[Bug 2682] New: ssh-agent is unable to remove smartcard after introducing whitelist

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Wed Feb 22 03:16:03 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2682

            Bug ID: 2682
           Summary: ssh-agent is unable to remove smartcard after
                    introducing whitelist
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Keywords: patch
          Severity: enhancement
          Priority: P5
         Component: Smartcard
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2946
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2946&action=edit
proposed patch

Since the whitelisting of the PKCS#11 modules in ssh-agent, adding a
PKCS#11 module, that is symlink to another file (as common in
Fedora/RHEL) we are unable to remove the module with the same path:

    /usr/lib64/pkcs11/opensc-pkcs11.so -> ../opensc-pkcs11.so

The ssh-agent says:

    $ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
    Enter passphrase for PKCS#11: 
    Card added: /usr/lib64/pkcs11/opensc-pkcs11.so
    $ ssh-add -e /usr/lib64/opensc-pkcs11.so
    Could not remove card "/usr/lib64/opensc-pkcs11.so": agent refused
operation

>From the ssh-agent log we can see:

    process_remove_smartcard_key: pkcs11_del_provider failed

the problem is the call to the realpath(3), which resolves the symlinks
and passes to the pkcs11-code already target of that symlink.

I understand that it is needed for the whitelist to be effective, but
it is getting confusing that one input is sanitized, the second not and
they are compared with each other (in pkcs11_provider_lookup()).

We should probably add the realpath call to the remove routine too to
make it more user-friendly. Proposed patch is also adding some more
debug information.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list