-----Original Message----- From: m.roth@5-cent.us [mailto:m.roth@5-cent.us] Sent: Friday, July 22, 2016 4:15 PM To: CentOS mailing list Subject: Re: [CentOS] CentOS 6.7->6.8, ssh-add issue, followup, more info
m.roth@5-cent.us wrote:
Folks,
I am perplexed. I updated my workstation at work Wed before I left, from 6.7 to 6.8. Then, yesterday, I went to use ssh-add -s libcoolkeypk11.so, which I've done many times before to add the certs from my PIV card... and 100% of the time if fails, letting me SSH_AGENT_FAILURE, cannot add card.
Now, using a script called sccr, which uses my public and private key to generate a one-time password (we use the to sudo to root), works with no problem. I used my card to go into the data center this morning, which also reads my card, and had no problem. I've tried eval $(ssh-agent) to start a new instance. Nothing works.
Also, pklogin-finder finds the cards, asks for my PIN< and it works.
Clues for the poor?
I just tried ssh -I libcoolkeypk11.so <servername> and in messages, it reports "ssh-pkcs11-helper: errror:no slots" before failing to let me log on.
mark
Assuming 1) that /etc/pki/nssdb/ has been populated with all the appropriate and current gov certificate authorities (CA). certutil -L -d /etc/pki/nssdb/ #list the CAs 2) that you are using the RH/CentOS stock openssh*rpm files. 3) that you have not also gotten a newer card in the same time period, which happens to use a CA that is not in /etc/pki/nssdb/
Have you tried a third different set of ssh commands to use the cac: ln -s /etc/pki/nssdb/* ~/.ssh/ #make the certificate authorities available to ssh* ssh-add -D #clear out any existing sigs ssh-add -n #use nss to access the cac
Also on some boxes coolkey gets disassociated from nss, and I have found the simple yum reinstall coolkey fixes it, may need to logout/reboot as it affects a bunch O'stuff (and been a while since I had the problem).
Even when this disclaimer is not here: I am not a contracting officer. I do not have authority to make or modify the terms of any contract.