Bug 491312 - Make ssh-add work with opensc cards when lock_login is enabled
Make ssh-add work with opensc cards when lock_login is enabled
Status: CLOSED WONTFIX
Product: Fedora
Classification: Fedora
Component: openssh (Show other bugs)
12
All Linux
low Severity medium
: ---
: ---
Assigned To: Jan F. Chadima
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2009-03-20 07:45 EDT by Josh Bressers
Modified: 2010-12-05 01:59 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2010-12-05 01:59:17 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Josh Bressers 2009-03-20 07:45:40 EDT
Updating my opensc to version 0.11.7-1.fc10.x86_64 seems to have broken my ability to do an 'ssh-add -n' and have ssh use the RSA key on my etoken.

I keep seeing the below error:

[opensc-tool] reader-pcsc.c:877:pcsc_detect_readers: SCardListReaders failed: 0x8010002e
[opensc-tool] reader-pcsc.c:996:pcsc_detect_readers: returning with: No readers found



$ opensc-tool -n
[opensc-tool] reader-pcsc.c:877:pcsc_detect_readers: SCardListReaders failed: 0x8010002e
[opensc-tool] reader-pcsc.c:996:pcsc_detect_readers: returning with: No readers found
Using reader with a card: Aladdin eToken PRO
CardOS M4


[bress@link ~]$ ssh-agent bash
[bress@link ~]$ ssh-add -n
[opensc-pkcs11] reader-pcsc.c:877:pcsc_detect_readers: SCardListReaders failed: 0x8010002e
[opensc-pkcs11] reader-pcsc.c:996:pcsc_detect_readers: returning with: No readers found
[opensc-pkcs11] reader-pcsc.c:877:pcsc_detect_readers: SCardListReaders failed: 0x8010002e
[opensc-pkcs11] reader-pcsc.c:996:pcsc_detect_readers: returning with: No readers found
Enter passphrase for token OpenSC Card (mykeys): 
SSH_AGENT_FAILURE
Could not add key: OpenSC Card (mykeys):ssh


Let me know if you need anything else from me.

Thanks.
Comment 1 Mark J. Cox (Product Security) 2009-03-20 08:26:55 EDT
I had the same problem and suspected this is a problem with the interaction with the ssh-agent, as using ssh with -o "UseNSS...." still works perfectly with a token.
Comment 2 Tomas Mraz 2009-07-27 11:02:28 EDT
Does it still happen with opensc-0.11.8 version?
Comment 3 Mark J. Cox (Product Security) 2009-07-29 06:03:18 EDT
I get the same error with opensc-0.11.8, with ssh-agent logging:

"error: Cannot find key in nss, token removed"
"error: nss_get_keys failed"

This is fedora 10 i386.  It worked before updating to 0.11.7-1.fc10, and
works if you ignore ssh-agent and use 
    ssh -o "UseNSS yes" -o "NSSToken OpenSC Card (mysshkeys)" host
directly.
Comment 4 Tomas Mraz 2009-07-29 06:23:32 EDT
To eliminate the possibility that something else caused this, could you temporarily move back to 0.11.6 and verify, that this version is OK?
Comment 5 Mark J. Cox (Product Security) 2009-07-29 07:42:02 EDT
Yes, 

$ ssh-add -n
Enter passphrase for token OpenSC Card (ssh): 
SSH_AGENT_FAILURE
Could not add key: OpenSC Card (ssh):ssh1
$ sudo rpm -Uvh opensc-0.11.6-1.fc10.i386.rpm --force
Preparing...                ########################################### [100%]
   1:opensc                 ########################################### [100%]
$ ssh-add -n
Enter passphrase for token OpenSC Card (ssh): 
Key added: OpenSC Card (ssh):ssh1
Comment 6 Tomas Mraz 2009-07-29 10:11:23 EDT
Can you please create a debugging output from opensc by setting debug=5 and debug_file=<the-debug-log-file> in the /etc/opensc.conf?
Comment 7 Mark J. Cox (Product Security) 2009-07-31 06:25:56 EDT
I've compared the log files and found what is stopping the token working, it's this patch:

svn diff src/pkcs11/slot.c  -c3583

slot_get_token(): return CKR_TOKEN_NOT_PRESENT if CKF_TOKEN_PRESENT is
not set.

Thanks to Douglas E. Engert for the patch
http://www.opensc-project.org/pipermail/opensc-devel/2008-October/011361.html

So I need to dig a bit more to find out why we're not getting CKF_TOKEN_PRESENT set.

EDIT: no it wasn't anything to do with this!
Comment 8 Mark J. Cox (Product Security) 2009-09-18 12:53:31 EDT
ok, so I got annoyed enough at this to do a bit of a svn binary chop to find out when the etoken stopped working.  It worked with svn r3603 and stopped with svn r3604.  The only relevant change made was to invert the default for 'lock_login'.  

When no 'lock_login' is specified in the pkcs11 section of opensc.conf then with OpenSC 0.11.6 it defaulted to 'false' but with 0.11.7 it defaulted to 'true'.

So to get your etoken working again with 'ssh-add -n' you just need to add 'lock_login=false' to your pkcs11 section of /etc/opensc.conf.

Now the next job would be to figure out what's locking the card and why, but I might leave that for someone who understands nss!
Comment 9 Tomas Mraz 2009-09-22 12:52:01 EDT
Thanks Mark for the changeset bisect. I wonder why I did not spot this change myself.

The problem is that if lock_login is enabled you cannot share the card in logged-in state between multiple processes. And that is what exactly happens with ssh-add and ssh-agent. Basically ssh-add has to release/logout the card before it calls the ssh-agent which means that the ssh-add support for NSS has to be rewritten so that it first lists the keys on the card, then it releases the card and only then adds the key names/pins to the ssh agent.
Comment 12 Jan F. Chadima 2009-09-30 03:24:20 EDT
Package was changed that the ssh-add works as expected
Comment 13 Bug Zapper 2009-11-16 04:52:22 EST
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 14 Bug Zapper 2010-11-04 07:26:26 EDT
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 15 Josh Bressers 2010-11-12 07:45:16 EST
This does work now. We can close this. Thanks.
Comment 16 Bug Zapper 2010-12-05 01:59:17 EST
Fedora 12 changed to end-of-life (EOL) status on 2010-12-02. Fedora 12 is 
no longer maintained, which means that it will not receive any further 
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of 
Fedora please feel free to reopen this bug against that version.

Thank you for reporting this bug and we are sorry it could not be fixed.

Note You need to log in before you can comment on or make changes to this bug.