Description
Prerequisites
- Write a descriptive title.
- Make sure you are able to repro it on the latest version
- Search the existing issues.
Steps to reproduce
TLDR,
PKCS#11 support in Windows OpenSSH mostly works,
but it lacks the ssh-agent -P option,
so I cannot pass a PKCS#11 library to ssh-add -s.
My ssh private key is stored in a YubiKey hardware module,
and I want to use the private key to do ssh login,
and forward the keys to use them on remote machines, using ssh-agent.
I can verify that my Yubikey works,
by successfully doing the things above on Linux.
Steps to reproduce on Windows
- Download yubico-piv-tool from https://developers.yubico.com/yubico-piv-tool/Releases/. Use yubico-piv-tool-2.7.2-win64.msi
- Install the MSI
- The installed program is located at C:\Program Files\Yubico\Yubico PIV Tool
- Copy all DLLs inside C:\Program Files\Yubico\Yubico PIV Tool\bin into C:\Windows\System32\OpenSSH
- Plug my USB Yubikey into the computer
- Use command `ssh-keygen -D libykcs11.dll`. It works as intended: it prints out the public key stored in the Yubikey hardware module
- Use command `ssh -I libykcs11.dll username@hostname`. It works as intended: I ssh login without a password, using the Yubikey to authenticate
- `ssh-add -s libykcs11.dll` or `ssh-add -s C:\Windows\System32\OpenSSH\libykcs11.dll`, in order to add the hardware module into ssh-agent, DOES NOT WORK. The error message is `Could not add card "libykcs11.dll": agent refused operation`
From my experience of using ssh agent forwarding on Linux, there is an allowlist for modules used by ssh-add -s, which can be specified by ssh-agent -P.
The man page of ssh-agent on Linux says:
-P allowed_providers
Specify a pattern-list of acceptable paths for PKCS#11 provider and
FIDO authenticator middleware shared libraries that may be used with the -S or -s options to ssh-add(1).
Libraries that do not match the pattern list will be refused.
See PATTERNS in ssh_config(5) for a description of pattern-list syntax.
The default list is "/usr/lib/*,/usr/local/lib*"
Passing a -P option to ssh-agent on Linux can easily be done in ~/.bashrc,
but I have no idea how to do this on Windows.
The start of ssh-agent on Windows is handled by the OpenSSH Authentication Agent Service,
and there is no way to pass an argument to it.
Starting it manually with `ssh-agent.exe -P C:\Windows\System32\OpenSSH\libykcs11.dll` does not work either:
I checked the Command Line with Sysinternals' "Process Explorer",
and the Command Line does not include -P.
I think PKCS#11 on Windows mostly works,
because ssh-keygen -D and ssh -I work as intended.
Just ssh-agent -P needs some work.
Maybe change the default allowlist of ssh-agent -P?
Expected behavior
`ssh-add -s libykcs11.dll` succeeds,
and `ssh-add -l` should list the keys stored in the Yubikey
Actual behavior
`ssh-add -s libykcs11.dll` errors with
`Could not add card "libykcs11.dll": agent refused operation`
Error details
Environment data
Name Value
---- -----
PSVersion 5.1.26100.6899
PSEdition Desktop
PSCompatibleVersions {1.0, 2.0, 3.0, 4.0...}
BuildVersion 10.0.26100.6899
CLRVersion 4.0.30319.42000
WSManStackVersion 3.0
PSRemotingProtocolVersion 2.3
SerializationVersion 1.1.0.1
Version
OpenSSH_for_Windows_9.5p2, LibreSSL 3.8.2
Visuals
No response
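The reproduction steps above, collected into one PowerShell script. This is an added example and not code from the issue author or from the Win32-OpenSSH project. It assumes the Yubico PIV Tool 2.7.2 MSI is already installed in its default location, that the `ssh-agent` service is not disabled, and that the script runs in an elevated PowerShell (copying into `C:\Windows\System32\OpenSSH` requires administrator rights). The last two queries use the `Win32_Service` and `Win32_Process` CIM classes to show how the agent was launched, which is the same information the author read off Process Explorer.

```powershell
# Added example (not the issue author's or the project's code).
# Reproduces the PKCS#11 checks from the report and records how the
# Windows ssh-agent was started. Assumes an elevated PowerShell session.

$src  = 'C:\Program Files\Yubico\Yubico PIV Tool\bin'   # default install path from the report
$dest = 'C:\Windows\System32\OpenSSH'
$lib  = Join-Path $dest 'libykcs11.dll'

# 1. Stage the provider DLLs next to the OpenSSH binaries, as the report does.
#    Note: this drops third-party code into a system directory; it mirrors the
#    report, it is not a recommended deployment.
Copy-Item -Path (Join-Path $src '*.dll') -Destination $dest -Force

# 2. Enumerate the public keys on the token through the PKCS#11 provider.
#    This step succeeds in the report.
& ssh-keygen -D $lib
Write-Host "ssh-keygen -D exit code: $LASTEXITCODE"

# 3. Make sure the agent service is up, then try to hand it the provider.
#    In the report this fails with 'agent refused operation'.
Start-Service ssh-agent
& ssh-add -s $lib
Write-Host "ssh-add -s exit code: $LASTEXITCODE"

# 4. Show how the agent was actually launched. The service's binary path and
#    the live process command line reveal whether a -P argument is present.
Get-CimInstance Win32_Service -Filter "Name='ssh-agent'" |
    Select-Object Name, State, StartMode, PathName | Format-List
Get-CimInstance Win32_Process -Filter "Name='ssh-agent.exe'" |
    Select-Object ProcessId, CommandLine | Format-List

# 5. List what the agent holds after the attempt (empty on the failing path).
& ssh-add -l
```

Run it once with the YubiKey plugged in; step 2 and step 3 together separate "the provider loads fine in a client process" from "the agent refuses to load it", which is the distinction the report rests on, and step 4 shows the agent's command line without a separate tool.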