
yubico-piv-tool doesn't appear to work with openssh 8.8p1

Open ogreface opened this issue 4 years ago • 12 comments

Having started an ssh-agent in debug mode like below: YKCS11_DBG=1 ssh-agent -d -s -P /usr/local/lib/*,/usr/local/Cellar/yubico-piv-tool/*/lib/*.dylib

And having copied the libykcs11.dylib from the homebrew directory to /usr/local/lib manually (per other issues).

I then successfully add the yubikey:

ssh-add -s /usr/local/lib/libykcs11.dylib
Agent pid 5090
Enter passphrase for PKCS#11:
Card added: /usr/local/lib/libykcs11.dylib

ssh-add -L shows the yubikey.

Now, if I use ssh from homebrew

~$ ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021

I am never prompted to actually touch the yubikey, and authentication fails.

The ssh-agent debug output is

debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering

SSH goes through, the userauth banner is shown, and it drops me back to the command line with permission denied

Without changing anything, and immediately using the osx version of ssh

~$ /usr/bin/ssh -V
OpenSSH_8.1p1, LibreSSL 2.7.3

It then prompts for the touch and works as expected.

The ssh-agent debug output is:

debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
debug1: process_sign
debug1: check RSA /usr/local/lib/libykcs11.dylib Public key for PIV Authentication
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1809 (C_FindObjectsInit): In
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1842 (C_FindObjectsInit): Initialized search with 3 parameters
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:303 (get_doa): For data object 0, get
<elided>

I don't know if this is an openssh issue, or a yubico-piv-tool issue, so thought I'd open the issue. 8.6 seems to work from other reports.

ogreface, Dec 06 '21 21:12

I don't have a mac within reach, but I tried manually building 8.6 and 8.8 on an Ubuntu install and both versions work for me.

I have followed more or less the same steps that you mentioned above.

Just to avoid any confusion, you don't mention anything about setting environment variables and you say that without changing anything you can switch to the version of SSH that comes with your OS and things work. Are you setting the environment variable that ssh-agent prints when you run the version from brew manually?

When doing

$ ssh-agent -P "/path/to/ykcs11/directory/*" -d

you should be getting something like

SSH_AUTH_SOCK=/tmp/ssh-vkzEcTUPkySX/agent.115389; export SSH_AUTH_SOCK;
echo Agent pid 115389;
debug2: fd 3 setting O_NONBLOCK

are you exporting the SSH_AUTH_SOCK variable to the environment from where you'll be running ssh-add/ssh/ssh-keygen? If not you'll be using the incorrect agent. Also, when you run ssh-add -s /path/to/libykcs11.so what does the output of ssh-agent look like? What does that output look like when you get permission denied?

a-dma, Jan 14 '22 09:01

without changing anything you can switch to the version of SSH that comes with your OS and things work.

Yes, that's correct.

Here's an example starting clean with no agent/env vars set.

rishi.malik@rishi:~$ env |grep SSH
rishi.malik@rishi:~$ ps aux |grep ssh
rishi.malik      18457   0.0  0.0 34253868    924 s003  S+    8:29AM   0:00.00 grep ssh


rishi.malik@rishi:~$ ssh-agent -s -P /usr/local/lib/*,/usr/local/Cellar/yubico-piv-tool/*/lib/*.dylib
SSH_AUTH_SOCK=/var/folders/4h/p0l4kg612xj5dg5k4c70_w6h0000gp/T//ssh-EbWMYiTCr5XV/agent.18462; export SSH_AUTH_SOCK;
SSH_AGENT_PID=18463; export SSH_AGENT_PID;
echo Agent pid 18463;

rishi.malik@rishi:~$ env |grep SSH
rishi.malik@rishi:~$ export SSH_AUTH_SOCK=/var/folders/4h/p0l4kg612xj5dg5k4c70_w6h0000gp/T//ssh-EbWMYiTCr5XV/agent.18462
rishi.malik@rishi:~$ env |grep SSH
SSH_AUTH_SOCK=/var/folders/4h/p0l4kg612xj5dg5k4c70_w6h0000gp/T//ssh-EbWMYiTCr5XV/agent.18462
rishi.malik@rishi:~$ SSH_AGENT_PID=18463; export SSH_AGENT_PID;
rishi.malik@rishi:~$
rishi.malik@rishi:~$
rishi.malik@rishi:~$ env |grep SSH
SSH_AGENT_PID=18463
SSH_AUTH_SOCK=/var/folders/4h/p0l4kg612xj5dg5k4c70_w6h0000gp/T//ssh-EbWMYiTCr5XV/agent.18462
rishi.malik@rishi:~$ ssh-add -s /usr/local/lib/libykcs11.dylib
Enter passphrase for PKCS#11:
Card added: /usr/local/lib/libykcs11.dylib

At this point, running openSSH_8.8p1 (installed via homebrew: OpenSSH_8.8p1, OpenSSL 1.1.1l 24 Aug 2021) will fail to pause and wait for the yubikey press.

Changing nothing other than running /usr/bin/ssh (osx installation: OpenSSH_8.6p1, LibreSSL 2.8.3) works, and prompts for the yubikey touch.

ogreface, Jan 14 '22 16:01

Are you able to show an error message from ssh-agent? Perhaps try reproducing something similar to what I have below.

This is how the following is setup:

  • VM running Ubuntu 21.10 (again, no mac within reach unfortunately)
  • ykcs11 installed from apt
  • manual build of OpenSSH version 8.8p1

I run ssh-agent and the other command on the same terminal on purpose. It makes for some slightly messier output, but it shows exactly what the agent is replying to each command.

In my case I had to tell ssh-agent where to find the ssh-pkcs11-helper as I didn't install the new version system-wide. Also, I had no need to manually specify the PKCS#11 "allowed providers" options (-P to ssh-agent) since ykcs11 gets installed in a path that is allowed by default on this system.

Depending on your setup you might have to do one of the two above (or both). If you don't, ssh-agent should complain with a meaningful error.

The test signature at the end is just to show that the key is usable.

vagrant@ubuntu-impish:~/openssh-portable$ ./ssh -V
OpenSSH_8.8p1, OpenSSL 1.1.1l  24 Aug 2021

vagrant@ubuntu-impish:~/openssh-portable$ echo $SSH_AUTH_SOCK

vagrant@ubuntu-impish:~/openssh-portable$ export SSH_PKCS11_HELPER=/home/vagrant/openssh-portable/ssh-pkcs11-helper #needed since I didn't run `make install` and ssh-agent won't find the helper otherwise

vagrant@ubuntu-impish:~/openssh-portable$ ./ssh-agent -d
SSH_AUTH_SOCK=/tmp/ssh-XXXXXXM64A9j/agent.2088; export SSH_AUTH_SOCK;
echo Agent pid 2088;
debug1: new_socket: type = SOCKET
debug2: fd 3 setting O_NONBLOCK
^Z
[1]+  Stopped                 ./ssh-agent -d

vagrant@ubuntu-impish:~/openssh-portable$ bg
[1]+ ./ssh-agent -d &

vagrant@ubuntu-impish:~/openssh-portable$  SSH_AUTH_SOCK=/tmp/ssh-XXXXXXM64A9j/agent.2088; export SSH_AUTH_SOCK;

vagrant@ubuntu-impish:~/openssh-portable$ echo $SSH_AUTH_SOCK
/tmp/ssh-XXXXXXM64A9j/agent.2088

vagrant@ubuntu-impish:~/openssh-portable$ ./ssh-add -l
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug2: process_request_identities: replying with 0 allowed of 0 available keys
The agent has no identities.

vagrant@ubuntu-impish:~/openssh-portable$ ./ssh-add -s /usr/lib/x86_64-linux-gnu/libykcs11.so
Enter passphrase for PKCS#11: debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK

debug1: process_message: socket 1 (fd=4) type 20
debug2: process_add_smartcard_key: entering
debug1: process_add_smartcard_key: add /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0
debug1: pkcs11_start_helper: starting /home/vagrant/openssh-portable/ssh-pkcs11-helper -vvv
debug1: process_add
debug1: provider /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0: manufacturerID <Yubico (www.yubico.com)> cryptokiVersion 2.40 libraryDescription <PKCS#11 PIV Library (SP-800-73)> libraryVersion 2.20
debug1: provider /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0 slot 0: label <YubiKey PIV #0> manufacturerID <Yubico (www.yubico.com)> model <YubiKey YK5> serial <0> flags 0x40d
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0 slot 0: RSA SHA256:CpTJ8Wj5nHquTG6sCxYVr6GjHywPrIN+QzHsqb0lQis
debug1: have 1 keys
debug2: pkcs11_fetch_keys: provider /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0 slot 0: ECDSA SHA256:RE5oQh5mRtULcDuWSlU7Hf/5mlo3WzhHyAeSfZvba6A
debug1: have 2 keys
debug2: pkcs11_fetch_certs: provider /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0 slot 0: RSA SHA256:CpTJ8Wj5nHquTG6sCxYVr6GjHywPrIN+QzHsqb0lQis
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55ed8a51ecc0 ptr 0x55ed8a51d8b0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0" refcount 3
debug2: pkcs11_fetch_certs: provider /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0 slot 0: ECDSA SHA256:RE5oQh5mRtULcDuWSlU7Hf/5mlo3WzhHyAeSfZvba6A
debug2: pkcs11_fetch_certs: key already included
debug1: pkcs11_k11_free: parent 0x55ed8a51db20 ptr 0x55ed8a51fdf0 idx 1
debug1: pkcs11_provider_unref: provider "/usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0" refcount 3
Card added: /usr/lib/x86_64-linux-gnu/libykcs11.so

vagrant@ubuntu-impish:~/openssh-portable$ ./ssh-add -L
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug3: identity_permitted: entering: key RSA comment "Public key for PIV Authentication", 0 socket bindings, 0 constraints
debug3: identity_permitted: entering: key ECDSA comment "Public key for Digital Signature", 0 socket bindings, 0 constraints
debug2: process_request_identities: replying with 2 allowed of 2 available keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/8oGKjTWnBR/qSF1PTioxmkoIqLlLhlsC1rsOdTANOf4opzzQrIE6YcafojiCZY4AkrEx0JRaWkVd1F/+XqNpuldyZPqH1cLbMe1ZNVddyydjfB7poQ5inKdcsDTINzoUkLAAAjOYLlveFDA335jtxmpWBCfJ/fpa6ydSHvCZBF5pBwHr8goktCA/5ZhP1dqnw0289kdaHTAskD5Lgm5fjRor2Mp0ymJqYSUliZrwqrC5bXvY0mBjCOFtaHpIoBsewgG0CK9XAt5+VBUJhgiBC7n0x1l8EolfuwHTiOyDIhOClycyK4svBSvJ5+szuC16v93PdPkCqT2WBLOSzMTj Public key for PIV Authentication
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDRe+hSt+1ZwLkEJsGoElv2csHfDNZVVKpy921sHu4s9ZK7uiToPHRgzb5gPl2ysBjZ/IXfcYzrLg79UGx76A8w= Public key for Digital Signature
vagrant@ubuntu-impish:~/openssh-portable$ echo ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC/8oGKjTWnBR/qSF1PTioxmkoIqLlLhlsC1rsOdTANOf4opzzQrIE6YcafojiCZY4AkrEx0JRaWkVd1F/+XqNpuldyZPqH1cLbMe1ZNVddyydjfB7poQ5inKdcsDTINzoUkLAAAjOYLlveFDA335jtxmpWBCfJ/fpa6ydSHvCZBF5pBwHr8goktCA/5ZhP1dqnw0289kdaHTAskD5Lgm5fjRor2Mp0ymJqYSUliZrwqrC5bXvY0mBjCOFtaHpIoBsewgG0CK9XAt5+VBUJhgiBC7n0x1l8EolfuwHTiOyDIhOClycyK4svBSvJ5+szuC16v93PdPkCqT2WBLOSzMTj Public key for PIV Authentication >9a.pub

vagrant@ubuntu-impish:~/openssh-portable$ echo "Hello World!" >dummy

vagrant@ubuntu-impish:~/openssh-portable$ ssh-keygen -Y sign -f 9a.pub -n sshtest dummy
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug3: identity_permitted: entering: key RSA comment "Public key for PIV Authentication", 0 socket bindings, 0 constraints
debug3: identity_permitted: entering: key ECDSA comment "Public key for Digital Signature", 0 socket bindings, 0 constraints
debug2: process_request_identities: replying with 2 allowed of 2 available keys
Signing file dummy
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
debug1: process_sign
debug1: check RSA /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0 Public key for PIV Authentication
debug1: pkcs11_check_obj_bool_attrib: provider "/usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0" slot 0 object 86: attrib 514 = 0
debug1: pkcs11_k11_free: parent 0x55ed8a51ecc0 ptr (nil) idx 1
Write signature to dummy.sig

vagrant@ubuntu-impish:~/openssh-portable$ cat dummy.sig
-----BEGIN SSH SIGNATURE-----
<elided>
-----END SSH SIGNATURE-----

a-dma, Jan 17 '22 11:01

Hi @a-dma. Sure, I duplicated this again. When it fails, the agent output is:

debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering

When it succeeds (and prompted for the press), the output is

Certificate signed with disallowed algorithm
debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
* * * * * * * * Touch your yubikey to proceed * * * * * * * * *
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
debug1: process_sign
debug1: check RSA /usr/local/lib/libykcs11.dylib Public key for PIV Authentication
<rest elided as it's already progressed past the failed mode>

As before, the only difference is which ssh client version is used.

ogreface, Jan 22 '22 17:01

Sorry, but that is not enough information to go on with. As you can see from both your logs and mine, the line ending in "entering" is not indicative of an error, as it happens during normal operation, and your output doesn't seem to match what I'm getting.

As shown above, even with no keys loaded and no YubiKey plugged into my computer, the agent debug log prints the following when running ./ssh-add -l

debug1: new_socket: type = SOCKET
debug2: fd 3 setting O_NONBLOCK
debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug2: process_request_identities: replying with 0 allowed of 0 available keys

and if I run ./ssh-add -s /usr/lib/x86_64-linux-gnu/libykcs11.so without a device plugged in I get

debug1: new_socket: type = CONNECTION
debug2: fd 4 setting O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 20
debug2: process_add_smartcard_key: entering
debug1: process_add_smartcard_key: add /usr/lib/x86_64-linux-gnu/libykcs11.so.2.2.0
write to helper failed
read from helper failed: 0

Do you see a similar behavior?

Coincidentally, your debug lines regarding the type of file descriptor are debug3 lines whereas they show up as debug2 for me. That makes me think that either the mac/brew version does something considerably different, or perhaps your ssh process is talking to a different agent? Are you sure that there is only one ssh-agent process running at the time and that it is the correct version and that, for example, the OS doesn't spawn a new one for you?

a-dma, Jan 24 '22 08:01

Yeah, unfortunately there's no other output in the failure case. It just stops after "entering". Good spot on the debug2 vs debug3, let me check versions on the agent. I did confirm there was only one agent, but I will double check.

ogreface, Jan 27 '22 14:01

I have confirmed there is only one ssh-agent running at a time. ssh-agent itself doesn't seem to have a version embedded in it, however I have confirmed the issue occurs when running the brew version of ssh and ssh-agent together, or when using the osx version of ssh-agent and the homebrew version of ssh. The osx version of ssh works with both versions of the ssh-agent.

ogreface, Jan 31 '22 15:01

@ogreface, can you please try to pipe the output of ssh-add -L to a file, edit the file so that only the PIV authentication key is present, and test using ssh-add -T file instead? The fact that there's no other output in the failure case suggests that ssh-agent is not involved in the error path, and ssh-add -T will simply check whether the agent is able to perform a test signature with the given pubkey (without involving a SSH server, ssh_config options, etc). Thanks.

martelletto, Feb 02 '22 15:02

@martelletto The output of the ssh-add -T is below. Seems to hang for a bit before finishing (unlike the ssh commands).

rishi.malik@rishi:~$ ssh-add -T add_output.txt
debug1: new_socket: type = CONNECTION
debug3: fd 4 is O_NONBLOCK
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
debug1: process_sign
debug1: check RSA /usr/local/lib/libykcs11.dylib Public key for PIV Authentication
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1809 (C_FindObjectsInit): In
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1842 (C_FindObjectsInit): Initialized search with 3 parameters
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:303 (get_doa): For data object 0, get
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:307 (get_doa): CLASS
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1860 (C_FindObjectsInit): Removing object 0
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:303 (get_doa): For data object 25, get
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:307 (get_doa): CLASS
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1860 (C_FindObjectsInit): Removing object 25
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:303 (get_doa): For data object 26, get
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:307 (get_doa): CLASS
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1860 (C_FindObjectsInit): Removing object 26
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:303 (get_doa): For data object 31, get
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:307 (get_doa): CLASS
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1860 (C_FindObjectsInit): Removing object 31
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:394 (_get_coa): For certificate object 37, get
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:398 (_get_coa): CLASS
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1860 (C_FindObjectsInit): Removing object 37
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:521 (get_proa): For private key object 86, get
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:525 (get_proa): CLASS
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:521 (get_proa): For private key object 86, get
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:561 (get_proa): ID
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:521 (get_proa): For private key object 86, get
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:617 (get_proa): SIGN
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1867 (C_FindObjectsInit): Keeping object 86
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:760 (get_puoa): For public key object 111, get
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:764 (get_puoa): CLASS
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1860 (C_FindObjectsInit): Removing object 111
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1874 (C_FindObjectsInit): 1 object(s) left after attribute matching
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1878 (C_FindObjectsInit): Out
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1889 (C_FindObjects): In
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1918 (C_FindObjects): Can return 1 object(s), 1 remaining
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1927 (C_FindObjects): Returning 1 objects, 0 remaining
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1931 (C_FindObjects): Out
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1939 (C_FindObjectsFinal): In
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1965 (C_FindObjectsFinal): Out
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:2752 (C_SignInit): In
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:2822 (C_SignInit): Out
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1741 (C_GetAttributeValue): In
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:521 (get_proa): For private key object 86, get
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/objects.c:712 (get_proa): ALWAYS AUTHENTICATE
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:1786 (C_GetAttributeValue): Out
debug1: pkcs11_check_obj_bool_attrib: provider "/usr/local/lib/libykcs11.dylib" slot 1 object 86: attrib 514 = 0
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:2834 (C_Sign): In
Sign command failed with code 6982.
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/mechanisms.c:299 (sign_mechanism_final): ykpiv_sign_data with key 9a failed: Authentication error
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:2894 (C_Sign): sign_mechanism_final failed
debug: /tmp/yubico-piv-tool-20210910-75601-pubfgc/yubico-piv-tool-2.2.1/ykcs11/ykcs11.c:2907 (C_Sign): Out
C_Sign failed: 257
debug1: pkcs11_k11_free: parent 0x6000032f8000 ptr 0x0 idx 1
process_sign_request2: sshkey_sign: error in libcrypto
Agent signature failed for add_output.txt: agent refused operation

ogreface, Feb 23 '22 16:02

@ogreface Thank you. It looks like the key was waiting for touch and timed out. When you are prompted to touch the key, what does that look like? The key should blink, but do you also get a notification from ssh/ssh-agent?

martelletto, Mar 01 '22 10:03
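The diagnostic reasoning used in this thread (no sign request after "process_request_identities" means the client never asked the agent to sign; a "Sign command failed with code 6982" means the token refused the signature) can be turned into a small log classifier. This is an added example, not code from the thread or from the yubico-piv-tool project; the sample logs are constructed from abbreviated lines of the outputs posted above.

```python
"""Classify an `ssh-agent -d` log (with YKCS11_DBG=1) by where the signing
path stopped. Added example; not part of the thread or of yubico-piv-tool.
Message numbers are the SSH agent protocol values seen in the logs:
11 = SSH_AGENTC_REQUEST_IDENTITIES, 13 = SSH_AGENTC_SIGN_REQUEST."""
import re

REQUEST_IDENTITIES = 11
SIGN_REQUEST = 13

MSG_RE = re.compile(r"process_message: socket \d+ \(fd=\d+\) type (\d+)")
# Status word printed by ykcs11 when the card rejects the sign command.
SW_RE = re.compile(r"Sign command failed with code ([0-9A-Fa-f]{4})")
SIGNED_RE = re.compile(r"\(C_Sign\): The signature is (\d+) bytes")

EXPLANATIONS = {
    "client_never_signed": "agent listed identities but never received a sign "
                           "request: the agent and token are not on the error "
                           "path, look at the ssh client side (ssh -vvv)",
    "token_refused_sign": "token rejected the sign command with ISO 7816 SW "
                          "6982 (security status not satisfied), e.g. touch "
                          "not given before the timeout or PIN policy unmet",
    "signed": "the token produced a signature",
    "sign_pending": "a sign request reached the agent but no outcome was logged",
    "no_requests": "no agent requests seen in the log",
}


def diagnose(log: str) -> dict:
    """Return the observed agent messages, status word and a verdict key."""
    types = [int(m.group(1)) for m in MSG_RE.finditer(log)]
    sw = SW_RE.search(log)
    signed = SIGNED_RE.search(log)
    result = {
        "identities_requested": REQUEST_IDENTITIES in types,
        "sign_requested": SIGN_REQUEST in types,
        "status_word": sw.group(1).upper() if sw else None,
        "signature_bytes": int(signed.group(1)) if signed else 0,
    }
    if result["identities_requested"] and not result["sign_requested"]:
        verdict = "client_never_signed"
    elif result["status_word"] == "6982":
        verdict = "token_refused_sign"
    elif signed:
        verdict = "signed"
    elif result["sign_requested"]:
        verdict = "sign_pending"
    else:
        verdict = "no_requests"
    result["verdict"] = verdict
    result["explanation"] = EXPLANATIONS[verdict]
    return result


# Constructed samples, abbreviated from the logs posted in this thread.
FAIL_LOG = """debug1: new_socket: type = CONNECTION
debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
"""
TIMEOUT_LOG = """debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
debug: ykcs11.c:2834 (C_Sign): In
Sign command failed with code 6982.
debug: mechanisms.c:299 (sign_mechanism_final): ykpiv_sign_data with key 9a failed: Authentication error
Agent signature failed for add_output.txt: agent refused operation
"""
OK_LOG = """debug1: process_message: socket 1 (fd=4) type 11
debug2: process_request_identities: entering
debug1: process_message: socket 1 (fd=4) type 13
debug1: process_sign_request2: entering
debug: ykcs11.c:2934 (C_Sign): The signature is 256 bytes
"""

if __name__ == "__main__":
    for name, log in (("fail", FAIL_LOG), ("timeout", TIMEOUT_LOG), ("ok", OK_LOG)):
        print(name, diagnose(log)["verdict"], "-", diagnose(log)["explanation"])
```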

@martelletto Sorry for the delay! I'm not sure what you mean by notification. When I'm prompted for the press, the key does blink. But I'm not sure what I would be looking for from ssh, since this was just the ssh-add.

The output when I touch the key when flashing is below.

debug: /tmp/yubico-piv-tool-20220305-76098-aqo9v4/yubico-piv-tool-2.3.0/ykcs11/ykcs11.c:2785 (C_SignInit): In
debug: /tmp/yubico-piv-tool-20220305-76098-aqo9v4/yubico-piv-tool-2.3.0/ykcs11/ykcs11.c:2855 (C_SignInit): Out
debug: /tmp/yubico-piv-tool-20220305-76098-aqo9v4/yubico-piv-tool-2.3.0/ykcs11/ykcs11.c:1773 (C_GetAttributeValue): In
debug: /tmp/yubico-piv-tool-20220305-76098-aqo9v4/yubico-piv-tool-2.3.0/ykcs11/objects.c:523 (get_proa): For private key object 86, get
debug: /tmp/yubico-piv-tool-20220305-76098-aqo9v4/yubico-piv-tool-2.3.0/ykcs11/objects.c:706 (get_proa): ALWAYS AUTHENTICATE
debug: /tmp/yubico-piv-tool-20220305-76098-aqo9v4/yubico-piv-tool-2.3.0/ykcs11/ykcs11.c:1819 (C_GetAttributeValue): Out
debug1: pkcs11_check_obj_bool_attrib: provider "/usr/local/lib/libykcs11.dylib" slot 1 object 86: attrib 514 = 0
debug: /tmp/yubico-piv-tool-20220305-76098-aqo9v4/yubico-piv-tool-2.3.0/ykcs11/ykcs11.c:2867 (C_Sign): In


debug: /tmp/yubico-piv-tool-20220305-76098-aqo9v4/yubico-piv-tool-2.3.0/ykcs11/mechanisms.c:297 (sign_mechanism_final): ykpiv_sign_data 256 bytes with key 9a returned 256 bytes data
debug: /tmp/yubico-piv-tool-20220305-76098-aqo9v4/yubico-piv-tool-2.3.0/ykcs11/ykcs11.c:2934 (C_Sign): The signature is 256 bytes
debug: /tmp/yubico-piv-tool-20220305-76098-aqo9v4/yubico-piv-tool-2.3.0/ykcs11/ykcs11.c:2940 (C_Sign): Out
debug1: pkcs11_k11_free: parent 0x600002dd42c0 ptr 0x0 idx 1

Is there something I should be looking for from ssh-agent?

ogreface, Apr 28 '22 14:04

Thank you. It looks like the ssh-agent + ykcs11 + YubiKey combo is working as expected, and that the problem relates to SSH configuration. If you're comfortable sharing it, could you please provide the complete output of ssh -vvv, with both Homebrew and macOS ssh? Feel free to reach out directly to me (pedro at yubico dot com) if you prefer. Happy to help.

martelletto, Apr 29 '22 13:04

This issue is now quite old and I'm closing it for that reason. If this is still a problem please open a new issue.

qpernil, Oct 28 '22 13:10