[Bug 2890] ssh-agent should not fail after removing and inserting smart card
bugzilla-daemon at mindrot.org
Wed Mar 18 14:12:01 AEDT 2020
https://bugzilla.mindrot.org/show_bug.cgi?id=2890
Jacob Hoffman-Andrews <mindrot at hoffman-andrews.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mindrot at hoffman-andrews.com
--- Comment #5 from Jacob Hoffman-Andrews <mindrot at hoffman-andrews.com> ---
Created attachment 3369
--> https://bugzilla.mindrot.org/attachment.cgi?id=3369&action=edit
updated patch, March 2020
I've applied the patch locally and brought it up to date so it builds
with the latest master.

I'm interested in fixing the workflow for a token + builtin reader
(e.g. a Yubikey in PIV mode), as discussed at
https://lists.mindrot.org/pipermail/openssh-unix-dev/2020-February/038317.html.

I can confirm that this patch doesn't solve my use case. When I remove
and then reinsert my Yubikey, and run `ssh example.com`, I get:

ssh-agent: fd 4 setting O_NONBLOCK
ssh-agent: process_message: socket 1 (fd=4) type 11
ssh-agent: process_message: socket 1 (fd=4) type 13
ssh-pkcs11-helper: process_sign
ssh-pkcs11-helper: check 0x559707702c70 /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so PIV AUTH pubkey
ssh-pkcs11-helper: RSA_get_app_data failed for rsa 0x559707776630
ssh-pkcs11-helper: pkcs11_check_obj_bool_attrib: provider 0x55970771b5f0 slot 0 object 94107153503168: attrib 514 = 0
ssh-pkcs11-helper: C_Sign failed: 5
ssh-pkcs11-helper: pkcs11_k11_free: parent 0x5597077700c0 ptr (nil) idx 1
ssh-agent: process_sign_request2: sshkey_sign: error in libcrypto
sign_and_send_pubkey: signing failed: agent refused operation

I would be curious to hear if the updated patch works for the separate
token + reader use case.