[Bug 1606929] Re: ssh-agent PKCS#11: agent refused operation
Chris
1606929 at bugs.launchpad.net
Wed Jul 27 14:33:52 UTC 2016
Sorry. Actually I just discovered that ssh-agent wasn't used by default,
but gnome-keyring-daemon is. Probably gnome-keyring-daemon just does not
support PKCS#11 yet...
--
https://bugs.launchpad.net/bugs/1606929
Title:
ssh-agent PKCS#11: agent refused operation
Status in openssh package in Ubuntu:
New
Bug description:
I'm using simple-tpm-pk11 (from Ubuntu repo) and can successfully
connect to SSH using a TPM key.
When trying to add the key to my ssh-agent, the action is refused:
$ ssh-add -s /usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so": agent refused operation
Thomas Habets, author of simple-tpm-pk11, suggested compiling ssh-agent
from source [1]. This fixed the issue.
Recompile steps:
$ apt-get source openssh-client
[…]
$ cd openssh-7.2p2
$ ./configure --prefix=$HOME/opt/openssh
[…]
$ grep -q '^#define ENABLE_PKCS11' config.h && echo success || echo fail
success
$ sudo mkdir -p /var/empty
$ make install
[…]
$ ~/opt/openssh/bin/ssh-agent
[… env stuff for ssh-agent. copy-paste run this …]
$ ssh-add -s /usr/local/lib/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11:
Card added: /usr/local/lib/libsimple-tpm-pk11.so
$ ssh-add -l
2048 SHA256:xxxxx[…]xxxxxx /usr/local/lib/libsimple-tpm-pk11.so (RSA)
1) Ubuntu 16.04.1 LTS
2)
openssh-client 1:7.2p2-4ubuntu1
simple-tpm-pk11 0.04-1
3) I would expect the Ubuntu binary release of ssh-agent to allow
adding the TPM key just like the locally compiled test.
4) An error is returned by ssh-add: Could not add card
"/usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so": agent refused
operation
ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openssh-client 1:7.2p2-4ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jul 27 06:24:19 2016
InstallationDate: Installed on 2016-07-26 (1 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
RelatedPackageVersions:
ssh-askpass N/A
libpam-ssh N/A
keychain N/A
ssh-askpass-gnome N/A
SSHClientVersion: OpenSSH_7.2p2 Ubuntu-4ubuntu1, OpenSSL 1.0.2g-fips 1 Mar 2016
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
upstart.ssh-agent.log:
ssh-agent stop/pre-start, process 4012
ssh-agent stop/pre-start, process 3782
ssh-agent stop/pre-start, process 3440
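A quick check for the situation in the comment at the top of this message, where the socket in SSH_AUTH_SOCK is answered by gnome-keyring-daemon rather than ssh-agent (an added example, not part of the bug report or of OpenSSH). The function names and the socket path patterns are assumptions based on the usual default socket locations.

```shell
#!/bin/sh
# Added example, not part of the bug report. The path patterns are the
# conventional default socket locations, so treat the result as a strong
# hint and confirm with the listening process if it says "unknown".

# Print which agent implementation a socket path conventionally belongs to.
classify_agent_socket() {
    case "$1" in
        "")                             echo "none" ;;
        */keyring/ssh|*/keyring-*/ssh)  echo "gnome-keyring" ;;
        */ssh-*/agent.*)                echo "openssh" ;;
        *)                              echo "unknown" ;;
    esac
}

# Succeed if a configured OpenSSH source tree has PKCS#11 support enabled
# (the same grep on config.h as in the recompile steps above).
pkcs11_enabled() {
    grep -q '^#define ENABLE_PKCS11' "$1"
}

# One-line verdict on whether "ssh-add -s" will reach OpenSSH's ssh-agent.
pkcs11_agent_verdict() {
    kind=$(classify_agent_socket "$1")
    case "$kind" in
        openssh)       echo "ok: socket belongs to ssh-agent" ;;
        gnome-keyring) echo "mismatch: gnome-keyring-daemon answers this socket" ;;
        none)          echo "no agent: SSH_AUTH_SOCK is empty" ;;
        *)             echo "unknown: inspect the listening process" ;;
    esac
}

# Report on the current session's agent socket.
pkcs11_agent_verdict "${SSH_AUTH_SOCK:-}"
```

Run it in the same shell where `ssh-add -s` failed; a "mismatch" verdict means the request never reached the ssh-agent binary being tested.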