bugzilla-daemon at bugzilla.mindrot.org
2017-Feb-21 16:16 UTC
[Bug 2682] New: ssh-agent is unable to remove smartcard after introducing whitelist
https://bugzilla.mindrot.org/show_bug.cgi?id=2682

            Bug ID: 2682
           Summary: ssh-agent is unable to remove smartcard after introducing whitelist
           Product: Portable OpenSSH
           Version: 7.4p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Keywords: patch
          Severity: enhancement
          Priority: P5
         Component: Smartcard
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jjelen at redhat.com

Created attachment 2946
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2946&action=edit
proposed patch

Since the whitelisting of the PKCS#11 modules in ssh-agent, after adding a PKCS#11 module that is a symlink to another file (as is common in Fedora/RHEL), we are unable to remove the module with the same path:

  /usr/lib64/pkcs11/opensc-pkcs11.so -> ../opensc-pkcs11.so

The ssh-agent says:

  $ ssh-add -s /usr/lib64/pkcs11/opensc-pkcs11.so
  Enter passphrase for PKCS#11:
  Card added: /usr/lib64/pkcs11/opensc-pkcs11.so
  $ ssh-add -e /usr/lib64/opensc-pkcs11.so
  Could not remove card "/usr/lib64/opensc-pkcs11.so": agent refused operation

From the ssh-agent log we can see:

  process_remove_smartcard_key: pkcs11_del_provider failed

The problem is the call to realpath(3), which resolves the symlinks and passes the target of that symlink on to the PKCS#11 code. I understand that it is needed for the whitelist to be effective, but it is confusing that one input is sanitized, the second is not, and they are compared with each other (in pkcs11_provider_lookup()). We should probably add the realpath call to the remove routine too, to make it more user-friendly.

The proposed patch also adds some more debug information.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
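The asymmetry the report describes, shown as an added, self-contained example rather than OpenSSH's own code: a hypothetical provider table whose add path canonicalises the module path with realpath(3) (as ssh-agent does before its whitelist check) while the remove path compares the user-supplied string as typed, next to a remove routine that canonicalises first. The fixture is constructed under a temporary directory and mirrors the Fedora layout from the report (a regular opensc-pkcs11.so plus a pkcs11/opensc-pkcs11.so -> ../opensc-pkcs11.so symlink); the function names, the table layout and the temporary paths are assumptions of this example, not identifiers from ssh-agent.c.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical stand-in for ssh-agent's provider table; not OpenSSH code.
 * Entries hold the realpath(3)-canonicalised module path, which is the
 * string the agent's whitelist check has to operate on. */
#define MAX_PROVIDERS 8
static char providers[MAX_PROVIDERS][PATH_MAX];
static int nproviders;

/* Exact string comparison against stored names (the lookup the report blames). */
static int provider_lookup(const char *name)
{
	for (int i = 0; i < nproviders; i++)
		if (strcmp(providers[i], name) == 0)
			return i;
	return -1;
}

/* Add: canonicalise before storing, so a symlinked module is recorded by target. */
int provider_add(const char *path)
{
	char canon[PATH_MAX];

	if (realpath(path, canon) == NULL)
		return -1;
	if (provider_lookup(canon) != -1 || nproviders >= MAX_PROVIDERS)
		return -1;
	snprintf(providers[nproviders++], PATH_MAX, "%s", canon);
	return 0;
}

/* Remove, pre-fix behaviour: the path the user typed is compared as-is. */
int provider_del_raw(const char *path)
{
	int i = provider_lookup(path);

	if (i < 0)
		return -1;	/* what the client sees as "agent refused operation" */
	memmove(providers[i], providers[i + 1],
	    (size_t)(nproviders - i - 1) * PATH_MAX);
	nproviders--;
	return 0;
}

/* Remove, fixed behaviour: sanitise the input the same way the add path does. */
int provider_del_canon(const char *path)
{
	char canon[PATH_MAX];

	if (realpath(path, canon) == NULL)
		return -1;
	return provider_del_raw(canon);
}

/* Constructed fixture in a temp dir: <dir>/opensc-pkcs11.so is a regular
 * file, <dir>/pkcs11/opensc-pkcs11.so -> ../opensc-pkcs11.so is the symlink. */
static char fx_dir[PATH_MAX], fx_target[PATH_MAX], fx_link[PATH_MAX];

int fixture_create(void)
{
	char tmpl[] = "/tmp/pkcs11-demo-XXXXXX", sub[PATH_MAX];
	int fd;

	/* canonicalise the directory itself so fx_target is already a realpath */
	if (mkdtemp(tmpl) == NULL || realpath(tmpl, fx_dir) == NULL)
		return -1;
	snprintf(fx_target, sizeof(fx_target), "%s/opensc-pkcs11.so", fx_dir);
	snprintf(sub, sizeof(sub), "%s/pkcs11", fx_dir);
	snprintf(fx_link, sizeof(fx_link), "%s/opensc-pkcs11.so", sub);
	if ((fd = open(fx_target, O_WRONLY | O_CREAT | O_EXCL, 0600)) < 0)
		return -1;
	close(fd);
	if (mkdir(sub, 0700) != 0 || symlink("../opensc-pkcs11.so", fx_link) != 0)
		return -1;
	return 0;
}

void fixture_destroy(void)
{
	char sub[PATH_MAX];

	snprintf(sub, sizeof(sub), "%s/pkcs11", fx_dir);
	unlink(fx_link);
	unlink(fx_target);
	rmdir(sub);
	rmdir(fx_dir);
}

/* Reproduce the report: add the module via its symlink, then remove it with
 * the same path, first the old way (refused), then the fixed way (removed). */
int main(void)
{
	if (fixture_create() != 0)
		return 1;
	provider_add(fx_link);
	printf("remove %s (raw compare): %s\n", fx_link,
	    provider_del_raw(fx_link) == 0 ? "removed" : "refused");
	printf("remove %s (realpath first): %s\n", fx_link,
	    provider_del_canon(fx_link) == 0 ? "removed" : "refused");
	fixture_destroy();
	return 0;
}
```

Note the second half of the asymmetry: with the raw comparison, removal succeeds only if the user happens to supply the symlink's target, i.e. the string the agent stored, which is why the same path that was accepted by `ssh-add -s` is refused by `ssh-add -e`. Canonicalising on both sides makes either spelling of the path work for both operations.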
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-15 01:55 UTC
[Bug 2682] ssh-agent is unable to remove smartcard after introducing whitelist
https://bugzilla.mindrot.org/show_bug.cgi?id=2682

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org,
                   |                            |dtucker at zip.com.au
 Attachment #2946  |                            |ok?(dtucker at zip.com.au)
              Flags|                            |

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 2946
  --> https://bugzilla.mindrot.org/attachment.cgi?id=2946
proposed patch

looks ok to me
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-15 01:55 UTC
[Bug 2682] ssh-agent is unable to remove smartcard after introducing whitelist
https://bugzilla.mindrot.org/show_bug.cgi?id=2682

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |2647
             Status|NEW                         |ASSIGNED

Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=2647
[Bug 2647] Tracking bug for OpenSSH 7.5 release
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-15 01:58 UTC
[Bug 2682] ssh-agent is unable to remove smartcard after introducing whitelist
https://bugzilla.mindrot.org/show_bug.cgi?id=2682

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
 Attachment #2946  |ok?(dtucker at zip.com.au)   |ok+
              Flags|                            |
bugzilla-daemon at bugzilla.mindrot.org
2017-Mar-15 02:25 UTC
[Bug 2682] ssh-agent is unable to remove smartcard after introducing whitelist
https://bugzilla.mindrot.org/show_bug.cgi?id=2682

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Applied - this will be in OpenSSH 7.5, due next week.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:02 UTC
[Bug 2682] ssh-agent is unable to remove smartcard after introducing whitelist
https://bugzilla.mindrot.org/show_bug.cgi?id=2682

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release