MacOS Sierra 10.12 failing to ssh-add pkcs11 key #75
Comments
Interestingly, @djmdjm (who made this change) points out it was to address CVE-2016-10009:
I've just deployed OpenSC 0.18.0 onto High Sierra and ran into this problem, and can confirm the workaround above works. Is there a way of getting the OpenSC installer on MacOS to do all the tasks necessary to make OpenSC functional on the Mac, rather than doing some of the tasks via the installer, and leaving other tasks to the end user to be done manually using the root account? We've been stuck for ages unable to properly roll out smartcards, as they don't work for ordinary users.
Elided by #225; I strongly recommend moving to FIDO2 key support everywhere.
Just for reference in case this hits anyone else.
See:
OpenSC/OpenSC#1007
OpenSC/OpenSC#1008
As of openssh 7.4, ssh-add will only accept pkcs libraries from directories specified at compile time or via ssh-agent run time flags on startup.
The default match is:
/usr/lib*/*,/usr/local/lib*/*
Common locations to find the opensc-pkcs11 or libykcs11 libraries on MacOS don't match this.
Homebrew-installed opensc will end up in /usr/local/Cellar/opensc and get sym-linked into /usr/local/lib, but ssh-add follows the sym-link and the location check fails.
Quickest workaround for me was to
From OpenSSH 7.4 release notes:
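A diagnostic sketch of the location check described in this issue, added here as an example; it is not OpenSSH's code and is not from the issue author. It resolves symlinks first and then matches the resolved path against the default pattern list quoted above, so a Homebrew-style symlink in /usr/local/lib is reported as refused. The function names are hypothetical, and it assumes `*` in a pattern can match across `/`.

```shell
#!/bin/sh
# Added example, not OpenSSH code. Pattern list as quoted in the issue.
DEFAULT_WHITELIST='/usr/lib*/*,/usr/local/lib*/*'

# Resolve symlinks the way realpath(3) would, using only cd/pwd/readlink
# (older macOS releases ship no realpath command).
resolve_path() {
    p=$1; n=0
    while [ -L "$p" ] && [ "$n" -lt 32 ]; do
        d=$(cd -P "$(dirname "$p")" && pwd -P) || return 1
        t=$(readlink "$p")
        case $t in
            /*) p=$t ;;        # absolute link target
            *)  p=$d/$t ;;     # target relative to the link's directory
        esac
        n=$((n + 1))
    done
    d=$(cd -P "$(dirname "$p")" && pwd -P) || return 1
    if [ "$d" = / ]; then d=; fi
    printf '%s/%s\n' "$d" "$(basename "$p")"
}

# Succeed if path $1 matches any pattern in the comma-separated list $2.
# Assumption: '*' may span '/', which is how a case pattern behaves.
path_allowed() {
    path=$1; old_ifs=$IFS; IFS=,
    set -f                      # keep patterns from globbing the filesystem
    for pat in $2; do
        case $path in
            $pat) IFS=$old_ifs; set +f; return 0 ;;
        esac
    done
    IFS=$old_ifs; set +f
    return 1
}

# Report whether a provider path would pass once symlinks are resolved.
check_provider() {
    list=${2:-$DEFAULT_WHITELIST}
    real=$(resolve_path "$1") || { echo "cannot resolve: $1"; return 2; }
    if path_allowed "$real" "$list"; then
        echo "allowed: $1 -> $real"
    else
        echo "refused: $1 -> $real (not in $list)"; return 1
    fi
}

if [ "$#" -gt 0 ]; then check_provider "$@"; fi
```

Run it with the provider path you intend to pass to ssh-add; an optional second argument replaces the default pattern list.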