I am attempting to SSH to a CentOS 7.5 machine (192.168.1.5) using smart card technology.
Now I can SSH using the master slot's X.509 certificate with the matching private key to accomplish this, but this means that I must put the certificate's public key onto every machine that I wish to SSH onto. That is tedious if you ask me.
Therefore I want to use a different public/private key pair, specifically RSA keys, so that I can, at some time in the future, sign them with an RSA certificate, allowing OpenSSH to trust the RSA certificate and removing the need to trust every single smart card's X.509 certificate. But for now I just want to SSH with this RSA key pair from the smart card.
Therefore I began following the typical steps to generate keys and load them onto a smart card.
ssh-keygen -f gofish
ssh-keygen -f gofish.pub -e -m pem
ykman piv import-key 9c gofish
ykman piv generate-certificate 9c gofish.pem -s 'gofish543'
ssh-keygen -D [opensc-pkcs11.so] -e
- Placed the output of the above command onto my target CentOS machine.
ssh gofish543@192.168.1.5 -I [opensc-pkcs11.so]
With everything appearing to be working, I moved over to Windows 10 to SSH with PuTTY. This is when everything falls apart. Using PuTTY-CAC for smart card SSH authentication, it successfully loads my smart card's information into Pageant, but when I go to SSH it fails with an error.
The PuTTY terminal presents the following:
Using username "gofish543".
Authenticating with public key "CAPI:5e084cb687f0c54adf8ddd733720db48407d3195" from agent
Server refused public-key signature despite accepting key!
gofish543@192.168.1.5's password:
The sshd error log shows the following:
debug1: matching key found: file /home/gofish543/.ssh/authorized_keys, line 1 RSA SHA256:Eor3aPxtNW6zrxLbq+1tB/urwql1CQB6EM8tFIx31+I
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x55d310674760 is allowed
debug3: mm_request_send entering: type 23
debug3: mm_key_verify entering [preauth]
debug3: mm_request_send entering: type 24 [preauth]
debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
debug3: mm_request_receive_expect entering: type 25 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 24
key_verify: invalid argument
debug3: mm_answer_keyverify: key 0x55d310674710 signature unverified
debug3: mm_request_send entering: type 25
Failed publickey for gofish543 from 192.168.1.3 port 50051 ssh2: RSA SHA256:Eor3aPxtNW6zrxLbq+1tB/urwql1CQB6EM8tFIx31+I
The public/private key authentication falls apart at the line key_verify: invalid argument. Searching for this problem yields zero applicable results. What can I do to fix this problem?
As a side note, if I disclosed anything in the error logs that I should not have, like a private key or private key information, know that all these machines are on an internal network hosted on a laptop isolated from the internet. And these keys are going to be deleted in a week or two.
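The sshd log above shows the two halves of public-key authentication separately: the key matched authorized_keys (mm_answer_keyallowed), and then the client's signature blob was rejected (mm_answer_keyverify) before any RSA verification could succeed. As an added example, not part of the question and not a diagnosis of this particular failure, here is a Python parser for the two SSH wire-format blobs involved (the ssh-rsa key from authorized_keys and the "algorithm, signature" blob the client sends) with the structural checks an RSA verifier applies before any math: the algorithm name must be an RSA signature algorithm and the signature must be exactly as long as the modulus. The key material below is constructed for the demo and is not a real RSA key.

```python
import base64
import struct

def ssh_string(b: bytes) -> bytes:
    return struct.pack(">I", len(b)) + b  # RFC 4251 'string': 4-byte length + bytes

def ssh_mpint(n: int) -> bytes:
    return ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))  # leading 0 keeps sign bit clear

def parse_ssh_strings(blob: bytes) -> list:
    """Split a blob of consecutive 'string' fields; raise if a field is truncated or bytes trail."""
    fields, off = [], 0
    while off + 4 <= len(blob):
        (n,) = struct.unpack(">I", blob[off:off + 4])
        fields.append(blob[off + 4:off + 4 + n])
        off += 4 + n
    if off != len(blob):
        raise ValueError("truncated field or trailing bytes")
    return fields

def parse_authorized_key(line: str):
    """Decode an authorized_keys line '<type> <base64> [comment]' into (type, e, n)."""
    keytype, b64 = line.split()[:2]
    fields = parse_ssh_strings(base64.b64decode(b64))
    if len(fields) != 3 or fields[0].decode() != keytype:
        raise ValueError("blob is not a well-formed ssh-rsa public key")
    return keytype, int.from_bytes(fields[1], "big"), int.from_bytes(fields[2], "big")

RSA_SIG_ALGS = {"ssh-rsa", "rsa-sha2-256", "rsa-sha2-512"}

def check_signature_blob(sig_blob: bytes, keytype: str, n: int) -> list:
    """Structural checks on a '<algorithm> <signature>' blob for an RSA key; returns a list of problems."""
    try:
        alg, sig = parse_ssh_strings(sig_blob)  # wrong field count also raises ValueError
    except ValueError as exc:
        return [f"malformed signature blob: {exc}"]
    problems = []
    if keytype == "ssh-rsa" and alg.decode(errors="replace") not in RSA_SIG_ALGS:
        problems.append(f"algorithm {alg!r} is not an RSA signature algorithm")
    modlen = (n.bit_length() + 7) // 8
    if len(sig) != modlen:
        problems.append(f"signature is {len(sig)} bytes, modulus is {modlen} bytes")
    return problems

# Constructed demo values: the modulus has a real key's size (2048 bits) but is not a real RSA key.
SAMPLE_E, SAMPLE_N = 65537, (1 << 2047) | 12345
SAMPLE_LINE = "ssh-rsa " + base64.b64encode(
    ssh_string(b"ssh-rsa") + ssh_mpint(SAMPLE_E) + ssh_mpint(SAMPLE_N)).decode() + " gofish"
GOOD_SIG = ssh_string(b"rsa-sha2-256") + ssh_string(b"\x01" * 256)   # right algorithm, right length
SHORT_SIG = ssh_string(b"rsa-sha2-256") + ssh_string(b"\x01" * 255)  # one byte short of the modulus

if __name__ == "__main__":
    print(check_signature_blob(GOOD_SIG, *parse_authorized_key(SAMPLE_LINE)[::2]), check_signature_blob(SHORT_SIG, "ssh-rsa", SAMPLE_N))
```

To inspect a real exchange, feed the blob from your own authorized_keys line and a captured signature blob into the same functions; with a key that is not ssh-rsa the algorithm check is skipped.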