Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

MacOS Sierra 10.12 failing to ssh-add pkcs11 key #75

Closed
jdh-- opened this issue Jun 6, 2017 · 3 comments
Closed

MacOS Sierra 10.12 failing to ssh-add pkcs11 key #75

jdh-- opened this issue Jun 6, 2017 · 3 comments

Comments

@jdh--
Copy link

jdh-- commented Jun 6, 2017

Just for reference incase this hits anyone else

See:
OpenSC/OpenSC#1007
OpenSC/OpenSC#1008

As of openssh 7.4, ssh-add will only accept pkcs libraries from directories specified at compile time or via ssh-agent run time flags on startup

The default match is /usr/lib*/*,/usr/local/lib*/*

Common locations to find the opensc-pkcs11 or libykcs11 libraries on MacOS don't match this.

Homebrew installed opensc will end up /usr/local/Cellar/opensc and get sym-linked into /usr/local/lib but the ssh-add follows the sym-link and the location check fails.

Quickest work around more me was to

rm /usr/local/lib/opensc-pkcs11.so
cp -a /usr/local/Cellar/opensc/0.16.0_1/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so
ssh-add -s /usr/local/lib/opensc-pkcs11.so

From OpenSSH 7.4 release notes:

Changes since OpenSSH 7.3

This is primarily a bugfix release.

Security

  • ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
    outside a trusted whitelist (run-time configurable). Requests to
    load modules could be passed via agent forwarding and an attacker
    could attempt to load a hostile PKCS#11 module across the forwarded
    agent channel: PKCS#11 modules are shared libraries, so this would
    result in code execution on the system running the ssh-agent if the
    attacker has control of the forwarded agent-socket (on the host
    running the sshd server) and the ability to write to the filesystem
    of the host running ssh-agent (usually the host running the ssh
    client). Reported by Jann Horn of Project Zero.
@matthewjweaver
Copy link
Owner

matthewjweaver commented Jun 9, 2017
edited
Loading

Interestingly, @djmdjm (who made this change) points out it was to address CVE-2016-10009:
https://nvd.nist.gov/vuln/detail/CVE-2016-10009

@minfrin
Copy link

minfrin commented Aug 8, 2018

I've just deployed OpenSC 0.18.0 onto High Sierra and ran into this problem, and can confirm the workaround above works.

Is there a way of getting the OpenSC installer on MacOS to do all the tasks necessary to make OpenSC functional on the Mac, rather than doing some of the tasks via the installer, and leaving other tasks to the end user to be done manually using the root account?

We've been stuck for ages unable to properly roll out smartcards, as they don't work for ordinary users.

@matthewjweaver
Copy link
Owner

Elided by #225 ; I strongly recommend moving to FIDO2 key support everywhere.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@minfrin @matthewjweaver @jdh--