ssh-add -s opensc-pkcs11.so spawns endless amounts of ssh-pkcs11-helpers

[pettai]

Tested on Mac OS X Mavericks & Yosemite

Trying to add my Yubico NEO smart card PIV_II key to the ssh-agent with ssh-add -s, will spawn endless of ssh-pkcs11-helper processes, which isn't good for the machine's health.

Steps to reproduce:

1. Install OpenSC, https://github.com/OpenSC/OpenSC/wiki
2. Install Yubikey NEO Manager, http://opensource.yubico.com/yubikey-neo-manager/
3. Install Yubikey PIV tool, https://developers.yubico.com/yubico-piv-tool/
4. Generate a new keypair (private key + self signed certificate) via yubikey-piv-tool:
   $ export PKCS11_PROVIDER=/Library/OpenSC/lib/opensc-pkcs11.so
   $ export PIVTOOL=~/Downloads/yubico-piv-tool-0/bin/yubikey-piv-tool
   $ $PIVTOOL -P 123456 -v -s 9c -a generate > pubkey.pem
   $ $PIVTOOL -P 123456 -v -s 9c -S "/CN=Yubikey SSH/" -a verify -a selfsign-certificate < pubkey.pem > cert.pem
   $ $PIVTOOL -P 123456 -v -s 9c -a import-certificate < cert.pem

Now your NEO is provisioned with a SSH key pair on your PIV applet.
You can verify that it works by exporting your public key:
$ ssh-keygen -D $PKCS11_PROVIDER > id_rsa.pub
and copy it to a server, and then connecting over ssh again using:
$ ssh -I $PKCS11_PROVIDER my.server.hostname
Enter PIN for 'PIV_II (PIV Card Holder pin)': ******
Which works fine.

But then I try to add the key to the ssh-agent, It fails:
$ ssh-add -s $PKCS11_PROVIDER
Enter passphrase for PKCS#11:
SSH_AGENT_FAILURE
Could not add card: /Library/OpenSC/lib/opensc-pkcs11.so

And the system endlessly spawns ssh-pkcs11-helper processes...
System Console only gives this error (viewing "All Messages")
17/01/15 10:30:02,491 ssh-pkcs11-helper[1237]: error: fork: Resource temporarily unavailable

According to this recent blog post, ssh-add -s seems to work using OpenSC & ePass2003 (on Mavericks)
http://sigg-iten.ch/learningbits/2014/11/13/first-steps-with-the-feitian-epass2003-smart-token-in-os-x/
UPDATE: Author of the blog said that it was brew's OpenSSH he used, Apple's OpenSSH also spawns endless ssh-pkcs11-helper's.

I'm not sure where it goes wrong, because the terminal becomes unusable for debugging because of resource exhaustion (only logout or reboot makes the system usable again), but I'd figured I start by posting it here...

[dengert]

Why it continues to start ssh-pkcs11-helper process is an SSH problem or Mac problem.
I do not have a Mac.

You must have the agent running before running the ssh-add command.
Is the agent running and are SSH_AGENT_PID and SSH_AUTH_SOCK set in environment?

The ssh-agent can be started with the -d option, that might help isolate the problem,

The ssh-add command issues the promp t"Enter passphrase for PKCS#11" before doing anything with pkcs11.

So problems could be ssh-add can not find the ssh-agent or can not load the pkcs11 module.
Try with a non existing module like:
ssh-add -s /Library/OpenSC/lib/opensc-pkcs11XXXXX.so

SSH_AGENT_FAILURE is a very general message, and both ssh-pkcs11-helper.c and ssh-agent.c can set it.

Apple may have made other changes to the agent....

[pettai]

You're right, it seems like an Apple OpenSSH problem:

$ ssh-agent -d
SSH_AUTH_SOCK=/var/folders/r_/09vwp51s78d8_jxfcl8pl6dw0000gn/T//ssh-bwRR1aB4banS/agent.2499; export SSH_AUTH_SOCK;
echo Agent pid 2499;
debug1: read PEM private key done: type RSA
debug1: type 20
debug1: XXX shrink: 3 < 4

Even thought the ssh-add -s bla.so failed with a fake pkcs11 module, lot's of ssh-pkcs11-helpers are spawned...

$ ssh-add -s bla.so
Enter passphrase for PKCS#11:
SSH_AGENT_FAILURE
Could not add card: bla.so

$ ps -ef | grep ssh-pkcs11-helper
-bash: fork: Resource temporarily unavailable
...

I'll close this issue.

[pettai]

Turns out to be an Apple OpenSSH problem

[dengert]

Yes the multiple ssh-pkcs11-helpers are a problem but may only show up of the pkcs11 can not be loaded for any number of reasons.

Can you try to kill any ssh-agents that are running. I see in the trace that there was a ssh-agent -l started during login. Then try
eval ssh-agent -d

This will set the SSH_AUTH_SOCK and maybe the SSH_AGENT_PID in your environment and start a new agent. Then try:
ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so

Hopefully the ssh-agent running with debug will show more.

Also look if Apple has any other pkcs11 libs. If so try them as well. If it will load some other pkcs11 module but not opensc-pkcs11 that could be a opensc issue.

[pettai]

The output is just the same, even thought I tried to load the OpenSC pkcs11 module

$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11:
SSH_AGENT_FAILURE
Could not add card: /Library/OpenSC/lib/opensc-pkcs11.so

While the above, ssh-agent -d only echoes:
debug1: type 20
debug1: XXX shrink: 3 < 4

[bcg62]

I'm also having this problem, is there any solution?

[jfriedly]

Likewise. I can reproduce the issue easily. Any known workaround? I couldn't find any other libs on my system with names like "*pkcs11.so"

[Motishjain]

Facing exactly the same issue. Any solution or workaround?

[jfriedly]

I'm told to upgrade my Mac to OS X 10.11 or 10.12. Will be doing that soon...

…

On Wed, Apr 19, 2017 at 1:43 AM, Motishjain ***@***.***> wrote: Facing exactly the same issue. Any solution or workaround? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#354 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAnkXSN4dtaR-MV3ZP3Mns8HnLs93hemks5rxclFgaJpZM4DTr-e> .