On Mon, 2020-02-24 at 12:41 -0800, Jacob Hoffman-Andrews wrote:
> On Mon, Feb 24, 2020 at 2:29 AM Jakub Jelen <jjelen@xxxxxxxxxx> wrote:
> > I think the problem here is that the -D switch is not smartcard aware.
> > PKCS#11 modules should be removed using the -e switch, which works fine
> > in my testing.
>
> Aha, thanks for pointing this flag out to me. I had missed it. Indeed,
> `ssh-add -e` does fix this issue for me on the latest release (though on the
> release that ships with Ubuntu 19.10, "OpenSSH_8.0p1", it fails).
>
> I realized there's a similar problem with the `-d` flag: if you delete an
> identity backed by a PKCS#11 device, it will remove the identity and report
> success but not remove the provider.

Thank you for pointing that out. It is certainly something that should be
fixed. Can you open a new bug so it will not get lost:

https://bugzilla.mindrot.org/

Hopefully I will be able to look into it in the coming weeks.

> Is it desirable in the future to have multiple identities offered by the same
> provider? For instance, multiple instances of the same smartcard reader?
> If so, we would need to have some facility to keep track of already-loaded
> providers and reuse them, as well as do reference counting for removed
> identities. That's why I was suggesting it would be more straightforward
> to never unload providers (or in other words, require a restart of ssh-agent
> if the user requires that provider to be non-resident, which I think is
> quite rare).
>
> FWIW, I maintain a signing library in Go that uses PKCS#11, and it uses the
> approach I describe above, keeping the PKCS#11 module loaded until the end
> of the process:
> https://github.com/letsencrypt/pkcs11key/blob/master/key.go#L113.

Never unloading pkcs11 modules can have unexpected results for users of, for
example, long-running ssh-agents and updates -- if you update a pkcs11 module,
you expect that if you remove it and add it back, it will load the new one.
I implemented a way of adding different keys from a single or different pkcs11
modules using PKCS #11 URIs, which is in use in Fedora:

https://github.com/Jakuje/openssh-portable/commits/jjelen-pkcs11

Regards,
--
Jakub Jelen
Senior Software Engineer
Security Technologies
Red Hat, Inc.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
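The thread above weighs two provider lifecycles for ssh-agent: never unloading a PKCS#11 module (Jacob's approach) versus tracking loaded providers and reference counting the identities they back, so that a module is unloaded once its last identity is removed and a later re-add picks up an updated module file (the behaviour Jakub expects). The following C program is an added illustration of the second design; it is neither OpenSSH's ssh-agent code nor the pkcs11key library. Loading and unloading are simulated with a counter instead of dlopen()/dlclose() so it runs offline, the "generation" number stands in for whichever version of the module file a fresh load would map, and the module path in main() is a constructed value.

```c
/* Added example (not OpenSSH code): a reference-counted registry of PKCS#11
 * providers modelling the lifecycle discussed in the thread.  Loading and
 * unloading are simulated with a counter instead of dlopen()/dlclose() so the
 * program runs offline; "generation" stands in for the module version that a
 * fresh load would pick up. */
#include <stdio.h>
#include <string.h>

#define MAX_PROVIDERS 8
#define PATH_LEN 128

struct provider {
    char path[PATH_LEN];   /* module path, e.g. an opensc-pkcs11.so */
    int refcount;          /* identities currently backed by this module */
    int generation;        /* which load of the module is resident (0 = none) */
};

static struct provider providers[MAX_PROVIDERS];
static int load_counter;   /* simulated: incremented on every (re)load */

static struct provider *find_provider(const char *path)
{
    for (int i = 0; i < MAX_PROVIDERS; i++)
        if (providers[i].generation != 0 && strcmp(providers[i].path, path) == 0)
            return &providers[i];
    return NULL;
}

/* Simulated dlopen(): claim a free slot; NULL when the table is full. */
static struct provider *load_provider(const char *path)
{
    for (int i = 0; i < MAX_PROVIDERS; i++) {
        if (providers[i].generation == 0) {
            snprintf(providers[i].path, PATH_LEN, "%s", path);
            providers[i].refcount = 0;
            providers[i].generation = ++load_counter;
            return &providers[i];
        }
    }
    return NULL;
}

/* Simulated dlclose(): forget the mapping so the next add reloads the file. */
static void unload_provider(struct provider *p)
{
    memset(p, 0, sizeof(*p));
}

/* Adding one identity from a module (what ssh-add -s does per key): reuse the
 * provider if it is already resident, otherwise load it.  Returns the
 * generation backing the identity, or 0 on failure. */
int add_identity(const char *path)
{
    struct provider *p = find_provider(path);
    if (p == NULL && (p = load_provider(path)) == NULL)
        return 0;
    p->refcount++;
    return p->generation;
}

/* Removing one identity (ssh-add -d): drop the reference and unload the
 * module once nothing else uses it.  Returns the remaining refcount, or -1
 * if no such provider is loaded. */
int remove_identity(const char *path)
{
    struct provider *p = find_provider(path);
    if (p == NULL)
        return -1;
    if (--p->refcount == 0) {
        unload_provider(p);
        return 0;
    }
    return p->refcount;
}

/* Removing the whole provider (ssh-add -e): every identity it backs goes with
 * it.  Returns the number of identities dropped, or -1 if not loaded. */
int remove_provider(const char *path)
{
    struct provider *p = find_provider(path);
    if (p == NULL)
        return -1;
    int dropped = p->refcount;
    unload_provider(p);
    return dropped;
}

int provider_is_loaded(const char *path) { return find_provider(path) != NULL; }

int main(void)
{
    const char *mod = "/usr/lib/example-pkcs11.so";   /* constructed path */
    int g1 = add_identity(mod);        /* first identity: loads generation 1 */
    add_identity(mod);                 /* second identity, same module: reused */
    printf("two identities share generation %d\n", g1);
    remove_identity(mod);              /* one left: provider stays resident */
    remove_identity(mod);              /* none left: provider unloaded */
    int g2 = add_identity(mod);        /* fresh load: the updated module file */
    printf("reload after full removal: generation %d -> %d\n", g1, g2);
    remove_provider(mod);
    return 0;
}
```

The generation jump after the last identity is removed is the point of the design: with a never-unload policy the second add would still return generation 1, which is exactly the stale-module surprise described for long-running agents.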