Summary:
Attempting to use the above dylib as a PKCS11 provider stopped working as of 10.12.4.
You used to be able to perform the following operations:
1. $ ssh-keygen -D /usr/lib/ssh-keychain.dylib
2. $ ssh-add -s /usr/lib/ssh-keychain.dylib
3. $ ssh -I /usr/lib/ssh-keychain.dylib $host
In the case of 1 this works. You can read the public key and it will be displayed.
In the case of 2 you can add the public key as an identity to the ssh-agent. However, when you attempt to use this it fails at:
debug2: input_userauth_pk_ok: fp SHA256:[REDACTED]
debug3: sign_and_send_pubkey: RSA SHA256:[REDACTED]
debug3: send packet: type 50
Authentication failed.
And the action for the third scenario just fails outright.
I've attempted this using a Yubikey Neo, Yubikey Nano and Nitrokey HSM. All appear to fail similarly.
Steps to Reproduce:
You used to be able to perform the following operations:
1. $ ssh-keygen -D /usr/lib/ssh-keychain.dylib
2. $ ssh-add -s /usr/lib/ssh-keychain.dylib
3. $ ssh -I /usr/lib/ssh-keychain.dylib $host
Expected Results:
1. Should return the keys that are accessible through the pkcs11 provider.
2. Should add the public key as an identity to the ssh-agent.
3. Should use the pkcs11 (shared object) provider directly to query the identity.
Observed Results:
1. Succeeds.
2. Succeeds, but subsequent attempts to SSH (which uses the ssh-agent to pull the identity) fail at the signing operation.
3. Fails outright.
Version:
10.12.5 (16F73)
Notes:
Would love to speak to someone regarding plans re: pkcs11 and PIV on macOS.
Configuration:
So far reproducible on all hardware specs tested.
Product Version: 10.12.5
Created: 2017-07-10T19:07:56.399750
Originated: 2017-07-10T00:00:00
Open Radar Link: http://www.openradar.me/33218197
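As an added example (not part of this radar and not Apple's or OpenSSH's code), a small Python triage helper that reads `ssh -vvv` output like the lines quoted in the report and reports how far public-key authentication got. The sample log is constructed from the report's own quoted debug lines, with fingerprints redacted as on the page; the stage names and the "signing-failure" verdict are the helper's own labels, not OpenSSH terminology. The point it encodes is the one the report makes: once the server has answered with `input_userauth_pk_ok`, it has accepted the key, so a failure right after `sign_and_send_pubkey` points at the signing path (here, the PKCS11 provider behind the agent), not at a key mismatch.

```python
"""Classify where an `ssh -vvv` public-key login stopped, from its debug log.

Added example, not from the original radar. The verdict labels below are
this helper's own convention (an assumption), not OpenSSH message names.
"""
import re

# Constructed sample: the debug output quoted in the report, one line each.
SAMPLE_LOG = """\
debug2: input_userauth_pk_ok: fp SHA256:[REDACTED]
debug3: sign_and_send_pubkey: RSA SHA256:[REDACTED]
debug3: send packet: type 50
Authentication failed.
"""

# Server accepted the offered public key (SSH_MSG_USERAUTH_PK_OK).
PK_OK = re.compile(r"input_userauth_pk_ok: fp (?P<fp>\S+)")
# Client is about to sign the session challenge with that key.
SIGN = re.compile(r"sign_and_send_pubkey: (?P<alg>\S+) (?P<fp>\S+)")
# Packet type 50 is SSH_MSG_USERAUTH_REQUEST (the signed request going out).
PKT50 = re.compile(r"send packet: type 50\b")
FAILED = re.compile(r"Authentication failed")
SUCCEEDED = re.compile(r"Authentication succeeded")


def classify_pubkey_auth(log: str) -> dict:
    """Return the stages reached and a verdict for one ssh -vvv transcript."""
    accepted = signed = sent = failed = succeeded = False
    fingerprint = algorithm = None
    for line in log.splitlines():
        if m := PK_OK.search(line):
            accepted, fingerprint = True, m.group("fp")
        elif m := SIGN.search(line):
            signed, algorithm = True, m.group("alg")
        elif PKT50.search(line):
            sent = True
        elif FAILED.search(line):
            failed = True
        elif SUCCEEDED.search(line):
            succeeded = True

    if succeeded:
        verdict = "ok"
    elif accepted and signed and failed:
        # Key accepted, signature attempted, then failure: the signing path
        # (agent / PKCS#11 provider) is the suspect, not the key itself.
        verdict = "signing-failure"
    elif not accepted:
        verdict = "key-not-accepted"
    else:
        verdict = "unknown"

    return {
        "accepted": accepted,
        "fingerprint": fingerprint,
        "signed": signed,
        "algorithm": algorithm,
        "sent_userauth_request": sent,
        "verdict": verdict,
    }


if __name__ == "__main__":
    # Run directly to triage the sample; pipe real `ssh -vvv` output in practice.
    print(classify_pubkey_auth(SAMPLE_LOG))
```

Run it against a saved `ssh -vvv host 2> ssh.log` transcript by passing the file contents to `classify_pubkey_auth`; a "signing-failure" verdict is the pattern the report describes, and is the cue to test the provider's signing operation on its own rather than re-checking authorized_keys.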