Starting a salted session fails when using an RSA key in FIPS mode
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| tpm2-tss (Ubuntu) | Fix Released | Undecided | Unassigned | |
| Focal | Fix Released | Undecided | Unassigned | |
| Jammy | Fix Released | Undecided | Unassigned | |
Bug Description
When configuring SSH to use a TPM protected key for authentication using tpm2-pkcs11 following the steps documented in https:/
WARNING:
ERROR:esys:
ERROR: Esys_StartAuthS
ERROR: Could not start Auth Session with the TPM.
ERROR: Error unsealing wrapping key
C_Login failed: 5
login failed
pkcs11_get_key failed
sign_and_
Parameter 2 in this case is the encrypted salt supplied to the TPM2_StartAuthS
This encryption happens in iesys_cryptossl
In focal, iesys_cryptossl
[Impact]
It's not possible to use tpm2-pkcs11 on a system that is running in FIPS mode with the version of tpm2-tss in focal.
This is fixed by partially backporting https:/
[Test plan]
[racb: pending amendment - see comment 3 below]
[amc: Test plan updated with the additional information that addresses 2 of the 3 points in comment #3. The third point is addressed in comment #5]
Follow the instructions detailed in https:/
Or follow the reproduction steps below in both FIPS mode and non-FIPS mode (see https:/
# Add the key
```
sudo usermod -a -G tss $USER
tpm2_ptool init
tpm2_ptool addtoken --pid=1 --label=ssh --userpin=
tpm2_ptool addkey --label=ssh --userpin=
```
# List the public SSH keys
```
ssh-keygen -D /usr/local/
```
Those warnings/errors are displayed, but can be ignored from what I can understand (see https:/
```
WARNING:
ERROR:fapi:
ERROR: Listing FAPI token objects failed.
```
# Add the SSH key to authorized_keys
Add this key to root's authorized keys:
```
ssh-keygen -D /usr/local/
```
# SSH as root
Pin is `MySecretPassword`:
```
ssh -I /usr/local/
```
Observe the error.
[Regression potential]
This is minimal - iesys_cryptossl
Changed in tpm2-tss (Ubuntu): status: New → Fix Released
Changed in tpm2-tss (Ubuntu Focal): status: New → Triaged
Changed in tpm2-tss (Ubuntu Jammy): status: New → Fix Released
description: updated
Hi Chris,
Thanks for opening the bug. Do you have a step-by-step reproducer of this, please? So that I can reproduce this here on a container as well? This is also something that should go in the "Test Plan" section of the bug. :)