Bug 2620 - Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
Summary: Option AddKeysToAgent doesn't work with keys provided by PKCS11 libraries.
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh-agent
Version: 7.3p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
URL:
Keywords: pkcs11
Depends on:
Blocks:
 
Reported: 2016-10-04 01:17 AEDT by Roman Valov
Modified: 2021-04-23 15:09 AEST
Description Roman Valov 2016-10-04 01:17:37 AEDT
I would like to set up my ssh connection encryption using a smart card with a PKCS#11 interface provided by a shared library. In the trivial scenario I'm able to add this key to the agent using ssh-add:

  reddot@docorp:~$ ssh-add -s /usr/lib/libeTPkcs11.so
  Enter passphrase for PKCS#11: 
  Card added: /usr/lib/libeTPkcs11.so
  
Now I would like to automate this process so that I am asked for the card PIN only once, on first key access, thus I would like to use the option AddKeysToAgent available in the config. However it seems this option doesn't work with PKCS#11 keys. Could it be fixed?

There's one more annoying issue: if a PKCS#11 key has already been loaded into the agent, it isn't considered when ssh's PKCS11Provider option is set, and I've got to enter the card PIN again:

  reddot@docorp:~$ ssh-add -l
  2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)
  2048 SHA256:........................................... /usr/lib/libeTPkcs11.so (RSA)

  reddot@docorp:~$ ssh valov.avp.ru
  Welcome to Ubuntu 16.04.1 LTS (GNU/Linux 4.4.0-38-generic x86_64)
  ...


  reddot@docorp:~$ ssh valov.avp.ru -I/usr/lib/libeTPkcs11.so
  Enter PIN for 'Roman Valov': 
  ...

Have to enter my card PIN again even though its key is available via the agent.
Comment 1 Jakub Jelen 2018-02-23 01:35:40 AEDT
The second issue is probably resolved at this moment (or at least I cannot reproduce it with current OpenSSH and OpenSC) and bug #2635 talks about different behavior. Can you try with current OpenSSH, if it is still an issue for you? Can you provide the debug logs from OpenSSH?

The first thing would be nice to have. Passing the pkcs11-provider from ssh process to ssh-agent should not be too complicated to write. But there might be some more logic required to figure out the card removal from the agent, once the card is removed from reader and the login state becomes invalid.

I will try to have a look into that in coming weeks.
Comment 2 Damien Miller 2019-01-22 13:05:04 AEDT
I don't think we want to make AddKeysToAgent automate adding PKCS#11 tokens - there are too many side effects compared to the intended use-case of adding regular keys.
Comment 3 Damien Miller 2021-04-23 15:09:18 AEST
closing resolved bugs as of 8.6p1 release
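Since the request was closed WONTFIX, the practical route for the first issue is a login-time or wrapper script that emulates AddKeysToAgent for a provider: compare the token's public keys with what the agent already holds and call ssh-add -s only when a key is missing, so the PIN is prompted at most once per session. This is an added example, not code from the bug report or from OpenSSH; it assumes ssh-add -L and ssh-keygen -D are available and uses the provider path from the report only as a sample comment.

```shell
#!/bin/sh
# Added example (not from the bug report or OpenSSH): emulate AddKeysToAgent
# for a PKCS#11 provider by adding it to ssh-agent only when one of its keys
# is not already loaded, so the card PIN is prompted at most once per session.
# Keys are compared by the base64 blob (field 2 of an OpenSSH public key line).

# Extract the key blobs (second field) from a list of OpenSSH public key lines.
key_blobs() {
    printf '%s\n' "$1" | awk 'NF >= 2 { print $2 }'
}

# needs_provider AGENT_LISTING TOKEN_LISTING
# Prints "yes" if some token key is absent from the agent, "no" if all are
# present, "empty" if the token listing contains no keys.
needs_provider() {
    token_blobs=$(key_blobs "$2")
    [ -n "$token_blobs" ] || { printf 'empty\n'; return 0; }
    agent_blobs=$(key_blobs "$1")
    for blob in $token_blobs; do
        if ! printf '%s\n' "$agent_blobs" | grep -qxF -- "$blob"; then
            printf 'yes\n'
            return 0
        fi
    done
    printf 'no\n'
}

# ensure_provider LIB: load the provider into the running agent only if needed.
# Run from a login script or an ssh wrapper instead of relying on AddKeysToAgent.
ensure_provider() {
    lib=$1
    agent_keys=$(ssh-add -L 2>/dev/null)                  # agent's current public keys
    if ! token_keys=$(ssh-keygen -D "$lib" 2>/dev/null); then   # public keys on the token
        echo "cannot read public keys from $lib" >&2; return 1
    fi
    case $(needs_provider "$agent_keys" "$token_keys") in
        yes)   ssh-add -s "$lib" ;;                       # prompts for the PIN once
        no)    : ;;                                       # already loaded: no prompt
        empty) echo "no keys found on token $lib" >&2; return 1 ;;
    esac
}

# Constructed sample listings (placeholder blobs, not real keys) for a
# stand-alone run; the real inputs come from ssh-add -L and ssh-keygen -D.
SAMPLE_AGENT='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder1 /usr/lib/libeTPkcs11.so
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder2 /usr/lib/libeTPkcs11.so'
SAMPLE_TOKEN='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder1 token key 1
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCplaceholder3 token key 3'
needs_provider "$SAMPLE_AGENT" "$SAMPLE_TOKEN"   # prints "yes" (key 3 is missing)
```

Whether ssh-keygen -D can read the public objects without a login depends on the token; on a token that hides them until login it will prompt for the PIN itself, which is an assumption to check for the specific provider rather than something this script handles.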