Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MacOS Sierra 10.12 failing to ssh-add pkcs11 key #75

jdh-- opened this issue Jun 6, 2017 · 3 comments

MacOS Sierra 10.12 failing to ssh-add pkcs11 key #75

jdh-- opened this issue Jun 6, 2017 · 3 comments


Copy link

jdh-- commented Jun 6, 2017

Just for reference incase this hits anyone else


As of openssh 7.4, ssh-add will only accept pkcs libraries from directories specified at compile time or via ssh-agent run time flags on startup

The default match is /usr/lib*/*,/usr/local/lib*/*

Common locations to find the opensc-pkcs11 or libykcs11 libraries on MacOS don't match this.

Homebrew installed opensc will end up /usr/local/Cellar/opensc and get sym-linked into /usr/local/lib but the ssh-add follows the sym-link and the location check fails.

Quickest work around more me was to

rm /usr/local/lib/
cp -a /usr/local/Cellar/opensc/0.16.0_1/lib/ /usr/local/lib/
ssh-add -s /usr/local/lib/

From OpenSSH 7.4 release notes:

Changes since OpenSSH 7.3

This is primarily a bugfix release.


  • ssh-agent(1): Will now refuse to load PKCS#11 modules from paths
    outside a trusted whitelist (run-time configurable). Requests to
    load modules could be passed via agent forwarding and an attacker
    could attempt to load a hostile PKCS#11 module across the forwarded
    agent channel: PKCS#11 modules are shared libraries, so this would
    result in code execution on the system running the ssh-agent if the
    attacker has control of the forwarded agent-socket (on the host
    running the sshd server) and the ability to write to the filesystem
    of the host running ssh-agent (usually the host running the ssh
    client). Reported by Jann Horn of Project Zero.
Copy link

matthewjweaver commented Jun 9, 2017

Interestingly, @djmdjm (who made this change) points out it was to address CVE-2016-10009:

Copy link

minfrin commented Aug 8, 2018

I've just deployed OpenSC 0.18.0 onto High Sierra and ran into this problem, and can confirm the workaround above works.

Is there a way of getting the OpenSC installer on MacOS to do all the tasks necessary to make OpenSC functional on the Mac, rather than doing some of the tasks via the installer, and leaving other tasks to the end user to be done manually using the root account?

We've been stuck for ages unable to properly roll out smartcards, as they don't work for ordinary users.

Copy link

matthewjweaver commented Apr 30, 2022

Elided by #225 ; I strongly recommend moving to FIDO2 key support everywhere.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
None yet
None yet

No branches or pull requests

3 participants