Two problems with OpenSSH

Uri Blumenthal uri at mit.edu
Tue Oct 25 12:34:32 AEDT 2016


My platform: macOS Sierra 10.12.1, Xcode-8.0.0, Macports-2.3.4, Macports-installed OpenSSH_7.3p1.

First problem: OpenSSH seems to ignore PKCS11Provider configuration variable in ~/.ssh/config file (and in the system/global config files as well). It acts as if it hasn’t been set:

$ ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2j  26 Sep 2016
$ ssh-keygen -D pkcs11 -e
dlopen pkcs11 failed: dlopen(pkcs11, 2): no suitable image found.  Did find:
	/opt/local/lib/pkcs11: not a file
	/Library/OpenSC/lib/pkcs11: not a file
cannot read public key from pkcs11
$ ssh-keygen -D /Library/OpenSC/lib/opensc-pkcs11.so -e

ssh-rsa AAAAB3NzaC1yc2EA . . . . .

$ ssh -I pkcs11 github.com
dlopen pkcs11 failed: dlopen(pkcs11, 2): no suitable image found.  Did find:
	/opt/local/lib/pkcs11: not a file
	/Library/OpenSC/lib/pkcs11: not a file
Permission denied (publickey).
$ ssh -I /Library/OpenSC/lib/opensc-pkcs11.so github.com
Enter PIN for 'PIV Card Holder pin (PIV_II)': 
PTY allocation request failed on channel 0
Hi xxxxxx! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
$ fgrep PKCS11 ~/.ssh/config
PKCS11Provider /Library/OpenSC/lib/opensc-pkcs11.dylib
$

I’d appreciate some guidance on the use of the PKCS11Provider config parameter (if I’m doing something wrong with it), or a fix for the bug of ignoring it (if my attempts to use it were correct).


Second problem: the build seems to require at runtime not only exactly the same version, but exactly the same build of OpenSSL, which means that if I make any update or bug fix to OpenSSL that does not affect the interface at all, I still have to re-install OpenSSH. It would be great if OpenSSH could limit its OpenSSL runtime validation to at least the exact version (say, 1.0.2-stable). It really is both inconvenient and unnecessary to have to rebuild OpenSSH every time.

Thank you!

Since I’m not a subscriber to this list (I don’t have much to contribute), please copy the replies to my email. Thanks again!
--
Uri Blumenthal
uri at mit.edu
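An added check, not part of Uri's message: a POSIX shell function that reads the PKCS11Provider value from an ssh_config-style file and reports whether it is an absolute path naming an existing regular file, which is the difference between the failing bare "pkcs11" invocations and the working absolute-path ones in the transcript above. It ignores Host/Match scoping (an assumption; like ssh, the first PKCS11Provider line wins).

```shell
#!/bin/sh
# check_pkcs11_provider CONFIG_FILE
# Reports whether the PKCS11Provider in an ssh_config-style file is loadable.
# Return codes:
#   0 = absolute path to an existing regular file
#   1 = not set (or config unreadable)
#   2 = relative name: dlopen would search library directories, which is
#       what produces the "/opt/local/lib/pkcs11: not a file" errors
#   3 = absolute path that does not exist or is not a regular file
# Assumption: Host/Match blocks are ignored; first PKCS11Provider line wins.
check_pkcs11_provider() {
    cfg="$1"
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 1; }
    # Strip comments, accept "Key value" and "Key=value", match key case-insensitively.
    provider=$(awk '
        { line = $0; sub(/#.*/, "", line); gsub("=", " ", line); $0 = line }
        tolower($1) == "pkcs11provider" { print $2; exit }
    ' "$cfg")
    if [ -z "$provider" ]; then
        echo "PKCS11Provider: not set in $cfg"
        return 1
    fi
    case "$provider" in
        /*) ;;
        *)  echo "PKCS11Provider '$provider' is not absolute; dlopen would search library directories"
            return 2 ;;
    esac
    if [ ! -f "$provider" ]; then
        echo "PKCS11Provider '$provider': no such regular file (check the .so/.dylib name actually installed)"
        return 3
    fi
    echo "PKCS11Provider '$provider': OK"
    return 0
}

# Usage: check_pkcs11_provider ~/.ssh/config
```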
