From: Douglas E E. <dee...@gm...> - 2016-05-20 18:46:26

The problem may be that ssh-add has access to the environment variables, but it passes the name of the library /usr/lib64/pkcs11-spy.so to the ssh-agent, which then loads the library. pkcs11-spy.so then needs to open the log and load the real PKCS#11 library, so ssh-agent needs access to:

export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log

It could also be that a full path to the logfile is needed, in a writable directory, like /tmp/pkcs11-spy.$$.log, to get one log per process.

On 5/20/2016 11:02 AM, Matthew Gyurgyik wrote:
> On 16-05-20 07:09:16, Douglas E Engert wrote:
>>
>> On 5/19/2016 7:18 PM, Gyurgyik, Matthew S. wrote:
>>> Hello.
>>>
>>> First, let me say I'm new to smart cards and I haven't been able to find much documentation on how they work. I'm looking for some education; if there is a better place to post this question, please let me know.
>>>
>>> I can add keys provided by my smart card to ssh-agent with
>>>
>>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>>>
>>> However, if I remove the card from the reader and then reinsert it, I have to re-add the keys
>>>
>>> $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
>>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so
>>>
>>> This happens on both OS X and RHEL7. I am assuming this is expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them?
>>>
>>
>> You could ask on the OpenSSH list.
>>
>> I would suspect that the code is simple and only looks for a card when ssh-add is first called, and the code does not know how to look for a reinsertion of the card.
>>
>> To see what it is doing, you could use the OpenSC SPY trace. See the ssh-add example in:
>>
>> https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
>>
>
> I tried those instructions but I can't get PKCS11SPY to work.
>
> ~ $ PKCS11SPY=/usr/lib64/opensc-pkcs11.so PKCS11SPY_OUTPUT=logfile ssh-add -s /usr/lib64/pkcs11-spy.so
> Enter passphrase for PKCS#11:
> SSH_AGENT_FAILURE
> Could not add card: /usr/lib64/pkcs11-spy.so
>
> However this works just fine
>
> ~ $ ssh-add -s /usr/lib64/opensc-pkcs11.so
> Enter passphrase for PKCS#11:
> Card added: /usr/lib64/opensc-pkcs11.so
>
> I tried on both RHEL and OS X.
>
> Thanks,
> Matthew

--
Douglas E. Engert <DEE...@gm...>
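The point made above (the spy variables have to be in ssh-agent's environment, not just ssh-add's, because the agent is the process that loads pkcs11-spy.so) as an added example that is not part of the thread: a POSIX shell script that exports the variables before starting the agent, then confirms through /proc that the agent inherited them. The library paths are the ones from the thread; the helper names are my own, and the /proc check is Linux-only (OS X has no /proc).

```shell
#!/bin/sh
# Added example, not from the thread: ssh-agent (not ssh-add) dlopen()s the
# spy module, so PKCS11SPY and PKCS11SPY_OUTPUT must be exported before the
# agent is started. After starting it, verify via /proc/PID/environ (Linux).

# Return 0 if a NUL-separated environ dump (e.g. /proc/PID/environ) defines
# both PKCS11SPY and PKCS11SPY_OUTPUT; 1 otherwise.
spy_vars_present() {
    environ_file="$1"
    tr '\0' '\n' < "$environ_file" | grep -q '^PKCS11SPY=' || return 1
    tr '\0' '\n' < "$environ_file" | grep -q '^PKCS11SPY_OUTPUT=' || return 1
    return 0
}

# Return 0 if the spy module, running inside the agent, could create the log:
# the path must be absolute (a relative "logfile" resolves against the agent's
# working directory, not the shell's) and its directory must be writable.
log_path_usable() {
    log_path="$1"
    case "$log_path" in
        /*) ;;
        *) return 1 ;;
    esac
    log_dir=$(dirname "$log_path")
    [ -d "$log_dir" ] && [ -w "$log_dir" ]
}

# Start an agent that inherits the spy settings, then add the card through
# the spy module. One log per agent process via $$ in the file name.
start_spy_agent() {
    export PKCS11SPY=/usr/lib64/opensc-pkcs11.so
    export PKCS11SPY_OUTPUT="/tmp/pkcs11-spy.$$.log"
    log_path_usable "$PKCS11SPY_OUTPUT" || { echo "log dir not writable" >&2; return 1; }
    eval "$(ssh-agent -s)"
    if ! spy_vars_present "/proc/$SSH_AGENT_PID/environ"; then
        echo "agent did not inherit PKCS11SPY variables" >&2
        return 1
    fi
    ssh-add -s /usr/lib64/pkcs11-spy.so
    echo "spy trace: $PKCS11SPY_OUTPUT"
}
```

Source the script in an interactive shell and call start_spy_agent; the SSH_AUTH_SOCK it exports then applies to later ssh-add and ssh invocations in that shell.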