[CentOS] CentOS 6.7->6.8, ssh-add issue, followup, more info

Tue Jul 26 21:11:43 UTC 2016
Denniston, Todd A CIV NAVSURFWARCENDIV Crane <todd.denniston at navy.mil>

> -----Original Message-----
> From: m.roth at 5-cent.us [mailto:m.roth at 5-cent.us]
> Sent: Friday, July 22, 2016 4:15 PM
> To: CentOS mailing list
> Subject: Re: [CentOS] CentOS 6.7->6.8, ssh-add issue, followup, more info
> m.roth at 5-cent.us wrote:
> > Folks,
> >
> >    I am perplexed. I updated my workstation at work Wed before I left,
> > from 6.7 to 6.8. Then, yesterday, I went to use ssh-add -s
> > libcoolkeypk11.so, which I've done many times before to add the certs
> > from my PIV card... and 100% of the time it fails, telling me
> > SSH_AGENT_FAILURE, cannot add card.
> >
> >    Now, using a script called sccr, which uses my public and private key
> > to generate a one-time password (we use that to sudo to root), works
> > with no problem. I used my card to go into the data center this
> > morning, which also reads my card, and had no problem. I've tried eval
> > $(ssh-agent) to start a new instance. Nothing works.
> >
> >    Also, pklogin-finder finds the cards, asks for my PIN, and it works.
> >
> >    Clues for the poor?
> >
> I just tried ssh -I libcoolkeypk11.so <servername> and in messages, it
> reports "ssh-pkcs11-helper: error: no slots" before failing to let me log
> on.
>      mark

1) that /etc/pki/nssdb/ has been populated with all the appropriate and current gov certificate authorities (CAs).
certutil -L -d /etc/pki/nssdb/ #list the CAs
2) that you are using the RH/CentOS stock openssh*rpm files.
3) that you have not also gotten a newer card in the same time period, which happens to use a CA that is not in /etc/pki/nssdb/.

Have you tried a third, different set of ssh commands to use the CAC:
ln -s /etc/pki/nssdb/*  ~/.ssh/ #make the certificate authorities available to ssh*
ssh-add -D #clear out any existing sigs
ssh-add -n #use nss to access the cac

Also on some boxes coolkey gets disassociated from nss, and I have found the simple
yum reinstall coolkey
fixes it; you may need to log out or reboot, as it affects a bunch O'stuff (and it has been a while since I had the problem).

Even when this disclaimer is not here:
I am not a contracting officer. I do not have authority to make or modify the terms of any contract.
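As an added example (not from this thread, and not a command set anyone in it posted), here is a small POSIX sh diagnostic that scripts the checks suggested in the reply above: count the trusted CAs in /etc/pki/nssdb, confirm the openssh package comes from the distribution, and ask NSS (via modutil from nss-tools) whether the coolkey module is still registered and how many slots it reports, which is the condition behind the "no slots" message. The CA nickname "DoD Root CA", the accepted vendor strings, the module file name, and the exact output layouts of `certutil -L` and `modutil -list` that the parsers expect are assumptions; invoke it with the argument `run` on the affected box to apply it to real output.

```shell
#!/bin/sh
# Added example, not from the CentOS thread. Scripts the checks from the reply
# above; run as `sh pkcs11-check.sh run` on the affected box. Every path,
# module name, vendor string and CA nickname below is an assumption.

NSSDB="${NSSDB:-/etc/pki/nssdb}"              # NSS DB named in the reply
PKCS11_LIB="${PKCS11_LIB:-libcoolkeypk11.so}"  # module given to ssh-add -s
CA_NICKNAME="${CA_NICKNAME:-DoD Root CA}"      # assumed nickname of a gov CA

# Count entries in a `certutil -L` listing (stdin) whose SSL trust column
# carries the "C" flag, i.e. certs trusted to act as a CA. Assumes the usual
# layout: nickname, then trust flags such as "CT,C,C" as the last field.
count_trusted_cas() {
    awk '$NF ~ /^[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*$/ {
             split($NF, f, ",")
             if (index(f[1], "C") > 0) n++
         }
         END { print n + 0 }'
}

# Does the `certutil -L` listing on stdin mention nickname $1 (fixed string)?
listing_has_nickname() {
    grep -qF -- "$1"
}

# Is the openssh package the distribution's own build? $1 is the vendor tag
# from `rpm -q --qf '%{VENDOR}\n' openssh`; accepted vendors are assumptions.
is_stock_openssh_vendor() {
    case "$1" in
        CentOS*|"Red Hat"*) return 0 ;;
        *)                  return 1 ;;
    esac
}

# From `modutil -list` output on stdin, print the slot count reported for the
# module whose "library name:" contains $1, or "absent" if NSS has no such
# module registered. Assumes modutil's numbered-module layout with a
# "library name: <file>" line followed by a "slots: N slot(s) attached" line.
module_slot_count() {
    awk -v lib="$1" '
        /^[[:space:]]*[0-9]+\. /            { cur = "" }
        $1 == "library" && $2 == "name:"    { cur = $3; next }
        $1 == "slots:" && index(cur, lib)   { print $2; found = 1; exit }
        END { if (!found) print "absent" }'
}

# Apply the three checks to the live system; non-zero exit if any one fails.
run_checks() {
    rc=0
    if command -v certutil >/dev/null 2>&1; then
        listing=$(certutil -L -d "$NSSDB/")
        echo "trusted CAs in $NSSDB: $(printf '%s\n' "$listing" | count_trusted_cas)"
        printf '%s\n' "$listing" | listing_has_nickname "$CA_NICKNAME" \
            || { echo "WARN: no '$CA_NICKNAME' in $NSSDB (steps 1 and 3)"; rc=1; }
    else
        echo "WARN: certutil not found (install nss-tools)"; rc=1
    fi

    if command -v rpm >/dev/null 2>&1; then
        vendor=$(rpm -q --qf '%{VENDOR}\n' openssh 2>/dev/null)
        is_stock_openssh_vendor "$vendor" \
            || { echo "WARN: openssh vendor is '$vendor', not the stock build (step 2)"; rc=1; }
    fi

    if command -v modutil >/dev/null 2>&1; then
        slots=$(modutil -list -dbdir "$NSSDB" 2>/dev/null | module_slot_count "$PKCS11_LIB")
        case "$slots" in
            absent) echo "WARN: $PKCS11_LIB not registered with NSS; try: yum reinstall coolkey"; rc=1 ;;
            0)      echo "WARN: $PKCS11_LIB reports 0 slots (the condition behind 'no slots')"; rc=1 ;;
            *)      echo "$PKCS11_LIB reports $slots slot(s)" ;;
        esac
    fi
    return $rc
}

case "${1:-}" in
    run) run_checks ;;
esac
```

The parsers are kept separate from the commands that feed them so that the same script can be pointed at saved output (for instance, a `certutil -L` listing pasted into a mail) without needing the card reader or the NSS tools on the machine doing the reading.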