
MacOS: cannot use /usr/local/lib/opensc-pkcs11.so (provider not whitelisted) #1008

Closed
jc-m opened this Issue Mar 29, 2017 · 14 comments


jc-m commented Mar 29, 2017

Expected behaviour

ssh-add -s /usr/local/lib/opensc-pkcs11.so
would return
Card added: /usr/local/lib/opensc-pkcs11.so
What should happen?
this would add the certificate from a PIV card

Actual behaviour

command returns
Could not add card "/usr/local/lib/opensc-pkcs11.so": agent refused operation
What happens instead?
because of an upgrade to OSX Sierra

	<dict>
		<key>date</key>
		<date>2017-03-28T17:55:21Z</date>
		<key>displayName</key>
		<string>macOS Sierra Update</string>
		<key>displayVersion</key>
		<string>10.12.4</string>
		<key>packageIdentifiers</key>
		<array>
			<string>com.apple.pkg.update.os.10.12.4.16E195</string>
			<string>com.apple.pkg.FirmwareUpdate</string>
			<string>com.apple.update.fullbundleupdate.16E195</string>
			<string>com.apple.pkg.EmbeddedOSFirmware</string>
		</array>
		<key>processName</key>
		<string>softwareupdated</string>
	</dict>
	<dict>
		<key>date</key>
		<date>2017-03-28T17:55:21Z</date>
		<key>displayName</key>
		<string>Command Line Tools (macOS Sierra version 10.12) for Xcode</string>
		<key>displayVersion</key>
		<string>8.3</string>
		<key>packageIdentifiers</key>
		<array>
			<string>com.apple.pkg.CLTools_Executables</string>
			<string>com.apple.pkg.DevSDK_OSX1012</string>
			<string>com.apple.pkg.CLTools_SDK_OSX1012</string>
		</array>

it seems that the opensc pkcs11 module is not recognized as whitelisted:

/usr/bin/ssh-agent -d
SSH_AUTH_SOCK=/var/folders/6c/qjsjzv_11y9966w9pp0p364h0000gp/T//ssh-WllIzcD6QWqA/agent.2768; export SSH_AUTH_SOCK;
echo Agent pid 2768;
debug2: fd 3 setting O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: type 20
refusing PKCS#11 add of "/Library/OpenSC/lib/opensc-pkcs11.so": provider not whitelisted

Since "/usr/local/lib/opensc-pkcs11.so" is a link to "/Library/OpenSC/lib/opensc-pkcs11.so" it seems that now the link is followed and the provider rejected.

A workaround is to:

sudo rm /usr/local/lib/opensc-pkcs11.so
sudo cp /Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so

and always use /usr/local/lib/opensc-pkcs11.so in ssh-add

Jakuje (Contributor) commented Mar 30, 2017

This is not a bug in OpenSC, but a new configuration option of ssh-agent, as you can find out in the release notes, preventing misuse of the agent by an evil admin on the server where you forward the agent.

If you know, where your PKCS#11 libraries will be, you should start your ssh-agent with the whitelist adjusted:

ssh-agent -P "/Library/OpenSC/lib/*"

This can be adjusted at build time, and whoever builds OSX packages for you should take care of setting reasonable paths for this system. The default whitelist /usr/lib*/*,/usr/local/lib*/* works fine on other Linux/Unix/BSD systems.

Edit: The same issue as #1007

jc-m (Author) commented Mar 30, 2017

Actually - the bug in OpenSC is the creation of a link in /usr/local/bin,
and what you propose actually doesn't work for some reason on OSX:

ssh-agent -P "/Library/OpenSC/lib/*"
ssh-agent: illegal option -- P
usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]
                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]
       ssh-agent [-c | -s] -k

So right now, it's broken. Maybe it's not OpenSC's fault, but I believe since OpenSC can easily fix it by changing the link, I don't see a good reason not to do it, especially since by default ssh-agent trusts what's in /usr/local/bin and /usr/bin.

Jakuje (Contributor) commented Mar 30, 2017

Then you most probably have two different versions of OpenSSH installed. This is available since OpenSSH 7.4; /usr/bin/ssh-agent is probably from this new one (try running it with this path instead of my suggestion in the previous post) and some other, older one is placed somewhere else. What is the output of type ssh-agent?

Anyway, I was probably reading too fast in the morning (the workaround sounds reasonable and can be fixed in OpenSC). ssh-agent resolves the symlink by design, so the target path (realpath) really matters (otherwise the whitelist would not make sense and you could link pretty much anything from anywhere).
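To show why the symlink is refused while a copy or an adjusted -P list is accepted, here is an added example modelling the realpath-then-whitelist check described above (not OpenSSH's or OpenSC's code; a temporary directory stands in for /Library/OpenSC/lib and /usr/local/lib, and the whitelist patterns are the ones quoted in this thread, rooted in that sandbox):

```python
import fnmatch
import os
import shutil
import tempfile


def provider_allowed(provider: str, whitelist: str) -> bool:
    """Simplified model of the ssh-agent PKCS#11 whitelist check.

    The symlink is resolved first (realpath); only the resolved path is
    matched against the comma-separated glob list given with -P. Matching
    the resolved path is what makes the whitelist meaningful: otherwise a
    link placed in a whitelisted directory could point at a library anywhere.
    """
    resolved = os.path.realpath(provider)
    return any(fnmatch.fnmatchcase(resolved, pat) for pat in whitelist.split(","))


def demo() -> dict:
    """Reproduce the three situations from the thread inside a temp dir.

    All paths below are constructed stand-ins; realpath() on the sandbox root
    avoids a second symlink level on macOS (/var -> /private/var).
    """
    root = os.path.realpath(tempfile.mkdtemp())
    try:
        opensc_lib = os.path.join(root, "Library/OpenSC/lib")
        usr_local_lib = os.path.join(root, "usr/local/lib")
        os.makedirs(opensc_lib)
        os.makedirs(usr_local_lib)
        real_module = os.path.join(opensc_lib, "opensc-pkcs11.so")
        with open(real_module, "wb") as f:
            f.write(b"placeholder, not a real PKCS#11 module")  # constructed
        link = os.path.join(usr_local_lib, "opensc-pkcs11.so")
        os.symlink(real_module, link)  # what the OpenSC installer created

        default_wl = f"{root}/usr/lib*/*,{root}/usr/local/lib*/*"  # default -P
        adjusted_wl = f"{root}/Library/OpenSC/lib/*"  # ssh-agent -P "..."

        results = {
            # Link is followed; target is outside the default whitelist.
            "symlink_default": provider_allowed(link, default_wl),
            # Same link, agent started with -P naming the real location.
            "symlink_adjusted": provider_allowed(link, adjusted_wl),
        }
        # The workaround: replace the link with a copy of the module.
        os.remove(link)
        shutil.copy(real_module, link)
        results["copy_default"] = provider_allowed(link, default_wl)
        return results
    finally:
        shutil.rmtree(root)
```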

jc-m (Author) commented Mar 30, 2017

Just for anyone looking here in the future: macOS has broken this - I checked on multiple Macs running Sierra, and the result is the same.
ssh version is OpenSSH_7.4p1, LibreSSL 2.5.0

mouse07410 (Contributor) commented Mar 31, 2017

I doubt that macOS broke this. It looks more like OpenSSH broke this.

jc-m (Author) commented Mar 31, 2017

I would agree that I don't know who broke what - but the ssh-agent from OpenSSH_7.4p1, LibreSSL 2.5.0 doesn't understand -P even though it's in the help (on Mac Sierra)

mouse07410 (Contributor) commented Mar 31, 2017

Maybe it's not openSC's fault, but I believe since openSC can easily fix it by changing the link

Why not manually copy the library to where you want it?

ssh-agent from OpenSSH_7.4p1, LibreSSL 2.5.0 doesn't understand -P even though it's in the help (on mac sierra)

I concur with that.

jc-m (Author) commented Mar 31, 2017

Yeah - I can copy the library where I want it. But then, why would I take the pain to open an issue here? Maybe you don't think that it's important that OpenSC works out of the box...

mouse07410 (Contributor) commented Mar 31, 2017

For me it does work out of the box. I kept MacPorts OpenSSH (v7.3p1).

jc-m (Author) commented Mar 31, 2017

Feel free to close the issue then.

frankmorgner (Member) commented Apr 3, 2017

If someone makes a pull request, we can change from linking to copying the module in the install script on macOS.

testn commented Apr 25, 2017

I have a similar issue with OpenSSH_7.4p1.

frankmorgner added a commit to frankmorgner/OpenSC that referenced this issue May 3, 2017

Fixed ssh's pkcs11 usage on macOS
copy (instead of link) our pkcs11 libraries to the default location, which is whitelisted for ssh usage

fixes OpenSC#1008
frankmorgner (Member) commented May 3, 2017

@testn @jc-m please try #1041 (I'm not a user of pkcs11 via ssh).

frankmorgner added a commit that referenced this issue May 13, 2017

Fixed ssh's pkcs11 usage on macOS
copy (instead of link) our pkcs11 libraries to the default location, which is whitelisted for ssh usage

fixes #1008