SSH PIV authentication problem(s)

Posted by illumis92@reddit | sysadmin | View on Reddit | 23 comments

Hi people of the internet ;-)

I have a very strange issue:
When connecting to a Windows-server and authenticating Smartcard (Yubikey with PIV) everything is running smooth - yes, a short waiting-time at the logon-screen of 3-5 seconds, but that's okay.
If I connect from this Windows-server to a Linux-server and use again the smartcard for authentication, I have everything between 5 seconds and 40 seconds waiting time for the PIN-request. This does not change, whether I use the ssh-agent or 3rd party tools like open-sc or wincrypt or puttycac as the smartcard-provider.
My colleagues an I analyzed wireshark-traces, used procmon to analyze the things going back and forth, took dubug-logs of the yubico-minidriver, but could not find any real "error". Just a huge amount of smartcard-read-access-entries going on in procmon.
The yubico-log shows also shows the accesses but not giving any indication of a "problem" here.

With ssh-add I can "store" the Pin and this speeds things up, but we do not want to cache/store the Pin for security-reasons.

And furthermore, if I do not store/cache the Pin, I cannot jump from the linux-server further to another machine via ssh - this is only possible when I store the key, as only then the forwarding is really forwarding the keys to the linux-jumpserver.

Does anyone know, what can be the cause or did anyone expereince the same thing and found a solution or knows, why there cannot be a solution?

I am really frustrated currently...

Thank you all guys!

[-]

lart2150@reddit

Could it be a timeout trying to access the crl for your cert?

[-]

illumis92@reddit (OP)

There are entries in the EventLog regarding CRL-checks with error, but the timestamp does not match.

[-]

lart2150@reddit

If they are not short lived certs (less than a day) you should fix the CRL check even if it's not the cause of the login timing issiues.

[-]

hodor137@reddit

Sometimes 5 and sometimes 40 second delays definitely makes me think there is something intermittently having a 30 second timeout

[-]

illumis92@reddit (OP)

Yes, that was we think/thought as well - but we cannot find anything. So I just asked here, maybe someone had a similar problem already.

[-]

eclipseofthebutt@reddit

What does your personal ssh config look like (~/.ssh/config)? I regularly use a Yubikey with PIV to access servers so I might have some insight. If you are trying to use the Windows box as a jump box here's a sample of a config I use for a similar purpose:

PKCS11Provider libykcs11.dll
CertificateFile C:\path\to\your\certificate.cer
IdentifyFile C:\path\to\public\key\file.pem
IdentitiesOnly yes

Host jumpbox
  HostName jumpbox.contoso.com
  user YOURUSERNAMEHERE

Host targetbox
  HostName targetbox.contoso.com
  user YOURUSERNAMEHERE
  ProxyJump jumpbox

Turning up the logging verbosity of sshd on the target box may help you diagnose the issue, but be aware that going to any level of debug verbosity starts compromising privacy by putting sensitive information in the log file.

[-]

illumis92@reddit (OP)

I usually just open a RDP-session to the server and then have a wrapper-script doing the stuff (reading the username, building the string connection-string, cleaning the .ssh/config file, if someone messes it up)

Is it important to have a "physical copy" of the certificate and the public key on the filesystem?

[-]

eclipseofthebutt@reddit

It forces ssh to try that certificate or public key and not try well known identies like ~/.ssh/id_rsa

[-]

picklednull@reddit

Do you have multiple smart card readers on your source workstation? i.e. does the credential prompt display multiple options?

[-]

illumis92@reddit (OP)

No, just one. The only one.

TO make sure,i nothign is enterfering, we took a clean Laptop, created a new smartcard-certificate on a fresh yubikey and took a fresh Windows- and Linux-server and tested it all over.

There must be something we are not seeing.

[-]

thetrivialstuff@reddit

For anyone else momentarily confused, PIV = personal identity verification in this context.

[-]

illumis92@reddit (OP)

Sorry for leaving this out - just thought, whoever may help knows, what I am talking about ;-)

[-]

thetrivialstuff@reddit

It's an odd choice of acronym for yubico to have decided to use, because its got a very well established NSFW meaning normally :P

[-]

mkosmo@reddit

Context matters. Most professionals aren't going to think of the other context when we're talking about authentication or identification.

If you can't handle overloaded acronyms, you may not be long for this world.

[-]

Library_IT_guy@reddit

So what you're saying is, my mind is in the gutter. Well, I already knew that, so carry on I guess. I'm going to giggle about "PIV Verification" all day and there's nothing you can do to stop me!

[-]

SVD_NL@reddit

Yubico didn't decide on that, NIST did. It's part of the FIPS 201 standard.

It was published in 2005, so not sure if the NSFW meaning was already common knowledge at that point in time.

[-]

SVD_NL@reddit

Have you tried using ssh -vvv to see what steps the sign-in is hanging on?

Without much more to go on, my first hunch would be that you've got a lot of auth methods enabled, and PIV is somewhere way down the list, so negotiation takes a while.

Have you tried disabling all auth methods except for the ones you're using? GSSAPI in particular. (i think testing with client-side settings should work, but you may need to disable it server-side too)

[-]

illumis92@reddit (OP)

So you mean disable everything except of smartcard-auth?

[-]

rswwalker@reddit

You may also want to run sshd -ddd on server side and look at what the daemon is doing there during connection time. Take a look to see what it’s doing during the delay. It sounds like a network timeout, maybe it can’t reach all KDCs or DNS servers for authentication.

[-]

SVD_NL@reddit

Maybe keep a backup method if applicable, so you don't lock yourself out. I think smartcard auth should be pubkeyauthentication? not sure where smartcard-auth would be used.
Disabling GSSAPI and host-based is usually a good start, and those generally aren't used.
You can also use preferredauthentication to set the order in which they are used.

I did a little searching and i found this particular bit, it's a bit much to go into, but it should also provide a solution to using jumpboxes.

[-]

illumis92@reddit (OP)

Do you mean to disable this Windows-wide (e.g. via registry) or just disable it as a parameter in the .ssh/config - file on the Windows-server?
Do you have a guide what to do to disable this or where this is set?

Thanks for the link, will share this with my Linux-sysadmin-colleagues!

[-]

Razgriz959@reddit

Are you using the default Windows Middleware for interfacing with the PIV auth slot on the Yubikey?

[-]

illumis92@reddit (OP)

As said - tried ssh-agent (on board), open-sc, wincrypt and also yubico-pivtool
All have the same "problem"