Removing PKCS#11 card from SSH Agent with ssh-add

jweisblat at yahoo-inc.com jweisblat at yahoo-inc.com
Fri Jul 1 10:56:35 AEST 2016


Hello,
Several of my coworkers and I, as well as others, have been confused by the behavior of ssh-add -D. From the man page:
     -D      Deletes all identities from the agent.

The current behavior of ssh-add -D is to send SSH2_AGENTC_REMOVE_ALL_IDENTITIES and SSH_AGENTC_REMOVE_ALL_RSA_IDENTITIES to the agent, removing all the keys from the agent, including any keys added via PKCS#11 libraries. However, the PKCS#11 library is still loaded in the agent, and it won't be unloaded (and thus fails to be reloaded, with an unhelpful error) unless SSH_AGENTC_REMOVE_SMARTCARD_KEY is sent, and that takes a parameter of the specific PKCS#11 library involved.
Is this behavior the intended behavior of ssh-add -D? If it is, we'd be happy to introduce a patch to improve the error message to suggest trying to remove it first.
If not, I can imagine several solutions, which we'd be happy to implement, depending on which the community thinks is best:
 - change the behavior of the agent to remove the smartcard in addition to the corresponding identity when SSH2_AGENTC_REMOVE_ALL_IDENTITIES is run. This is somewhat inideal in the case of that identity being used with protocol version 1. - add a new agent command SSH_AGENTC_REMOVE_ALL_SMARTCARD_KEYS in addition to SSH_AGENTC_REMOVE_SMARTCARD_KEY that removes all smartcard keys, modify the agent to accept it and modify ssh-add to send it in addition to the other 2 commands on ssh -D.
Here is a demonstration of current behavior:
[~]$ ssh-add -lThe agent has no identities.[~]$ ssh-add -s /usr/local/lib/libykcs11.dylibEnter passphrase for PKCS#11:Card added: /usr/local/lib/libykcs11.dylib[~]$ ssh-add -l2048 SHA256:cJUGM7tTnFD9a0BpI936ERA3Ay+/MFu3huzB+APPoZs /usr/local/lib/libykcs11.dylib (RSA)[~]$ ssh-add -DAll identities removed.[~]$ ssh-add -lThe agent has no identities.[~]$ ssh-add -s /usr/local/lib/libykcs11.dylib # Add the card back into the agent, it wasn't unloaded by Enter passphrase for PKCS#11:Could not add card "/usr/local/lib/libykcs11.dylib": agent refused operation[~]$ ssh-add -lThe agent has no identities.[~]$ ssh-add -e /usr/local/lib/libykcs11.dylibCard removed: /usr/local/lib/libykcs11.dylib[~]$ ssh-add -lThe agent has no identities.[~]$ ssh-add -s /usr/local/lib/libykcs11.dylibEnter passphrase for PKCS#11:Card added: /usr/local/lib/libykcs11.dylib[~]$ ssh-add -l2048 SHA256:cJUGM7tTnFD9a0BpI936ERA3Ay+/MFu3huzB+APPoZs /usr/local/lib/libykcs11.dylib (RSA)[~]$


Sincerely,
Jakob WeisblatParanoid LabsYahoo! Inc


More information about the openssh-unix-dev mailing list