I am trying to follow this tutorial https://p11-glue.github.io/p11-glue/p11-kit/manual/remoting.html , but there are many points that confuse me.
- Which side is the PKCS#11 server?
It says "Setting up the PKCS#11 forwarding server on a local client". So I understand that my local machine plays the role of the p11 server, which connects directly to the smart card (in the later setup I use SoftHSM as a smart card). They mention P11_KIT_SERVER_ADDRESS, but the command is executed on the "local client," which is confusing.
- Which side is the PKCS#11 client?
In the sections "Preparing the remote system for PKCS#11 socket forwarding" and "Forwarding the PKCS#11 socket", they locate the user runtime directory, but one of them is done via "ssh". So I thought the runtime directory was on the remote system. (They also use the terms "remote server" or "remote host".)
Below I describe step by step what I have done in 2 containers, A as my local machine and B as a remote host. I use SoftHSM as a simulated smart card. On local machine A:
$ p11tool --list-tokens
Token 0:
URL: pkcs11:model=p11-kit-trust;manufacturer=PKCS%2311%20Kit;serial=1;token=System%20Trust
Label: System Trust
Type: Trust module
Flags: uPIN uninitialized
Manufacturer: PKCS#11 Kit
Model: p11-kit-trust
Serial: 1
Module: p11-kit-trust.so
Token 1:
URL: pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=d1472478b9829554;token=mimi
Label: mimi
Type: Generic token
Flags: RNG, Requires login
Manufacturer: SoftHSM project
Model: SoftHSM v2
Serial: d1472478b9829554
Module: /usr/local/lib/softhsm/libsofthsm2.so
So, there are 2 tokens available on machine A.
I also need to create a runtime dir on the local host. Otherwise it shows an error when I run p11-kit server --provider ...
export XDG_RUNTIME_DIR=/tmp/$(id -u)-today
mkdir -p $XDG_RUNTIME_DIR
chmod 700 $XDG_RUNTIME_DIR
p11-kit server --provider /usr/local/lib/softhsm/libsofthsm2.so "pkcs11:model=SoftHSM%20v2;manufacturer=SoftHSM%20project;serial=01165599c52ea1fe;token=mimi"
P11_KIT_SERVER_ADDRESS=unix:path=/tmp/0-today/p11-kit/pkcs11-73; export P11_KIT_SERVER_ADDRESS;
P11_KIT_SERVER_PID=74; export P11_KIT_SERVER_PID;
On remote host - B (172.18.0.3):
root@1de661b77dbd:~# export XDG_RUNTIME_DIR=/tmp/$(id -u)-nginx
root@1de661b77dbd:~# mkdir -p $XDG_RUNTIME_DIR && chmod 700 $XDG_RUNTIME_DIR
root@1de661b77dbd:~# systemd-path user-runtime
/tmp/0-nginx
root@1de661b77dbd:~# systemctl enable p11-kit-client.service
Failed to enable unit, unit p11-kit-client.service does not exist.
root@1de661b77dbd:~# systemctl list-unit-files | grep p11
p11-kit-client.service enabled enabled
root@1de661b77dbd:~# mkdir /tmp/0-nginx/p11-kit
I tried to ssh from A to machine B with ssh -R /tmp/0-nginx/p11-kit/pkcs11:${P11_KIT_SERVER_ADDRESS#*=} root@172.18.0.3, but got a warning, so I needed to create /tmp/0-nginx/p11-kit on B; after that the warning was gone.
On/From Machine A
root@b1d0c05c4ec6:~# ssh -R /tmp/0-nginx/p11-kit/pkcs11:${P11_KIT_SERVER_ADDRESS#*=} root@172.18.0.3
and then
root@1de661b77dbd:~# ls -l /tmp/0-nginx/p11-kit/pkcs11
srw------- 1 root root 0 Oct 17 10:56 /tmp/0-nginx/p11-kit/pkcs11
p11tool --provider /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so --list-tokens
p11tool --provider /usr/local/lib/pkcs11/p11-kit-client.so --list-tokens
=> No token shows up with p11-kit-client.so on the remote machine.
Did I make a mistake in any of the steps? Why are no tokens showing up on the remote machine when using p11-kit-client.so?
Similar to X11 or ssh-agent, the host that contains the resources (actual tokens in this case) is the server, and the host that wants to use the resources is the client that connects to the server. So if you're doing it with SSH and trying to forward local tokens to the remote system, then the local host is the SSH client and the p11-kit server, while the remote host would be the SSH server and the p11-kit client (as the ssh-agent client if you were using -A).

Your output shows that you did not set P11_KIT_SERVER_ADDRESS on machine B after connecting (nor XDG_RUNTIME_DIR, though that's only a secondary mechanism). The server's sshd has a socket but doesn't know anything about it being a p11-kit socket, while p11-kit on the server has no idea that it needs to look there.

Your earlier output says that you have export XDG_RUNTIME_DIR=/tmp/$(id -u)-nginx, but apparently that was done in a completely different SSH session. Environment variables are not automatically user-wide; they are per-process and don't persist if you re-connect the SSH session.

The p11-kit server socket doesn't necessarily have to be in $XDG_RUNTIME_DIR, but that is the default path used by the p11-kit-server.service systemd unit for desktop users. (Note that this is a user-level service, managed by a separate "systemd --user" instance.) On the client side, a custom path can be specified using the --name option; and on the server side, that's the purpose of P11_KIT_SERVER_ADDRESS (which overrides the built-in default of unix:path=$XDG_RUNTIME_DIR/p11-kit/pkcs11).
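The procedure from the question, with the fix from the answer applied, as an added shell example (not code from the question, the answer or the p11-kit project): the remote directory is created before sshd binds the forwarded socket, and P11_KIT_SERVER_ADDRESS is exported in the same remote shell that loads p11-kit-client.so. The host, runtime directory and p11-kit-client.so path are placeholders.

```shell
#!/bin/sh
# Added example, not code from the question, the answer or p11-kit itself.
# It forwards the local p11-kit server socket with ssh -R and exports
# P11_KIT_SERVER_ADDRESS in the same remote shell that runs p11tool with
# p11-kit-client.so, which is the step missing from the question's session.
# user@host, the runtime dir and the client .so path are assumed placeholders.

# Local side: take the socket path out of the line `p11-kit server` printed,
# e.g. unix:path=/tmp/0-today/p11-kit/pkcs11-73
local_socket_path() {
    printf '%s\n' "${1#*=}"
}

# Remote side: the path p11-kit-client.so looks at by default, i.e.
# $XDG_RUNTIME_DIR/p11-kit/pkcs11 (argument 1 is the remote runtime dir).
remote_socket_path() {
    printf '%s/p11-kit/pkcs11\n' "$1"
}

# ssh -R argument: "<remote socket path>:<local socket path>"
ssh_forward_arg() {
    printf '%s:%s\n' "$(remote_socket_path "$2")" "$(local_socket_path "$1")"
}

# Command executed on the remote host. The export and the p11tool call run in
# one shell, so the client library actually sees the forwarded socket address.
remote_command() {
    printf 'export XDG_RUNTIME_DIR=%s P11_KIT_SERVER_ADDRESS=unix:path=%s; p11tool --provider %s --list-tokens\n' \
        "$1" "$(remote_socket_path "$1")" "$2"
}

# Usage: forward_tokens "$P11_KIT_SERVER_ADDRESS" /tmp/0-nginx root@172.18.0.3 \
#            /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-client.so
forward_tokens() {
    addr=$1; rdir=$2; host=$3; client_so=$4
    # The directory must exist before sshd binds the forwarded socket; otherwise
    # the remote forward fails with a warning, as seen in the question.
    ssh "$host" "mkdir -p '$rdir/p11-kit' && chmod 700 '$rdir'" || return 1
    # StreamLocalBindUnlink removes a stale socket left by an earlier session.
    ssh -o StreamLocalBindUnlink=yes -R "$(ssh_forward_arg "$addr" "$rdir")" \
        "$host" "$(remote_command "$rdir" "$client_so")"
}
```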