ssh-add -s opensc-pkcs11.so spawns endless amounts of ssh-pkcs11-helpers #354
Comments
Why it continues to start ssh-pkcs11-helper processes is an SSH problem or Mac problem. You must have the agent running before running the ssh-add command. The ssh-agent can be started with the -d option; that might help isolate the problem. The ssh-add command issues the prompt "Enter passphrase for PKCS#11" before doing anything with pkcs11. So the problem could be that ssh-add cannot find the ssh-agent or cannot load the pkcs11 module. SSH_AGENT_FAILURE is a very general message, and both ssh-pkcs11-helper.c and ssh-agent.c can set it. Apple may have made other changes to the agent.... |
You're right, it seems like an Apple OpenSSH problem:
$ ssh-agent -d
Even though the ssh-add -s bla.so failed with a fake pkcs11 module, lots of ssh-pkcs11-helpers are spawned...
$ ssh-add -s bla.so
$ ps -ef | grep ssh-pkcs11-helper
I'll close this issue. |
Turns out to be an Apple OpenSSH problem |
Yes, the multiple ssh-pkcs11-helpers are a problem but may only show up if the pkcs11 cannot be loaded for any number of reasons. Can you try to kill any ssh-agents that are running? I see in the trace that there was a ssh-agent -l started during login. Then try This will set the SSH_AUTH_SOCK and maybe the SSH_AGENT_PID in your environment and start a new agent. Then try: Hopefully the ssh-agent running with debug will show more. Also look if Apple has any other pkcs11 libs. If so, try them as well. If it will load some other pkcs11 module but not opensc-pkcs11, that could be an opensc issue. |
The output is just the same, even though I tried to load the OpenSC pkcs11 module
$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
While the above, ssh-agent -d only echoes: |
I'm also having this problem, is there any solution? |
Likewise. I can reproduce the issue easily. Any known workaround? I couldn't find any other libs on my system with names like "*pkcs11.so" |
Facing exactly the same issue. Any solution or workaround? |
I'm told to upgrade my Mac to OS X 10.11 or 10.12. Will be doing that
soon...
|
Tested on Mac OS X Mavericks & Yosemite
Trying to add my Yubico NEO smart card PIV_II key to the ssh-agent with ssh-add -s will spawn endless ssh-pkcs11-helper processes, which isn't good for the machine's health.
Steps to reproduce:
$ export PKCS11_PROVIDER=/Library/OpenSC/lib/opensc-pkcs11.so
$ export PIVTOOL=~/Downloads/yubico-piv-tool-0/bin/yubikey-piv-tool
$ $PIVTOOL -P 123456 -v -s 9c -a generate > pubkey.pem
$ $PIVTOOL -P 123456 -v -s 9c -S "/CN=Yubikey SSH/" -a verify -a selfsign-certificate < pubkey.pem > cert.pem
$ $PIVTOOL -P 123456 -v -s 9c -a import-certificate < cert.pem
Now your NEO is provisioned with an SSH key pair on your PIV applet.
You can verify that it works by exporting your public key:
$ ssh-keygen -D $PKCS11_PROVIDER > id_rsa.pub
and copy it to a server, and then connect over ssh again using:
$ ssh -I $PKCS11_PROVIDER my.server.hostname
Enter PIN for 'PIV_II (PIV Card Holder pin)': ******
Which works fine.
But when I try to add the key to the ssh-agent, it fails:
$ ssh-add -s $PKCS11_PROVIDER
Enter passphrase for PKCS#11:
SSH_AGENT_FAILURE
Could not add card: /Library/OpenSC/lib/opensc-pkcs11.so
And the system endlessly spawns ssh-pkcs11-helper processes...
System Console only gives this error (viewing "All Messages")
17/01/15 10:30:02,491 ssh-pkcs11-helper[1237]: error: fork: Resource temporarily unavailable
According to this recent blog post, ssh-add -s seems to work using OpenSC & ePass2003 (on Mavericks)
http://sigg-iten.ch/learningbits/2014/11/13/first-steps-with-the-feitian-epass2003-smart-token-in-os-x/
UPDATE: The author of the blog said that it was brew's OpenSSH he used; Apple's OpenSSH also spawns endless ssh-pkcs11-helpers.
I'm not sure where it goes wrong, because the terminal becomes unusable for debugging because of resource exhaustion (only logout or reboot makes the system usable again), but I figured I'd start by posting it here...
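Because the runaway helpers leave the terminal unusable before anything can be debugged, a watchdog started before running `ssh-add -s` can stop them early. The script below is an added example, not code from this thread or from OpenSSH/OpenSC; `HELPER_LIMIT`, the function names and the `--watch` flag are assumptions, and it relies on macOS `ps` reporting `comm` as an untruncated path.

```shell
#!/bin/sh
# Added example (not from the thread): stop runaway ssh-pkcs11-helper processes
# before they exhaust the per-user process limit.
# HELPER_LIMIT, the function names and --watch are assumptions of this example.
HELPER_LIMIT=${HELPER_LIMIT:-5}

# Turn "pid comm" lines into "pid basename-of-comm".
proc_names() {
    awk '{ n = split($2, part, "/"); print $1, part[n] }'
}

# Number of ssh-pkcs11-helper processes in a snapshot read from stdin.
count_helpers() {
    proc_names | awk '$2 == "ssh-pkcs11-helper" { c++ } END { print c + 0 }'
}

# PIDs to terminate: every helper and every ssh-agent in the snapshot.
# Prints nothing while the helper count is within HELPER_LIMIT.
runaway_pids() {
    snap=$(cat)
    n=$(printf '%s\n' "$snap" | count_helpers)
    [ "$n" -gt "$HELPER_LIMIT" ] || return 0
    printf '%s\n' "$snap" | proc_names |
        awk '$2 == "ssh-pkcs11-helper" || $2 == "ssh-agent" { print $1 }'
}

# Live process snapshot using POSIX ps options.
snapshot() { ps -A -o pid= -o comm=; }

# Poll once a second, only when asked to, so sourcing the file has no side effects.
if [ "${1:-}" = "--watch" ]; then
    while sleep 1; do
        pids=$(snapshot | runaway_pids)
        [ -n "$pids" ] || continue
        echo "runaway ssh-pkcs11-helper detected, killing:" $pids >&2
        kill -KILL $pids
        break
    done
fi
```

Start it with `--watch` in a second terminal before the `ssh-add -s` attempt; it kills the agent together with the helpers, so a fresh `ssh-agent` is needed afterwards.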