Two problems with OpenSSH

My platform: macOS Sierra 10.12.1, Xcode-8.0.0, Macports-2.3.4, Macports-installed OpenSSH_7.3p1.

First problem: OpenSSH seems to ignore PKCS11Provider configuration variable in ~/.ssh/config file (and in the system/global config files as well). It acts as if it hasn’t been set:

$ ssh -V
OpenSSH_7.3p1, OpenSSL 1.0.2j  26 Sep 2016
$ ssh-keygen -D pkcs11 -e
dlopen pkcs11 failed: dlopen(pkcs11, 2): no suitable image found.  Did find:
	/opt/local/lib/pkcs11: not a file
	/Library/OpenSC/lib/pkcs11: not a file
cannot read public key from pkcs11
$ ssh-keygen -D /Library/OpenSC/lib/opensc-pkcs11.so -e

ssh-rsa AAAAB3NzaC1yc2EA . . . . .

$ ssh -I pkcs11 github.com
dlopen pkcs11 failed: dlopen(pkcs11, 2): no suitable image found.  Did find:
	/opt/local/lib/pkcs11: not a file
	/Library/OpenSC/lib/pkcs11: not a file
Permission denied (publickey).
$ ssh -I /Library/OpenSC/lib/opensc-pkcs11.so github.com
Enter PIN for 'PIV Card Holder pin (PIV_II)': 
PTY allocation request failed on channel 0
Hi xxxxxx! You've successfully authenticated, but GitHub does not provide shell access.
Connection to github.com closed.
$ fgrep PKCS11 ~/.ssh/config
PKCS11Provider /Library/OpenSC/lib/opensc-pkcs11.dylib
$

I’d appreciate some guidance on use of PKCS11Provider config parameter (if I’m doing something wrong with it), or fixing the bug of ignoring it (if my attempts to use it were correct).


Second problem: the build seems to require at runtime not only exactly the same version, but exactly the same build of OpenSSL. This means that if I make any update or bug fix to OpenSSL that does not affect the interface at all, I still have to re-install OpenSSH. It would be great if OpenSSH could limit its OpenSSL runtime validation to at least the exact version (say, 1.0.2-stable). It really is both inconvenient and unnecessary to have to rebuild OpenSSH every time.

Thank you!

Since I'm not a subscriber to this list (I don't have much to contribute), please copy the replies to my email. Thanks again!
--
Uri Blumenthal
uri@xxxxxxx

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
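Before treating this as a client bug, a practitioner would check which value ssh actually obtains for PKCS11Provider for the host in question, because ssh_config keeps the first value it obtains for a keyword and the report above mixes a .dylib path in the config with a .so path on the command line. The following added example (not part of the original mail or of OpenSSH) resolves that value from ssh_config text for a given host and classifies the two failure modes visible in the session: a bare module name that dlopen() has to search for, and a path that is not a file. The sample config and all function names are constructed assumptions.

```python
import fnmatch
import os
import re
from typing import Optional
# Constructed sample in the style of the poster's ~/.ssh/config (not taken from the mail).
SAMPLE_CONFIG = """\
# host-specific block first: ssh keeps the FIRST value it obtains for a keyword
Host github.com
    PKCS11Provider /Library/OpenSC/lib/opensc-pkcs11.dylib
Host *
    PKCS11Provider=/opt/local/lib/opensc-pkcs11.so
"""
_LINE = re.compile(r"^(\w+)\s*(?:=|\s)\s*(.*?)\s*$")  # "Key value" or "Key=value"

def _host_matches(patterns: str, host: str) -> bool:
    # ssh_config Host semantics: some positive glob matches and no '!' glob matches
    hit = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(host, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(host, pat):
            hit = True
    return hit

def effective_pkcs11_provider(config_text: str, host: str) -> Optional[str]:
    """Return the PKCS11Provider ssh would obtain for `host`, or None. Lines before
    the first Host block apply to every host; Match blocks are not handled (assumed absent)."""
    active = True
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and surrounding whitespace
        m = _LINE.match(line) if line else None
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)  # keywords are case-insensitive
        if key == "host":
            active = _host_matches(value, host)
        elif key == "pkcs11provider" and active:
            return value  # first obtained value wins; later blocks cannot override it
    return None

def diagnose_provider(path: Optional[str]) -> str:
    """Classify a provider value by how it would fail before any PKCS#11 call is made."""
    if path is None:
        return "unset: ssh will offer no PKCS#11 keys"
    if "/" not in path:
        return "bare name: dlopen() must search the library path, as with 'pkcs11' above"
    if not os.path.isfile(path):
        return "not a file: " + path
    return "ok: " + path
```

With a real client, `ssh -G github.com | grep -i pkcs11provider` prints the same resolved value directly from the OpenSSH configuration parser.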