ssh-agent PKCS#11: agent refused operation
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Ubuntu) | Invalid | Undecided | Unassigned |
Bug Description
I'm using simple-tpm-pk11 (from Ubuntu repo) and can successfully connect to SSH using a TPM key.
When trying to add the key to my ssh-agent, the action is refused:
$ ssh-add -s /usr/lib/
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/
Thomas Habets, author of simple-tpm-pk11, suggested compiling ssh-agent from source [1]. This fixed the issue.
Recompile steps:
$ apt-get source openssh-client
[…]
$ cd openssh-7.2p2
$ ./configure --prefix=
[…]
$ grep -q '^#define ENABLE_PKCS11' config.h && echo success || echo fail
success
$ sudo mkdir -p /var/empty
$ make install
[…]
$ ~/opt/openssh/
[… env stuff for ssh-agent. copy-paste run this …]
$ ssh-add -s /usr/local/
Enter passphrase for PKCS#11:
Card added: /usr/local/
$ ssh-add -l
2048 SHA256:
1) Ubuntu 16.04.1 LTS
2) openssh-client 1:7.2p2-4ubuntu1; simple-tpm-pk11 0.04-1
3) I would expect the Ubuntu binary release of ssh-agent to allow adding the TPM key just like the locally compiled test.
4) An error is returned by ssh-add: Could not add card "/usr/lib/
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openssh-client 1:7.2p2-4ubuntu1
ProcVersionSign
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jul 27 06:24:19 2016
InstallationDate: Installed on 2016-07-26 (1 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
RelatedPackageV
ssh-askpass N/A
libpam-ssh N/A
keychain N/A
ssh-askpass-gnome N/A
SSHClientVersion: OpenSSH_7.2p2 Ubuntu-4ubuntu1, OpenSSL 1.0.2g-fips 1 Mar 2016
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
upstart.
ssh-agent stop/pre-start, process 4012
ssh-agent stop/pre-start, process 3782
ssh-agent stop/pre-start, process 3440
Sorry. Actually I just discovered that ssh-agent wasn't used by default, but gnome-keyring-daemon is. Probably gnome-keyring-daemon just does not support PKCS#11 yet...
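The reporter's closing finding is the useful one: "agent refused operation" tells you which agent answered only if you know what is listening on SSH_AUTH_SOCK. The script below is an added diagnostic, not code from the bug report or from the openssh or simple-tpm-pk11 projects. It classifies the agent behind a socket path, resolves a live socket to its owning process with ss(8) where available, and reuses the report's own config.h check for a locally built OpenSSH. The socket-path patterns (ssh-agent under /tmp/ssh-*/agent.PID, gnome-keyring under /run/user/UID/keyring/ssh or ~/.cache/keyring-*/ssh) and the function names are assumptions about common defaults, not anything the report states.

```shell
#!/bin/sh
# Added example, not part of the bug report: identify which agent answers on
# SSH_AUTH_SOCK before concluding that OpenSSH's ssh-agent refused the PKCS#11
# add. Socket-path patterns are assumptions drawn from common defaults:
#   ssh-agent      -> /tmp/ssh-XXXXXXXXXX/agent.<pid>
#   gnome-keyring  -> /run/user/<uid>/keyring/ssh  (older: ~/.cache/keyring-*/ssh)

# Classify an agent socket path by its well-known location.
agent_kind_from_sock() {
    case "$1" in
        "")                          echo none ;;
        /run/user/*/keyring/ssh*)    echo gnome-keyring ;;
        */.cache/keyring-*/ssh)      echo gnome-keyring ;;
        /tmp/ssh-*/agent.*)          echo ssh-agent ;;
        *)                           echo unknown ;;
    esac
}

# Return 0 when an OpenSSH build tree's config.h has PKCS#11 compiled in;
# this is the same grep the report runs after ./configure.
pkcs11_enabled_in_config() {
    grep -q '^#define ENABLE_PKCS11' "$1"
}

# Resolve a live socket to "<pid> <command>" via ss(8). Prints nothing when the
# socket does not exist or ss is unavailable; always returns 0 (safe under set -e).
agent_process_for_sock() {
    sock="$1"
    [ -n "$sock" ] && [ -S "$sock" ] || return 0
    command -v ss >/dev/null 2>&1 || return 0
    ss -xlp 2>/dev/null \
        | grep -F -- "$sock " \
        | sed -n 's/.*users:(("\([^"]*\)",pid=\([0-9]*\).*/\2 \1/p' \
        | head -n 1
}

# Human-readable verdict for a socket path (defaults to $SSH_AUTH_SOCK).
diagnose_agent() {
    sock="${1:-${SSH_AUTH_SOCK:-}}"
    kind=$(agent_kind_from_sock "$sock")
    owner=$(agent_process_for_sock "$sock")
    case "$kind" in
        none)
            echo 'no SSH_AUTH_SOCK set; start the OpenSSH agent with: eval "$(ssh-agent -s)"' ;;
        gnome-keyring)
            echo "SSH_AUTH_SOCK is gnome-keyring ($sock): its agent side answered ssh-add -s, not OpenSSH ssh-agent" ;;
        ssh-agent)
            echo "SSH_AUTH_SOCK is OpenSSH ssh-agent ($sock)${owner:+, pid/command: $owner}" ;;
        *)
            echo "unrecognised agent socket ($sock)${owner:+, pid/command: $owner}" ;;
    esac
}

# Report on the current session's agent when run directly.
diagnose_agent
```

Run it in the same shell session that failed `ssh-add -s`; if it reports gnome-keyring, start an OpenSSH ssh-agent with `eval "$(ssh-agent -s)"` and retry, which is what the report's recompiled setup effectively did. Keep in mind that `ssh-add -s` loads the named shared object into the agent process, so the module path should be one you control; later OpenSSH releases restrict which provider paths the agent accepts for exactly that reason.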