As a side note, OpenSC is looking at issues with using tokens vs separate readers and smart cards. The code paths in PKCS#11 differ. Removing a card from a reader leaves the pkcs#11 slot still available. Removing a token (Yubikey) removes both the reader and and its builtin smart card. Firefox has a similar problem. See https://github.com/OpenSC/OpenSC/pull/1947 and #1945, #1935 and #1908 https://bugzilla.mozilla.org/show_bug.cgi?id=1613632 #1947 may be withdrawn and replaced with a different approach. On 2/21/2020 9:53 PM, Jacob Hoffman-Andrews wrote:
Hi all, Thanks for all your hard work! I was particularly excited to see FIDO/U2F support in the latest release. I'd like to make the following bug report in ssh-agent's PKCS#11 support: Steps to reproduce: 1. Configure a smart card (e.g. Yubikey in PIV mode) as an SSH key. 2. Add that key to ssh-agent. 3. Remove that key from ssh-agent. 4. Add that key to ssh-agent. Expected results: Key is successfully added to ssh-agent. Actual results: ssh-add fails with "agent refused operation". I've looked at the code, and it appears that register_pkcs11_provider (https://github.com/openssh/openssh-portable/blob/master/ssh-pkcs11.c#L1470) fails if a PKCS#11 provider already exists. However, PKCS#11 providers are never unloaded. There is a pkcs11_del_provider but it is never called. That means that after deleting a key, there is no way to re-add it. Also, since removing a USB smartcard reader results in ssh-agent losing its session, the user must call ssh-add again after reinserting the USB card reader, and that second ssh-add will fail in the same way. I think the best fix here is to treat "provider already exists" as a non-error. There is no need to unload providers when they become unused because they don't use very much memory, and because it is uncommon to have more than one provider on any given system. Also, a user is likely to reuse a provider they have previously used. If a maintainer can confirm that this is an acceptable fix, I may be able to write a patch. Environments reproduced on: Ubuntu 19.10, Fedora Version of OpenSSH: git commit b2491c28, latest at time of writing. Example output demonstrating the problem (with a Yubikey in PIV mode inserted): $ SSH_AUTH_SOCK=/tmp/ssh-dhfNCpXwSk8B/agent.21022; export SSH_AUTH_SOCK; $ ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so Enter passphrase for PKCS#11: Could not add card "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so": agent refused operation $ SSH_AUTH_SOCK=/tmp/ssh-RORElJeiiHBc/agent.21116; export SSH_AUTH_SOCK; $ ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so Enter passphrase for PKCS#11: Card added: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so $ ssh-add -D All identities removed. $ ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so Enter passphrase for PKCS#11: Could not add card "/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so": agent refused operation In a separate terminal: $ ./ssh-agent -d SSH_AUTH_SOCK=/tmp/ssh-RORElJeiiHBc/agent.21116; export SSH_AUTH_SOCK; echo Agent pid 21116; debug2: fd 3 setting O_NONBLOCK debug2: fd 4 setting O_NONBLOCK debug1: process_message: socket 1 (fd=4) type 20 debug1: process_add_smartcard_key: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so debug1: pkcs11_start_helper: starting /usr/local/libexec/ssh-pkcs11-helper -vvv debug1: process_add debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.19 debug1: provider /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so slot 0: label <SSH key> manufacturerID <piv_II> model <PKCS#15 emulate> serial <00000000> flags 0x40d debug1: have 1 keys debug1: pkcs11_k11_free: parent 0x5598092d2f30 ptr 0x5598092d2b10 idx 1 debug1: pkcs11_provider_unref: 0x559809258df0 refcount 2 debug2: fd 4 setting O_NONBLOCK debug1: process_message: socket 1 (fd=4) type 19 debug1: process_message: socket 1 (fd=4) type 9 debug2: fd 4 setting O_NONBLOCK debug1: process_message: socket 1 (fd=4) type 20 debug1: process_add_smartcard_key: add /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so debug1: process_add debug1: check 0x559809258df0 /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so debug1: pkcs11_register_provider: provider already registered: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
-- Douglas E. Engert <DEEngert@xxxxxxxxx> _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev