Bug 491312
| Summary: | Make ssh-add work with opensc cards when lock_login is enabled | ||
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Josh Bressers <bressers> |
| Component: | openssh | Assignee: | Jan F. Chadima <jchadima> |
| Status: | CLOSED WONTFIX | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | medium | Docs Contact: | |
| Priority: | low | ||
| Version: | 12 | CC: | jchadima, mgrepl, mjc, tmraz, tuju |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | Bug Fix | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2010-12-05 06:59:17 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Josh Bressers
2009-03-20 11:45:40 UTC
I had the same problem and suspected this is a problem with the interaction with the ssh-agent, as using ssh with -o "UseNSS...." still works perfectly with a token. Does it still happen with opensc-0.11.8 version? I get the same error with opensc-0.11.8, with ssh-agent logging:
"error: Cannot find key in nss, token removed"
"error: nss_get_keys failed"
This is fedora 10 i386. It worked before updating to 0.11.7-1.fc10, and
works if you ignore ssh-agent and use
ssh -o "UseNSS yes" -o "NSSToken OpenSC Card (mysshkeys)" host
directly.
To eliminate the possibility that something else caused this, could you temporarily move back to 0.11.6 and verify, that this version is OK? Yes, $ ssh-add -n Enter passphrase for token OpenSC Card (ssh): SSH_AGENT_FAILURE Could not add key: OpenSC Card (ssh):ssh1 $ sudo rpm -Uvh opensc-0.11.6-1.fc10.i386.rpm --force Preparing... ########################################### [100%] 1:opensc ########################################### [100%] $ ssh-add -n Enter passphrase for token OpenSC Card (ssh): Key added: OpenSC Card (ssh):ssh1 Can you please create a debugging output from opensc by setting debug=5 and debug_file=<the-debug-log-file> in the /etc/opensc.conf? I've compared the log files and found what is stopping the token working, it's this patch: svn diff src/pkcs11/slot.c -c3583 slot_get_token(): return CKR_TOKEN_NOT_PRESENT if CKF_TOKEN_PRESENT is not set. Thanks to Douglas E. Engert for the patch http://www.opensc-project.org/pipermail/opensc-devel/2008-October/011361.html So I need to dig a bit more to find out why we're not getting CKF_TOKEN_PRESENT set. EDIT: no it wasn't anything to do with this! ok, so I got annoyed enough at this to do a bit of a svn binary chop to find out when the etoken stopped working. It worked with svn r3603 and stopped with svn r3604. The only relevant change made was to invert the default for 'lock_login'. When no 'lock_login' is specified in the pkcs11 section of opensc.conf then with OpenSC 0.11.6 it defaulted to 'false' but with 0.11.7 it defaulted to 'true'. So to get your etoken working again with 'ssh-add -n' you just need to add 'lock_login=false' to your pkcs11 section of /etc/opensc.conf. Now the next job would be to figure out what's locking the card and why, but I might leave that for someone who understands nss! Thanks Mark for the changeset bisect. I wonder why I did not spot this change myself. The problem is that if lock_login is enabled you cannot share the card in logged-in state between multiple processes. And that is what exactly happens with ssh-add and ssh-agent. Basically ssh-add has to release/logout the card before it calls the ssh-agent which means that the ssh-add support for NSS has to be rewritten so that it first lists the keys on the card, then it releases the card and only then adds the key names/pins to the ssh agent. Package was changed that the ssh-add works as expected This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle. Changing version to '12'. More information and reason for this action is here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping This message is a reminder that Fedora 12 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 12. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '12'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 12's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 12 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping This does work now. We can close this. Thanks. Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. |