[Bug 2620] New: Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue Oct 4 01:17:37 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2620

            Bug ID: 2620
           Summary: Option AddKeysToAgent doesn't work with keys provided
                    by PKCS11 libraries.
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: reddot.rocks at gmail.com

I would like to set up my ssh connection encryption using a smart card
with a PKCS#11 interface provided by a shared library. In the trivial
scenario I'm able to add this key to the agent using ssh-add:

  reddot at docorp:~$ ssh-add -s /usr/lib/libeTPkcs11.so
  Enter passphrase for PKCS#11: 
  Card added: /usr/lib/libeTPkcs11.so

Now I would like to automate this process so that I am asked for the
card PIN only once, on first key access, thus I would like to use the
option AddKeysToAgent available in the config. However, it seems this
option doesn't work with PKCS#11 keys. Could it be fixed?

There's one more annoying issue: if a PKCS#11 key has already been loaded
into the agent, it isn't considered when ssh's PKCS11Provider option is
set, and I've got to enter the card PIN again:

  reddot at docorp:~$ ssh-add -l
  2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)
  2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)

  reddot at docorp:~$ ssh valov.avp.ru
  Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
  ...


  reddot at docorp:~$ ssh valov.avp.ru -I/usr/lib/libeTPkcs11.so
  Enter PIN for 'Roman Valov': 
  ...

  I have to enter my card PIN again despite its key being available via
the agent.
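The workflow the report asks for (enter the card PIN once, then let every ssh session use the agent) can be scripted around the behaviour the report shows. The script below is an added example written for this page; it is not OpenSSH code and not from the reporter. It assumes a running ssh-agent, that the provider path is /usr/lib/libeTPkcs11.so unless PKCS11_PROVIDER overrides it, and that `ssh-add -l` prints the provider path as the comment of each PKCS#11 key, as in the listing above. The script name pkcs11-ssh.sh is hypothetical. It deliberately does not pass -I or set PKCS11Provider on the ssh command, because the report shows that doing so re-prompts for the PIN even when the key is already in the agent.

```shell
#!/bin/sh
# Added example (not OpenSSH code): reproduce the "ask for the PIN once"
# behaviour the report wants from AddKeysToAgent. Load the PKCS#11
# provider into the running ssh-agent only if the agent does not already
# hold keys from it, then connect through the agent alone.

# Provider path is an assumption; override with PKCS11_PROVIDER=... .
PROVIDER="${PKCS11_PROVIDER:-/usr/lib/libeTPkcs11.so}"

# provider_loaded LISTING PROVIDER
# LISTING is the text printed by `ssh-add -l`, one key per line:
#   BITS FINGERPRINT COMMENT (TYPE)
# For PKCS#11 keys the comment is the provider path (see the report's
# ssh-add -l output). Returns 0 if any line's comment equals PROVIDER.
provider_loaded() {
    listing=$1
    provider=$2
    printf '%s\n' "$listing" | awk -v p="$provider" '
        $3 == p { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# ensure_provider PROVIDER
# Runs `ssh-add -s PROVIDER` (which prompts for the PIN once) only when
# the agent does not already hold keys from that provider.
# `ssh-add -l` exits non-zero when the agent is empty or unreachable;
# treat that as "not loaded".
ensure_provider() {
    provider=$1
    listing=$(ssh-add -l 2>/dev/null) || listing=""
    if provider_loaded "$listing" "$provider"; then
        return 0
    fi
    ssh-add -s "$provider"
}

# Usage: ./pkcs11-ssh.sh user@host [ssh options...]
# Only acts when a destination is given, so sourcing the file for its
# functions has no side effects.
if [ $# -gt 0 ]; then
    ensure_provider "$PROVIDER"
    exec ssh "$@"
fi
```

Matching on the comment field is what makes the check idempotent: a second invocation sees the provider path already listed and skips `ssh-add -s`, so the PIN prompt appears only the first time after the agent starts.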
