[Bug 2620] New: Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
bugzilla-daemon at bugzilla.mindrot.org
Tue Oct 4 01:17:37 AEDT 2016
https://bugzilla.mindrot.org/show_bug.cgi?id=2620
Bug ID: 2620
Summary: Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
Product: Portable OpenSSH
Version: 7.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: reddot.rocks at gmail.com
I would like to set up my ssh connection encryption using a smart card
with a PKCS#11 interface provided by a shared library. In the trivial
scenario I'm able to add this key to the agent using ssh-add:
reddot at docorp:~$ ssh-add -s /usr/lib/libeTPkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/libeTPkcs11.so
Now I would like to automate this process so that I am asked for the card
PIN only once, on first key access, so I would like to use the
AddKeysToAgent option available in the config. However, it seems this
option doesn't work with PKCS#11 keys. Could it be fixed?
There's one more annoying issue: if a PKCS#11 key has already been loaded
into the agent, it isn't considered when ssh's PKCS11Provider option is
set, and I have to enter the card PIN again:
reddot at docorp:~$ ssh-add -l
2048 SHA256:...........................................
/usr/lib/libeTPkcs11.so (RSA)
2048 SHA256:...........................................
/usr/lib/libeTPkcs11.so (RSA)
reddot at docorp:~$ ssh valov.avp.ru
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
...
reddot at docorp:~$ ssh valov.avp.ru -I/usr/lib/libeTPkcs11.so
Enter PIN for 'Roman Valov':
...
I have to enter my card PIN again even though its key is available via
the agent.
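A practical workaround for the behaviour described in this report, written as an added example (not code from the bug report or from OpenSSH): parse the `ssh-add -l` listing, load the PKCS#11 provider only when none of its keys are already in the agent, and then connect without `-I` so the agent-cached keys are used and no second PIN prompt appears. The provider path and hostname are placeholders.

```shell
#!/bin/sh
# Added example: avoid re-entering the PKCS#11 PIN by loading the provider
# into ssh-agent at most once. Provider path below is a placeholder.

# provider_loaded LIB LISTING
# Returns 0 if LIB appears as the key comment in an `ssh-add -l` listing.
# ssh-add -l prints one key per line: <bits> <fingerprint> <comment> (<type>)
# and for PKCS#11 keys the comment is the provider path.
provider_loaded() {
    printf '%s\n' "$2" | awk -v lib="$1" '
        $3 == lib { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# ensure_provider LIB
# Asks the running agent for its key list and adds the provider (one PIN
# prompt) only if none of its keys are present yet.
ensure_provider() {
    lib="$1"
    listing=$(ssh-add -l 2>/dev/null) || listing=""
    if provider_loaded "$lib" "$listing"; then
        echo "provider already in agent: $lib"
    else
        ssh-add -s "$lib"   # prompts for the card PIN once
    fi
}

# Usage (placeholder host): load once, then connect WITHOUT -I so the
# agent's copy of the key is used instead of prompting for the PIN again.
#   ensure_provider /usr/lib/libeTPkcs11.so && ssh example-host
```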