MacOS Sierra: Could not add card "/usr/local/lib/opensc-pkcs11.so": agent refused operation (Redux) #1060
Comments
IIRC you need to use an agent from brew or self-compiled.
Unfortunately, I cannot currently test ssh usage. I assumed after getting 👍 in #1041, the patch got tested... If the problem lies within the PKCS#11 library, you may raise the debug level to see what's going on.
@martinpaljak Can you please elaborate how to "use an agent from brew" or point to some writeup. I understand that macOS has a builtin ssh-agent that nicely interacts with the macOS keychain and starts when the OS boots. @frankmorgner how can we "raise the debug level" to see what is going on?
@gae123 set
I do not see anything suspicious. The message is exactly the same independently of what I pass to ssh-add: $ ssh-add -s foo ssh-add does not seem to have a -v/-V/--version option: $ type ssh-add
It could also be that your ssh-agent is not working (independent from OpenSC)... @bwithem, @mouse07410 do you have similar problems? Do you know a simple setup of this use case for local debugging?
No issue with password protected file based keys though: $ ssh-add ~/.ssh/id_rsa
Please, run the
and in a different terminal try to add the card:
Magically after I copied again with: sudo cp -p /Library/OpenSC/lib/opensc-pkcs11.so /usr/local/lib/opensc-pkcs11.so everything worked. Not sure what has fixed the issue. I have not rebooted the machine since then, the only possibly material change I can think of is that I installed the krypt.co kr tools. @Jakuje Thank you very much, I did confirm that your local debugging directions work and I will double check them if I run into this again.
Ran into this again while testing v1.7.0-rc1. It seems that if the following card is left plugged into the Mac when the machine is rebooted we get the "agent refused operation" from ssh-add: Using reader with a card: ACS ACR101 ICC Reader As soon as the card is physically unplugged from the USB, and then reinserted, retrying the ssh-add works: [reboot machine with card plugged in] This is using the native ssh-add that comes with MacOS Sierra: Little-Net:~ minfrin$ which ssh-add
It seems that macOS has some problems propagating the smart card reader or its state. If so, this should also apply to the OpenSC version from brew @martinpaljak. If I understood correctly, the original problem is fixed. @minfrin if you think you are able to debug the problem about the card reader that's unavailable for OpenSC, although plugged into the Mac, then please open a new issue with a log. You may simply copy your comment above to the new issue's description.
I don't follow at all?
Right now, after putting the machine to sleep and waking it up, I need to reboot the machine before the smartcard will give me anything other than "agent refused operation".
Sorry, please ignore my comment from above. I got mixed up with the other issue about the file permissions. The problem with sleep/wakeup still needs to be debugged:
I was having this error repeatedly and I discovered that the Yubikey was locked due to too many bad PINs. As soon as I reset the PIN it worked perfectly.
@foozmeat are you referring to the problem when going to sleep and waking up?
@frankmorgner no sorry, my reply was to the original bug report. I installed OpenSC from homebrew as well as a direct download and could not get the key added to the agent. I confirmed that the library was copied into place and not a symlink. It wasn't until after running It's too bad that the real error isn't displayed when adding to the agent.
@minfrin if you want your problem during wakeup to be resolved, please send a debug log of OpenSC which should contain the specific errors. I'm suspecting that the agent uses an old session after resume, though OpenSC sends errors like
@frankmorgner I had the problem again this morning. This time, restarting the ssh-agent appeared to be a workaround. Here is the error I was getting: I also conclude that the cause might be related to suspend/resume of MacOS. Here is what I saw:
Please open a new issue for resume/suspend and use the debugging options mentioned above for both, ssh and OpenSC, thanks.
In an effort to work out the patterns behind what's going on, I've turned on debug logging and the first thing I've noticed is that if the Mac is restarted with the token still plugged in, the token will be ignored until the token is physically unplugged and plugged back in again. During this state, Firefox claims no token is plugged in, and ssh-add -s says "agent refused operation".
New behavior this morning - woke my laptop from sleep, plugged the smartcard in, and the smartcard was ignored. No messages indicating the smartcard was plugged or unplugged in /tmp/opensc-debug.log.
Google for: USB not working after sleep mode
This could be the reader is powered off.
…On 10/2/2017 4:01 AM, minfrin wrote:
New behavior this morning - woke my laptop from sleep, plugged the smartcard in, and the smartcard was ignored. No messages indicating the smartcard was plugged or unplugged in /tmp/opensc-debug.log.
--
Douglas E. Engert <[email protected]>
"USB not working after sleep mode" is too general a search, is there a specific known mac issue? I am not finding one. The USB reader is powered up with LEDs on, so USB is definitely working after sleep.
Using OpenSC 0.19 installed with brew, I also got The reason I found is that I had an ECCP256 key that openssh doesn't seem to like. I added a second RSA2048 key and now it works well.
Agent support for ECC keys comes with OpenSSH 8.0
I would have to see the logs from the agent. Also trying to login directly without agent would be helpful. Noting what card you have and if yubikey, in which slot the ecdsa key is should also help.
it's a yubikey and the key is in slot 0:
I don't know if that would help
There may be issues with the keyUsage flags in the certificate. (With the PIV applet the PIV driver reads the certificate to obtain the public key and the namedCurve. And for a non-government issued card, the certificate keyUsage is used to set a number of flags.)
Here is the output:
Looks like OpenSSH 8.0 will only support ECDSA with OpenSSL 1.1. You are running with OpenSSL-1.0.2r
OpenSSL-1.0.2 does not have
I think the "agent refused operation" issue is the same as #1007
Do this as root (sudo bash) then do: ssh-add -s /usr/local/lib/opensc-pkcs11.so and ssh-add -l should show your keys ssh and carry on....
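The checks that commenters in this thread ended up doing by hand (a real, executable copy of the module rather than a symlink, a reachable ssh-agent, and a card that OpenSC can actually see after a reboot or wake), gathered into one added diagnostic script. This is not OpenSC's code nor anything posted above; the library path is taken from the report, and `opensc-tool -n` is used here as a stand-in for "is a card visible".

```shell
#!/bin/sh
# Added diagnostic for the "agent refused operation" symptom: run the
# preconditions the thread found to matter before retrying ssh-add.
PKCS11_LIB="${PKCS11_LIB:-/usr/local/lib/opensc-pkcs11.so}"

# 0 = usable, 1 = missing, 2 = symlink (one commenter needed a real copy),
# 3 = not readable+executable (the report shows -rwxr-xr-x root:wheel).
check_pkcs11_lib() {
    [ -e "$1" ] || return 1
    [ -L "$1" ] && return 2
    { [ -r "$1" ] && [ -x "$1" ]; } || return 3
    return 0
}

# 0 = an agent answers (even with no identities), 2 = no agent reachable.
# ssh-add -l exits 1 for "no identities" but 2 when it cannot contact the agent.
check_agent() {
    [ -n "${SSH_AUTH_SOCK:-}" ] || return 2
    ssh-add -l >/dev/null 2>&1 || [ $? -ne 2 ]
}

# 0 = OpenSC sees a card, non-zero otherwise (the reboot/sleep symptom above:
# reader LEDs on, yet no card visible until it is unplugged and reinserted).
check_card_visible() {
    command -v opensc-tool >/dev/null 2>&1 || return 3
    opensc-tool -n >/dev/null 2>&1
}

diagnose() {
    rc=0; check_pkcs11_lib "$PKCS11_LIB" || rc=$?
    case $rc in
        1) echo "missing: $PKCS11_LIB"; return 1 ;;
        2) echo "$PKCS11_LIB is a symlink; copy the real file instead"; return 1 ;;
        3) echo "$PKCS11_LIB is not readable/executable for this user"; return 1 ;;
    esac
    check_agent || { echo "no ssh-agent reachable; start one or check SSH_AUTH_SOCK"; return 1; }
    check_card_visible || { echo "OpenSC sees no card; unplug and reinsert the reader"; return 1; }
    # The module is loaded by the agent, not by ssh-add, so OpenSC debug output
    # has to be enabled in opensc.conf (the thread used /tmp/opensc-debug.log).
    ssh-add -s "$PKCS11_LIB" && ssh-add -l
}

# Run the checks only when asked, so sourcing this file has no side effects.
if [ "${1:-}" = "--run" ]; then diagnose; fi
```

Each check returns a distinct code so the script can be sourced and the individual functions reused from another shell session.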
Expected behaviour
What should happen?
Little-Net:~ minfrin$ ssh-add -s /usr/local/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added successfully.
Actual behaviour
What happens instead?
Little-Net:~ minfrin$ ssh-add -s /usr/local/lib/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Could not add card "/usr/local/lib/opensc-pkcs11.so": agent refused operation
Little-Net:~ minfrin$ ls -al /usr/local/lib/opensc-pkcs11.so
-rwxr-xr-x 1 root wheel 1679920 May 31 14:35 /usr/local/lib/opensc-pkcs11.so
Steps to reproduce
There appears to be further regression of MacOS Sierra and https://github.com/OpenSC/OpenSC/pull/1041/files doesn't fix this.