Multiple CAPI Device Support

#1  07-15-2018, 08:41 PM  echo_ (Registered User)

I have a yubikey set up using CAPI for ssh access to our servers. Works well. Our servers are set up with multiple keys tied to multiple yubikey devices. When I unplug one and plug in another, SecureCRT says it can't be used. Is there a way to have a SecureCRT client support more than one CAPI device? Thanks!

#2  07-16-2018, 07:53 AM  bgagnon (VanDyke Technical Support)
Hi echo_,

What version of SecureCRT/Windows are you using?

Please attach a screenshot of the error message you are receiving.
__________________
Thanks,
--Brenda

VanDyke Software
Technical Support
support@vandyke.com
(505) 332-5730

#3  07-16-2018, 08:49 AM  echo_ (Registered User)
SecureCRT
Version 8.3.3 (x64 build 1646) - Official Release - May 3, 2018

Windows 10
Version 10.0.17134 Build 17134

I connect with one yubikey inserted, enter my PIN, press the button and am logged in fine.

I then close SecureCRT, remove the yubikey and insert a different yubikey (which is configured on the same server) and get this:

[screenshot not included in the thread text]

When I click 'cancel' I get this:

[screenshot not included in the thread text]

Both keys work to allow us to ssh to the same server using a different client, so we know the keys work on that server.

Thanks!

#4  07-16-2018, 09:06 AM  bgagnon (VanDyke Technical Support)
Hi echo_,

Do you get the "Windows Security" error before you have even launched SecureCRT?

At what point in the process is SecureCRT re-launched?

#5  07-16-2018, 09:08 AM  echo_ (Registered User)
If I actually go in and select the correct cert, it does work. It seems the "try all certificates" part is not working. Could that be because the certs on all the different cards have the same name? That's how we provision them.

[screenshot not included in the thread text]

Is there a way to clear out that list?

Thanks!

#6  07-16-2018, 09:10 AM  echo_ (Registered User)
I don't get the windows security error until I try to connect to one of our sessions in SecureCRT.

So I can boot up fresh with a yubikey already inserted, launch SecureCRT, and then when I try to connect to the ssh session is when I see that error. I think it may be related to the "try all certificates" setting. I posted that in another reply. Thanks!

#7  07-16-2018, 09:29 AM  bgagnon (VanDyke Technical Support)
Hi echo_,

So are you saying the details in the error dialog are referencing the certificate on the removed device? (If not sure, can you use the Properties button to check the details?)

I think you may be onto something regarding the name conflict.

Quote:
Is there a way to clear out that list?
The list shown in the Select Certificate dialog is a reflection of the certificates available in CAPI.

#8  07-16-2018, 08:27 PM  echo_ (Registered User)
OK, wanted to follow up and let you know it appears to be because of the duplicate names. So "try all certificates" doesn't really try all certificates, so watch out if you have duplicate CNs. We went back and re-provisioned a handful of yubikeys and gave all the certs unique names and everything works as desired. Thank you!

#9  07-16-2018, 09:40 PM  echo_ (Registered User)
Sorry I spoke too soon. Even though all the key names are unique now, I still have to manually select the one to use or I get the windows error.

#10  07-17-2018, 07:28 AM  bgagnon (VanDyke Technical Support)
Hi echo_,

Please respond to my inquiry from yesterday:

Quote:
So are you saying the details in the error dialog are referencing the certificate on the removed device? (If not sure, can you use the Properties button to check the details?)

#11  07-17-2018, 07:40 AM  echo_ (Registered User)
Sorry, I'm not sure what you're asking. The windows dialog that says "select a smart card device" is showing the NIST/Yubikey smart card. All 3 that we are testing with say that, but I assume it's showing the one that is currently plugged in.

#12  07-17-2018, 09:30 AM  bgagnon (VanDyke Technical Support)
Hi echo_,

If you disable Add keys to agent in the SSH2 category of Global Options are the results the same?

You may also need to clear the keys currently in agent (manually remove them using "Tools > Manage Agent Keys", press [Remove] button for each one listed there).

#13  07-17-2018, 11:52 AM  echo_ (Registered User)
There was no change in behavior when deselecting that option and then restarting the program. Also when managing agent keys, the list was empty unless I was already logged in to a host, then that single key was in there. Thanks.

#14  07-17-2018, 01:08 PM  bgagnon (VanDyke Technical Support)
Hi echo_,

Thanks for the update.

I have submitted this behavior for investigation by the development team. Should progress be made toward a resolution, or further information be requested, I will post in this thread.

If you prefer direct e-mail notification, contact support@vandyke.com and include "Bug Report - Forum Thread #13173" in the subject line.

#15  07-17-2018, 03:07 PM  bgagnon (VanDyke Technical Support)
Hi echo_,

This is what the developers had to say:
Quote:
When the Yubikey smart card is plugged in, the certificates are automatically loaded into the user's personal certificate store in CAPI. This is where SecureCRT gets the potential list of certificates to try. When the smart card is unplugged, those certificates are kept in the user's personal store. Next, the second Yubikey is plugged in and a different set of certificates is loaded into the store. Now, when SecureCRT attempts to connect (when configured with "Try all certificates"), we will try the first certificate available. If that certificate is one that happened to be from the first smart card, then it will fail when attempting to load the private key off the card.
Makes sense, right?

Some workarounds they suggested:
  • Manually clear the certificates loaded by the card from the user's personal store after the card is removed.

  • Create different sessions that specify the specific certificate to use.

  • Use a pkcs#11 provider DLL (OpenSC) to access the certificates on the card.
I know you asked how to do the first one above previously, but you'll need to work within the CAPI interface, not SecureCRT, to do it. I am sure if you run searches on "how to clear certs from CAPI" you will find some Microsoft resources.
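The first workaround above (clearing the propagated copies out of the user's personal store once a card is unplugged) can be scripted. The following is an added example written for this thread, not code from VanDyke or from the original poster; it assumes the provisioned certificates share a subject pattern (the `CN=Example Org SSH Card*` placeholder is constructed) and that you identify the card that is currently inserted by its certificate thumbprint so that its entry is kept.

```powershell
# Added example (not from the thread or from VanDyke): list the smart-card
# certificates that Windows propagated into CurrentUser\My from YubiKeys and
# remove the stale copies left behind after a card was unplugged, which is the
# state in which SecureCRT's "Try all certificates" picks a key it cannot load.
# Assumptions: the subject pattern below is a constructed placeholder; the
# card that is plugged in right now is identified by -KeepThumbprint.
function Remove-StaleSmartCardCerts {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Subject pattern shared by the provisioned cards (placeholder, adjust)
        [string]$SubjectPattern = 'CN=Example Org SSH Card*',
        # Thumbprint of the certificate on the card inserted now; it is kept
        [string]$KeepThumbprint
    )

    $matches = Get-ChildItem -Path Cert:\CurrentUser\My |
        Where-Object { $_.Subject -like $SubjectPattern }

    if (-not $matches) {
        Write-Verbose "No certificates matching '$SubjectPattern' in CurrentUser\My."
        return
    }

    # Show what is there first. Identical Subjects with different thumbprints
    # are exactly the duplicate-CN situation discussed in the thread.
    $matches | Format-Table Thumbprint, Subject, NotAfter, HasPrivateKey -AutoSize

    foreach ($cert in $matches) {
        if ($KeepThumbprint -and $cert.Thumbprint -eq $KeepThumbprint) {
            Write-Verbose "Keeping $($cert.Thumbprint) (current card)."
            continue
        }
        # Only the propagated copy in the user store is removed; the private
        # key stays on the card (no -DeleteKey), and the Certificate
        # Propagation service re-adds the cert the next time that card is inserted.
        $target = "$($cert.Subject) [$($cert.Thumbprint)]"
        if ($PSCmdlet.ShouldProcess($target, 'Remove from Cert:\CurrentUser\My')) {
            Remove-Item -Path "Cert:\CurrentUser\My\$($cert.Thumbprint)"
        }
    }
}

# Dry run first (-WhatIf), then the real removal once the listing looks right:
# Remove-StaleSmartCardCerts -KeepThumbprint '<thumbprint of inserted card>' -WhatIf -Verbose
# Remove-StaleSmartCardCerts -KeepThumbprint '<thumbprint of inserted card>' -Verbose
```

Because the stale entries come back whenever the other card is inserted again, this has to be re-run after each swap, which is why the other two workarounds (per-certificate sessions or a PKCS#11 provider that reads the card directly) are the more durable fix.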