chromium.org.

--
You received this message because you are subscribed to the Google Groups "chromium-hterm" group.

--
You received this message because you are subscribed to a topic in the Google Groups "chromium-hterm" group.
To unsubscribe from this topic, visit https://groups.google.com/a/chromium.org/d/topic/chromium-hterm/lY6w_S5YvkM/unsubscribe.
To unsubscribe from this group and all its topics, send an email to chromium-hterm+unsubscribe@chromium.org.

--
You received this message because you are subscribed to the Google Groups "chromium-hterm" group.

john....@linaro.org

Jul 21, 2017, 4:18:41 PM
to chromium-hterm, vap...@chromium.org

On Saturday, June 10, 2017 at 3:36:34 AM UTC-7, Fabian Henneke wrote:
> I have put more work into making the app as easy to use as possible. The source code is now available here: https://github.com/FabianHenneke/smart-ssh. It can be installed directly from the Chrome Web Store: https://chrome.google.com/webstore/detail/secure-shell-openpgp-smar/gdbjpffhcollcplpbjehfhpfcpdoicob. The app will remain "unlisted" there until the next version of the Smart Card Connector app is released with a whitelist including smart-ssh, which will do away with the scary warning message shown on the first run.
>
> I hope that the configuration process is explained well enough in the app. Let me know if there is anything that's still unclear. I'm specifically interested in your opinion on the PIN caching option and the use of notifications.

So I was very excited to find this! Though while the app does find and list my YubiKey, I seem to be having problems getting the ssh app to talk to the agent. I've added the --ssh-agent= line, but ssh seems to error out with "sign_and_send_pubkey: signing failed: agent refused operation".

Am I missing something to get everything connected together? 

Snippet from the ssh log:
...
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>
debug3: receive packet: type 6
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug3: send packet: type 50
debug3: receive packet: type 51
debug1: Authentications that can continue: publickey
debug3: start over, passed a different list publickey
debug3: preferred publickey,keyboard-interactive,password
debug3: authmethod_lookup publickey
debug3: remaining preferred: keyboard-interactive,password
debug3: authmethod_is_enabled publickey
debug1: Next authentication method: publickey
debug1: Offering RSA public key: 
debug3: send_pubkey_test
debug3: send packet: type 50
debug2: we sent a publickey packet, wait for reply
debug3: receive packet: type 60
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug2: input_userauth_pk_ok: fp SHA256:Mvn1tVtWQa8Kip/atK0KAzrh2UYb4OPeDEaaCm6mLWU
debug3: sign_and_send_pubkey: RSA SHA256:Mvn1tVtWQa8Kip/atK0KAzrh2UYb4OPeDEaaCm6mLWU
sign_and_send_pubkey: signing failed: agent refused operation


thanks
-john

Fabian Henneke

Jul 22, 2017, 6:57:37 AM
to john....@linaro.org, chromium-hterm, vap...@chromium.org
Thanks for reporting this! The cause of the error seems to be the lack of support for SHA-256/512 hashing in smart-ssh. I have added support for this in both version 0.0.7 of smart-ssh and cl/550116/11. Please give it another try and see if it works as intended. Due to a bug in OpenSSH 7.4, servers running this version will not advertise the new hash functions and can thus not be used to test this new functionality.

Fabian


John Stultz

Jul 24, 2017, 3:32:46 PM
to Fabian Henneke, chromium-hterm, vap...@chromium.org
On Sat, Jul 22, 2017 at 3:57 AM, Fabian Henneke
<fabian....@gmail.com> wrote:
> Thanks for reporting this! The cause of the error seems to be the lack of
> support for SHA-256/512 hashing in smart-ssh. I have added support for this
> in both version 0.0.7 of smart-ssh and cl/550116/11. Please give it another
> try and see if it works as intended. Due to a bug in OpenSSH 7.4 servers
> running this version will not advertise the new hash functions and can thus
> not be used to test this new functionality.

Very cool! With the recent changes it seems like it's now working!

I'm really excited to have this functionality! Thanks so much for
making it happen!
-john

Mike Frysinger

Sep 14, 2017, 2:17:04 PM
to Fabian Henneke, chromium-hterm
circling back now that your work is in the current 0.8.37 dev release :)

i added ssh-agent/smart card notes to the random startup tip list, but the referenced page is a bit light.  basically we tell people:
- add --ssh-agent=gsc to Secure Shell's command line
- install the Smart Card Connector app
- get a supported hardware key (like a yubikey)
- success?

do you have any good references for that last mile ?  i.e. what can users do with this agent in terms of tooling, how do they configure their remote ssh account to allow access, how do they configure the sshd to check things, etc.. ?

i've found this:
-mike


Brandon Gilmore

Sep 14, 2017, 2:23:25 PM
to Mike Frysinger, Fabian Henneke, chromium-hterm
FWIW: I'm planning to test this with an OpenPGP card later today when I have both my Chromebook and smartcard on hand.


Fabian Henneke

Sep 14, 2017, 6:13:17 PM
to Brandon Gilmore, Mike Frysinger, chromium-hterm
The most complex part will always be setting up the OpenPGP applet on the card. For this step, I would generally recommend following the guides for YubiKeys (https://www.yubico.com/support/knowledge-base/categories/articles/use-yubikey-openpgp/ & https://github.com/drduh/YubiKey-Guide, the one linked by Mike) or Nitrokeys (https://raymii.org/s/articles/Nitrokey_Start_Getting_started_guide.html).  Almost all the content of these guides applies independent of the particular brand of smart card, as they are all based on the OpenPGP card specification (https://g10code.com/p-card.html). Some understanding of the concepts behind PGP and GPG's implementation of it (subkeys, capabilities, how keys are linked to smart cards) is required and more so if one wants to use multiple smart cards interchangeably, but beginning users should find the necessary information in each of the guides linked above.

The only other step missing from your list is to add the output of 'ssh-add -L' to the server's ~/.ssh/authorized_keys. Alternatively, on Chrome OS, my old SSH agent app (https://chrome.google.com/webstore/detail/secure-shell-openpgp-smar/gdbjpffhcollcplpbjehfhpfcpdoicob) can be used to extract the public key in the format required by SSH.

I am currently working on an explanatory blog post, which I could also turn into a tutorial + references to other guides. Maybe we just add the markdown file to the libapps repo and show a link to it in appropriate places in Secure Shell? We could probably also add a link here: https://developers.yubico.com/PGP/SSH_authentication/ once the feature reaches the stable release.


On a different note: If anybody encounters a reader/smart card that is shown with an overly verbose name, please send me the full name so that I can add an appropriate shorthand.


Mike Frysinger

Sep 15, 2017, 4:01:56 AM
to Fabian Henneke, Brandon Gilmore, chromium-hterm
i think adding a specific markdown file to nassh/docs/ with a high level overview of the steps makes sense.  i wouldn't try to inline all the PGP steps/documentation, just link to all the other sites where people have gone through the effort.

i bought a yubikey for testing, so i can give it a go as a newbie :).
-mike


Brandon Pitman

Sep 16, 2017, 3:32:20 PM
to chromium-hterm, fabian....@gmail.com
Thank you so much for mainlining this functionality into the SSH app itself. Fabian, do you take donations? I'm currently using your ssh-agent & will soon be using the built-in functionality once I'm on 0.8.37; this was the final piece to allow me to use hardware keys for all SSH connections to my machines.

Brandon

Brandon Pitman

Sep 16, 2017, 3:46:19 PM
to chromium-hterm, fabian....@gmail.com
BTW, I just tested and can confirm the new built-in SSH smartcard functionality in 0.8.37 works with my setup (Yubikey 4 Nano connecting to several hosts running a modern distribution of Linux). Thanks again.

Fabian Henneke

Sep 16, 2017, 4:49:32 PM
to Brandon Pitman, chromium-hterm
On Sat, Sep 16, 2017 at 9:46 PM Brandon Pitman <brandon...@gmail.com> wrote:
> BTW, I just tested and can confirm the new built-in SSH smartcard functionality in 0.8.37 works with my setup (Yubikey 4 Nano connecting to several hosts running a modern distribution of Linux). Thanks again.
Thanks for the confirmation! Now I'm hoping for some reports using non-Yubico products, which I haven't been able to test yet. 


On Saturday, September 16, 2017 at 12:32:20 PM UTC-7, Brandon Pitman wrote:
> Thank you so much for mainlining this functionality into the SSH app itself. Fabian, do you take donations? I'm currently using your ssh-agent & will soon be using the built-in functionality once I'm on 0.8.37; this was the final piece to allow me to use hardware keys for all SSH connections to my machines.
>
> Brandon

Thinking about how convenient being able to ditch software keys on all platforms would be is what got me to start working on the SSH agent in the first place - hardware keys really do make life on multiple machines easier in the long run. 
Regarding donations: I don't have any experience with them, but both PayPal and Google Wallet are set up for the address I'm using here. Thanks! :-)

Brandon Gilmore

Sep 18, 2017, 12:45:56 PM
to Fabian Henneke, Brandon Pitman, chromium-hterm
I was unfortunately unable to get my OpenPGP smart card working with Secure Shell and GSC. I'll include a log capture below.

I've used the card successfully with native OpenSSH on a Macbook, but it does require PIN entry when loading the smartcard provider library into ssh-agent.

The card was set up largely following the guide at https://github.com/lfit/ssh-gpg-smartcard-config which could be the source of trouble.


Fabian Henneke

Sep 18, 2017, 6:24:00 PM
to Brandon Gilmore, Brandon Pitman, chromium-hterm
@Brandon Gilmore: Which version of the OpenPGP Smart Card are you using? If it is V1.0 then I can't guarantee that Secure Shell will work with it, but my goal is to support everything starting from V2.0. 
It looks like Secure Shell manages to connect to the card and obtain some data from the OpenPGP applet, but the received data has an unexpected format. It is quite hard to determine the cause of this mismatch without having access to the hardware, but I have thought about ordering an OpenPGP card before and will just do so now.

In the meantime, if you find the time to give it another shot, the following procedure would produce very helpful debugging output: When the error message appears, click the nassh_agent_backend_gsc.js:1199 link and set a breakpoint on it. Reload the Secure Shell connection dialog, initiate the connection and when the breakpoint is hit, execute 
JSON.stringify(appRelatedData)
from the console and send me the output. Note: The output contains all the information listed on page 16 in https://g10code.com/docs/openpgp-card-2.0.pdf under the heading "Application Related Data (Tag)" (e.g. public key fingerprints and creation times), so depending on your use case you may want to keep this data private. In this case you can send me an email directly which I will delete after I have finished debugging the issue. 

Thank you for the report in any case. Since the OpenPGP card is the reference implementation for the standard, getting it to work is definitely an important step towards universal smart card support.

On Mon, Sep 18, 2017 at 6:45 PM Brandon Gilmore <va...@google.com> wrote:
> I was unfortunately unable to get my OpenPGP smart card working with Secure Shell and GSC. I'll include a log capture below.
>
> I've used the card successfully with native OpenSSH on a Macbook, but it does require PIN entry when loading the smartcard provider library into ssh-agent.
>
> The card was set up largely following the guide at https://github.com/lfit/ssh-gpg-smartcard-config which could be the source of trouble.



Brandon Gilmore

unread,
Sep 18, 2017, 8:19:35 PM9/18/17
to Fabian Henneke, Brandon Pitman, chromium-hterm
This is an OpenPGP v2.1 card in a Gemalto USB Shell. Both are about three months old.

It might be worth taking this off-thread at some point, but there's nothing particularly sensitive on the card since I bought it specifically for some other testing. Here's the Application Related Data:
{
    "isConstructed": false,
    "tag": 79,
    "tagClass": 1,
    "tagClassDescription": "application",
    "tagDescription": "Application Identifier",
    "tagNumber": 15,
    "value": {
        "0": 210,
        "1": 118,
        "10": 0,
        "11": 0,
        "12": 73,
        "13": 179,
        "14": 0,
        "15": 0,
        "2": 0,
        "3": 1,
        "4": 36,
        "5": 1,
        "6": 2,
        "7": 1,
        "8": 0,
        "9": 5
    },
    "valueLength": 16
}
Feel free to email me directly if you want me to debug further or re-initialize the card in some specific way.
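Added example (not code from the thread or from Secure Shell): decoding the Application Identifier (DO 4F) that the dump above contains, using the field layout from the OpenPGP card 2.0 spec that the debugging instructions earlier in the thread point to. It also makes visible which fields such a dump exposes (notably the card serial number), which is the reason the output may be worth keeping private; the manufacturer table is an assumption taken from the public registry GnuPG ships.

```javascript
'use strict';

// Manufacturer IDs registered for the OpenPGP card application (subset of the
// public list carried by GnuPG's app-openpgp.c; assumed, not from the thread).
const MANUFACTURERS = {
  0x0001: 'PPC Card Systems', 0x0002: 'Prism', 0x0003: 'OpenFortress',
  0x0004: 'Wewid', 0x0005: 'ZeitControl', 0x0006: 'Yubico', 0x002A: 'Magrathea',
  0xF517: 'FSIJ',
};
// Every OpenPGP card AID starts with this RID (spec section 4.2.1).
const OPENPGP_RID = [0xD2, 0x76, 0x00, 0x01, 0x24];

// DO 4F exactly as posted above: JSON.stringify(appRelatedData) serialises the
// byte array as an object keyed by index, so it has to be rebuilt first.
const APP_ID_DUMP = {
  tag: 79, tagClass: 1, valueLength: 16,
  value: {0: 210, 1: 118, 2: 0, 3: 1, 4: 36, 5: 1, 6: 2, 7: 1,
          8: 0, 9: 5, 10: 0, 11: 0, 12: 73, 13: 179, 14: 0, 15: 0},
};

const hex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, '0').toUpperCase()).join('');

// Turn the index-keyed dump back into a Uint8Array.
function bytesFromDump(dump) {
  const out = new Uint8Array(dump.valueLength);
  for (let i = 0; i < dump.valueLength; i++) out[i] = dump.value[i];
  return out;
}

// AID layout: RID(5) | application(1) | version(2, BCD) | manufacturer(2) |
// serial(4) | RFU(2). Throws when the bytes are not an OpenPGP AID, which is
// the kind of format mismatch the thread was chasing.
function decodeOpenPgpAid(dump) {
  if (dump.tag !== 0x4F || dump.tagClass !== 1) throw new Error('not DO 4F');
  const aid = bytesFromDump(dump);
  if (aid.length !== 16) throw new Error(`AID length ${aid.length}, expected 16`);
  if (!OPENPGP_RID.every((b, i) => aid[i] === b)) throw new Error('RID is not OpenPGP');
  if (aid[5] !== 0x01) throw new Error(`unknown application byte 0x${hex([aid[5]])}`);
  const manufacturerId = (aid[8] << 8) | aid[9];
  return {
    version: `${aid[6].toString(16)}.${aid[7].toString(16)}`,  // BCD, e.g. 02 01 -> "2.1"
    manufacturerId,
    manufacturer: MANUFACTURERS[manufacturerId] || 'unknown',
    serial: hex(aid.subarray(10, 14)),  // the serial gpg --card-status prints
  };
}

console.log(decodeOpenPgpAid(APP_ID_DUMP));
```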

Fabian Henneke

unread,
Sep 22, 2017, 12:57:25 PM9/22/17
to Brandon Gilmore, Brandon Pitman, chromium-hterm
With Brandon's help I have identified two problems that cause Secure Shell to be incompatible with the OpenPGP smart card. While the first is quite easy to fix (I have already provided Brandon with an updated version), the second issue lies deeper and goes back to an unwarranted assumption I made on card capabilities. Coming up with the "right" fix will take a bit of time (and testing).

Mike Frysinger

unread,
Sep 22, 2017, 4:34:08 PM9/22/17
to Fabian Henneke, Brandon Gilmore, Brandon Pitman, chromium-hterm
feel free to throw a bug in crbug.com/new so it doesn't get lost
-mike

Fabian Henneke

unread,
Oct 2, 2017, 5:11:00 PM10/2/17
to chromium-hterm, Mike Frysinger, Brandon Gilmore
Thanks to varz@ I have been able to test Secure Shell with an OpenPGP card and a Nitrokey Pro. With the changes made in cl/684014 and cl/684015, these "smart cards" seem to be fully supported now (on HEAD, as the changes are not yet part of the dev version).

A guide on setting up hardware tokens/smart cards with Secure Shell has been added to the docs: https://chromium.googlesource.com/apps/libapps/+/master/nassh/doc/hardware-keys.md.

dpo...@gmail.com

unread,
Nov 7, 2017, 6:36:36 PM11/7/17
to chromium-hterm, vap...@chromium.org, va...@google.com
This works great for me with a yubikey 4, thank you so much!

Just to make sure I'm not missing anything, this doesn't do gpg agent forwarding at all, correct?

Fabian Henneke

unread,
Nov 7, 2017, 6:43:52 PM11/7/17
to dpo...@gmail.com, chromium-hterm, vap...@chromium.org, va...@google.com
On Tue, Nov 7, 2017 at 3:36 PM <dpo...@gmail.com> wrote:
This works great for me with a yubikey 4, thank you so much!

Just to make sure I'm not missing anything, this doesn't do gpg agent forwarding at all, correct?

The key on the smart card/yubikey will be available for authentication on the server if you add -A to the SSH arguments, just as with regular SSH. It is currently not possible to add any non-smart card SSH identities to the forwarded agent though.

Nicholas Sielicki

unread,
Nov 7, 2017, 8:06:04 PM11/7/17
to chromium-hterm, vap...@chromium.org, va...@google.com, dpo...@gmail.com
No, it doesn't do gpg-agent forwarding.

I've been meaning to make a post on this list about the topic of gpg-agent forwarding. I've been working, slowly, at trying to get gpg-agent to work in this application as well. It's good to hear that there are others who might find this useful; I'll try to work a bit more publicly and faster on it.

Diego Pontoriero

unread,
Nov 9, 2017, 5:27:53 PM11/9/17
to Nicholas Sielicki, chromium-hterm, vap...@chromium.org, va...@google.com
Awesome! It would be super useful for me--using my yubikey for my ssh key is a side effect of having all my gpg subkeys on it :)

Not knowing javascript or CrOS internals I'm not sure I'd be able to help on the implementation side of things, but please let me know if I can help test.

zac...@gmail.com

unread,
Jan 25, 2019, 12:12:49 PM1/25/19
to chromium-hterm
Thanks for putting this together, works great!