[Bug 2682] New: ssh-agent is unable to remove smartcard after introducing whitelist
bugzilla-daemon at bugzilla.mindrot.org
Wed Feb 22 03:16:03 AEDT 2017
https://bugzilla.mindrot.org/show_bug.cgi?id=2682
Bug ID: 2682
Summary: ssh-agent is unable to remove smartcard after introducing whitelist
Product: Portable OpenSSH
Version: 7.4p1
Hardware: Other
OS: Linux
Status: NEW
Keywords: patch
Severity: enhancement
Priority: P5
Component: Smartcard
Assignee: unassigned-bugs at mindrot.org
Reporter: jjelen at redhat.com
Created attachment 2946
--> https://bugzilla.mindrot.org/attachment.cgi?id=2946&action=edit
proposed patch
Since the whitelisting of PKCS#11 modules in ssh-agent, after adding a
PKCS#11 module that is a symlink to another file (as is common in
Fedora/RHEL), we are unable to remove the module with the same path:
/usr/lib64/pkcs11/opensc-pkcs11.so -> ../opensc-pkcs11.so
The ssh-agent says:
$ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib64/pkcs11/opensc-pkcs11.so
$ ssh-add -e /usr/lib64/opensc-pkcs11.so
Could not remove card "/usr/lib64/opensc-pkcs11.so": agent refused operation
From the ssh-agent log we can see:
process_remove_smartcard_key: pkcs11_del_provider failed
The problem is the call to realpath(3), which resolves the symlinks and
passes the target of that symlink to the PKCS#11 code.
I understand that it is needed for the whitelist to be effective, but
it is getting confusing that one input is sanitized, the second is not, and
they are compared with each other (in pkcs11_provider_lookup()).
We should probably add the realpath call to the remove routine too to
make it more user-friendly. The proposed patch also adds some more
debug information.
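As an added illustration (not the reporter's patch and not OpenSSH code), a small C model of the mismatch described above: the add path is canonicalized with realpath(3) and the resolved target is stored, while the remove path is compared exactly as typed, so a symlink path can never match until remove resolves it the same way. The names provider_add, provider_remove_unresolved, provider_remove_resolved and demo, and the temp-directory symlink layout demo builds, are constructed for this example.

```c
#define _GNU_SOURCE   /* declares realpath(3), mkdtemp(3) and symlink(2) under strict -std modes */
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
/* Toy stand-in for ssh-agent's PKCS#11 provider table (constructed, not OpenSSH code). */
static char *providers[8]; static int nproviders;
/* Byte-for-byte comparison, as the report describes for pkcs11_provider_lookup(). */
static int provider_lookup(const char *path) {
    for (int i = 0; i < nproviders; i++)
        if (strcmp(providers[i], path) == 0) return i;
    return -1;
}
/* Add: realpath(3) first, as ssh-agent does before the whitelist check; the resolved target is stored. */
int provider_add(const char *path) {
    char real[PATH_MAX];
    if (nproviders >= 8 || realpath(path, real) == NULL) return -1;
    providers[nproviders++] = strdup(real);
    return 0;
}
/* Remove as reported: the caller's string is compared unresolved, so a symlink path never matches. */
int provider_remove_unresolved(const char *path) {
    int i = provider_lookup(path);
    if (i < 0) return -1;                     /* ssh-add sees "agent refused operation" */
    free(providers[i]);
    providers[i] = providers[--nproviders];
    return 0;
}
/* Remove with the proposed fix: resolve exactly as add does, so both sides of the comparison agree. */
int provider_remove_resolved(const char *path) {
    char real[PATH_MAX];
    return realpath(path, real) == NULL ? -1 : provider_remove_unresolved(real);
}
/* Replays the report on a constructed layout DIR/pkcs11/opensc-pkcs11.so -> ../opensc-pkcs11.so;
 * returns 1 when removal by the symlink path fails unresolved but succeeds once resolved. */
int demo(void) {
    char dir[] = "/tmp/p11demoXXXXXX", target[PATH_MAX], sub[PATH_MAX], link[PATH_MAX];
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(target, sizeof target, "%s/opensc-pkcs11.so", dir);
    snprintf(sub, sizeof sub, "%s/pkcs11", dir);
    snprintf(link, sizeof link, "%s/pkcs11/opensc-pkcs11.so", dir);
    FILE *f = fopen(target, "w");   /* the "module" is an empty file; only the path matters here */
    if (f == NULL || fclose(f) != 0 || mkdir(sub, 0700) != 0 || symlink("../opensc-pkcs11.so", link) != 0) return 0;
    int ok = provider_add(link) == 0 && provider_remove_unresolved(link) == -1 &&
             provider_remove_resolved(link) == 0;
    unlink(link); unlink(target); rmdir(sub); rmdir(dir);  /* clean up the constructed layout */
    return ok;
}
```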