> -----Original Message----- > From: m.roth at 5-cent.us [mailto:m.roth at 5-cent.us] > Sent: Friday, July 22, 2016 4:15 PM > To: CentOS mailing list > Subject: Re: [CentOS] CentOS 6.7->6.8, ssh-add issue, followup, more info > > m.roth at 5-cent.us wrote: > > Folks, > > > > I am perplexed. I updated my workstation at work Wed before I left, > > from 6.7 to 6.8. Then, yesterday, I went to use ssh-add -s > > libcoolkeypk11.so, which I've done many times before to add the certs > > from my PIV card... and 100% of the time if fails, letting me > > SSH_AGENT_FAILURE, cannot add card. > > > > Now, using a script called sccr, which uses my public and private key > > to generate a one-time password (we use the to sudo to root), works > > with no problem. I used my card to go into the data center this > > morning, which also reads my card, and had no problem. I've tried eval > > $(ssh-agent) to start a new instance. Nothing works. > > > > Also, pklogin-finder finds the cards, asks for my PIN< and it works. > > > > Clues for the poor? > > > I just tried ssh -I libcoolkeypk11.so <servername> and in messages, it > reports "ssh-pkcs11-helper: errror:no slots" before failing to let me log > on. > > mark > Assuming 1) that /etc/pki/nssdb/ has been populated with all the appropriate and current gov certificate authorities (CA). certutil -L -d /etc/pki/nssdb/ #list the CAs 2) that you are using the RH/CentOS stock openssh*rpm files. 3) that you have not also gotten a newer card in the same time period, which happens to use a CA that is not in /etc/pki/nssdb/ Have you tried a third different set of ssh commands to use the cac: ln -s /etc/pki/nssdb/* ~/.ssh/ #make the certificate authorities available to ssh* ssh-add -D #clear out any existing sigs ssh-add -n #use nss to access the cac Also on some boxes coolkey gets disassociated from nss, and I have found the simple yum reinstall coolkey fixes it, may need to logout/reboot as it affects a bunch O'stuff (and been a while since I had the problem). Even when this disclaimer is not here: I am not a contracting officer. I do not have authority to make or modify the terms of any contract.