
opensc-pkcs11 not working with ssh-agent anymore on macOS 10.12.4 #1007

Closed
bwesterb opened this issue Mar 28, 2017 · 5 comments


bwesterb commented Mar 28, 2017

Expected behaviour

I insert my yubiKey, run

ssh-add -s/opt/local/lib/opensc-pkcs11.so

enter my PIN and now can successfully use my yubiKey for ssh without typing the PIN every time. This works on macOS 10.12.3.

Actual behaviour

I just updated to macOS 10.12.4 and this stopped working with the following generic error message.

$ ssh-add -s/opt/local/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11: 
Could not add card "/opt/local/lib/opensc-pkcs11.so": agent refused operation

However, running ssh directly still works fine.

$ ssh -I/opt/local/lib/opensc-pkcs11.so user@myserver
Enter PIN for 'PIV_II (PIV Card Holder pin)':
user@myserver$

Software

  • I installed opensc via mac ports: opensc @0.16.0_0+readline
  • I use the ssh & ssh-agent that comes with macOS 10.12.4

Logs

Enabling logging (debug = 3) does not add any more output to the failing ssh-add. (However, it adds lots of data to the ssh call, but that is working as expected.)


bmah888 commented Mar 28, 2017

I've seen this as well...similar circumstances to you but with ePass2003 tokens. I tried with OpenSC installed via homebrew and with the pkg.

Thanks for posting the workaround of ssh -I.


bmah888 commented Mar 28, 2017

macOS 10.12.4 includes a new version of OpenSSH...the behavior of ssh-agent has changed such that you need to "whitelist" the location of pkcs11 libraries. See the manual page for ssh-agent and the -P option. It's not clear to me that there's anything for the OpenSC project to do about this.

@bwesterb (Author)

Indeed, by default /opt is not in the whitelist. I moved opensc-pkcs11.so under /usr/local/lib which is whitelisted. That fixed it. Thanks!

(I didn't know where the problem lay, sorry for the misreport.)

@Wesseldr

Please note for OS X:
symbolically linking the opensc-pkcs11.so lib from the /Library/OpenSC/lib/opensc-pkcs11.so location will not work. You have to either "move" it or copy it into the /usr/local/lib directory.


awesterb commented Dec 4, 2018

I found it also possible to whitelist /opt/local/lib/opensc-pkcs11.so itself by having launchd start ssh-agent with the -P/opt/local/lib/opensc-pkcs11.so option, that is, by changing /System/Library/LaunchAgents/com.openssh.ssh-agent.plist to

<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "https://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>Label</key>
	<string>com.openssh.ssh-agent</string>
	<key>ProgramArguments</key>
	<array>
		<string>/usr/bin/ssh-agent</string>
		<string>-l</string>
		<string>-P/opt/local/lib/opensc-pkcs11.so</string>
	</array>
	<key>Sockets</key>
	<dict>
		<key>Listeners</key>
		<dict>
			<key>SecureSocketWithKey</key>
			<string>SSH_AUTH_SOCK</string>
		</dict>
	</dict>
	<key>EnableTransactions</key>
	<true/>
</dict>
</plist>

and then rebooting.

N.B. To change com.openssh.ssh-agent.plist one must (temporarily) disable system integrity protection by running csrutil disable in recovery mode.
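To show concretely why the MacPorts path under /opt is refused, why a symlink placed under /usr/local/lib still fails, and why naming the exact provider path with -P works, here is an added example (not code from this thread, from OpenSC, or from OpenSSH) that models the check the OpenSSH 7.4 ssh-agent performs on ssh-add -s: it resolves the provider path with realpath(3) and then matches the canonical path against the comma-separated -P pattern list, whose default is /usr/lib/*,/usr/local/lib/*. The shell case glob below stands in for OpenSSH's match_pattern_list(), and all fixture paths are constructed under a temporary directory rather than the real /usr/local/lib or /Library/OpenSC.

```shell
#!/bin/sh
# Added example: a stand-alone model of ssh-agent's PKCS#11 provider whitelist
# check (realpath(3) the provider, then match the canonical path against the
# comma-separated -P pattern list). Not ssh-agent's own code; the default
# pattern list is assumed to be "/usr/lib/*,/usr/local/lib/*" as in OpenSSH 7.4.

# canon PATH: resolve symlinks as realpath(3) would, using only POSIX tools
# (readlink without -f, dirname, basename, pwd -P) so it also runs on macOS.
canon() {
    p=$1
    while [ -L "$p" ]; do
        t=$(readlink "$p") || return 1
        case $t in
            /*) p=$t ;;                       # absolute link target
            *)  p=$(dirname "$p")/$t ;;       # relative to the link's directory
        esac
    done
    d=$(cd "$(dirname "$p")" 2>/dev/null && pwd -P) || return 1
    printf '%s\n' "$d/$(basename "$p")"
}

# pkcs11_allowed PROVIDER [WHITELIST]: exit 0 if the agent would accept the
# provider, 1 if it would answer "agent refused operation".
pkcs11_allowed() {
    provider=$1
    whitelist=${2:-"/usr/lib/*,/usr/local/lib/*"}
    c=$(canon "$provider") || return 1        # unresolvable path: refused
    set -f                                    # no pathname expansion while splitting on ','
    oldifs=$IFS; IFS=,
    for pat in $whitelist; do
        case $c in
            $pat) IFS=$oldifs; set +f; return 0 ;;
        esac
    done
    IFS=$oldifs; set +f
    return 1
}

# make_fixture: build a throwaway tree mirroring the paths mentioned in this
# thread and print its (symlink-free) root. Constructed test data only.
make_fixture() {
    root=$(mktemp -d) || return 1
    root=$(cd "$root" && pwd -P)
    mkdir -p "$root/usr/local/lib" "$root/opt/local/lib" "$root/Library/OpenSC/lib"
    : > "$root/opt/local/lib/opensc-pkcs11.so"        # MacPorts install location
    : > "$root/Library/OpenSC/lib/opensc-pkcs11.so"   # OpenSC .pkg install location
    cp "$root/opt/local/lib/opensc-pkcs11.so" \
       "$root/usr/local/lib/opensc-pkcs11.so"         # the "move or copy" fix
    ln -s "$root/Library/OpenSC/lib/opensc-pkcs11.so" \
       "$root/usr/local/lib/opensc-link.so"           # the symlink that does not work
    printf '%s\n' "$root"
}

# verdict PROVIDER [WHITELIST]: one readable line per case for the demo run.
verdict() {
    if pkcs11_allowed "$1" ${2:+"$2"}; then
        echo "accepted: $1"
    else
        echo "refused:  $1  (canonical: $(canon "$1"))"
    fi
}

# Run with --demo to walk through the four situations from the thread.
if [ "${1:-}" = "--demo" ]; then
    R=$(make_fixture)
    WL="$R/usr/lib/*,$R/usr/local/lib/*"             # the default list, rooted in the fixture
    verdict "$R/opt/local/lib/opensc-pkcs11.so" "$WL"   # refused: /opt is not whitelisted
    verdict "$R/usr/local/lib/opensc-pkcs11.so" "$WL"   # accepted: copied under /usr/local/lib
    verdict "$R/usr/local/lib/opensc-link.so"   "$WL"   # refused: resolves to /Library/OpenSC/...
    verdict "$R/opt/local/lib/opensc-pkcs11.so" \
            "$WL,$R/opt/local/lib/opensc-pkcs11.so"     # accepted: exact path added via -P
    rm -rf "$R"
fi
```

The symlink case is the interesting one: the link itself lives under the whitelisted directory, but the agent matches the resolved path, so the pattern list must cover where the file really is (or name that path explicitly, as the launchd -P variant above does).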
