[Bug 2635] New: Unable to use SSH Agent and user level PKCS11Provider configuration directive

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Fri Oct 28 06:07:50 AEDT 2016


https://bugzilla.mindrot.org/show_bug.cgi?id=2635

            Bug ID: 2635
           Summary: Unable to use SSH Agent and user level PKCS11Provider
                    configuration directive
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jamin.collins at gmail.com

I have found that I am unable to connect to an ssh host if I have both
my user's ssh config set to use a PKCS11 library and my yubikey based
keys loaded into my ssh agent.

I have tried both the opensc and yubico pkcs11 libraries for accessing
the card.  The results differ slightly, but both ultimately fail to
authenticate if my user's ssh config is set to use the PKCS11 library
and the keys have been added to my ssh agent.

** using libykcs11.so from yubico-piv-tool 1.4.2

$ ssh-add -s /usr/lib/libykcs11.so
Enter passphrase for PKCS#11: 
Card added: /usr/lib/libykcs11.so

$ ssh-add -L | awk {'print $1,$3}'
ssh-rsa /usr/lib/libykcs11.so
ssh-rsa /usr/lib/libykcs11.so
ssh-rsa /usr/lib/libykcs11.so
ssh-rsa /usr/lib/libykcs11.so

$ ssh -vv $REMOTEHOST
OpenSSH_7.3p1, OpenSSL 1.0.2j  26 Sep 2016
...
debug1: Connecting to $REMOTEHOST [$REMOTEIP] port 22.
debug1: Connection established.

At this point the connection attempt simply hangs.  However if I remove
the libykcs11.so library (and keys) from the ssh agent with the
following:

$ ssh-add -e /usr/lib/libykcs11.so
Card removed: /usr/lib/libykcs11.so
$ ssh-add -l
The agent has no identities.

The connection attempt proceeds and I get prompted for my pin:

Enter PIN for 'YubiKey PIV': 

** using opensc-pkcs11.so from opensc 0.16.0

$ ssh-add -s /lib/pkcs11/opensc-pkcs11.so
Enter passphrase for PKCS#11: 
Card added: /lib/pkcs11/opensc-pkcs11.so

$ ssh-add -L | awk {'print $1,$3}'
ssh-rsa /lib/pkcs11/opensc-pkcs11.so
ssh-rsa /lib/pkcs11/opensc-pkcs11.so
ssh-rsa /lib/pkcs11/opensc-pkcs11.so
ssh-rsa /lib/pkcs11/opensc-pkcs11.so

$ ssh -vv $REMOTEHOST 
OpenSSH_7.3p1, OpenSSL 1.0.2j  26 Sep 2016
...
debug1: Offering RSA public key: /usr/lib/libykcs11.so
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp SHA256:...
sign_and_send_pubkey: signing failed: agent refused operation
...
debug1: Next authentication method: password
$USER@$REMOTEHOST's password:

If I remove the library (and keys) and try the connection again:

$ ssh-add -e /lib/pkcs11/opensc-pkcs11.so
Card removed: /lib/pkcs11/opensc-pkcs11.so
$ ssh-add -l
The agent has no identities.

$ ssh -vv $REMOTEHOST 
OpenSSH_7.3p1, OpenSSL 1.0.2j  26 Sep 2016
...
debug1: Offering RSA public key: /usr/lib/libykcs11.so
debug2: we sent a publickey packet, wait for reply
debug1: Server accepts key: pkalg ssh-rsa blen 279
debug2: input_userauth_pk_ok: fp SHA256:...
Enter PIN for 'PIV_II (PIV Card Holder pin)': 

If I remove the PKCS11Provider directive from my user's ssh config, the
keys loaded in the agent are used and everything works fine.  However,
if I then attempt to connect to the host without first loading the keys
into the agent, I am not prompted for my yubikey pin.  Ideally, I
should be able to have both the user level PKCS11Provider directive and
my keys loaded in the ssh agent.  However, it appears that the user
level directive is being attempted before trying to use the keys from
the agent.



-- 
You are receiving this mail because:
You are watching the assignee of the bug.
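
A check for the combination this report describes, as an added example (not part of the original report and not OpenSSH code): it flags a client where a PKCS11Provider is configured while the agent also holds keys loaded from a PKCS#11 library. It assumes `ssh -G` prints the effective `pkcs11provider` line and that agent key comments are the library path, as in the `ssh-add -L` output above; the function name and sample inputs are constructed.

```shell
#!/bin/sh
# Added example: detect the combination described in this report.
# $1 = text of `ssh -G <host>`, $2 = text of `ssh-add -L`.
# Returns 0 and prints both sides when a PKCS11Provider is configured
# while the agent also holds keys loaded from a PKCS#11 library.
pkcs11_conflict() {
    provider=$(printf '%s\n' "$1" |
        awk 'tolower($1) == "pkcs11provider" { print $2; exit }')
    [ -n "$provider" ] || return 1
    # Agent keys added with `ssh-add -s` carry the library path as comment.
    libs=$(printf '%s\n' "$2" | awk '$3 ~ /^\/.*\.so$/ { print $3 }' | sort -u)
    [ -n "$libs" ] || return 1
    printf 'config:%s\n' "$provider"
    printf '%s\n' "$libs" | sed 's/^/agent:/'
}

# Constructed sample inputs (key blobs are placeholders, not real keys).
SAMPLE_CFG='hostname remote.example
pkcs11provider /usr/lib/libykcs11.so'
SAMPLE_AGENT='ssh-rsa AAAAconstructed1 /usr/lib/libykcs11.so
ssh-rsa AAAAconstructed2 /usr/lib/libykcs11.so'

pkcs11_conflict "$SAMPLE_CFG" "$SAMPLE_AGENT" ||
    echo "no PKCS11Provider/agent overlap"
```

On a live client the two arguments would be `"$(ssh -G "$REMOTEHOST")"` and `"$(ssh-add -L)"`.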

