[CentOS] CentOS 6.7->6.8, ssh-add issue, followup, more info

Tue Jul 26 21:17:40 UTC 2016
m.roth at 5-cent.us <m.roth at 5-cent.us>

Denniston, Todd A CIV NAVSURFWARCENDIV Crane wrote:
>> From: m.roth at 5-cent.us [mailto:m.roth at 5-cent.us]
>> Sent: Friday, July 22, 2016 4:15 PM
>> m.roth at 5-cent.us wrote:
>> >
>> >    I am perplexed. I updated my workstation at work Wed before I left,
>> > from 6.7 to 6.8. Then, yesterday, I went to use ssh-add -s
>> > libcoolkeypk11.so, which I've done many times before to add the certs
>> > from my PIV card... and 100% of the time it fails, letting me
>> > SSH_AGENT_FAILURE, cannot add card.
>> >
>> > Now, using a script called sccr, which uses my public and private key
>> > to generate a one-time password (we use them to sudo to root), works
>> > with no problem. I used my card to go into the data center this
>> > morning, which also reads my card, and had no problem. I've tried eval
>> > $(ssh-agent) to start a new instance. Nothing works.
>> >
>> >    Also, pklogin-finder finds the cards, asks for my PIN, and it
>> works.
>> >
>> >    Clues for the poor?
>> >
>> I just tried ssh -I libcoolkeypk11.so <servername> and in messages, it
>> reports "ssh-pkcs11-helper: errror:no slots" before failing to let me
>> log on.

> Assuming
> 1) that /etc/pki/nssdb/ has been populated with all the appropriate and
> current gov certificate authorities (CA).
> certutil -L -d /etc/pki/nssdb/ #list the CAs
> 2) that you are using the RH/CentOS stock openssh*rpm files.
> 3) that you have not also gotten a newer card in the same time period,
> which happens to use a CA that is not in /etc/pki/nssdb/
> Have you tried a third different set of ssh commands to use the cac:
> ln -s /etc/pki/nssdb/*  ~/.ssh/ #make the certificate authorities
> available to ssh*
> ssh-add -D #clear out any existing sigs

I tried ssh-add -e, and it also said "unable to connect to agent".

> ssh-add -n #use nss to access the cac
> Also on some boxes coolkey gets disassociated from nss, and I have found
> the simple
> yum reinstall coolkey
> fixes it, may need to logout/reboot as it affects a bunch O'stuff (and
> been a while since I had the problem).
I could try the reinstall, but it's very odd - everything worked, and now,
after the upgrade, it doesn't. Oh, and here's another twist on this: Under
6.7, if I'd logged into my webmail via firefox, and while that was
happening, I stuck my AA ("Logical token" card) into the keyboard slot,
and used it in logging onto one server (using sccr), it just chugged
along. Now, at 6.8, *everything* in firefox hangs - even a google search,
until I pull the card out of the keyboard. It's clearly trying to
authenticate the client, not just the server....
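The ssh-add symptoms in this thread fall into three buckets: the agent socket is unreachable ("unable to connect to agent"), the module named after -s cannot be found by the loader, or the module loads but the helper sees no token ("no slots", surfaced as SSH_AGENT_FAILURE). The POSIX sh below, an added diagnostic that is not from the thread or from coolkey/OpenSSH, separates those cases before touching the card; the search directories and the PKCS11_SEARCH_PATH variable are assumptions, not anything the tools read.

```shell
#!/bin/sh
# Added diagnostic for the "ssh-add -s <pkcs11 module>" failures above.
# Assumes: POSIX sh, optional ssh-agent/ssh-add on PATH, module passed as $1.

# "unable to connect to agent" means this test fails: no usable socket.
agent_reachable() {
    [ -n "$SSH_AUTH_SOCK" ] && [ -S "$SSH_AUTH_SOCK" ]
}

# ssh-add -s hands the name to dlopen(), so a bare "libcoolkeypk11.so"
# only works if the loader can find it. Print the resolved path, or fail.
# PKCS11_SEARCH_PATH and the default directories are this script's own guess.
resolve_module() {
    name=$1
    case $name in
        /*) [ -r "$name" ] && printf '%s\n' "$name" ;;
        *)  for d in ${PKCS11_SEARCH_PATH:-/usr/lib64/pkcs11 /usr/lib/pkcs11 /usr/lib64 /usr/lib}; do
                if [ -r "$d/$name" ]; then printf '%s\n' "$d/$name"; return 0; fi
            done
            return 1 ;;
    esac
}

# Classify one attempt. Return codes (this script's convention):
#   0 added, 2 agent unreachable, 3 module or ssh-add not found,
#   1 agent refused it (SSH_AGENT_FAILURE, e.g. helper reported "no slots").
try_add() {
    agent_reachable || return 2
    mod=$(resolve_module "$1") || return 3
    command -v ssh-add >/dev/null 2>&1 || return 3
    ssh-add -s "$mod" >/dev/null 2>&1 || return 1
}

# Usage: . ./this.sh; try_add libcoolkeypk11.so; echo "rc=$?"
```

A 2 means fix the agent first (eval $(ssh-agent) in the same shell); a 3 means pass the full path to the module; a 1 means the module loaded and the card or its slot is the problem.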