Bug 2620

Summary: Option AddKeysToAgent doesnt work with keys provided by PKCS11 libraries.
Product: Portable OpenSSH Reporter: Roman Valov <reddot.rocks>
Component: ssh-agentAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: enhancement CC: djm, jjelen, reddot.rocks
Priority: P5 Keywords: pkcs11
Version: 7.3p1   
Hardware: Other   
OS: Linux   

Description Roman Valov 2016-10-04 01:17:37 AEDT 
I would like to setup my ssh connection encryption using smart card with PKCS#11 interface provided by shared library. In trivial scenario I'm able to add this key to agent using ssh-add:

  reddot@docorp:~$ ssh-add -s /usr/lib/libeTPkcs11.so
  Enter passphrase for PKCS#11: 
  Card added: /usr/lib/libeTPkcs11.so
  
Now I would like to automate this process to be asked to card PIN only once on first key access, thus I would like to use option AddKeysToAgent available in the config. However it seems this option doesn't work with PKCS#11 keys. Could it be fixed.

There's one more annoying issue: if PKCS#11 key has been already loaded into agent it isn't considered if ssh uses PKCS11Provider option is set and I've got to enter card PIN again:

  reddot@docorp:~$ ssh-add -l
  2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)
  2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)

  reddot@docorp:~$ ssh valov.avp.ru
  Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
  ...


  reddot@docorp:~$ ssh valov.avp.ru -I/usr/lib/libeTPkcs11.so
  Enter PIN for 'Roman Valov': 
  ...

  Have to enter my card PIN again despite it's key is available via agent.
Comment 1 Jakub Jelen 2018-02-23 01:35:40 AEDT 
The second issue is probably resolved at this moment (or at least I can not reproduce it with current OpenSSH and OpenSC) and the bug #2635 talks about different behavior. Can you try with current OpenSSH, if it is still an issue for you? Can you provide the debug logs from OpenSSH?

The first thing would be nice to have. Passing the pkcs11-provider from ssh process to ssh-agent should not be too complicated to write. But there might be some more logic required to figure out the card removal from the agent, once the card is removed from reader and the login state becomes invalid.

I will try to have a look into that in coming weeks.
Comment 2 Damien Miller 2019-01-22 13:05:04 AEDT 
I don't think we want to make AddKeysToAgent automate adding PKCS#11 tokens - there are too many side effects compared to the intended use-case of adding regular keys.
Comment 3 Damien Miller 2021-04-23 15:09:18 AEST 
closing resolved bugs as of 8.6p1 release