
Bug#932071: openssh-client: [Regr. 7.9p1-10 -> 8.0p1-3] Always prompts for Yubikey (PKCS#11) PIN, even if already in agent
Package: openssh-client
Version: 1:8.0p1-3
Severity: normal

Dear Maintainer,

I have a Yubikey ("Yubikey 5 NFC") with my (RSA-2048) SSH key on it.
This connects to OpenSSH via OpenSC, through the line

PKCS11Provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so

which I have in my $HOME/.ssh/config. The key is configured to require a
PIN and a button press in order to sign. In 7.9p1, I was able to add the
PIN to the SSH agent for the current session with

ssh-add -s /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

and then, upon ssh'ing into a host, only touch the key to sign in. This
behavior no longer works in 8.0p1. Instead, I now have to enter the PIN
for every single sign-in attempt, even if adding the key to the agent
succeeds. Simply downgrading openssh-client (while leaving the same
agent running) restores the prior behavior, so a workaround exists for
now. But it would be fantastic if this (convenient) function could be
restored.

Here are logs of what occurs with ssh -v in each case:

-------------------------------------------------------------------------------
8.0p1: (bad)
-------------------------------------------------------------------------------
$ ssh -v marten
OpenSSH_8.0p1 Debian-3, OpenSSL 1.1.1c  28 May 2019
debug1: Reading configuration data /home/andreas/.ssh/config
debug1: /home/andreas/.ssh/config line 7: Deprecated option "useroaming"
debug1: /home/andreas/.ssh/config line 173: Applying options for marten
debug1: /home/andreas/.ssh/config line 189: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to marten.tiker.net [2a01:4f8:191:73ea::2] port 22.
debug1: Connection established.
debug1: provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.19
debug1: provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so slot 0: label <SSH key> manufacturerID <piv_II> model <PKCS#15 emulate> serial <7ecd62c148f8bee> flags 0x40d
Enter PIN for 'SSH key': 
-------------------------------------------------------------------------------
7.9p1: (good)
-------------------------------------------------------------------------------
$ ssh -v marten
OpenSSH_7.9p1 Debian-10, OpenSSL 1.1.1c  28 May 2019
debug1: Reading configuration data /home/andreas/.ssh/config
debug1: /home/andreas/.ssh/config line 7: Deprecated option "useroaming"
debug1: /home/andreas/.ssh/config line 173: Applying options for marten
debug1: /home/andreas/.ssh/config line 189: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to marten.tiker.net [2a01:4f8:191:73ea::2] port 22.
debug1: Connection established.
debug1: provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so: manufacturerID <OpenSC Project> cryptokiVersion 2.20 libraryDescription <OpenSC smartcard framework> libraryVersion 0.19
debug1: provider /usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so slot 0: label <SSH key> manufacturerID <piv_II> model <PKCS#15 emulate> serial <7ecd62c148f8bee> flags 0x40d
debug1: have 1 keys
debug1: pkcs11_provider_unref: 0x556a2fafabb0 refcount 2
debug1: identity file /home/andreas/.ssh/id_rsa type 0
debug1: identity file /home/andreas/.ssh/id_rsa-cert type -1
debug1: identity file /home/andreas/.ssh/id_dsa type -1
debug1: identity file /home/andreas/.ssh/id_dsa-cert type -1
debug1: identity file /home/andreas/.ssh/id_ecdsa type -1
debug1: identity file /home/andreas/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/andreas/.ssh/id_ed25519 type 3
debug1: identity file /home/andreas/.ssh/id_ed25519-cert type -1
debug1: identity file /home/andreas/.ssh/id_xmss type -1
debug1: identity file /home/andreas/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.9p1 Debian-10
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9p1 Debian-10
debug1: match: OpenSSH_7.9p1 Debian-10 pat OpenSSH* compat 0x04000000
debug1: Authenticating to marten.tiker.net:22 as 'akadmin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
[snip]
-------------------------------------------------------------------------------

Thanks,
Andreas

-- System Information:
Debian Release: bullseye/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable-debug'), (500, 'unstable'), (500, 'stable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_USER, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), LANGUAGE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.19.7
ii  libc6             2.28-10
ii  libedit2          3.1-20190324-1
ii  libgssapi-krb5-2  1.17-3
ii  libselinux1       2.8-1+b1
ii  libssl1.1         1.1.1c-1
ii  passwd            1:4.7-1
ii  zlib1g            1:1.2.11.dfsg-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.10-1

Versions of packages openssh-client suggests:
pn  keychain                         <none>
ii  ksshaskpass [ssh-askpass]        4:5.14.5-1
pn  libpam-ssh                       <none>
pn  monkeysphere                     <none>
ii  ssh-askpass-gnome [ssh-askpass]  1:8.0p1-3

-- no debconf information
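The following wrapper script is an editor's addition, not part of the bug report or of the openssh-client package. It turns the 7.9p1 flow the report describes into an explicit check: load the token into ssh-agent with ssh-add -s only when the agent does not already hold the token's key, then run ssh with PKCS11Provider=none so the client does not open the provider itself (in the 8.0p1 log above the PIN prompt appears while ssh loads the provider, before any key is offered; in the 7.9p1 log the same provider lines are followed by "have 1 keys" with no prompt). It also decodes the slot "flags" value from the debug output: 0x40d is CKF_RNG | CKF_LOGIN_REQUIRED | CKF_USER_PIN_INITIALIZED | CKF_TOKEN_INITIALIZED, i.e. the token requires a login before it will sign, which is the behaviour the report wants the agent to absorb. Assumptions not taken from the report: the single provider path (the report's ssh_config and ssh-add lines name two different paths, .../pkcs11/opensc-pkcs11.so and .../opensc-pkcs11.so; the script uses one), a saved copy of the token's public key at the hypothetical path ~/.ssh/yubikey.pub, and that the installed ssh accepts "PKCS11Provider none" (documented in ssh_config(5) of recent releases; confirm with the man page of the version you run). Matching is done on the key blob rather than the comment column of ssh-add -L, because the comment shown for agent-held PKCS#11 keys differs between OpenSSH versions.

```sh
#!/bin/sh
# ssh-token: run ssh(1) with a PKCS#11 token that is served by ssh-agent,
# loading the token into the agent only when it is not already there.
# Added example; not code from the bug report or the openssh-client package.
# Assumptions (not from the report): PROVIDER and TOKEN_PUB below, and that
# the installed ssh honours "PKCS11Provider none" (see ssh_config(5)).
set -eu

PROVIDER=${PROVIDER:-/usr/lib/x86_64-linux-gnu/pkcs11/opensc-pkcs11.so}
# Public key of the token's SSH key, saved once from `ssh-add -L` after the
# first successful `ssh-add -s`. Hypothetical location.
TOKEN_PUB=${TOKEN_PUB:-$HOME/.ssh/yubikey.pub}

# agent_has_key LISTING PUBKEY
# LISTING is the text of `ssh-add -L`; PUBKEY is one "type base64 [comment]"
# line. Compares the key blob (field 2), not the comment, because the comment
# of an agent-held PKCS#11 key is version dependent. Returns 0 when present.
agent_has_key() {
    blob=$(printf '%s\n' "$2" | awk '{ print $2 }')
    [ -n "$blob" ] || return 1
    printf '%s\n' "$1" | awk -v b="$blob" '
        NF >= 2 && $2 == b { found = 1 }
        END { exit found ? 0 : 1 }'
}

# decode_token_flags HEX
# Expand the "flags 0x..." value that `ssh -v` prints for a PKCS#11 slot into
# CK_TOKEN_INFO flag names (PKCS#11 v2.20 constants), one per line.
# The report's value 0x40d decodes to CKF_RNG, CKF_LOGIN_REQUIRED,
# CKF_USER_PIN_INITIALIZED and CKF_TOKEN_INITIALIZED.
decode_token_flags() {
    flags=$(( $1 ))
    for pair in 1:CKF_RNG 2:CKF_WRITE_PROTECTED 4:CKF_LOGIN_REQUIRED \
        8:CKF_USER_PIN_INITIALIZED 32:CKF_RESTORE_KEY_NOT_NEEDED \
        64:CKF_CLOCK_ON_TOKEN 256:CKF_PROTECTED_AUTHENTICATION_PATH \
        512:CKF_DUAL_CRYPTO_OPERATIONS 1024:CKF_TOKEN_INITIALIZED \
        2048:CKF_SECONDARY_AUTHENTICATION; do
        bit=${pair%%:*}
        name=${pair#*:}
        if [ $(( flags & bit )) -ne 0 ]; then printf '%s\n' "$name"; fi
    done
}

main() {
    listing=$(ssh-add -L 2>/dev/null || true)
    if ! agent_has_key "$listing" "$(cat "$TOKEN_PUB")"; then
        # Not in the agent yet: load it once. ssh-add prompts for the PIN
        # here and the agent keeps the token session for the rest of the day.
        ssh-add -s "$PROVIDER"
    fi
    # The agent now serves the key, so tell ssh not to open the provider
    # itself (that is the step in the 8.0p1 log where the PIN prompt appears).
    # The agent signs; a touch-to-sign token still asks for the button press.
    exec ssh -o PKCS11Provider=none "$@"
}

# Only run when given a destination, so the functions can be sourced/tested.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Create the reference file once, after a successful ssh-add -s, with `ssh-add -L > ~/.ssh/yubikey.pub` (keep only the token's line if the agent also holds file-based keys). Because ssh_config takes the first value given for an option, the `-o PKCS11Provider=none` on the command line wins over the PKCS11Provider line in ~/.ssh/config, so the config file can stay as it is.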
