
yubico-piv-tool directory structure is incompatible with ssh-add -s under OSX 10.12 #16385

Closed
paul-pearce opened this issue Aug 4, 2017 · 13 comments

Comments

@paul-pearce

paul-pearce commented Aug 4, 2017

  • "Please always follow these steps"

Steps followed, but the issue is not a formula error. The formula installs correctly.

  • What I'm trying to do:

Use the PKCS11 library provided by yubico-piv-tool to perform:

ssh-add -s /usr/local/lib/libykcs11.dylib

(Perform PKCS#11 operations with a YubiKey device.)

  • What happened (only under OSX 10.12):

Could not add card "/usr/local/lib/libykcs11.dylib": agent refused operation

  • What I expect to happen:

Card added: /usr/local/lib/libykcs11.dylib

  • Recreation:

brew install yubico-piv-tool
# insert yubikey
ssh-add -s /usr/local/lib/libykcs11.dylib

Please see the issue filed here with yubico-piv-tool: Yubico/yubico-piv-tool#118

The core issue is the directory structure of this formula under 10.12, which symlinks:

/usr/local/lib/libykcs11.dylib -> ../Cellar/yubico-piv-tool/1.4.0/lib/libykcs11.dylib

This violates the OSX 10.12 ssh-agent PKCS_WHITELIST (see man ssh-agent). This whitelist only allows PKCS libraries from within /usr/local/lib and /usr/lib/, and does not allow symlinks.

The fix would be for the formula to copy the library into /usr/local/lib instead of symlinking it. Is that possible? (My brew knowledge is low.)

@ilovezfs (Contributor)

ilovezfs commented Aug 4, 2017

> The fix would be for the formula to copy the library into /usr/local/lib instead of symlinking it. Is that possible? (My brew knowledge is low.)

Not without significant hacking.

     -P pkcs11_whitelist
             Specify a pattern-list of acceptable paths for PKCS#11 shared libraries that may be added using the -s option to ssh-add(1).  The default is to allow loading
             PKCS#11 libraries from ``/usr/lib/*,/usr/local/lib/*''.  PKCS#11 libraries that do not match the whitelist will be refused.  See PATTERNS in ssh_config(5) for a
             description of pattern-list syntax.

This sounds like your best bet.
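As an added illustration (not code from this thread, Homebrew or OpenSSH), the script below emulates the whitelist check quoted from man ssh-agent above and the symlink problem described in the opening post: it resolves the library path through its symlinks and then matches the resolved path against a comma-separated pattern list. The assumption, taken from the thread's description of 10.12 behaviour, is that the agent matches the resolved (symlink-free) path rather than the path as typed; the default pattern list is the one from the man page excerpt.

```sh
#!/bin/sh
# Added example: emulate ssh-agent's pkcs11_whitelist check on a library path.
# Assumption (from the thread): the resolved, symlink-free path is what gets matched.

# Resolve symlinks in a path without `readlink -f` (not available on older macOS).
resolve_path() {
    p=$1
    n=0
    while [ -h "$p" ] && [ "$n" -lt 32 ]; do
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;                       # absolute link target
            *)  p=$(dirname "$p")/$t ;;       # relative target, like ../Cellar/...
        esac
        n=$((n + 1))
    done
    # Canonicalise the directory part (collapses "..") and keep the basename.
    d=$(cd "$(dirname "$p")" 2>/dev/null && pwd -P) || return 1
    printf '%s/%s\n' "$d" "$(basename "$p")"
}

# pkcs11_allowed LIB [PATTERNLIST]: 0 if the resolved path matches a pattern, else 1.
# PATTERNLIST is comma-separated, like ssh-agent's default "/usr/lib/*,/usr/local/lib/*".
pkcs11_allowed() {
    lib=$1
    patterns=${2:-/usr/lib/*,/usr/local/lib/*}
    real=$(resolve_path "$lib") || return 1
    set -f                  # no filename globbing while splitting the pattern list
    oldifs=$IFS; IFS=,
    for pat in $patterns; do
        case $real in
            $pat) IFS=$oldifs; set +f; return 0 ;;   # pattern match, as in PATTERNS(ssh_config)
        esac
    done
    IFS=$oldifs; set +f
    return 1
}

# Report for the library path from this issue (constructed demo call).
lib=/usr/local/lib/libykcs11.dylib
if pkcs11_allowed "$lib"; then
    echo "ssh-add -s would accept: $lib"
else
    echo "ssh-add -s would refuse: $lib (resolves outside the whitelist or is missing)"
fi
```

Running it with a temporary tree that mirrors the Homebrew layout (a symlink in usr/local/lib pointing into usr/local/Cellar) shows the refusal, while a copied file in usr/local/lib passes.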

@paul-pearce (Author)

@ilovezfs, near as I can tell ssh-agent on 10.12, despite claiming to accept -P (man and -h), does not allow you to specify that argument. It always comes back with illegal option. (And 10.12 protects the existing ssh-agent install and invocation, meaning you can't simply replace the existing agent with a fixed version or updated arguments, you'd have to run a 2nd copy of agent.)

This is reported in other threads (such as OpenSC/OpenSC#1008).

As of now, the only solution I can find involves copying the library into one of the two pre-defined paths.

Is executing a post-install bash script not something brew can easily do?

@stale stale bot added the stale No recent activity label Aug 25, 2017
@stale

stale bot commented Aug 25, 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@paul-pearce (Author)

This is still an issue. I replied with further info and am hoping for a response.

@stale stale bot closed this as completed Sep 1, 2017
@paul-pearce (Author)

What? I clearly added activity? Does your stalebot only consider owner activity as activity? @ilovezfs

@ilovezfs ilovezfs reopened this Sep 28, 2017
@stale stale bot removed the stale No recent activity label Sep 28, 2017
@stale

stale bot commented Oct 19, 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale No recent activity label Oct 19, 2017
@paul-pearce (Author)

:( Any progress?

@stale stale bot removed the stale No recent activity label Oct 19, 2017
@stale

stale bot commented Nov 9, 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale No recent activity label Nov 9, 2017
@paul-pearce (Author)

My last attempt at reviving this. @ilovezfs?

@stale stale bot removed the stale No recent activity label Nov 9, 2017
@grantho

grantho commented Nov 15, 2017

I am also experiencing this as an issue. Is there a plan to resolve it?

@stale

stale bot commented Dec 6, 2017

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs.

@stale stale bot added the stale No recent activity label Dec 6, 2017
@stale stale bot closed this as completed Dec 14, 2017
@ilovezfs ilovezfs reopened this Dec 14, 2017
@stale stale bot removed the stale No recent activity label Dec 14, 2017
@JCount (Contributor)

JCount commented Dec 15, 2017

If you are using the system install of OpenSSH this might be pertinent: Technical Note TN2449, OpenSSH updates in macOS 10.12.2

@ilovezfs (Contributor)

@paul-pearce also you may want to try it with brew's openssh and see if you get a different outcome.

@Homebrew Homebrew locked and limited conversation to collaborators May 4, 2018