Re: Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.

On Mon, Feb 24, 2020 at 2:29 AM Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
> I think the problem here is that the -D switch is not smartcards aware.
> PKCS#11 modules should be removed using -e switch, which works fine to
> my testing.

Aha, thanks for pointing this flag out to me. I had missed it. Indeed,
`ssh-add -e` does fix this issue for me on the latest release (though on the
release that ships with Ubuntu 19.10, "OpenSSH_8.0p1", it fails).

I realized there's a similar problem with the `-d` flag: If you delete an identity
backed by a PKCS#11 device, it will remove the identity and report success
but not remove the provider.

Is it desirable in the future to have multiple identities offered by the same
provider? For instance, multiple instances of the same smartcard reader?
If so, we would need to have some facility to keep track of already-loaded
providers and reuse them, as well as do reference counting for removed
identities. That's why I was suggesting it would be more straightforward
to never unload providers (or in other words, require a restart of ssh-agent
if the user requires that provider to be non-resident, which I think is quite rare).

FWIW, I maintain a signing library in Go that uses PKCS#11, and it uses the
approach I describe above, keeping the PKCS#11 module loaded until end
of process:
https://github.com/letsencrypt/pkcs11key/blob/master/key.go#L113.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
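The provider bookkeeping the message above argues about (share one loaded module between identities, count references, and unload only when the last identity goes away, so that `-d` and `-e` leave the agent in a state where the same module can be re-added) can be shown as a small model. This is an added example, not code from OpenSSH's ssh-agent or from the pkcs11key library; the provider path, fingerprints and the "load"/"unload" events are constructed stand-ins for dlopen/C_Initialize and C_Finalize, and no real PKCS#11 module is touched.

```go
package main

import (
	"errors"
	"fmt"
)

// Illustrative model (not ssh-agent's or pkcs11key's code) of one loaded
// module per provider path, shared by every identity it backs, with a
// reference count that unloads the module when the last identity is removed.
// "load"/"unload" stand in for C_Initialize/C_Finalize on a dlopen'd module.

type provider struct {
	path string
	refs int
}

type Registry struct {
	providers  map[string]*provider // provider path -> loaded module state
	identities map[string]string    // key fingerprint -> provider path
	Events     []string             // ordered trail of load/unload actions
}

func NewRegistry() *Registry {
	return &Registry{
		providers:  make(map[string]*provider),
		identities: make(map[string]string),
	}
}

// AddIdentity registers a key served by providerPath, loading the module only
// on first use so a second token behind the same module reuses it.
func (r *Registry) AddIdentity(providerPath, fingerprint string) error {
	if _, dup := r.identities[fingerprint]; dup {
		return errors.New("identity already loaded: " + fingerprint)
	}
	p, ok := r.providers[providerPath]
	if !ok {
		p = &provider{path: providerPath}
		r.providers[providerPath] = p
		r.Events = append(r.Events, "load "+providerPath)
	}
	p.refs++
	r.identities[fingerprint] = providerPath
	return nil
}

// RemoveIdentity is the `-d` case: drop the key and release its provider
// reference, so the module is unloaded once nothing depends on it.
func (r *Registry) RemoveIdentity(fingerprint string) error {
	path, ok := r.identities[fingerprint]
	if !ok {
		return errors.New("no such identity: " + fingerprint)
	}
	delete(r.identities, fingerprint)
	r.release(path)
	return nil
}

// RemoveProvider is the `-e` case: every identity backed by the module is
// removed, which drives the count to zero and unloads it.
func (r *Registry) RemoveProvider(providerPath string) error {
	if _, ok := r.providers[providerPath]; !ok {
		return errors.New("provider not loaded: " + providerPath)
	}
	for fp, p := range r.identities { // deleting during range is safe in Go
		if p == providerPath {
			delete(r.identities, fp)
			r.release(providerPath)
		}
	}
	return nil
}

func (r *Registry) release(providerPath string) {
	p := r.providers[providerPath]
	p.refs--
	if p.refs == 0 {
		delete(r.providers, providerPath)
		r.Events = append(r.Events, "unload "+providerPath)
	}
}

// Loaded reports whether the module is currently resident.
func (r *Registry) Loaded(providerPath string) bool {
	_, ok := r.providers[providerPath]
	return ok
}

// Refs returns how many identities hold the module (0 if it is not loaded).
func (r *Registry) Refs(providerPath string) int {
	if p, ok := r.providers[providerPath]; ok {
		return p.refs
	}
	return 0
}

func main() {
	const mod = "/usr/lib/example-pkcs11.so" // hypothetical provider path
	r := NewRegistry()
	_ = r.AddIdentity(mod, "SHA256:key-A") // constructed fingerprints
	_ = r.AddIdentity(mod, "SHA256:key-B")
	_ = r.RemoveIdentity("SHA256:key-A")      // module stays: key-B needs it
	_ = r.RemoveIdentity("SHA256:key-B")      // last reference: unloaded
	err := r.AddIdentity(mod, "SHA256:key-A") // re-add succeeds: fresh load
	fmt.Println(r.Events, r.Refs(mod), err)
}
```

The point the model makes explicit is that removing the last identity and removing the provider must converge on the same state; if either path leaves the module resident with no identities pointing at it, the next add of the same module has nothing to reuse and nothing to unload first.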


