Red Hat Bugzilla – Full Text Bug Listing
|Summary:||Make ssh-add work with opensc cards when lock_login is enabled|
|Product:||[Fedora] Fedora||Reporter:||Josh Bressers <bressers>|
|Component:||openssh||Assignee:||Jan F. Chadima <jchadima>|
|Status:||CLOSED WONTFIX||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||12||CC:||jchadima, mgrepl, mjc, tmraz, tuju|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2010-12-05 01:59:17 EST||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Josh Bressers 2009-03-20 07:45:40 EDT
Updating my opensc to version 0.11.7-1.fc10.x86_64 seems to have broken my ability to do an 'ssh-add -n' and have ssh use the RSA key on my etoken. I keep seeing the below error: [opensc-tool] reader-pcsc.c:877:pcsc_detect_readers: SCardListReaders failed: 0x8010002e [opensc-tool] reader-pcsc.c:996:pcsc_detect_readers: returning with: No readers found $ opensc-tool -n [opensc-tool] reader-pcsc.c:877:pcsc_detect_readers: SCardListReaders failed: 0x8010002e [opensc-tool] reader-pcsc.c:996:pcsc_detect_readers: returning with: No readers found Using reader with a card: Aladdin eToken PRO CardOS M4 [bress@link ~]$ ssh-agent bash [bress@link ~]$ ssh-add -n [opensc-pkcs11] reader-pcsc.c:877:pcsc_detect_readers: SCardListReaders failed: 0x8010002e [opensc-pkcs11] reader-pcsc.c:996:pcsc_detect_readers: returning with: No readers found [opensc-pkcs11] reader-pcsc.c:877:pcsc_detect_readers: SCardListReaders failed: 0x8010002e [opensc-pkcs11] reader-pcsc.c:996:pcsc_detect_readers: returning with: No readers found Enter passphrase for token OpenSC Card (mykeys): SSH_AGENT_FAILURE Could not add key: OpenSC Card (mykeys):ssh Let me know if you need anything else from me. Thanks.
Comment 1 Mark J. Cox (Product Security) 2009-03-20 08:26:55 EDT
I had the same problem and suspected this is a problem with the interaction with the ssh-agent, as using ssh with -o "UseNSS...." still works perfectly with a token.
Comment 2 Tomas Mraz 2009-07-27 11:02:28 EDT
Does it still happen with opensc-0.11.8 version?
Comment 3 Mark J. Cox (Product Security) 2009-07-29 06:03:18 EDT
I get the same error with opensc-0.11.8, with ssh-agent logging: "error: Cannot find key in nss, token removed" "error: nss_get_keys failed" This is fedora 10 i386. It worked before updating to 0.11.7-1.fc10, and works if you ignore ssh-agent and use ssh -o "UseNSS yes" -o "NSSToken OpenSC Card (mysshkeys)" host directly.
Comment 4 Tomas Mraz 2009-07-29 06:23:32 EDT
To eliminate the possibility that something else caused this, could you temporarily move back to 0.11.6 and verify, that this version is OK?
Comment 5 Mark J. Cox (Product Security) 2009-07-29 07:42:02 EDT
Yes, $ ssh-add -n Enter passphrase for token OpenSC Card (ssh): SSH_AGENT_FAILURE Could not add key: OpenSC Card (ssh):ssh1 $ sudo rpm -Uvh opensc-0.11.6-1.fc10.i386.rpm --force Preparing... ########################################### [100%] 1:opensc ########################################### [100%] $ ssh-add -n Enter passphrase for token OpenSC Card (ssh): Key added: OpenSC Card (ssh):ssh1
Comment 6 Tomas Mraz 2009-07-29 10:11:23 EDT
Can you please create a debugging output from opensc by setting debug=5 and debug_file=<the-debug-log-file> in the /etc/opensc.conf?
Comment 7 Mark J. Cox (Product Security) 2009-07-31 06:25:56 EDT
I've compared the log files and found what is stopping the token working, it's this patch: svn diff src/pkcs11/slot.c -c3583 slot_get_token(): return CKR_TOKEN_NOT_PRESENT if CKF_TOKEN_PRESENT is not set. Thanks to Douglas E. Engert for the patch http://www.opensc-project.org/pipermail/opensc-devel/2008-October/011361.html So I need to dig a bit more to find out why we're not getting CKF_TOKEN_PRESENT set. EDIT: no it wasn't anything to do with this!
Comment 8 Mark J. Cox (Product Security) 2009-09-18 12:53:31 EDT
ok, so I got annoyed enough at this to do a bit of a svn binary chop to find out when the etoken stopped working. It worked with svn r3603 and stopped with svn r3604. The only relevant change made was to invert the default for 'lock_login'. When no 'lock_login' is specified in the pkcs11 section of opensc.conf then with OpenSC 0.11.6 it defaulted to 'false' but with 0.11.7 it defaulted to 'true'. So to get your etoken working again with 'ssh-add -n' you just need to add 'lock_login=false' to your pkcs11 section of /etc/opensc.conf. Now the next job would be to figure out what's locking the card and why, but I might leave that for someone who understands nss!
Comment 9 Tomas Mraz 2009-09-22 12:52:01 EDT
Thanks Mark for the changeset bisect. I wonder why I did not spot this change myself. The problem is that if lock_login is enabled you cannot share the card in logged-in state between multiple processes. And that is what exactly happens with ssh-add and ssh-agent. Basically ssh-add has to release/logout the card before it calls the ssh-agent which means that the ssh-add support for NSS has to be rewritten so that it first lists the keys on the card, then it releases the card and only then adds the key names/pins to the ssh agent.
Comment 12 Jan F. Chadima 2009-09-30 03:24:20 EDT
Package was changed that the ssh-add works as expected
Comment 13 Bug Zapper 2009-11-16 04:52:22 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 14 Bug Zapper 2010-11-04 07:26:26 EDT
This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 15 Josh Bressers 2010-11-12 07:45:16 EST
This does work now. We can close this. Thanks.
Comment 16 Bug Zapper 2010-12-05 01:59:17 EST
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed.