bugzilla-daemon at bugzilla.mindrot.org
2016-Oct-03 14:17 UTC
[Bug 2620] New: Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620

            Bug ID: 2620
           Summary: Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: reddot.rocks at gmail.com

I would like to set up my ssh connection encryption using a smart card with a PKCS#11 interface provided by a shared library. In the trivial scenario I'm able to add this key to the agent using ssh-add:

reddot at docorp:~$ ssh-add -s /usr/lib/libeTPkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/libeTPkcs11.so

Now I would like to automate this process so that I'm asked for the card PIN only once, on first key access; thus I would like to use the option AddKeysToAgent available in the config. However, it seems this option doesn't work with PKCS#11 keys. Could it be fixed?

There's one more annoying issue: if a PKCS#11 key has already been loaded into the agent, it isn't considered when ssh is run with the PKCS11Provider option set, and I've got to enter the card PIN again:

reddot at docorp:~$ ssh-add -l
2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)
2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)
reddot at docorp:~$ ssh valov.avp.ru
Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
...
reddot at docorp:~$ ssh valov.avp.ru -I/usr/lib/libeTPkcs11.so
Enter PIN for 'Roman Valov':
...

I have to enter my card PIN again despite its key being available via the agent.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
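The "enter the PIN once" workflow the report describes can be scripted around the agent rather than waiting for AddKeysToAgent to learn about tokens: list what the agent already holds, and only call `ssh-add -s` (which prompts for the PIN) when no key from the provider is present. The following is an added example, not code from the bug report or from OpenSSH; the provider path, the `ssh_with_token` helper name and the sample `ssh-add -l` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug report or from OpenSSH): load a PKCS#11
# provider into ssh-agent only when none of its keys are listed yet, so the
# PIN is requested once per agent session. Provider path and the sample
# `ssh-add -l` output below are assumptions/constructed data.

PROVIDER="${PKCS11_PROVIDER:-/usr/lib/libeTPkcs11.so}"

# Constructed sample of `ssh-add -l` output: two keys served by the token
# provider and one file-based key, used to exercise the parser offline.
SAMPLE_LISTING='2048 SHA256:c2FtcGxlLWZpbmdlcnByaW50LTE /usr/lib/libeTPkcs11.so (RSA)
2048 SHA256:c2FtcGxlLWZpbmdlcnByaW50LTI /usr/lib/libeTPkcs11.so (RSA)
256 SHA256:c2FtcGxlLWZpbmdlcnByaW50LTM reddot@docorp (ED25519)'

# provider_key_count LISTING PROVIDER
# `ssh-add -l` prints one "<bits> <fingerprint> <comment> (<type>)" line per
# key; for keys served by a PKCS#11 provider the comment is the provider path
# (as in the listing quoted in the report). Prints how many listed keys come
# from PROVIDER; 0 for an empty listing or "The agent has no identities.".
provider_key_count() {
    printf '%s\n' "$1" | awk -v p="$2" '$3 == p { n++ } END { print n + 0 }'
}

# provider_loaded LISTING PROVIDER
# Exit status 0 when at least one key from PROVIDER is in the listing.
provider_loaded() {
    [ "$(provider_key_count "$1" "$2")" -gt 0 ]
}

# ensure_provider
# Add the token to the running agent if it is not there yet. `ssh-add -s`
# prompts for the PIN; afterwards ssh is run without -I/PKCS11Provider so it
# uses the keys through the agent socket, the path the report shows working
# without a second PIN prompt.
ensure_provider() {
    if provider_loaded "$(ssh-add -l 2>/dev/null)" "$PROVIDER"; then
        return 0
    fi
    ssh-add -s "$PROVIDER"
}

# Hypothetical entry point: ssh_with_token host [ssh options...]
ssh_with_token() {
    ensure_provider && ssh "$@"
}

# Offline self-check on the constructed listing; no agent is contacted here.
printf 'keys from %s in sample listing: %s\n' "$PROVIDER" \
    "$(provider_key_count "$SAMPLE_LISTING" "$PROVIDER")"
```

Keys added with `ssh-add -s` stay in the agent until `ssh-add -e` removes them or the agent exits, regardless of whether the card is still in the reader; the thread's later comments point out that tracking card removal is exactly the extra logic an automatic AddKeysToAgent path would need, so a wrapper like this should be paired with `ssh-add -e "$PROVIDER"` (or an agent lifetime via `-t`) when the session ends.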
bugzilla-daemon at bugzilla.mindrot.org
2016-Oct-03 14:17 UTC
[Bug 2620] Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620

Roman Valov <reddot.rocks at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |reddot.rocks at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2018-Feb-22 14:35 UTC
[Bug 2620] Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620

Jakub Jelen <jjelen at redhat.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com

--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
The second issue is probably resolved at this moment (or at least I cannot reproduce it with current OpenSSH and OpenSC), and bug #2635 talks about different behavior. Can you try with current OpenSSH to see if it is still an issue for you? Can you provide the debug logs from OpenSSH?

The first thing would be nice to have. Passing the pkcs11-provider from the ssh process to ssh-agent should not be too complicated to write. But there might be some more logic required to figure out the card removal from the agent, once the card is removed from the reader and the login state becomes invalid. I will try to have a look into that in the coming weeks.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 01:38 UTC
[Bug 2620] Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
           Keywords|                            |pkcs11
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 02:05 UTC
[Bug 2620] Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
I don't think we want to make AddKeysToAgent automate adding PKCS#11 tokens - there are too many side effects compared to the intended use-case of adding regular keys.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 04:51 UTC
[Bug 2620] Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX
bugzilla-daemon at mindrot.org
2021-Apr-23 05:09 UTC
[Bug 2620] Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Closing resolved bugs as of the 8.6p1 release.