Re: Re-adding PKCS#11 key in ssh-agent produces "agent refused operation" error.

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Mon, 2020-02-24 at 12:41 -0800, Jacob Hoffman-Andrews wrote:
> On Mon, Feb 24, 2020 at 2:29 AM Jakub Jelen <jjelen@xxxxxxxxxx>
> wrote:
> > I think the problem here is that the -D switch is not smartcards
> > aware.
> > PKCS#11 modules should be removed using -e switch, which works fine
> > to
> > my testing.
> 
> Aha, thanks for pointing this flag out to me. I had missed it.
> Indeed,
> `ssh-add -e` does fix this issue for me on the latest release (though
> on the
> release that ships with Ubuntu 19.10, "OpenSSH_8.0p1", it fails).
> 
> I realized there's a similar problem with the `-d` flag: If you
> delete
> an identity
> backed by a PKCS#11 device, it will remove the identity and report
> success
> but not remove the provider.

Thank you for pointing that. It is certainly something that should be
fixed. Can you open a new bug in so it will not get lost:

https://bugzilla.mindrot.org/

Hopefully I will be able to look in to it in coming weeks.

> Is it desirable in the future to have multiple identities offered by
> the same
> provider? For instance, multiple instances of the same smartcard
> reader?
> If so, we would need to have some facility to keep track of already-
> loaded
> providers and reuse them, as well as do reference counting for
> removed
> identities. That's why I was suggesting it would be more
> straightforward
> to never unload providers (or in other words, require a restart of
> ssh-agent
> if user requires that provider to be non-resident, which I think is
> quite rare).
> 
> FWIW, I maintain a signing library in Go that uses PKCS#11, and it
> uses the
> approach I describe above, keeping the PKCS#11 module loaded until
> end
> of process:
> https://github.com/letsencrypt/pkcs11key/blob/master/key.go#L113.

Never unloading pkcs11 modules can have unexpected results for users of
for example long running ssh-agents and updates -- if you update pkcs11
module, you expect that if you remove it and add it back, it will load
the new one.

I implemented a way of adding different keys from single or different
pkcs11 modules using PKCS #11 URIs, which is in use in Fedora:

https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11

Regards,
-- 
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux