ssh-add -s opensc-pkcs11.so spawns endless amounts of ssh-pkcs11-helpers #354
Tested on Mac OS X Mavericks & Yosemite
Trying to add my Yubico NEO smart card PIV_II key to the ssh-agent with ssh-add -s will spawn an endless number of ssh-pkcs11-helper processes, which isn't good for the machine's health.
Steps to reproduce:
Now your NEO is provisioned with an SSH key pair on your PIV applet.
But when I try to add the key to the ssh-agent, it fails:
And the system endlessly spawns ssh-pkcs11-helper processes...
According to this recent blog post, ssh-add -s seems to work using OpenSC & ePass2003 (on Mavericks).
I'm not sure where it goes wrong, because the terminal becomes unusable for debugging because of resource exhaustion (only logout or reboot makes the system usable again), but I figured I'd start by posting it here...
Why it continues to start ssh-pkcs11-helper processes is an SSH problem or Mac problem.
You must have the agent running before running the ssh-add command.
The ssh-agent can be started with the -d option, that might help isolate the problem.
The ssh-add command issues the prompt "Enter passphrase for PKCS#11" before doing anything with pkcs11.
So problems could be ssh-add cannot find the ssh-agent or cannot load the pkcs11 module.
SSH_AGENT_FAILURE is a very general message, and both ssh-pkcs11-helper.c and ssh-agent.c can set it.
Apple may have made other changes to the agent....
You're right, it seems like an Apple OpenSSH problem:
$ ssh-agent -d
Even though the ssh-add -s bla.so failed with a fake pkcs11 module, lots of ssh-pkcs11-helpers are spawned...
$ ssh-add -s bla.so
$ ps -ef | grep ssh-pkcs11-helper
I'll close this issue.
Yes, the multiple ssh-pkcs11-helpers are a problem but may only show up if the pkcs11 cannot be loaded for any number of reasons.
Can you try to kill any ssh-agents that are running? I see in the trace that there was an ssh-agent -l started during login. Then try
This will set the SSH_AUTH_SOCK and maybe the SSH_AGENT_PID in your environment and start a new agent. Then try:
Hopefully the ssh-agent running with debug will show more.
Also look if Apple has any other pkcs11 libs. If so, try them as well. If it will load some other pkcs11 module but not opensc-pkcs11, that could be an OpenSC issue.
The output is just the same, even though I tried to load the OpenSC pkcs11 module.
$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
While the above, ssh-agent -d only echoes:
I'm told to upgrade my Mac to OS X 10.11 or 10.12. Will be doing that soon...
On Wed, Apr 19, 2017 at 1:43 AM, Motishjain ***@***.***> wrote: Facing exactly the same issue. Any solution or workaround?
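The two failure causes named in this thread (ssh-add cannot load the pkcs11 module, or cannot find the agent) can be checked before ssh-add -s is run, together with a guard against helpers that are already piling up. This is an added example, not posted by any participant and not OpenSC or OpenSSH code; the function names `count_helpers` and `preflight` and the default threshold of 4 are assumptions.

```shell
#!/bin/sh
# Added example: pre-flight checks before `ssh-add -s <module>`.
# Function names and the helper threshold are hypothetical choices.

# Count ssh-pkcs11-helper processes in ps-style output read from stdin.
# The grep exclusion makes it safe to feed it `ps -ef | grep ...` output.
count_helpers() {
    awk '/ssh-pkcs11-helper/ && !/grep/ { n++ } END { print n + 0 }'
}

# preflight SOCKET MODULE [MAX_HELPERS]
# Return codes: 0 ok, 1 agent not reachable, 2 module not loadable,
#               3 too many helpers already running.
preflight() {
    sock=$1
    module=$2
    max_helpers=${3:-4}

    # A module path that does not exist or is unreadable cannot be loaded.
    [ -r "$module" ] || { echo "module not readable: $module" >&2; return 2; }

    # ssh-add locates the agent through SSH_AUTH_SOCK; it must be a socket.
    [ -n "$sock" ] || { echo "SSH_AUTH_SOCK is empty, no agent" >&2; return 1; }
    [ -S "$sock" ] || { echo "not a socket: $sock" >&2; return 1; }

    # Stop before adding more load if helpers are already accumulating.
    n=$(ps -A -o comm= 2>/dev/null | count_helpers)
    [ "$n" -le "$max_helpers" ] || { echo "$n helpers already running" >&2; return 3; }

    echo "ok"
}

# Usage (module path as given in the thread):
#   preflight "$SSH_AUTH_SOCK" /Library/OpenSC/lib/opensc-pkcs11.so \
#       && ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
```
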