ssh-add -s opensc-pkcs11.so spawns endless amounts of ssh-pkcs11-helpers #354

Closed
pettai opened this Issue Jan 17, 2015 · 9 comments
@pettai

pettai commented Jan 17, 2015

Tested on Mac OS X Mavericks & Yosemite

Trying to add my Yubico NEO smart card PIV_II key to the ssh-agent with ssh-add -s spawns endless ssh-pkcs11-helper processes, which isn't good for the machine's health.

Steps to reproduce:

  1. Install OpenSC, https://github.com/OpenSC/OpenSC/wiki
  2. Install Yubikey NEO Manager, http://opensource.yubico.com/yubikey-neo-manager/
  3. Install Yubikey PIV tool, https://developers.yubico.com/yubico-piv-tool/
  4. Generate a new keypair (private key + self signed certificate) via yubikey-piv-tool:
    $ export PKCS11_PROVIDER=/Library/OpenSC/lib/opensc-pkcs11.so
    $ export PIVTOOL=~/Downloads/yubico-piv-tool-0/bin/yubikey-piv-tool
    $ $PIVTOOL -P 123456 -v -s 9c -a generate > pubkey.pem
    $ $PIVTOOL -P 123456 -v -s 9c -S "/CN=Yubikey SSH/" -a verify -a selfsign-certificate < pubkey.pem > cert.pem
    $ $PIVTOOL -P 123456 -v -s 9c -a import-certificate < cert.pem

Now your NEO is provisioned with a SSH key pair on your PIV applet.
You can verify that it works by exporting your public key:
$ ssh-keygen -D $PKCS11_PROVIDER > id_rsa.pub
and copy it to a server, and then connect over ssh using:
$ ssh -I $PKCS11_PROVIDER my.server.hostname
Enter PIN for 'PIV_II (PIV Card Holder pin)': ******
Which works fine.

But then when I try to add the key to the ssh-agent, it fails:
$ ssh-add -s $PKCS11_PROVIDER
Enter passphrase for PKCS#11:
SSH_AGENT_FAILURE
Could not add card: /Library/OpenSC/lib/opensc-pkcs11.so

And the system endlessly spawns ssh-pkcs11-helper processes...
System Console only gives this error (viewing "All Messages")
17/01/15 10:30:02,491 ssh-pkcs11-helper[1237]: error: fork: Resource temporarily unavailable

According to this recent blog post, ssh-add -s seems to work using OpenSC & ePass2003 (on Mavericks)
http://sigg-iten.ch/learningbits/2014/11/13/first-steps-with-the-feitian-epass2003-smart-token-in-os-x/
UPDATE: The author of the blog said that it was brew's OpenSSH he used; Apple's OpenSSH also spawns endless ssh-pkcs11-helpers.

I'm not sure where it goes wrong, since the terminal becomes unusable for debugging because of resource exhaustion (only logout or reboot makes the system usable again), but I figured I'd start by posting it here...

@dengert


Member

dengert commented Jan 17, 2015

Why it continues to start ssh-pkcs11-helper processes is an SSH problem or a Mac problem.
I do not have a Mac.

You must have the agent running before running the ssh-add command.
Is the agent running and are SSH_AGENT_PID and SSH_AUTH_SOCK set in environment?

The ssh-agent can be started with the -d option; that might help isolate the problem.

The ssh-add command issues the prompt "Enter passphrase for PKCS#11" before doing anything with pkcs11.

So problems could be ssh-add can not find the ssh-agent or can not load the pkcs11 module.
Try with a non existing module like:
ssh-add -s /Library/OpenSC/lib/opensc-pkcs11XXXXX.so

SSH_AGENT_FAILURE is a very general message, and both ssh-pkcs11-helper.c and ssh-agent.c can set it.

Apple may have made other changes to the agent....
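
Added example, not code from the issue, OpenSC or OpenSSH: a POSIX sh wrapper around ssh-add -s that performs the checks dengert lists above (is SSH_AUTH_SOCK set and the agent reachable, is the module path actually a readable file) and then runs ssh-add in a subshell with a lowered ulimit -u, so that if the helper storm from the first comment does happen it hits a per-user process limit instead of leaving the login session unusable. The paths, the headroom of 64 processes, the exit codes and the assumption that the kernel enforces RLIMIT_NPROC on fork() are mine, not the page's.

```shell
#!/bin/sh
# Added example, not code from the issue or from OpenSC/OpenSSH.
# Pre-flight checks around `ssh-add -s <module>` so that the failure mode
# described in the thread (module cannot be loaded, agent unreachable,
# ssh-pkcs11-helper forked until "fork: Resource temporarily unavailable")
# is caught up front or at least contained.

# 0 if an ssh-agent is reachable: SSH_AUTH_SOCK set, points at a socket,
# and `ssh-add -l` does not fail with exit 2 (could not open a connection).
# Exit 1 from `ssh-add -l` only means the agent holds no identities yet.
agent_ready() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 1
    [ -S "$SSH_AUTH_SOCK" ] || return 1
    command -v ssh-add >/dev/null 2>&1 || return 1
    rc=0
    ssh-add -l >/dev/null 2>&1 || rc=$?
    [ "$rc" -ne 2 ]
}

# 0 if the PKCS#11 module path is an existing, readable regular file.
# Catches the "opensc-pkcs11XXXXX.so" case before ssh-add ever hands the
# path to ssh-pkcs11-helper.
module_loadable() {
    [ -f "$1" ] && [ -r "$1" ]
}

# Number of processes this user currently owns (ps -U works on macOS and Linux).
# RLIMIT_NPROC counts all of the user's processes, so the limit we set below
# must sit above this number or the very first fork() would fail.
user_proc_count() {
    ps -U "$(id -un)" -o pid= | wc -l | tr -d ' '
}

# Run `ssh-add -s` in a subshell whose RLIMIT_NPROC (ulimit -u) is the current
# process count plus a small headroom (assumption: the kernel enforces
# RLIMIT_NPROC on fork(), so a helper storm fails with EAGAIN inside the
# subshell instead of starving the whole session).
# Return codes (mine): 2 no usable agent, 3 module not readable, otherwise
# whatever `ssh-add -s` returned.
add_card_guarded() {
    module="$1"
    headroom="${2:-64}"
    agent_ready || { echo "no usable ssh-agent (check SSH_AUTH_SOCK)" >&2; return 2; }
    module_loadable "$module" || { echo "PKCS#11 module not readable: $module" >&2; return 3; }
    limit=$(( $(user_proc_count) + headroom ))
    (
        ulimit -u "$limit" 2>/dev/null || echo "warning: could not set ulimit -u $limit" >&2
        exec ssh-add -s "$module"
    )
}

# Usage (assumed paths, as in the thread):
#   eval "$(ssh-agent -s)"
#   add_card_guarded /Library/OpenSC/lib/opensc-pkcs11.so
```

The PIN prompt and the SSH_AGENT_FAILURE reply are unchanged by the wrapper; what changes is that a bogus module path or a missing agent is reported before ssh-add runs, and a runaway ssh-pkcs11-helper loop exhausts only the headroom granted to the subshell, leaving enough process slots to run ps and kill from the same terminal.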

@pettai


pettai commented Jan 17, 2015

You're right, it seems like an Apple OpenSSH problem:

$ ssh-agent -d
SSH_AUTH_SOCK=/var/folders/r_/09vwp51s78d8_jxfcl8pl6dw0000gn/T//ssh-bwRR1aB4banS/agent.2499; export SSH_AUTH_SOCK;
echo Agent pid 2499;
debug1: read PEM private key done: type RSA
debug1: type 20
debug1: XXX shrink: 3 < 4

Even though the ssh-add -s bla.so failed with a fake pkcs11 module, lots of ssh-pkcs11-helpers are spawned...

$ ssh-add -s bla.so
Enter passphrase for PKCS#11:
SSH_AGENT_FAILURE
Could not add card: bla.so

$ ps -ef | grep ssh-pkcs11-helper
-bash: fork: Resource temporarily unavailable
...

I'll close this issue.

@pettai


pettai commented Jan 17, 2015

Turns out to be an Apple OpenSSH problem

@pettai pettai closed this Jan 17, 2015

@dengert


Member

dengert commented Jan 17, 2015

Yes, the multiple ssh-pkcs11-helpers are a problem, but they may only show up if the pkcs11 module cannot be loaded, for any number of reasons.

Can you try to kill any ssh-agents that are running? I see in the trace that there was an ssh-agent -l started during login. Then try
eval ssh-agent -d

This will set the SSH_AUTH_SOCK and maybe the SSH_AGENT_PID in your environment and start a new agent. Then try:
ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so

Hopefully the ssh-agent running with debug will show more.

Also look if Apple has any other pkcs11 libs. If so try them as well. If it will load some other pkcs11 module but not opensc-pkcs11 that could be a opensc issue.

@pettai


pettai commented Jan 18, 2015

The output is just the same, even though I tried to load the OpenSC pkcs11 module:

$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11:
SSH_AGENT_FAILURE
Could not add card: /Library/OpenSC/lib/opensc-pkcs11.so

While doing the above, ssh-agent -d only echoes:
debug1: type 20
debug1: XXX shrink: 3 < 4

@bcg62


bcg62 commented Nov 11, 2016

I'm also having this problem, is there any solution?

@jfriedly


jfriedly commented Jan 19, 2017

Likewise. I can reproduce the issue easily. Any known workaround? I couldn't find any other libs on my system with names like "*pkcs11.so"

@Motishjain


Motishjain commented Apr 19, 2017

Facing exactly the same issue. Any solution or workaround?

@jfriedly


jfriedly commented Apr 20, 2017
