opensc-pkcs11 not working with ssh-agent anymore on macOS 10.12.4 #1007

Closed
bwesterb opened this issue Mar 28, 2017 · 5 comments

@bwesterb

commented Mar 28, 2017

Expected behaviour

I insert my YubiKey, run

ssh-add -s/opt/local/lib/opensc-pkcs11.so

enter my PIN, and can then use my YubiKey for ssh without typing the PIN every time. This works on macOS 10.12.3.

Actual behaviour

I just updated to macOS 10.12.4 and this stopped working with the following generic error message.

$ ssh-add -s/opt/local/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11: 
Could not add card "/opt/local/lib/opensc-pkcs11.so": agent refused operation

However, running ssh directly still works fine.

$ ssh -I/opt/local/lib/opensc-pkcs11.so user@myserver
Enter PIN for 'PIV_II (PIV Card Holder pin)':
user@myserver$

Software

  • I installed opensc via mac ports: opensc @0.16.0_0+readline
  • I use the ssh & ssh-agent that comes with macOS 10.12.4

Logs

Enabling logging (debug = 3) does not add any more output to the failing ssh-add. (It does add lots of output to the ssh call, but that one works as expected.)

@bmah888

commented Mar 28, 2017

I've seen this as well, in similar circumstances to yours, but with ePass2003 tokens. I tried with OpenSC installed via Homebrew and with the pkg.

Thanks for posting the workaround of ssh -I.

@bmah888

commented Mar 28, 2017

macOS 10.12.4 includes a new version of OpenSSH. The behavior of ssh-agent has changed such that you need to "whitelist" the location of PKCS#11 libraries. See the manual page for ssh-agent and the -P option. It's not clear to me that there's anything for the OpenSC project to do about this.

@bwesterb (Author)

commented Mar 28, 2017

Indeed, by default /opt is not in the whitelist. I moved opensc-pkcs11.so under /usr/local/lib which is whitelisted. That fixed it. Thanks!

(I didn't know where the problem lay, sorry for the misreport.)

@Wesseldr

commented Apr 18, 2018

Please note for OS X:
symbolically linking the opensc-pkcs11.so lib from the /Library/OpenSC/lib/opensc-pkcs11.so location will not work. You have to either "move" it or copy it into the /usr/local/lib directory.

@awesterb

commented Dec 4, 2018

I found it also possible to whitelist /opt/local/lib/opensc-pkcs11.so itself by having launchd start ssh-agent with the -P/opt/local/lib/opensc-pkcs11.so option, by changing /System/Library/LaunchAgents/com.openssh.ssh-agent.plist to

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.openssh.ssh-agent</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/bin/ssh-agent</string>
		<string>-l</string>
		<string>-P/opt/local/lib/opensc-pkcs11.so</string>
	</array>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>SecureSocketWithKey</key>
			<string>SSH_AUTH_SOCK</string>
		</dict>
	</dict>
	<key>EnableTransactions</key>
	<true/>
</dict>
</plist>

and then rebooting.

N.B. To change com.openssh.ssh-agent.plist one must (temporarily) disable system integrity protection by running csrutil disable in recovery mode.
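
The behaviour reported across this thread (the whitelist introduced with OpenSSH 7.4, the copy-versus-symlink difference under /usr/local/lib, and the exact library path passed with -P) can be reproduced without touching a real ssh-agent. The script below is an added example and is not code from this issue, from OpenSC or from OpenSSH. It re-implements in POSIX sh the check that OpenSSH's ssh-agent (7.4 and later, the version shipped with macOS 10.12.4) performs before loading a PKCS#11 provider: the requested path is canonicalised with realpath(3), so the file must exist and symlinks are followed, and the result is then matched against the comma-separated glob list given with -P, whose built-in default is /usr/lib/*,/usr/local/lib/*. The function names, the scratch-directory layout standing in for /opt/local/lib and /usr/local/lib, the assumed file name agent-whitelist-check.sh used by the final guard, and the omission of OpenSSH's "!" negation syntax are this example's own.

```shell
#!/bin/sh
# Added example, not code from this issue, OpenSC or OpenSSH: a re-implementation
# of the provider check that OpenSSH 7.4+ ssh-agent applies to a PKCS#11 library
# before loading it. The agent canonicalises the path with realpath(3) (so
# symlinks are followed and the file must exist) and then matches the result
# against the comma-separated glob list passed with -P; the built-in default is
# "/usr/lib/*,/usr/local/lib/*". The "!" negation syntax of OpenSSH patterns is
# not implemented here (assumption of this example: plain * and ? globs only).

# Resolve a path the way realpath(3) does: fail if it does not exist,
# otherwise return it with every symlink resolved.
canonicalize() {
    [ -e "$1" ] || return 1
    if command -v realpath >/dev/null 2>&1; then
        realpath "$1"
    else
        readlink -f "$1"   # GNU coreutils or macOS 12.3+; older macOS: brew install coreutils
    fi
}

# Usage: agent_allows_provider <library path> [whitelist]
# Exit status 0 if ssh-agent would accept the provider, 1 if it would refuse it.
agent_allows_provider() {
    aap_provider=$1
    aap_list=${2:-"/usr/lib/*,/usr/local/lib/*"}

    aap_canon=$(canonicalize "$aap_provider") || return 1

    # Walk the comma-separated list; an unquoted variable in a case pattern is
    # expanded and then used as a glob, which gives us OpenSSH's * and ?.
    aap_rest=$aap_list
    while [ -n "$aap_rest" ]; do
        case $aap_rest in
            *,*) aap_pat=${aap_rest%%,*}; aap_rest=${aap_rest#*,} ;;
            *)   aap_pat=$aap_rest;       aap_rest= ;;
        esac
        case $aap_canon in
            $aap_pat) return 0 ;;
        esac
    done
    return 1
}

# Print "<label>: accepted" or "<label>: refused" for one provider/whitelist pair.
report() {
    if agent_allows_provider "$2" "$3"; then
        echo "$1: accepted"
    else
        echo "$1: refused"
    fi
}

# Rebuild the situations from the thread inside a scratch directory (a
# constructed fixture standing in for /opt/local/lib and /usr/local/lib) and
# report what the agent would do in each one.
demo() {
    demo_root=$(mktemp -d) || return 1
    demo_root=$(canonicalize "$demo_root")          # /var -> /private/var on macOS
    mkdir -p "$demo_root/opt/local/lib" "$demo_root/usr/local/lib"

    : > "$demo_root/opt/local/lib/opensc-pkcs11.so"                    # MacPorts install
    cp "$demo_root/opt/local/lib/opensc-pkcs11.so" \
       "$demo_root/usr/local/lib/opensc-pkcs11.so"                      # copied into /usr/local/lib
    ln -s "$demo_root/opt/local/lib/opensc-pkcs11.so" \
       "$demo_root/usr/local/lib/opensc-link.so"                        # symlinked into /usr/local/lib

    demo_default="$demo_root/usr/lib/*,$demo_root/usr/local/lib/*"      # stock list, rooted in the fixture

    report "MacPorts path, default list"  "$demo_root/opt/local/lib/opensc-pkcs11.so" "$demo_default"
    report "copy under /usr/local/lib"    "$demo_root/usr/local/lib/opensc-pkcs11.so" "$demo_default"
    report "symlink under /usr/local/lib" "$demo_root/usr/local/lib/opensc-link.so"   "$demo_default"
    report "MacPorts path, -P exact path" "$demo_root/opt/local/lib/opensc-pkcs11.so" \
                                          "$demo_root/opt/local/lib/opensc-pkcs11.so"
    rm -rf "$demo_root"
}

# Run the demo when executed directly under the assumed file name; the
# functions can also be sourced into another script.
[ "${0##*/}" = "agent-whitelist-check.sh" ] && demo
```

Running the script prints one accepted/refused line per case. The symlink case is refused because realpath(3) turns /usr/local/lib/opensc-link.so back into the /opt path, which matches neither default pattern; copying the file gives a canonical path under /usr/local/lib, and passing the /opt path itself with -P makes the literal path match. The agent reports the reason only in its own log, not in the reply to ssh-add, which is why the client-side debug output stays silent; running ssh-agent in the foreground with -d and pointing SSH_AUTH_SOCK at it shows the refusal.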
