author: Thomas Wolf <twolf@apache.org>, 2023-07-09 20:06:37 +0200
committer: Thomas Wolf <twolf@apache.org>, 2023-07-17 04:52:30 -0400
commit: 23758d7a61081be4e28c9fc2a0256d7774962455
tree: 9a661f915f0ad12d77d0e495f73c4b1a3c224ea1 /org.eclipse.jgit.ssh.apache/resources
parent: 760bdd09b1d186d4ca4f21b7f771882513521949
ssh: PKCS#11 support
Support PKCS#11 HSMs (like YubiKey PIV) for SSH authentication.
Use the SunPKCS11 provider as described at [1]. This provider
dynamically loads the library from the PKCS11Provider SSH configuration
and creates a Java KeyStore with that provider. A Java CallbackHandler
is needed to feed PIN prompts from the KeyStore into the JGit
CredentialsProvider framework. Because the JGit CredentialsProvider may
be specific to an SSH session but the PKCS11Provider may be used by
several sessions, the CallbackHandler needs to be configurable per
session.
PIN prompts respect the NumberOfPasswordPrompts SSH configuration. As
long as the library asks only for a PIN, we use the KeyPasswordProvider
to prompt for it. This gives automatic integration in Eclipse with the
Eclipse secure storage, so a user has even the option to store the PIN
there. (Eclipse will then ask for the secure storage master password on
first access, so the usefulness of this is debatable.)
By default the provider uses the first PKCS#11 token (slot list index
zero). This can be overridden by a non-standard PKCS11SlotListIndex
ssh configuration entry. (For OpenSSH interoperability, also set
"IgnoreUnknown PKCS11SlotListIndex" in the SSH config file then.)
Once loaded, the provider and its shared library and the keys
contained remain available until the application exits.
Manually tested using SoftHSM. See file manual_tests.txt. Kudos to
Christopher Lamb for additional manual testing with a real YubiKey,
also on Windows [2].
[1] https://docs.oracle.com/en/java/javase/11/security/pkcs11-reference-guide1.html
[2] https://www.eclipse.org/forums/index.php/t/1113295/
Change-Id: I544c97e1e24d05e28a9f0e803fd4b9151a76ed11
Signed-off-by: Thomas Wolf <twolf@apache.org>
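As an added illustration of the loading path the commit message describes (example code written here, not JGit's own): a SunPKCS11 provider is configured inline with the library path and slot list index, and the token's KeyStore is opened through a CallbackHandler that answers the PIN prompt and refuses further prompts past a limit. The class and method names, the prompt limit of 3 and the library path are assumptions; the PIN array is wiped as soon as the callback has taken its copy.

```java
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Collections;
import java.util.function.Supplier;
import javax.security.auth.callback.Callback;
import javax.security.auth.callback.CallbackHandler;
import javax.security.auth.callback.PasswordCallback;
import javax.security.auth.callback.UnsupportedCallbackException;

public final class Pkcs11KeyStoreExample {
    // Answers the token's PIN prompts from a caller-supplied source and refuses
    // further prompts after maxPrompts (the NumberOfPasswordPrompts idea).
    static final class PinHandler implements CallbackHandler {
        private final Supplier<char[]> pinSource;
        private final int maxPrompts;
        private int prompts;
        PinHandler(Supplier<char[]> s, int max) { pinSource = s; maxPrompts = max; }
        @Override
        public void handle(Callback[] callbacks) throws UnsupportedCallbackException {
            for (Callback cb : callbacks) {
                if (!(cb instanceof PasswordCallback) || ++prompts > maxPrompts) {
                    throw new UnsupportedCallbackException(cb, "PIN prompt refused");
                }
                char[] pin = pinSource.get();
                ((PasswordCallback) cb).setPassword(pin); // the callback keeps its own copy,
                Arrays.fill(pin, '\0');                    // so wipe ours right away
            }
        }
    }
    // Builds a SunPKCS11 provider from inline configuration text; the leading "--"
    // tells Provider.configure() the argument is the config itself, not a file path.
    static Provider configure(String libraryPath, int slotListIndex) {
        Provider base = Security.getProvider("SunPKCS11");
        if (base == null) throw new IllegalStateException("SunPKCS11 not available");
        return base.configure("--name = example\nlibrary = " + libraryPath
                + "\nslotListIndex = " + slotListIndex + "\n");
    }
    public static void main(String[] args) throws Exception {
        String lib = args.length > 0 ? args[0] : "/path/to/libsofthsm2.so"; // placeholder path
        KeyStore ks = KeyStore.Builder.newInstance("PKCS11", configure(lib, 0),
                new KeyStore.CallbackHandlerProtection(
                        new PinHandler(() -> System.console().readPassword("PIN: "), 3))).getKeyStore();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) System.out.println("private key entry: " + alias);
        }
    }
}
```

Run it from a terminal (System.console() is null inside most IDEs) with the PKCS#11 library path as the first argument; with SoftHSM the slot list index 0 selects the first initialized token.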
Diffstat (limited to 'org.eclipse.jgit.ssh.apache/resources')
-rw-r--r-- | org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties | 16 |
1 files changed, 12 insertions, 4 deletions
diff --git a/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties b/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties index c676221800..7da7181887 100644 --- a/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties +++ b/org.eclipse.jgit.ssh.apache/resources/org/eclipse/jgit/internal/transport/sshd/SshdText.properties @@ -32,17 +32,17 @@ gssapiFailure=GSS-API error for mechanism OID {0} gssapiInitFailure=GSS-API initialization failure for mechanism {0} gssapiUnexpectedMechanism=Server {0} replied with unknown mechanism name ''{1}'' in {2} authentication gssapiUnexpectedMessage=Received unexpected ssh message {1} in {0} authentication -identityFileCannotDecrypt=Given passphrase cannot decrypt identity {0} +identityFileCannotDecrypt=Given passphrase cannot read identity {0} identityFileNoKey=No keys found in identity {0} identityFileMultipleKeys=Multiple key pairs found in identity {0} identityFileNotFound=Skipping identity ''{0}'': file not found identityFileUnsupportedFormat=Unsupported format in identity {0} invalidSignatureAlgorithm=Signature algorithm ''{0}'' is not valid for a key of type ''{1}'' kexServerKeyInvalid=Server key did not validate -keyEncryptedMsg=Key ''{0}'' is encrypted. Enter the passphrase to decrypt it. +keyEncryptedMsg=''{0}'' needs a passphrase to be read. keyEncryptedPrompt=Passphrase -keyEncryptedRetry=Encrypted key ''{0}'' could not be decrypted. Enter the passphrase again. -keyLoadFailed=Could not load key ''{0}'' +keyEncryptedRetry=''{0}'' could not be read. Enter the passphrase again. +keyLoadFailed=Could not load ''{0}'' knownHostsCouldNotUpdate=Could not update known hosts file {0} knownHostsFileLockedUpdate=Could not update known hosts file (locked) {0} knownHostsFileReadFailed=Failed to read known hosts file {0} 
@@ -69,6 +69,14 @@ knownHostsUserAskCreationMsg=File {0} does not exist. knownHostsUserAskCreationPrompt=Create file {0} ? loginDenied=Cannot log in at {0}:{1} passwordPrompt=Password +pkcs11Error=ERROR: {0} +pkcs11FailedInstantiation=HostConfig for host {0} (hostname {1}): could not instantiate {2} {3} +pkcs11GeneralMessage=Java reported for PKCS#11 token {0}: {1} +pkcs11NoKeys=HostConfig for host {0} (hostname {1}) {2} {3} did not provide any keys +pkcs11NonExisting=HostConfig for host {0} (hostname {1}) {2} {3} does not exist or is not a file +pkcs11NotAbsolute=HostConfig for host {0} (hostname {1}) {2} {3} is not an absolute path +pkcs11Unsupported=HostConfig for host {0} (hostname {1}) {2} {3}: PKCS#11 is not supported +pkcs11Warning=WARNING: {0} proxyCannotAuthenticate=Cannot authenticate to proxy {0} proxyHttpFailure=HTTP Proxy connection to {0} failed with code {1}: {2} proxyHttpInvalidUserName=HTTP proxy connection {0} with invalid user name; must not contain colons: {1} |
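Review bot: in the first hunk (@@ -32,17), `identityFileCannotDecrypt=Given passphrase cannot read identity {0}` reads wrongly after the decrypt-to-read change, since a passphrase does not read anything; suggest `identityFileCannotDecrypt=Identity {0} could not be read with the given passphrase`, keeping the key name so existing lookups and translations still resolve. The generalized `keyEncryptedMsg` and `keyEncryptedRetry` texts now fit a PKCS#11 token as well as an encrypted key file, but `keyEncryptedPrompt=Passphrase` is unchanged, so if the PIN prompt goes through the same KeyPasswordProvider texts as the commit message says, the user unlocking a token sees a "Passphrase" label for what is a PIN; a separate prompt text for the PKCS#11 path would avoid that.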
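Review bot: in the second hunk (@@ -69,6), the new `pkcs11NoKeys`, `pkcs11NonExisting`, `pkcs11NotAbsolute` and `pkcs11Unsupported` messages place the config key and value `{2} {3}` directly after the `(hostname {1})` parenthesis with no separator, whereas `pkcs11FailedInstantiation` uses a colon; suggest the consistent form `HostConfig for host {0} (hostname {1}): {2} {3} ...` and, since `{3}` is a file path (see `does not exist or is not a file` and `is not an absolute path`), quoting it as `''{3}''` the way the identity messages earlier in this file quote their argument. `pkcs11Error=ERROR: {0}` and `pkcs11Warning=WARNING: {0}` are bare prefixes; a comment in the properties file stating what `{0}` carries would help translators keep the severity wording aligned.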