search for: process_add_smartcard_key

Displaying 7 results from an estimated 7 matches for "process_add_smartcard_key".

2020 Feb 22
3
Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.
...-pkcs11.so": agent refused operation In a separate terminal: $ ./ssh-agent -d SSH_AUTH_SOCK=/tmp/ssh-RORElJeiiHBc/agent.21116; export SSH_AUTH_SOCK; echo Agent pid 21116; debug2: fd 3 setting O_NONBLOCK debug2: fd 4 setting O_NONBLOCK debug1: process_message: socket 1 (fd=4) type 20 debug1: process_add_smartcard_key: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so debug1: pkcs11_start_helper: starting /usr/local/libexec/ssh-pkcs11-helper -vvv debug1: process_add debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC s...
2023 Sep 11
20
[Bug 3613] New: Unable to sign using certificates and PKCS#11
...fig/git/config failed: agent refused operation ``` though the `-f` option seems to be ignored and the `ssh-agent` looks for an RSA-CERT when only RSA keys are loaded: ``` debug1: new_socket: type = CONNECTION debug2: fd 4 setting O_NONBLOCK debug1: process_message: socket 1 (fd=4) type 20 debug2: process_add_smartcard_key: entering debug1: process_add_smartcard_key: add /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0 debug1: process_add debug1: provider /usr/lib/x86_64-linux-gnu/libp11-kit.so.0.3.0: manufacturerID <PKCS#11 Kit> cryptokiVersion 2.40 libraryDescription <PKCS#11 Kit Proxy Module> libraryVersi...
2020 Jun 09
3
[PATCH v2 0/2] Add openssl engine keys with provider upgrade path
I've architected this in a way that looks future proof at least to the openssl provider transition. What will happen in openssl 3.0.0 is that providers become active and will accept keys via URI. The current file mechanisms will still be available but internally it will become a file URI. To support the provider interface, openssl will have to accept keys by URI instead of file and may
2015 Jul 26
2
[PATCH] ssh-agent: Add support to load additional certificates
...+ + success = 1; if ((id = lookup_identity(k, version)) == NULL) { id = xcalloc(1, sizeof(Identity)); - id->key = k; + id->idkey = refkey_new(k); TAILQ_INSERT_TAIL(&tab->idlist, id, next); /* Increment the number of identities. */ tab->nentries++; @@ -774,7 +853,7 @@ process_add_smartcard_key(SocketEntry *e tab = idtab_lookup(version); if (lookup_identity(k, version) == NULL) { id = xcalloc(1, sizeof(Identity)); - id->key = k; + id->idkey = refkey_new(k); id->provider = xstrdup(provider); id->comment = xstrdup(provider); /* XXX */ id->death = dea...
2017 Oct 26
3
[RFC 0/2] add engine based keys
Engine keys are private key files which are only understood by openssl external engines. The problem is they can't be loaded with the usual openssl methods, they have to be loaded via ENGINE_load_private_key(). Because they're files, they fit well into openssh pub/private file structure, so they're not very appropriately handled by the pkcs11 interface because it assumes the private
2015 Sep 25
24
[Bug 2472] New: Add support to load additional certificates
https://bugzilla.mindrot.org/show_bug.cgi?id=2472 Bug ID: 2472 Summary: Add support to load additional certificates Product: Portable OpenSSH Version: 7.1p1 Hardware: All OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh-agent Assignee: unassigned-bugs at
2020 Jan 30
6
[PATCH 1/2] Add support for openssl engine based keys
...gine); + free(file); + /* open code send_status because need to return actual error */ + if (sshbuf_put_u32(e->output, 1) != 0 || + sshbuf_put_u8(e->output, r) != 0) + fatal("%s: buffer error", __func__); +} +#endif /* USE_OPENSSL_ENGINE */ + #ifdef ENABLE_PKCS11 static void process_add_smartcard_key(SocketEntry *e) @@ -860,6 +937,12 @@ process_message(u_int socknum) process_remove_smartcard_key(e); break; #endif /* ENABLE_PKCS11 */ +#ifdef USE_OPENSSL_ENGINE + case SSH_AGENTC_ADD_ENGINE_KEY: + case SSH_AGENTC_ADD_ENGINE_KEY_CONSTRAINED: + process_add_engine_key(e); + break; +#endif /*...
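Review bot: the open-coded reply at the end of process_add_engine_key writes a length of 1 followed by sshbuf_put_u8(e->output, r), so the single byte where send_status would put an agent success or failure message type now carries a raw error value. The declaration of r is outside the visible lines, but if it is an int error code it is truncated to 8 bits here and can collide with an existing reply type on the client side. Suggest documenting this reply format next to the "open code send_status because need to return actual error" comment and mapping r into a defined, non-overlapping range before it is sent.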