As of OpenSSH 7.4, ssh-add will only accept PKCS#11 libraries from directories specified at compile time or via ssh-agent run-time flags on startup.
The default match is `/usr/lib*/*,/usr/local/lib*/*`.
Common locations to find the opensc-pkcs11 or libykcs11 libraries on macOS don't match this.
Homebrew-installed opensc will end up in /usr/local/Cellar/opensc and get symlinked into /usr/local/lib, but ssh-add follows the symlink and the location check fails.
The quickest workaround for me was to:

```sh
cp -a /usr/local/Cellar/opensc/0.16.0_1/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so
ssh-add -s /usr/local/lib/opensc-pkcs11.so
```
From the OpenSSH 7.4 release notes:

> Changes since OpenSSH 7.3
>
> This is primarily a bugfix release.
>
> ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
> outside a trusted whitelist (run-time configurable). Requests to
> load modules could be passed via agent forwarding and an attacker
> could attempt to load a hostile PKCS#11 module across the forwarded
> agent channel: PKCS#11 modules are shared libraries, so this would
> result in code execution on the system running the ssh-agent if the
> attacker has control of the forwarded agent-socket (on the host
> running the sshd server) and the ability to write to the filesystem
> of the host running ssh-agent (usually the host running the ssh
> client). Reported by Jann Horn of Project Zero.
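To show concretely why the Homebrew symlink is refused, here is an added example (not from this issue, nor OpenSC's or OpenSSH's own code) that re-implements the path check ssh-agent applies before loading a PKCS#11 module: resolve symlinks, then match the canonical path against the comma-separated whitelist, where `*` also matches `/`. It assumes that matching rule, and it builds its own throwaway copy of the Homebrew layout under a temp directory, so the whitelist it tests against is rewritten to that directory.

```sh
#!/bin/sh
# Added example: re-implements the whitelist check ssh-agent 7.4 applies before
# loading a PKCS#11 module. Assumption: the agent canonicalises the path
# (realpath) and matches it against a comma-separated pattern list in which
# '*' also matches '/'. The default list below is the one quoted in the issue.
DEFAULT_WHITELIST='/usr/lib*/*,/usr/local/lib*/*'

# Print PATH with every symlink resolved (python fallback for a macOS without realpath).
canonical_path() {
    if command -v realpath >/dev/null 2>&1; then realpath "$1"
    else python3 -c 'import os,sys;print(os.path.realpath(sys.argv[1]))' "$1"; fi
}

# provider_allowed MODULE [WHITELIST]: exit 0 if the agent would load MODULE.
provider_allowed() {
    path=$(canonical_path "$1") || return 2
    list=${2:-$DEFAULT_WHITELIST}
    old_ifs=$IFS; IFS=','; set -f            # split on commas, no filesystem globbing
    for pat in $list; do
        case "$path" in $pat) IFS=$old_ifs; set +f; return 0 ;; esac
    done
    IFS=$old_ifs; set +f; return 1
}

# Throwaway tree mirroring the Homebrew layout from the issue: the real library
# under Cellar, a symlink to it in lib/. Prints the (canonical) root.
make_sandbox() {
    sb=$(canonical_path "$(mktemp -d)") || return 1
    mkdir -p "$sb/usr/local/Cellar/opensc/0.16.0_1/lib" "$sb/usr/local/lib"
    : > "$sb/usr/local/Cellar/opensc/0.16.0_1/lib/opensc-pkcs11.so"
    ln -s "$sb/usr/local/Cellar/opensc/0.16.0_1/lib/opensc-pkcs11.so" "$sb/usr/local/lib/"
    printf '%s\n' "$sb"
}

# The issue's workaround: replace the symlink with a real copy of the library.
apply_workaround() {
    rm -f "$1/usr/local/lib/opensc-pkcs11.so"
    cp -a "$1/usr/local/Cellar/opensc/0.16.0_1/lib/opensc-pkcs11.so" "$1/usr/local/lib/"
}

# Demo against the sandbox (default whitelist prefixed with the sandbox root).
root=$(make_sandbox); mod="$root/usr/local/lib/opensc-pkcs11.so"
wl="$root/usr/lib*/*,$root/usr/local/lib*/*"
provider_allowed "$mod" "$wl" && echo loaded || echo refused   # refused: resolves into Cellar
provider_allowed "$mod" "$wl,$root/usr/local/Cellar/*" && echo loaded || echo refused  # loaded: wider list
apply_workaround "$root"
provider_allowed "$mod" "$wl" && echo loaded || echo refused   # loaded: real file now in lib/
rm -rf "$root"
```

The second call corresponds to the run-time alternative to copying the library, starting the agent with a wider list such as `ssh-agent -P '/usr/lib*/*,/usr/local/lib*/*,/usr/local/Cellar/*'`; anything under the added pattern then becomes loadable over a forwarded agent channel, which is exactly the exposure the release note describes.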
I've just deployed OpenSC 0.18.0 onto High Sierra and ran into this problem, and can confirm the workaround above works.
Is there a way of getting the OpenSC installer on MacOS to do all the tasks necessary to make OpenSC functional on the Mac, rather than doing some of the tasks via the installer, and leaving other tasks to the end user to be done manually using the root account?
We've been stuck for ages unable to properly roll out smartcards, as they don't work for ordinary users.