ssh-agent PKCS#11: agent refused operation

Bug #1606929 reported by Chris
Affects: openssh (Ubuntu)
Status: Invalid
Importance: Undecided
Assigned to: Unassigned
Milestone:

Bug Description

I'm using simple-tpm-pk11 (from Ubuntu repo) and can successfully connect to SSH using a TPM key.

When trying to add the key to my ssh-agent, the action is refused:
$ ssh-add -s /usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so": agent refused operation

Thomas Habets, author of simple-tpm-pk11, suggested compiling ssh-agent from source [1]. This fixed the issue.

Recompile steps:
$ apt-get source openssh-client
[…]
$ cd openssh-7.2p2
$ ./configure --prefix=$HOME/opt/openssh
[…]
$ grep -q '^#define ENABLE_PKCS11' config.h && echo success || echo fail
success
$ sudo mkdir -p /var/empty
$ make install
[…]
$ ~/opt/openssh/bin/ssh-agent
[… env stuff for ssh-agent. copy-paste run this …]
$ ssh-add -s /usr/local/lib/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11:
Card added: /usr/local/lib/libsimple-tpm-pk11.so
$ ssh-add -l
2048 SHA256:xxxxx[…]xxxxxx /usr/local/lib/libsimple-tpm-pk11.so (RSA)

1) Ubuntu 16.04.1 LTS

2)
openssh-client 1:7.2p2-4ubuntu1
simple-tpm-pk11 0.04-1

3) I would expect the Ubuntu binary release of ssh-agent to allow adding the TPM key just like the locally compiled test.

4) An error is returned by ssh-add: Could not add card "/usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so": agent refused operation

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openssh-client 1:7.2p2-4ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jul 27 06:24:19 2016
InstallationDate: Installed on 2016-07-26 (1 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
RelatedPackageVersions:
 ssh-askpass N/A
 libpam-ssh N/A
 keychain N/A
 ssh-askpass-gnome N/A
SSHClientVersion: OpenSSH_7.2p2 Ubuntu-4ubuntu1, OpenSSL 1.0.2g-fips 1 Mar 2016
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
upstart.ssh-agent.log:
 ssh-agent stop/pre-start, process 4012
 ssh-agent stop/pre-start, process 3782
 ssh-agent stop/pre-start, process 3440

Chris (qistoph) wrote :

Sorry. Actually I just discovered that ssh-agent wasn't used by default, but gnome-keyring-daemon is. Probably gnome-keyring-daemon just does not support PKCS#11 yet...

Robie Basak (racb) wrote :

Thanks Chris. I guess this is invalid for openssh then, and possibly a Wishlist item for gnome-keyring-daemon? I'm not sure which you'd prefer, so I'll mark the openssh task as Invalid for now, and you can add a gnome-keyring-daemon task if you wish.

Changed in openssh (Ubuntu):
status: New → Invalid
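The thread resolves when the reporter notices that SSH_AUTH_SOCK is served by gnome-keyring-daemon rather than OpenSSH's ssh-agent, which is why `ssh-add -s` was refused. As an added example (not code from the bug report, from OpenSSH or from simple-tpm-pk11), the script below makes that visible by resolving the process listening on a socket path from `ss -xlp` output; the sample output, socket paths and PIDs are constructed.

```shell
#!/bin/sh
# Added example, not part of the bug report. Resolves which daemon is
# listening on $SSH_AUTH_SOCK: "agent refused operation" for a PKCS#11
# module is expected when the listener is not OpenSSH's ssh-agent.

# agent_for_socket SOCKET_PATH SS_OUTPUT
# SS_OUTPUT is the text of `ss -xlp` (listening unix sockets with owning
# processes). Prints the listener's process name, or "unknown".
agent_for_socket() {
    printf '%s\n' "$2" | awk -v sock="$1" '
        index($0, sock) && match($0, /users:\(\("[^"]+"/) {
            # field looks like users:(("ssh-agent",pid=4012,fd=3))
            print substr($0, RSTART + 9, RLENGTH - 10); found = 1; exit
        }
        END { if (!found) print "unknown" }'
}

# verdict NAME: one line of advice for the listener found above.
verdict() {
    case "$1" in
        ssh-agent)        echo "OpenSSH ssh-agent: ssh-add -s needs PKCS#11 compiled in (ENABLE_PKCS11)" ;;
        gnome-keyring-d*) echo "gnome-keyring-daemon is the agent; run ssh-agent and point SSH_AUTH_SOCK at it" ;;
        unknown)          echo "no listener found for that socket path" ;;
        *)                echo "listener is $1, not OpenSSH ssh-agent" ;;
    esac
}

# Constructed sample of `ss -xlp` output (process names are truncated to
# 15 characters, as the kernel's comm field is).
SAMPLE='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
u_str LISTEN 0      128    /run/user/1000/keyring/ssh 23456 * 0 users:(("gnome-keyring-d",pid=1937,fd=13))
u_str LISTEN 0      128    /tmp/ssh-abc123/agent.4012 34567 * 0 users:(("ssh-agent",pid=4012,fd=3))'

for s in /run/user/1000/keyring/ssh /tmp/ssh-abc123/agent.4012; do
    name=$(agent_for_socket "$s" "$SAMPLE")
    echo "$s -> $name: $(verdict "$name")"
done

# Live check against the real agent socket: ./agentcheck.sh --live
if [ "${1:-}" = "--live" ] && [ -n "${SSH_AUTH_SOCK:-}" ]; then
    name=$(agent_for_socket "$SSH_AUTH_SOCK" "$(ss -xlp 2>/dev/null)")
    echo "$SSH_AUTH_SOCK -> $name: $(verdict "$name")"
fi
```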