Cannot add keys from PKCS#11 provider

Bug #791747 reported by Jan Krajdl
This bug affects 3 people
Affects: openssh (Ubuntu)
Status: Expired
Importance: Undecided
Assigned to: Unassigned

Bug Description

It's not possible to add keys from security devices with the ssh-agent that is running from the Ubuntu session. I'm trying to use authentication with a Rainbow iKey 3000 token with OpenSC. When, after login, I type this into a terminal:
ssh-add -s /usr/lib/opensc-pkcs11.so
and after that I type the PIN for the token, I get:
SSH_AGENT_FAILURE
Could not add card: /usr/lib/opensc-pkcs11.so

When I run a new ssh-agent in a terminal and set the env variables, this command works OK - it loads keys from the token and I'm able to authenticate with the keys in them. So the whole openssh agent is working OK, but I think there is a bug somewhere when Ubuntu runs this agent after login.

Chuck Short (zulcss) wrote :

Which version are you using and how can I reproduce this?

Thanks
chuck

Changed in openssh (Ubuntu):
status: New → Incomplete
Jan Krajdl (spamikcz) wrote :

OpenSSH version: 5.8p1-1ubuntu3
OpenSC version: 0.11.13-1ubuntu5
Which other software is Ubuntu using for loading the ssh agent (so I can write their versions here)?

Steps to reproduce:
- you have an OpenSC compatible card/token with a loaded key pair (pkcs15-tool -D prints information about the private and public RSA key)
- type into the terminal after login: ssh-add -s /usr/lib/opensc-pkcs11.so
- next type the PIN for the security card/token
- you will probably see the error: SSH_AGENT_FAILURE
- now run a new ssh agent (type ssh-agent into the terminal and copy its output into the terminal too) and repeat the steps in this terminal - after typing the PIN you get the message "Card added: /usr/lib/opensc-pkcs11.so" and ssh-agent now knows the key on the card/token - this is the correct behaviour

netdata (bj7u6139z-info-jjcftv6wl) wrote :

I'm seeing exactly the same behavior.

How can I help?

netdata (bj7u6139z-info-jjcftv6wl) wrote :

By disabling the component "GNOME Keyring: SSH Agent" at startup the issue is resolved.

However this breaks the integration with Gnome Keyring.

Launchpad Janitor (janitor) wrote :

[Expired for openssh (Ubuntu) because there has been no activity for 60 days.]

Changed in openssh (Ubuntu):
status: Incomplete → Expired
Janning Vygen (janning-h) wrote :

This affects me too with a fresh Ubuntu 12.10 installation. All packages are from the standard Ubuntu 12.10 repositories.
#2 describes the exact behaviour.

Hồng Quân (ng-hong-quan) wrote :

To me, the solution at comment 4 works.
How to disable "GNOME Keyring: SSH Agent": http://dtek.net/blog/how-stop-gnome-keyring-clobbering-opensshs-ssh-agent-ubuntu-1204
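
The comments above trace the SSH_AGENT_FAILURE to the session's "GNOME Keyring: SSH Agent" component rather than to OpenSSH's own ssh-agent. The following is an added example, not part of the bug report or of OpenSSH: a snippet meant to be sourced into the shell, which guesses from SSH_AUTH_SOCK which agent the session uses and, when it looks like GNOME Keyring's, starts a separate ssh-agent for the current shell before running ssh-add -s. The function names and the socket path patterns are assumptions; the provider path in the usage comment is the one from the report.

```shell
# Heuristic only: the path patterns are assumed defaults, not taken from the report.
# classify_agent_sock PATH -> prints gnome-keyring | openssh | none | unknown
classify_agent_sock() {
    case "$1" in
        "")                            echo none ;;
        */keyring-*/ssh|*/keyring/ssh) echo gnome-keyring ;;
        */ssh-*/agent.*)               echo openssh ;;
        *)                             echo unknown ;;
    esac
}

# add_token PROVIDER: load the token's keys. If the session agent looks like
# GNOME Keyring's (or no agent is set), start an OpenSSH agent for this shell
# only, so the desktop session's agent is left untouched.
add_token() {
    provider=$1
    [ -r "$provider" ] || { echo "provider not found: $provider" >&2; return 2; }

    kind=$(classify_agent_sock "${SSH_AUTH_SOCK:-}")
    echo "session agent: $kind (${SSH_AUTH_SOCK:-unset})" >&2

    case "$kind" in
        gnome-keyring|none)
            # ssh-agent -s prints Bourne-shell assignments for SSH_AUTH_SOCK
            # and SSH_AGENT_PID; eval applies them to the current shell.
            eval "$(ssh-agent -s)" >/dev/null || return 1
            echo "using private agent: $SSH_AUTH_SOCK" >&2
            ;;
    esac

    # Prompts for the token PIN, then lists what the agent now holds.
    ssh-add -s "$provider" && ssh-add -l
}

# Usage, after sourcing this file:
#   add_token /usr/lib/opensc-pkcs11.so
```

The private agent lives only as long as it is left running; `ssh-agent -k` in the same shell stops it.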
