Folks,

I am perplexed. I updated my workstation at work Wed before I left, from 6.7 to 6.8. Then, yesterday, I went to use ssh-add -s libcoolkeypk11.so, which I've done many times before to add the certs from my PIV card... and 100% of the time it fails, telling me SSH_AGENT_FAILURE, cannot add card.

Now, using a script called sccr, which uses my public and private key to generate a one-time password (we use that to sudo to root), works with no problem. I used my card to go into the data center this morning, which also reads my card, and had no problem. I've tried eval $(ssh-agent) to start a new instance. Nothing works.

Also, pklogin-finder finds the cards, asks for my PIN, and it works.

Clues for the poor?

mark
m.roth at 5-cent.us
2016-Jul-22 20:15 UTC
[CentOS] CentOS 6.7->6.8, ssh-add issue, followup, more info
m.roth at 5-cent.us wrote:
> Folks,
>
> I am perplexed. I updated my workstation at work Wed before I left,
> from 6.7 to 6.8. Then, yesterday, I went to use ssh-add -s
> libcoolkeypk11.so, which I've done many times before to add the certs
> from my PIV card... and 100% of the time it fails, telling me
> SSH_AGENT_FAILURE, cannot add card.
>
> Now, using a script called sccr, which uses my public and private key
> to generate a one-time password (we use that to sudo to root), works
> with no problem. I used my card to go into the data center this
> morning, which also reads my card, and had no problem. I've tried eval
> $(ssh-agent) to start a new instance. Nothing works.
>
> Also, pklogin-finder finds the cards, asks for my PIN, and it works.
>
> Clues for the poor?
>
I just tried ssh -I libcoolkeypk11.so <servername> and in messages, it reports "ssh-pkcs11-helper: errror:no slots" before failing to let me log on.

mark
Denniston, Todd A CIV NAVSURFWARCENDIV Crane
2016-Jul-26 21:11 UTC
[CentOS] CentOS 6.7->6.8, ssh-add issue, followup, more info
> -----Original Message-----
> From: m.roth at 5-cent.us [mailto:m.roth at 5-cent.us]
> Sent: Friday, July 22, 2016 4:15 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] CentOS 6.7->6.8, ssh-add issue, followup, more info
>
> m.roth at 5-cent.us wrote:
> > Folks,
> >
> > I am perplexed. I updated my workstation at work Wed before I left,
> > from 6.7 to 6.8. Then, yesterday, I went to use ssh-add -s
> > libcoolkeypk11.so, which I've done many times before to add the certs
> > from my PIV card... and 100% of the time it fails, telling me
> > SSH_AGENT_FAILURE, cannot add card.
> >
> > Now, using a script called sccr, which uses my public and private key
> > to generate a one-time password (we use that to sudo to root), works
> > with no problem. I used my card to go into the data center this
> > morning, which also reads my card, and had no problem. I've tried eval
> > $(ssh-agent) to start a new instance. Nothing works.
> >
> > Also, pklogin-finder finds the cards, asks for my PIN, and it works.
> >
> > Clues for the poor?
> >
> I just tried ssh -I libcoolkeypk11.so <servername> and in messages, it
> reports "ssh-pkcs11-helper: errror:no slots" before failing to let me log
> on.
>
> mark
>

Assuming

1) that /etc/pki/nssdb/ has been populated with all the appropriate and current gov certificate authorities (CA).

    certutil -L -d /etc/pki/nssdb/    #list the CAs

2) that you are using the RH/CentOS stock openssh*rpm files.

3) that you have not also gotten a newer card in the same time period, which happens to use a CA that is not in /etc/pki/nssdb/

Have you tried a third different set of ssh commands to use the cac:

    ln -s /etc/pki/nssdb/* ~/.ssh/    #make the certificate authorities available to ssh*
    ssh-add -D                        #clear out any existing sigs
    ssh-add -n                        #use nss to access the cac

Also on some boxes coolkey gets disassociated from nss, and I have found the simple yum reinstall coolkey fixes it; may need to logout/reboot as it affects a bunch O'stuff (and it's been a while since I had the problem).

Even when this disclaimer is not here: I am not a contracting officer. I do not have authority to make or modify the terms of any contract.
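As an added example (not from either poster), the shell preflight below checks the things the thread's own attempts and Todd's assumptions point at before ssh-add -s is retried: the PKCS#11 module, the agent socket, pcscd (assumed here to be how coolkey reaches the reader, so a stopped daemon shows up as an empty slot list), and the NSS database. The module and database names are the ones used in the thread; everything else is an assumption of this script.

```shell
#!/bin/sh
# Preflight for a failing "ssh-add -s <pkcs11 module>" (SSH_AGENT_FAILURE,
# "ssh-pkcs11-helper: ... no slots"). Prints one OK/FAIL/SKIP line per
# check; the return value is the number of FAIL lines (0 = all clear).
# Args: PKCS#11 module path, NSS db directory, agent socket (default $SSH_AUTH_SOCK).
pkcs11_preflight() {
    module="$1"; nssdb="$2"; sock="${3-$SSH_AUTH_SOCK}"; fails=0

    # 1. ssh-pkcs11-helper dlopen()s the module: it must be readable by
    #    path or resolvable through the dynamic loader's cache.
    if [ -r "$module" ] || ldconfig -p 2>/dev/null | grep -q "$(basename "$module")"; then
        echo "OK   module found: $module"
    else
        echo "FAIL module not found/readable: $module"; fails=$((fails + 1))
    fi

    # 2. ssh-add talks to the agent over $SSH_AUTH_SOCK; an unset or stale
    #    socket fails before the card is ever touched.
    if [ -n "$sock" ] && [ -S "$sock" ]; then
        echo "OK   agent socket: $sock"
    else
        echo "FAIL no agent socket at '${sock:-<unset>}' (try: eval \$(ssh-agent))"; fails=$((fails + 1))
    fi

    # 3. Assumption: coolkey reaches the reader through pcscd; without it the
    #    module reports an empty slot list, which is exactly "no slots".
    if ! command -v pgrep >/dev/null 2>&1; then
        echo "SKIP pgrep not available, cannot check pcscd"
    elif pgrep -x pcscd >/dev/null 2>&1; then
        echo "OK   pcscd running"
    else
        echo "FAIL pcscd not running"; fails=$((fails + 1))
    fi

    # 4. The NSS database holding the CA chain must exist
    #    (cert8.db is the legacy format, cert9.db the sqlite one).
    if [ -f "$nssdb/cert8.db" ] || [ -f "$nssdb/cert9.db" ]; then
        echo "OK   NSS db present in $nssdb (list CAs: certutil -L -d $nssdb)"
    else
        echo "FAIL NSS db missing in $nssdb"; fails=$((fails + 1))
    fi

    return "$fails"
}

# Usage on a box like the one in the thread:
#   pkcs11_preflight libcoolkeypk11.so /etc/pki/nssdb
```

A non-zero exit tells you which precondition to fix first; it does not touch the card or the agent, so it is safe to run repeatedly while comparing a working and a broken workstation.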