Public bug reported:

I'm using simple-tpm-pk11 (from Ubuntu repo) and can successfully connect to SSH using a TPM key.

When trying to add the key to my ssh-agent, the action is refused:

$ ssh-add -s /usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11:
Could not add card "/usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so": agent refused operation

Thomas Habets, author of simple-tpm-pk11, suggested compiling ssh-agent from source [1]. This fixed the issue.

Recompile steps:

$ apt-get source openssh-client
[…]
$ cd openssh-7.2p2
$ ./configure --prefix=$HOME/opt/openssh
[…]
$ grep -q '^#define ENABLE_PKCS11' config.h && echo success || echo fail
success
$ sudo mkdir -p /var/empty
$ make install
[…]
$ ~/opt/openssh/bin/ssh-agent
[… env stuff for ssh-agent. copy-paste run this …]
$ ssh-add -s /usr/local/lib/libsimple-tpm-pk11.so
Enter passphrase for PKCS#11:
Card added: /usr/local/lib/libsimple-tpm-pk11.so
$ ssh-add -l
2048 SHA256:xxxxx[…]xxxxxx /usr/local/lib/libsimple-tpm-pk11.so (RSA)

1) Ubuntu 16.04.1 LTS
2) openssh-client 1:7.2p2-4ubuntu1
   simple-tpm-pk11 0.04-1
3) I would expect the Ubuntu binary release of ssh-agent to allow adding the TPM key just like the locally compiled test.
4) An error is returned by ssh-add:
   Could not add card "/usr/lib/x86_64-linux-gnu/libsimple-tpm-pk11.so": agent refused operation

ProblemType: Bug
DistroRelease: Ubuntu 16.04
Package: openssh-client 1:7.2p2-4ubuntu1
ProcVersionSignature: Ubuntu 4.4.0-21.37-generic 4.4.6
Uname: Linux 4.4.0-21-generic x86_64
ApportVersion: 2.20.1-0ubuntu2.1
Architecture: amd64
CurrentDesktop: Unity
Date: Wed Jul 27 06:24:19 2016
InstallationDate: Installed on 2016-07-26 (1 days ago)
InstallationMedia: Ubuntu 16.04 LTS "Xenial Xerus" - Release amd64 (20160420.1)
RelatedPackageVersions:
 ssh-askpass N/A
 libpam-ssh N/A
 keychain N/A
 ssh-askpass-gnome N/A
SSHClientVersion: OpenSSH_7.2p2 Ubuntu-4ubuntu1, OpenSSL 1.0.2g-fips 1 Mar 2016
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
upstart.ssh-agent.log:
 ssh-agent stop/pre-start, process 4012
 ssh-agent stop/pre-start, process 3782
 ssh-agent stop/pre-start, process 3440

** Affects: openssh (Ubuntu)
   Importance: Undecided
   Status: New

** Tags: amd64 apport-bug xenial

--
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/1606929

Title:
  ssh-agent PKCS#11: agent refused operation

Status in openssh package in Ubuntu:
  New