Make ssh-add work, and/or document how to make it work

[ThomasHabets]

$ ssh-add -s /…/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11: 
Could not add card "/…/libsimple-tpm-pk11.so": agent refused operation

[ThomasHabets]

$ ./configure  --prefix=$HOME/opt/openssh
[…]
$ grep -q '^#define ENABLE_PKCS11' config.h && echo success || echo fail
success
$ sudo mkdir -p /var/empty
$ make install
[…]
$ ~/opt/openssh/bin/ssh-agent
[… env stuff for ssh-agent. copy-paste run this …]
$ ssh-add -s /usr/local/lib/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11: 
Card added: /usr/local/lib/libsimple-tpm-pk11.so
$ ssh-add -l
2048 SHA256:xxxxx[…]xxxxxx /usr/local/lib/libsimple-tpm-pk11.so (RSA)

[ThomasHabets]

In conclusion: this is not a problem with simple-tpm-pk11, but with OpenSSH on my system (and presumably others) not being built with PKCS11 support for ssh-agent. That's strange since the ssh binary works just fine. I guess ssh didn't #ifdef away any cases in a switch statement, so it just happened to work.

Presumably my system has the dependencies needed for PKCS11 to be considered supported, and Ubuntu does not.

I should contact upstream.

[qistoph]

Rebuilding ssh-agent as described indeed solves the problem and makes my TPM based key available in ssh-agent.

Ubuntu 16.04

[ThomasHabets]

@qistoph
I don't have a pure enough Ubuntu system. Could you follow https://help.ubuntu.com/community/ReportingBugs to report this as a bug?

[qistoph]

Done: Ubuntu bug 1606929.

[qistoph]

Actually I just discovered that ssh-agent wasn't used by default, but gnome-keyring-daemon is. Probably gnome-keyring-daemon just does not support PKCS#11 yet...

If I run ssh-agent, without recompiling, it also works.

$ /usr/bin/ssh-agent
[… env stuff for ssh-agent. copy-paste run this …]
$ ssh-add -s /usr/local/lib/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11: 
Card added: /usr/local/lib/libsimple-tpm-pk11.so
$ ssh-add -l
2048 SHA256:xxxxx[…]xxxxxx /usr/local/lib/libsimple-tpm-pk11.so (RSA)

[ThomasHabets]

I'm going to assume every case has been gnome-keyring. Closing after documenting.

[williamcroberts]

@qistoph I am seeing similair issue, and you don't need to rebuild open-ssh? What magic did you perform to get it to accept the pkcs11 provider?

[qistoph]

@qistoph I am seeing similair issue, and you don't need to rebuild open-ssh? What magic did you perform to get it to accept the pkcs11 provider?

Exactly what I posted earlier:

Actually I just discovered that ssh-agent wasn't used by default, but gnome-keyring-daemon is. Probably gnome-keyring-daemon just does not support PKCS#11 yet...

If I run ssh-agent, without recompiling, it also works.

$ /usr/bin/ssh-agent
[… env stuff for ssh-agent. copy-paste run this …]
$ ssh-add -s /usr/local/lib/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11: 
Card added: /usr/local/lib/libsimple-tpm-pk11.so
$ ssh-add -l
2048 SHA256:xxxxx[…]xxxxxx /usr/local/lib/libsimple-tpm-pk11.so (RSA)