ssh-agent seems to fail with new opensc


ssh-agent seems to fail with new opensc

Kevin Oberman
Since I updated my OpenSC code to version 0.12.0, my ssh-agent can't
seem to get keys to load into the ssh-agent.

I am running OpenSSH_5.2p1 and I re-built it after the upgrade of
OpenSC. Everything continued to work normally until I logged out of my
session for the day. After logging back in, 'ssh-add -s 0' fails with:
ssh-agent[1961]: error: Unknown message 20
SSH_AGENT_FAILURE
Could not add card: 0

Attempting 'ssh -I 0' got a simple "no support for smartcards." message.

Is there something else I need to re-build to get this fixed? I have
confirmed that ssh-add, ssh, and ssh-agent were all rebuilt.

Thanks,
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [hidden email] Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: ssh-agent seems to fail with new opensc

Kevin Oberman
> Date: Tue, 04 Jan 2011 10:22:29 -0800
> From: "Kevin Oberman" <[hidden email]>
> Sender: [hidden email]
>
> Since I updated my OpenSC code to version 0.12.0, my ssh-agent can't
> seem to get keys to load into the ssh-agent.
>
> I am running OpenSSH_5.2p1 and I re-built it after the upgrade of
> OpenSC. Everything continued to work normally until I logged out of my
> session for the day. After logging back in, 'ssh-add -s 0' fails with:
> ssh-agent[1961]: error: Unknown message 20
> SSH_AGENT_FAILURE
> Could not add card: 0
>
> Attempting 'ssh -I 0' got a simple "no support for smartcards." message.
>
> Is there something else I need to re-build to get this fixed? I have
> confirmed that ssh-add, ssh, and ssh-agent were all rebuilt.

I found the problem was in the FreeBSD OpenSSH-portable port and has
nothing to do with the upgrade to OpenSC 0.12.0. Sorry for the noise!
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [hidden email] Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

Re: ssh-agent seems to fail with new opensc

Martin Paljak-4

On Jan 4, 2011, at 10:02 PM, Kevin Oberman wrote:

>> Since I updated my OpenSC code to version 0.12.0, my ssh-agent can't
>> seem to get keys to load into the ssh-agent.
>>
>> I am running OpenSSH_5.2p1 and I re-built it after the upgrade of
>> OpenSC. Everything continued to work normally until I logged out of my
>> session for the day. After logging back in, 'ssh-add -s 0' fails with:
>> ssh-agent[1961]: error: Unknown message 20
>> SSH_AGENT_FAILURE
>> Could not add card: 0
>>
>> Attempting 'ssh -I 0' got a simple "no support for smartcards." message.
>>
>> Is there something else I need to re-build to get this fixed? I have
>> confirmed that ssh-add, ssh, and ssh-agent were all rebuilt.
>
> I found the problem was in the FreeBSD OpenSSH-portable port and has
> nothing to do with the upgrade to OpenSC 0.12.0. Sorry for the noise!
It should be related.

OpenSC 0.12.0 is not supposed to be linked by applications. OpenSSH versions < 5.3 used to do it, OpenSSH 5.3+ use the PKCS#11 interface.

So OpenSSH < 5.3 + OpenSC > 0.12 should be a no go (But OpenSSH <5.3 and OpenSC < 0.12 should be technically possible, but may require patching OpenSSH). Whereas OpenSSH 5.3+ should be OK with any version of OpenSC as well as other smart cards.

--
@MartinPaljak.net
+3725156495


Re: ssh-agent seems to fail with new opensc

Kevin Oberman
> From: Martin Paljak <[hidden email]>
> Date: Wed, 5 Jan 2011 09:12:21 +0200
>
> On Jan 4, 2011, at 10:02 PM, Kevin Oberman wrote:
> >> Since I updated my OpenSC code to version 0.12.0, my ssh-agent can't
> >> seem to get keys to load into the ssh-agent.
> >>
> >> I am running OpenSSH_5.2p1 and I re-built it after the upgrade of
> >> OpenSC. Everything continued to work normally until I logged out of my
> >> session for the day. After logging back in, 'ssh-add -s 0' fails with:
> >> ssh-agent[1961]: error: Unknown message 20
> >> SSH_AGENT_FAILURE
> >> Could not add card: 0
> >>
> >> Attempting 'ssh -I 0' got a simple "no support for smartcards." message.
> >>
> >> Is there something else I need to re-build to get this fixed? I have
> >> confirmed that ssh-add, ssh, and ssh-agent were all rebuilt.
> >
> > I found the problem was in the FreeBSD OpenSSH-portable port and has
> > nothing to do with the upgrade to OpenSC 0.12.0. Sorry for the noise!
> It should be related.
>
> OpenSC 0.12.0 is not supposed to be linked by applications. OpenSSH versions < 5.3 used to do it, OpenSSH 5.3+ use the PKCS#11 interface.
>
> So OpenSSH < 5.3 + OpenSC > 0.12 should be a no go (But OpenSSH <5.3
> and OpenSC < 0.12 should be technically possible, but may require
> patching OpenSSH). Whereas OpenSSH 5.3+ should be OK with any version
> of OpenSC as well as other smart cards.

Martin,

Thanks! That looks to be it. The FreeBSD port of OpenSSH is still at
5.2p1, so it's a non-starter to update OpenSC to 0.12.0. I've rolled
back to OpenSC 0.11.13 and it works again. (The FreeBSD port has all
required patches (scardpin.patch) for OpenSC.)

I'll just have to wait for 5.3 before updating to 0.12.0. I'll also
have to keep the old ssh port around since the OPENSSH option has been
pulled from the current port. (I'll ask the maintainer to put it back!)

Thanks again.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [hidden email] Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751

Re: ssh-agent seems to fail with new opensc

Jean-Michel Pouré - GOOZE
On Wednesday, 5 January 2011 at 08:51 -0800, Kevin Oberman wrote:
> Thanks! That looks to be it. The FreeBSD port of OpenSSH is still at
> 5.2p1, so it's a non-starter to update OpenSC to 0.12.0. I've rolled
> back to OpenSC 0.11.13 and it works again. (The FreeBSD port has all
> required patches (scardpin.patch) for OpenSC.)

Here are some tutorials about OpenSSH with smartcards:
http://www.gooze.eu/howto/using-openssh-with-smartcards

And Putty/WinSCP with smartcards (new tutorial):
http://www.gooze.eu/howto/using-putty-and-winscp-with-smart-cards-under-windows

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: ssh-agent seems to fail with new opensc

Kevin Oberman
> From: Jean-Michel Pouré - GOOZE <[hidden email]>
> Date: Wed, 05 Jan 2011 18:55:43 +0100
>
> On Wednesday, 5 January 2011 at 08:51 -0800, Kevin Oberman wrote:
> > Thanks! That looks to be it. The FreeBSD port of OpenSSH is still at
> > 5.2p1, so it's a non-starter to update OpenSC to 0.12.0. I've rolled
> > back to OpenSC 0.11.13 and it works again. (The FreeBSD port has all
> > required patches (scardpin.patch) for OpenSC.)
>
> Here are some tutorials about OpenSSH with smartcards:
> http://www.gooze.eu/howto/using-openssh-with-smartcards
>
> And Putty/WinSCP with smartcards (new tutorial):
> http://www.gooze.eu/howto/using-putty-and-winscp-with-smart-cards-under-windows
Thanks, but I have been using OpenSC and SmartCard tokens with OpenSSH
for at least two years. It's just that 0.12 depends on the PKCS11 code
in OpenSSH 5.3 and newer and FreeBSD does not yet have a port newer
than 5.2. :-(

What would be nice is to find a good source of tokens, but GOOZE seems
to be unable to sell them to folks in the US. :-( And supported Aladdin
tokens are getting harder and harder to find.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: [hidden email] Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751


Re: ssh-agent seems to fail with new opensc

Martin Paljak-4
Hello,
On Jan 5, 2011, at 6:51 PM, Kevin Oberman wrote:

>>
>> OpenSC 0.12.0 is not supposed to be linked by applications. OpenSSH versions < 5.3 used to do it, OpenSSH 5.3+ use the PKCS#11 interface.
>>
>> So OpenSSH < 5.3 + OpenSC > 0.12 should be a no go (But OpenSSH <5.3
>> and OpenSC < 0.12 should be technically possible, but may require
>> patching OpenSSH). Whereas OpenSSH 5.3+ should be OK with any version
>> of OpenSC as well as other smart cards.
> Thanks! That looks to be it. The FreeBSD port of OpenSSH is still at
> 5.2p1, so it's a non-starter to update OpenSC to 0.12.0. I've rolled
> back to OpenSC 0.11.13 and it works again. (The FreeBSD port has all
> required patches (scardpin.patch) for OpenSC.)

> I'll just have to wait for 5.3 before updating to 0.12.0. I'll also
> have to keep the old ssh port around since the OPENSSH option has been
> pulled from the current port. (I'll ask the maintainer to put it back!)

Sorry, my memory is bad - PKCS#11 support was added in 5.4p1, not 5.3 [1].

Also, I don't know much about FreeBSD port options, but the best thing you could do is to urge OpenSSH port maintainer(s) to update to OpenSSH 5.4+

[1] http://www.opensc-project.org/opensc/wiki/OpenSSH
--
@MartinPaljak.net
+3725156495

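Added example, not code from the thread, OpenSSH or OpenSC: a POSIX shell script that applies the two points Martin makes above and in his correction. OpenSSH before 5.4 linked libopensc directly and `ssh-add -s` took a reader number; from 5.4p1 on, `ssh-add -s` takes the path of a PKCS#11 provider such as opensc-pkcs11.so and works with any card the provider supports. The script parses the banner that `ssh -V` writes to stderr and prints the matching `ssh-add` invocation. The module path /usr/local/lib/opensc-pkcs11.so is an assumed default; use wherever your OpenSC install put opensc-pkcs11.so. It also bears on the error in the first post: in the agent protocol, message type 20 is SSH_AGENTC_ADD_SMARTCARD_KEY, and an ssh-agent built without smartcard support logs it as an unknown message and answers SSH_AGENT_FAILURE, so the agent binary is the first thing to check when `ssh-add -s` fails that way.

```shell
#!/bin/sh
# Added example (not code from the thread, OpenSSH or OpenSC): pick the
# form of `ssh-add -s` that an OpenSSH build understands.
#   < 5.4 : ssh-add -s <reader-number>   (ssh linked against libopensc)
#   >= 5.4: ssh-add -s <pkcs11-module>   (PKCS#11 provider, any card)

# Extract "major.minor" from an `ssh -V` banner such as
# "OpenSSH_5.2p1 FreeBSD-20090522, OpenSSL 0.9.8n 24 Mar 2010".
# Prints nothing if the banner is not from OpenSSH.
openssh_version() {
    printf '%s\n' "$1" |
        sed -n 's/^OpenSSH_\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Exit 0 when the build is 5.4 or newer and therefore expects a PKCS#11
# provider path; 1 for older OpenSSH; 2 for a banner that is not OpenSSH.
openssh_has_pkcs11() {
    v=$(openssh_version "$1")
    [ -n "$v" ] || return 2
    major=${v%%.*}
    minor=${v#*.}
    [ "$major" -gt 5 ] || { [ "$major" -eq 5 ] && [ "$minor" -ge 4 ]; }
}

# Print the ssh-add command line that matches the build. The PKCS#11
# module path is an assumed default; point it at wherever your OpenSC
# install put opensc-pkcs11.so.
smartcard_add_command() {
    banner=$1
    module=${2:-/usr/local/lib/opensc-pkcs11.so}
    if openssh_has_pkcs11 "$banner"; then
        printf 'ssh-add -s %s\n' "$module"
    elif [ -n "$(openssh_version "$banner")" ]; then
        # Old smartcard interface: the argument is the reader index.
        printf 'ssh-add -s 0\n'
    else
        printf 'not an OpenSSH banner: %s\n' "$banner" >&2
        return 1
    fi
}

# Live check, skipped when ssh is absent. `ssh -V` writes its banner to
# stderr, so merge it into the captured output.
if command -v ssh >/dev/null 2>&1; then
    smartcard_add_command "$(ssh -V 2>&1)" || :
fi
```

The version check only tells you what the `ssh-add` client will send; the agent that receives the request must be the same 5.4+ build (it is the agent, via ssh-pkcs11-helper, that loads the provider), so after upgrading, restart ssh-agent rather than reusing one started from the previous binary.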

Re: ssh-agent seems to fail with new opensc

Martin Paljak-4

On Jan 5, 2011, at 8:07 PM, Kevin Oberman wrote:
> What would be nice is to find a good source of tokens, but GOOZE seems
> to be unable to sell them to folks in the US. :-( And supported Aladdin
> tokens are getting harder and harder to find.
Do you want tokens or smart cards?

Among traditional cards (non-JavaCard) I was recently happy with Athena [1]. For example, that seems to be a card that requires the SO PIN before erasing the card with a SO PIN, thus you (or some evil-minded person) can't destroy your keys.

[1] http://www.opensc-project.org/opensc/wiki/ASEPCOS
--
@MartinPaljak.net
+3725156495
