lionheart / openradar-mirror

A mirror of radars pulled from http://openradar.me/.

33218197: /usr/lib/ssh-keychain.dylib doesn't function for use as PKCS11 provider to SSH for NON ADMIN USERS! #17883

Open openradar-mirror opened 7 years ago

openradar-mirror commented 7 years ago

Description

Area: Something not on this list

Summary: Attempting to use the above dylib as a PKCS11 provider stopped working as of 10.12.4.

You used to be able to perform the following operations:

  1. $ ssh-keygen -D /usr/lib/ssh-keychain.dylib
  2. $ ssh-add -s /usr/lib/ssh-keychain.dylib
  3. $ ssh -I /usr/lib/ssh-keychain.dylib $host

In the case of 1 this works. You can read the public key and it will be displayed.

In the case of 2 you can add the public key as an identity to the ssh-agent. However, when you attempt to use this it fails at:

debug2: input_userauth_pk_ok: fp SHA256:[REDACTED]
debug3: sign_and_send_pubkey: RSA SHA256:[REDACTED]
debug3: send packet: type 50
Authentication failed.

And the action for the third scenario just fails outright.

I've attempted this using a Yubikey Neo, Yubikey Nano and Nitrokey HSM. All appear to fail similarly.

Steps to Reproduce: You used to be able to perform the following operations:

  1. $ ssh-keygen -D /usr/lib/ssh-keychain.dylib
  2. $ ssh-add -s /usr/lib/ssh-keychain.dylib
  3. $ ssh -I /usr/lib/ssh-keychain.dylib $host

Expected Results:

  1. should return the keys that are accessible through the pkcs11 provider
  2. should add the public key as an identity to the ssh-agent
  3. should use the pkcs11 (shared object) provider directly to query identity.

Observed Results:

  1. Succeeds.
  2. Succeeds, but subsequent attempts to SSH (which uses the ssh-agent to pull the identity) fail at the signing operation.
  3. Fails outright.

Version: 10.12.5 (16F73)

Notes: Would love to speak to someone regarding plans re: pkcs11 and piv on MacOS.

Configuration: So far reproducible on all hardware specs tested.

- Product Version: 10.12.5
- Created: 2017-07-10T19:07:56.399750
- Originated: 2017-07-10T00:00:00
- Open Radar Link: http://www.openradar.me/33218197
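The report's second observed result is the interesting one: the server accepts the key (input_userauth_pk_ok) and the failure happens afterwards, at the local signing step. The following is an added triage helper, not part of the radar or of Apple's or OpenSSH's code, that reads `ssh -vvv` output and tells that case apart from a key the server simply rejected; the debug markers it matches are assumed from OpenSSH's client output, and the sample transcripts are constructed.

```python
"""Triage `ssh -vvv` output for a PKCS#11 / hardware-token public-key login.

Separates three outcomes:
  * success,
  * server accepted the key but the local agent/provider never produced a
    usable signature (the symptom described in the radar above),
  * server rejected every offered key (authorized_keys / wrong key problem).
"""
import re

# Assumed OpenSSH -vvv markers (client-side debug strings).
OFFERED = re.compile(r"Offering .*?public key")
PK_OK = re.compile(r"input_userauth_pk_ok: fp (\S+)")
SIGNING = re.compile(r"sign_and_send_pubkey: \S+ (\S+)")
SUCCESS = re.compile(r"Authentication succeeded")


def triage(debug_output: str) -> dict:
    """Return the stage at which a public-key login stopped, plus evidence."""
    offered = len(OFFERED.findall(debug_output))
    accepted = PK_OK.findall(debug_output)      # fingerprints the server OK'd
    signed = SIGNING.findall(debug_output)      # fingerprints we tried to sign
    if SUCCESS.search(debug_output):
        stage = "success"
    elif accepted:
        # The server already said this key is authorized, so the fault is on
        # the client: the PKCS#11 provider / ssh-agent could not sign.
        stage = "local_signing_failed"
    elif offered:
        stage = "server_rejected_key"
    else:
        stage = "no_identity_offered"            # provider returned no keys
    return {"stage": stage, "offered": offered,
            "accepted": accepted, "signed": signed}


# Constructed transcript mirroring the radar: key accepted, signing fails.
SAMPLE_SIGN_FAIL = """\
debug1: Offering RSA public key: /usr/lib/ssh-keychain.dylib
debug2: input_userauth_pk_ok: fp SHA256:EXAMPLEFINGERPRINT
debug3: sign_and_send_pubkey: RSA SHA256:EXAMPLEFINGERPRINT
debug3: send packet: type 50
Authentication failed.
"""

# Constructed transcript: key offered but not in the server's authorized_keys.
SAMPLE_REJECTED = """\
debug1: Offering RSA public key: /Users/me/.ssh/id_rsa
debug2: we did not send a packet, disable method
Permission denied (publickey).
"""

if __name__ == "__main__":
    for name, text in (("sign_fail", SAMPLE_SIGN_FAIL), ("rejected", SAMPLE_REJECTED)):
        print(name, triage(text)["stage"])
```

A `local_signing_failed` verdict points at the provider or agent (the case in this radar), while `server_rejected_key` points at the server's authorized_keys or the key being offered.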

openradar-mirror commented 7 years ago

Modified: 2017-07-10T20:04:59.935240