Re: eToken Pro openSSH: msg#00055 encryption.opensc.devel
Pinpad related code is under heavy modification currently by me... expect related patches to opensc and probably to openssh this week. I don't know about ctapi related readers but work that relates to CCID/TeleTrust class 2 spec is under heavy modification both in ccid ifdhandler and opensc too. At the moment, in my subjective opinion related to the area is 'broken'

m.

On Tue, 08 Mar 2005 11:00:49 +0100, Boris von Alten Blaskowitz <borisvab@xxxxxx> wrote:
> Hi,
>
> I figured out what the problem with openssh was. SSH never asks for the
> PIN because it expects the PIN distributed by the ssh-agent. I tried to
> modify my OS system (SuSE 9.2) to start the x-session thru ssh-agent
> as written in the SuSE-Admin-Guide so it distributes the PIN but it
> doesn't work to startx thru ssh-agent. Now I have modified the source
> code of openssh to ask for the PIN, and it works. This way is fine, if
> you use the eToken Pro, but I am not sure what happens if you have a
> Reader with a Pin Pad. So please, maybe someone can complete this
> topic ...
>
> If someone is interested in the code modification, just send me an email ...
>
> Boris
>
>
> Stef Hoeben wrote:
> > Hi,
> >
> > The "'tbsCertificate' not found" could mean that there is an empty
> > certificate file on the card (or one with zeros).
> > The sc_read_pubkey() function indicates something else, but this
> > function isn't in the current CVS HEAD (which version do you use)?
> >
> > Could you perhaps try "pkcs15-tool -c -k", and then "pkcs15-tool -r
> > <certID>"
> > for both certs on the card.
> > And perhaps "pkcs11-tool -t -l" to check the entire card?
> >
> > About the "required access right not granted", did you enter your PIN after
> > the "ssh -I 0:46 user@server "?
> >
> > Best regards,
> > Stef
> >
> > Boris von Alten Blaskowitz wrote:
> >
> >> Hi,
> >> My system:
> >> I have a new problem with openSSH and eToken Pro.
> >> My Card has 2 Private Keys and 2 Certs.
> >> Key1(ID45) and Cert1 was generated with openssl-engine. Key1(ID46) and
> >> Cert2 was generated with openssl and moved to the token with pkcs15-init.
> >>
> >> The command
> >> ssh -I 0:45 user@server
> >> causes:
> >> asn1.c:1071:asn1_decode: mandatory ASN.1 object 'tbsCertificate' not found
> >> asn1.c:1083:asn1_decode: returning with: Required ASN.1 object not found
> >> pkcs15-cert.c:88:parse_x509_cert: ASN.1 parsing of certificate failed: Required ASN.1 object not found
> >> Certificate read faild: invalid ASN.1 object
> >> sc_read_pubkey failed: Invalid ASN.1 object
> >> What is this object?
> >>
> >>
> >> Command: ssh -I 0:46 user@server
> >> causes:
> >> card-etoken.c:175:etoken_check_sw: required access right not granted
> >> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
> >> card-etoken.c:175:etoken_check_sw: required access right not granted
> >> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
> >> card-etoken.c:175:etoken_check_sw: required access right not granted
> >> card-etoken.c:631:do_compute_signature: returning with: Security status not satisfied
> >> sec.c:53:sc_compute_signature: returning with: Security status not satisfied
> >> pkcs15-sec.c:285:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
> >> sc_pkcs15_compute_signature() failed: Security status not satisfied
> >> ssh_rsa_sign: RSA_sign failed: error:00000000:lib(0):func(0):reason(0)
> >> Is there anyone who has a clue what this means?
> >> Thanks so far
> >> Boris
> >>
> >>
> >
> >
>
> _______________________________________________
> OpenSC-devel mailing list
> OpenSC-devel@xxxxxxxxxx
> http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
>

--
Martin Paljak - consultant
martin.paljak@xxxxxxxxx - Gmail
http://martin.paljak.pri.ee/ - web
+372.5156495 - phone