MacOS: cannot use /usr/local/lib/opensc-pkcs11.so (provider not whitelisted) #1008
Comments
This is not a bug in OpenSC, but a new configuration option of If you know where your PKCS#11 libraries will be, you should start your
This can be adjusted at build time, and somebody who builds OSX packages for you should take care of setting paths reasonable for this system. The default whitelist Edit: The same issue as #1007
Actually, the bug in OpenSC is the creation of a link in /usr/local/bin.
So right now, it's broken. Maybe it's not OpenSC's fault, but I believe that since OpenSC can easily fix it by changing the link, I don't see a good reason why not to do it, especially since by default ssh-agent trusts what's in /usr/local/bin and /usr/bin.
Then you most probably have installed two different versions of OpenSSH. This is available since OpenSSH 7.4, Anyway, I was probably reading too fast in the morning (the workaround sounds reasonable and can be fixed in OpenSC). The
Just for anyone looking here in the future: macOS has broken this. I checked on multiple Macs running Sierra, and the result is the same.
I doubt that macOS broke this. It looks more like OpenSSH broke this.
I would agree that I don't know who broke what, but the ssh-agent from OpenSSH_7.4p1, LibreSSL 2.5.0 doesn't understand -P even though it's in the help (on Mac Sierra).
Why not manually copy the library to where you want it?
I concur with that.
Yeah, I can copy the library to where I want it. But then, why would I take the pain to open an issue here? Maybe you don't think that it's important that OpenSC works out of the box...
For me it does work out of the box. I kept MacPorts OpenSSH (v7.3p1).
Feel free to close the issue then.
If someone makes a pull request, we can change from linking to copying the module in the install script on macOS. |
I have a similar issue with OpenSSH_7.4p1.
copy (instead of link) our pkcs11 libraries to the default location, which is whitelisted for ssh usage fixes OpenSC#1008
copy (instead of link) our pkcs11 libraries to the default location, which is whitelisted for ssh usage fixes #1008
Sharing this script https://github.com/ab/mac-wart-removal/blob/master/copy-opensc-to-lib.sh
Expected behaviour
ssh-add -s /usr/local/lib/opensc-pkcs11.so
would return
Card added: /usr/local/lib/opensc-pkcs11.so
this would add certificate from a PIV card
Actual behaviour
command returns
Could not add card "/usr/local/lib/opensc-pkcs11.so": agent refused operation
Because of an upgrade to OSX Sierra, it seems that the OpenSC PKCS#11 module is not recognized as whitelisted:
Since "/usr/local/lib/opensc-pkcs11.so" is a link to "/Library/OpenSC/lib/opensc-pkcs11.so", it seems that the link is now followed and the provider rejected.
A workaround is to:
and always use /usr/local/lib/opensc-pkcs11.so in ssh-add
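The refusal described above can be reproduced without a card or a running agent. The script below is an added example written for this page; it is not OpenSC or OpenSSH code. It models the check ssh-agent from OpenSSH 7.4 applies before loading a PKCS#11 provider: the module path is canonicalised (symlinks resolved) and the result is matched against a comma-separated list of glob patterns (the default assumed here, `/usr/lib/*,/usr/local/lib/*`, is the value documented for the 7.4 `-P` option; pass your own list to `explain_provider` if your build differs). It builds a constructed temporary tree mirroring the layout in the report, shows the symlink being refused, then applies the remedy this thread settled on (a copy instead of a link) and shows it being accepted. The function names `canonical_path`, `provider_allowed`, `explain_provider`, `replace_link_with_copy` and `make_demo_tree` are this example's own.

```sh
#!/bin/sh
# Added example (not OpenSC or OpenSSH code). Models the provider check that
# ssh-agent from OpenSSH 7.4 performs: the module path is canonicalised
# (symlinks resolved) and then matched against a comma-separated list of
# glob patterns. DEFAULT_WHITELIST is the OpenSSH 7.4 default as assumed here.
DEFAULT_WHITELIST='/usr/lib/*,/usr/local/lib/*'

# Resolve symlinks in $1 step by step, without `readlink -f` (which older
# macOS lacks). Prints the canonical path; fails if the directory is missing.
canonical_path() {
    p=$1
    n=0
    while [ -L "$p" ] && [ "$n" -lt 40 ]; do
        t=$(readlink "$p") || return 1
        case $t in
            /*) p=$t ;;
            *)  p=$(dirname "$p")/$t ;;
        esac
        n=$((n + 1))
    done
    d=$(cd "$(dirname "$p")" 2>/dev/null && pwd -P) || return 1
    printf '%s\n' "$d/$(basename "$p")"
}

# Succeed (0) if the canonical form of $1 matches any pattern in whitelist $2.
# An unquoted variable used as a `case` pattern is globbed, and `*` matches
# `/` as well, which is the behaviour of ssh-agent's pattern list.
provider_allowed() {
    c=$(canonical_path "$1") || return 1
    saved_ifs=$IFS
    IFS=,
    for pat in $2; do
        case "$c" in
            $pat) IFS=$saved_ifs; return 0 ;;
        esac
    done
    IFS=$saved_ifs
    return 1
}

# Explain why `ssh-add -s <module>` would succeed or report "agent refused operation".
explain_provider() {
    c=$(canonical_path "$1") || { printf 'cannot resolve %s\n' "$1"; return 1; }
    if provider_allowed "$1" "$2"; then
        printf 'allowed: %s -> %s\n' "$1" "$c"
    else
        printf 'refused: %s -> %s is not matched by %s\n' "$1" "$c" "$2"
    fi
}

# The remedy adopted in this thread: replace the symlink with a real copy so
# the canonical path stays inside the whitelisted directory.
replace_link_with_copy() {
    [ -L "$1" ] || return 1
    target=$(canonical_path "$1") || return 1
    rm "$1" && cp "$target" "$1"
}

# Constructed demo tree mirroring the layout from the report:
#   <tmp>/Library/OpenSC/lib/opensc-pkcs11.so   (real file)
#   <tmp>/usr/local/lib/opensc-pkcs11.so        (symlink to it)
# The root is canonicalised so that /tmp -> /private/tmp on macOS does not
# confuse the comparison.
make_demo_tree() {
    root=$(cd "$(mktemp -d)" && pwd -P) || return 1
    mkdir -p "$root/Library/OpenSC/lib" "$root/usr/local/lib" || return 1
    : > "$root/Library/OpenSC/lib/opensc-pkcs11.so"
    ln -s "$root/Library/OpenSC/lib/opensc-pkcs11.so" "$root/usr/local/lib/opensc-pkcs11.so" || return 1
    printf '%s\n' "$root"
}

# Stand-alone run: the symlink is refused, the copy is accepted.
root=$(make_demo_tree)
# The default whitelist relocated under the demo root.
wl="$root/usr/lib/*,$root/usr/local/lib/*"
link="$root/usr/local/lib/opensc-pkcs11.so"
explain_provider "$link" "$wl"
replace_link_with_copy "$link"
explain_provider "$link" "$wl"
rm -rf "$root"
```

On a real system the same check is `explain_provider /usr/local/lib/opensc-pkcs11.so "$DEFAULT_WHITELIST"`; if the agent's whitelist was changed at build time or with `ssh-agent -P`, pass that list instead.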