bugzilla-daemon at bugzilla.mindrot.org
2016-Oct-03  14:17 UTC
[Bug 2620] New: Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620
            Bug ID: 2620
           Summary: Option AddKeysToAgent doesnt work with keys provided
                    by PKCS11 libraries.
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: reddot.rocks at gmail.com
I would like to set up my ssh connection encryption using a smart card
with a PKCS#11 interface provided by a shared library. In the trivial scenario
I'm able to add this key to the agent using ssh-add:
  reddot at docorp:~$ ssh-add -s /usr/lib/libeTPkcs11.so
  Enter passphrase for PKCS#11:
  Card added: /usr/lib/libeTPkcs11.so
Now I would like to automate this process so that I am asked for the card PIN only
once, on first key access, thus I would like to use the option
AddKeysToAgent available in the config. However, it seems this option
doesn't work with PKCS#11 keys. Could it be fixed?
There's one more annoying issue: if a PKCS#11 key has already been loaded
into the agent, it isn't considered when ssh is run with the PKCS11Provider option set,
and I've got to enter the card PIN again:
  reddot at docorp:~$ ssh-add -l
  2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)
  2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)
  reddot at docorp:~$ ssh valov.avp.ru
  Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
  ...
  reddot at docorp:~$ ssh valov.avp.ru -I/usr/lib/libeTPkcs11.so
  Enter PIN for 'Roman Valov':
  ...
I have to enter my card PIN again even though its key is available via the
agent.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
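An added workaround script, not from the bug thread or from OpenSSH itself, for the reporter's first wish: it inspects the `ssh-add -l` listing for the provider path (the comment ssh-agent attaches to PKCS#11 keys) and only calls `ssh-add -s` when the provider is not already loaded, so the PIN is requested once per agent session. The provider path is the one from the report; the function names are my own.

```bash
#!/bin/sh
# Added example: load a PKCS#11 provider into ssh-agent at most once per
# agent session. Default provider path is the one quoted in the bug report.
PROVIDER="${1:-/usr/lib/libeTPkcs11.so}"

# Read an `ssh-add -l` listing on stdin and return 0 if any line's comment
# field (third column: "bits fingerprint comment (type)") equals the given
# provider path, which is how ssh-agent labels keys served by a PKCS#11 token.
provider_loaded() {
    prov="$1"
    awk -v p="$prov" 'NF >= 3 && $3 == p { found = 1 } END { exit found ? 0 : 1 }'
}

# Add the provider only when none of its keys are listed yet; `ssh-add -s`
# prompts for the card PIN, after which ssh uses the agent without the PIN.
load_provider() {
    prov="$1"
    if [ ! -r "$prov" ]; then
        echo "provider library not found: $prov" >&2
        return 2
    fi
    if ssh-add -l 2>/dev/null | provider_loaded "$prov"; then
        echo "already loaded in agent: $prov"
        return 0
    fi
    ssh-add -s "$prov"
}
```

Source the file from a shell profile and run `load_provider "$PROVIDER"` before the first ssh of the session, or call it from a wrapper around ssh.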
bugzilla-daemon at bugzilla.mindrot.org
2016-Oct-03  14:17 UTC
[Bug 2620] Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620
Roman Valov <reddot.rocks at gmail.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |reddot.rocks at gmail.com
bugzilla-daemon at bugzilla.mindrot.org
2018-Feb-22  14:35 UTC
[Bug 2620] Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620
Jakub Jelen <jjelen at redhat.com> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jjelen at redhat.com
--- Comment #1 from Jakub Jelen <jjelen at redhat.com> ---
The second issue is probably resolved at this moment (or at least I cannot
reproduce it with current OpenSSH and OpenSC), and bug #2635
talks about different behavior. Can you try with current OpenSSH, if it
is still an issue for you? Can you provide the debug logs from OpenSSH?
The first thing would be nice to have. Passing the pkcs11-provider from
the ssh process to ssh-agent should not be too complicated to write. But
there might be some more logic required to figure out the card removal
from the agent, once the card is removed from the reader and the login
state becomes invalid.
I will try to have a look into that in the coming weeks.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22  01:38 UTC
[Bug 2620] Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
           Keywords|                            |pkcs11
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22  02:05 UTC
[Bug 2620] Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
I don't think we want to make AddKeysToAgent automate adding PKCS#11
tokens - there are too many side effects compared to the intended
use-case of adding regular keys.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19  04:51 UTC
[Bug 2620] Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |WONTFIX
bugzilla-daemon at mindrot.org
2021-Apr-23  05:09 UTC
[Bug 2620] Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
https://bugzilla.mindrot.org/show_bug.cgi?id=2620
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release