Error: Could not add card "/usr/local/lib/opensc-pkcs11-local.so": agent refused operation #3032

Closed
chayanikapandey opened this issue Feb 16, 2024 · 2 comments


@chayanikapandey

Steps to reproduce:

ssh-add -s /usr/local/lib/opensc-pkcs11-local.so
Enter passphrase for PKCS#11:
Could not add card "/usr/local/lib/opensc-pkcs11-local.so": agent refused operation

Error: Could not add card "/usr/local/lib/opensc-pkcs11-local.so": agent refused operation

ssh -V
OpenSSH_9.4p1, LibreSSL 3.3.6

I tried to debug, and below are the debug logs:

ssh-agent -d -a /tmp/agent.socket
SSH_AUTH_SOCK=/tmp/agent.socket; export SSH_AUTH_SOCK;
echo Agent pid 3476;
debug1: new_socket: type = SOCKET
debug2: fd 3 setting O_NONBLOCK
debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 20
debug2: process_add_smartcard_key: entering
debug1: process_add_smartcard_key: add /usr/local/lib/opensc-pkcs11-local.so
debug3: pkcs11_start_helper: start helper for /usr/local/lib/opensc-pkcs11-local.so
debug3: pkcs11_start_helper: helper 0 for "/usr/local/lib/opensc-pkcs11-local.so" on fd 5 pid 3497
debug1: pkcs11_start_helper: starting /usr/libexec/ssh-pkcs11-helper -vvv
debug1: process_add
debug1: provider /usr/local/lib/opensc-pkcs11-local.so: manufacturerID cryptokiVersion 2.20 libraryDescription libraryVersion 0.24
debug1: provider /usr/local/lib/opensc-pkcs11-local.so slot 0: label <YK-20206044-9a-202211030838-P...> manufacturerID <piv_II> model <PKCS#15 emulated> serial <5fda01d983250312> flags 0x4040d
C_Login failed: 164
debug1: pkcs11_provider_finalize: provider "/usr/local/lib/opensc-pkcs11-local.so" refcount 1 valid 1
debug1: pkcs11_provider_unref: provider "/usr/local/lib/opensc-pkcs11-local.so" refcount 1
debug1: pkcs11_add_provider: provider /usr/local/lib/opensc-pkcs11-local.so returned no keys

Has my account been locked? I don't see any solution to this issue anywhere. Below are some options I tried:

Have physically removed the keys, reinserted them and restarted the Mac
Have reinstalled OpenSC

@Jakuje
Member

Jakuje commented Feb 16, 2024

What are you trying to achieve?

C_Login failed: 164

The error 164 is CKR_PIN_LOCKED, which means you did try too many login attempts to the card (sounds like a YubiKey) and the PIN was locked as a security measure. It can be unlocked with yubico-piv-tool with a PUK:

https://developers.yubico.com/yubico-piv-tool/Manuals/yubico-piv-tool.1.html
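
The slot line in the debug log above carries a token flags value next to the `C_Login` return code, and both can be decoded with constants from the PKCS#11 specification. The following is an added example, not part of the original thread or of OpenSC/OpenSSH code; the function names, the abridged sample lines and the third, constructed log line are assumptions.

```python
import re

# CK_TOKEN_INFO.flags bits, values from the PKCS#11 specification.
TOKEN_FLAGS = {
    0x00000001: "CKF_RNG",
    0x00000002: "CKF_WRITE_PROTECTED",
    0x00000004: "CKF_LOGIN_REQUIRED",
    0x00000008: "CKF_USER_PIN_INITIALIZED",
    0x00000400: "CKF_TOKEN_INITIALIZED",
    0x00010000: "CKF_USER_PIN_COUNT_LOW",
    0x00020000: "CKF_USER_PIN_FINAL_TRY",
    0x00040000: "CKF_USER_PIN_LOCKED",
}
# PIN-related CK_RV values; the helper prints them in decimal.
LOGIN_RV = {160: "CKR_PIN_INCORRECT", 161: "CKR_PIN_INVALID",
            162: "CKR_PIN_LEN_RANGE", 163: "CKR_PIN_EXPIRED",
            164: "CKR_PIN_LOCKED"}

SLOT_RE = re.compile(r"provider (\S+) slot (\d+): .*\bflags (0x[0-9a-fA-F]+)")
LOGIN_RE = re.compile(r"C_Login failed: (\d+)")

def decode_flags(value):
    """Return the names of the set bits, plus any bits not in the table."""
    names = [name for bit, name in sorted(TOKEN_FLAGS.items()) if value & bit]
    unknown = value & ~sum(TOKEN_FLAGS)
    return names + ([f"unknown:{unknown:#x}"] if unknown else [])

def triage(log_text):
    """Extract slot flag state and C_Login failures from agent debug output."""
    findings = []
    for line in log_text.splitlines():
        if m := SLOT_RE.search(line):
            flags = decode_flags(int(m.group(3), 16))
            findings.append(("slot", int(m.group(2)), flags))
        elif m := LOGIN_RE.search(line):
            rv = int(m.group(1))
            findings.append(("login", rv, LOGIN_RV.get(rv, f"unmapped:{rv:#x}")))
    return findings

# Lines 1-2 are abridged from the issue's log; line 3 is constructed.
SAMPLE_LOG = """\
debug1: provider /usr/local/lib/opensc-pkcs11-local.so slot 0: label <YK-...> manufacturerID <piv_II> model <PKCS#15 emulated> serial <...> flags 0x4040d
C_Login failed: 164
debug1: provider /constructed/example.so slot 1: label <constructed> flags 0x40d
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

For the log in this issue, the flags value 0x4040d already includes CKF_USER_PIN_LOCKED on the slot line, consistent with the 164 returned by `C_Login`.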

@chayanikapandey
Author

Thanks for the reply. I am trying to set up my access to the Linux hosts through YubiKey. I shall try to reset my password.
