Yubico / yubico-piv-tool

Command line tool for the YubiKey PIV application
https://developers.yubico.com/yubico-piv-tool
BSD 2-Clause "Simplified" License

macOS - libykpiv.2.dylib failing to load after upgrade to Ventura 13.1 (22C65) #427

Closed chtzvt closed 1 year ago

chtzvt commented 1 year ago

As of the most recent macOS update (to Ventura 13.1 (22C65)), I've experienced the following issue with libykcs11 being loaded by openssh:

🂁 charlton@phainopepla ~/Documents $ git clone git@github.com:TampaDevs/jobsyn.git
Cloning into 'jobsyn'...
dlopen /usr/local/lib/libykcs11.2.3.0.dylib failed: dlopen(/usr/local/lib/libykcs11.2.3.0.dylib, 0x0002): Library not loaded: @rpath/libykpiv.2.dylib
  Referenced from: <9DC8FEC9-CE74-3412-9D9D-565EB06DC85E> /usr/local/lib/libykcs11.2.3.0.dylib
  Reason: tried: '/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS@rpath/libykpiv.2.dylib' (no such file), '/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/System/Volumes/Preboot/Cryptexes/OS/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file), '/opt/homebrew/Cellar/yubico-piv-tool/2.3.0/lib/libykpiv.2.dylib' (no such file),
Load key "/Users/charlton/.ssh/id_yk5n_024.pub": invalid format
git@github.com: Permission denied (publickey).
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

This behavior is consistent across both of my machines with the same configuration present:

$ cat ~/.ssh/config
Host *
  IgnoreUnknown UseKeychain
  UseKeychain yes
  AddKeysToAgent yes
#  PKCS11Provider /usr/lib/x86_64-linux-gnu/libykcs11.so
  PKCS11Provider /usr/local/lib/libykcs11.2.3.0.dylib
  PKCS11Provider /usr/lib/ssh-keychain.dylib
  IdentitiesOnly yes
  IdentityFile /Users/charlton/.ssh/id_yk5n_024.pub
  ForwardAgent no
  ForwardX11 no

The issue appears to be related to the version of libykpiv.2.dylib provided by this library. On both of my systems, only version 2.3.1 of libykcs11 is present in /opt/homebrew/Cellar/yubico-piv-tool/, even after reinstalling yubikey-agent and yubico-piv-tool with brew.

I temporarily resolved the issue by creating a symlink from 2.3.1 to 2.3.0:

ln -s /opt/homebrew/Cellar/yubico-piv-tool/2.3.1 /opt/homebrew/Cellar/yubico-piv-tool/2.3.0

qpernil commented 1 year ago

Why not point out the newer version in your .ssh/config?

chtzvt commented 1 year ago

Closing this issue with a bit of background:

Until a recent update to openssh on macOS, ssh-agent would reject any configuration where dylibs would load from non-whitelisted directories. This was one of the issues underlying #387, and the reason I ended up copying libykcs11 to /usr/local/lib in the first place.

Apparently, it's now possible to load /opt/homebrew/lib/libykcs11.dylib directly as a PKCS11Provider in my ~/.ssh/config, so this is no longer a problem 😄
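An added check that is not part of this issue or of yubico-piv-tool: a POSIX shell function (hypothetical name check_pkcs11_providers) that audits the PKCS11Provider entries of an ssh client config for the two failure modes in the thread, a provider pinned to a versioned Cellar path that vanishes on upgrade, and, on macOS, an @rpath dependency such as libykpiv.2.dylib that resolves in none of the provider's LC_RPATH entries. It assumes otool is available for the dependency check and skips that part elsewhere.

```shell
#!/bin/sh
# check_pkcs11_providers CONFIG_FILE   (hypothetical helper, not project code)
# Reports PKCS11Provider paths that are missing or dangling symlinks, paths
# pinned to a versioned Homebrew Cellar directory (these break on every
# upgrade, as 2.3.0 -> 2.3.1 did here; brew's /opt/homebrew/lib symlink is
# stable), and, where otool exists, @rpath dependencies found in none of the
# library's LC_RPATH dirs, which is what "Library not loaded: @rpath/..." means.
# Returns 0 when every provider exists, 1 otherwise.
check_pkcs11_providers() {
    config="$1"
    status=0
    # Drop comments, accept "Key=Value", keep provider paths in file order.
    # ssh_config uses the first value obtained per keyword, so a stale first
    # PKCS11Provider shadows any later one (as in the config quoted above).
    providers=$(sed 's/#.*//; s/=/ /' "$config" \
        | awk 'tolower($1) == "pkcs11provider" { print $2 }')
    for provider in $providers; do
        case "$provider" in
            */Cellar/*/[0-9]*/*)
                echo "WARN: $provider is pinned to a versioned Cellar path" ;;
        esac
        if [ ! -e "$provider" ]; then
            echo "ERROR: $provider not found (missing file or dangling symlink)"
            status=1
            continue
        fi
        echo "OK: $provider"
        if command -v otool >/dev/null 2>&1; then
            libdir=$(dirname "$provider")
            # LC_RPATH entries, with @loader_path resolved to the library's dir.
            rpaths=$(otool -l "$provider" \
                | awk '/ cmd LC_RPATH/ { getline; getline; print $2 }' \
                | sed "s|^@loader_path|$libdir|")
            otool -L "$provider" | awk 'NR > 1 && $1 ~ /^@rpath\// { print $1 }' \
              | while read -r dep; do
                found=0
                for dir in $rpaths; do
                    [ -e "$dir/${dep#@rpath/}" ] && found=1
                done
                [ "$found" -eq 1 ] || echo "WARN: $dep resolves in no LC_RPATH of $provider"
            done
        fi
    done
    return "$status"
}
```

Run it as `check_pkcs11_providers ~/.ssh/config`; a non-zero exit means ssh will fail to load the token exactly as in the git clone above.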