MacOS: cannot use /usr/local/lib/opensc-pkcs11.so (provider not whitelisted)

[jc-m]

Expected behaviour

ssh-add -s /usr/local/lib/opensc-pkcs11.so
would return
Card added: /usr/local/lib/opensc-pkcs11.so
What should happen?
this would add certificate from a PIV card

Actual behaviour

command returns
Could not add card "/usr/local/lib/opensc-pkcs11.so": agent refused operation
What happens instead?
because of an upgrade to OSX Sierra

	<dict>
		<key>date</key>
		<date>2017-03-28T17:55:21Z</date>
		<key>displayName</key>
		<string>macOS Sierra Update</string>
		<key>displayVersion</key>
		<string>10.12.4</string>
		<key>packageIdentifiers</key>
		<array>
			<string>com.apple.pkg.update.os.10.12.4.16E195</string>
			<string>com.apple.pkg.FirmwareUpdate</string>
			<string>com.apple.update.fullbundleupdate.16E195</string>
			<string>com.apple.pkg.EmbeddedOSFirmware</string>
		</array>
		<key>processName</key>
		<string>softwareupdated</string>
	</dict>
	<dict>
		<key>date</key>
		<date>2017-03-28T17:55:21Z</date>
		<key>displayName</key>
		<string>Command Line Tools (macOS Sierra version 10.12) for Xcode</string>
		<key>displayVersion</key>
		<string>8.3</string>
		<key>packageIdentifiers</key>
		<array>
			<string>com.apple.pkg.CLTools_Executables</string>
			<string>com.apple.pkg.DevSDK_OSX1012</string>
			<string>com.apple.pkg.CLTools_SDK_OSX1012</string>
		</array>

it seems that the opensc pkcs11 module is not recognized as whitelisted:

/usr/bin/ssh-agent -d
SSH_AUTH_SOCK=/var/folders/6c/qjsjzv_11y9966w9pp0p364h0000gp/T//ssh-WllIzcD6QWqA/agent.2768; export SSH_AUTH_SOCK;
echo Agent pid 2768;
debug2: fd 3 setting O_NONBLOCK
debug3: fd 4 is O_NONBLOCK
debug1: type 20
refusing PKCS#11 add of "/Library/OpenSC/lib/opensc-pkcs11.so": provider not whitelisted

Since "/usr/local/lib/opensc-pkcs11.so" is a link to "/Library/OpenSC/lib/opensc-pkcs11.so" it seems that now the link is followed and the provider rejected.

A workaround is to:

sudo rm /usr/local/lib/opensc-pkcs11.so
sudo cp /Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so

and always use /usr/local/lib/opensc-pkcs11.so in ssh-add

[Jakuje]

This is not a bug in OpenSC, but a new configuration option of ssh-agent as you can find out in the release notes preventing a misuse of the agent by evil admin on the server, where you forward the agent.

If you know, where your PKCS#11 libraries will be, you should start your ssh-agent with the whitelist adjusted:

ssh-agent -P "/Library/OpenSC/lib/*"

This can be adjusted during build time and somebody who builds OSX packages for you should take care of setting paths reasonable for this system. The default whitelist /usr/lib*/*,/usr/local/lib*/* works fine on other Linux/Unix/BSD systems.

Edit: The same issue as #1007

[jc-m]

actually - the bug in openSC is the creation a link in /usr/local/bin
and what you propose actually doesn't work for some reason on OSX:

ssh-agent -P "/Library/OpenSC/lib/*"
ssh-agent: illegal option -- P
usage: ssh-agent [-c | -s] [-Dd] [-a bind_address] [-E fingerprint_hash]
                 [-P pkcs11_whitelist] [-t life] [command [arg ...]]
       ssh-agent [-c | -s] -k

So right now, it's broken. Maybe it's not openSC's fault, but I believe since openSC can easily fix it by changing the link, I don't see a good reason why not to do it, specially since by defaullt, ssh-agent trust what's in /usr/local/bin and /usr/bin.

[Jakuje]

Then you most probably have installed two different version of OpenSSH. This is available since OpenSSH 7.4, /usr/bin/ssh-agent is probably from this new one (try running with this path instead of my suggestion in previous post) and some other older one is placed somewhere else. What is type ssh-agent?

Anyway, I was probably reading too fast in the morning (the workaround sounds reasonable and can be fixed in OpenSC). The ssh-agent is resolving the symlink by design so the target path (realpath) really matters (otherwise the whitelist would not make sense and you can link quite much anything from anywhere).

[jc-m]

Just for anyone looking here in the future : MacOs has broken this - i checked on multiple macs running sierra, and the result is the same.
ssh version is OpenSSH_7.4p1, LibreSSL 2.5.0

[mouse07410]

I doubt that MacOS broke this. It looks more like OpenSSH broke this.

[jc-m]

I would agree that i don't know who broke what - but the ssh-agent from OpenSSH_7.4p1, LibreSSL 2.5.0 doesn't understand -P even though it's in the help (on mac sierra)

[mouse07410]

Maybe it's not openSC's fault, but I believe since openSC can easily fix it by changing the link

Why not manually copying the library to where you want it?

ssh-agent from OpenSSH_7.4p1, LibreSSL 2.5.0 doesn't understand -P even though it's in the help (on mac sierra)

I concur with that.

[jc-m]

yeah - i can copy the library where i want it. But then, why would i take the pain to open an issue here ? Maybe you don't think that it's important that openSC works out of the box...

[mouse07410]

For me it does work out of the box. I kept Macports OpenSSH (v7.3p1)

[jc-m]

feel free to close the issue then.

[frankmorgner]

If someone makes a pull request, we can change from linking to copying the module in the install script on macOS.

[testn]

I have a similar issue with OpenSSH_7.4p1.